Mint owes much of their success to the ease in which they allow you to setup access to your various bank accounts. The technology behind Mint – normally referred to as account aggregation – is not new. Earlier this decade, account aggregation was the next big thing in internet banking.
Many banks and service providers rushed to add aggregation to their internet banking offerings. The problem was that customers were never too keen on account integration. One of the main adoption inhibitors was customers’ reluctance to supply their usernames and passwords for their other financial institutions. Adoption remained low, and many banks dropped aggregation features all together.
Apparently Mint is the pill that helps people overcome their password sharing inhibitions. Mint’s concoction of PFM tools and account aggregation is so useful that close 700,000 people are willing to trust them with their internet banking credentials for their various accounts. Technically, Mint does not store user credentials. Here is the explanation they give.“We connect securely to your financial institutions using one or more online financial service providers. Your online banking credentials are stored only with these institutions enabling Mint to automatically and securely update your transactions and saving you from updating, syncing or uploading financial information manually.”
Mint offloads your user credentials to one or some of their partners. Mint lists some very impressive data and data center security features. The problem is the listed security features apply to Mint’s datacenter; not their partners data center.
Mint does not advertise the identity of their account aggregation partner, but Yodlee, a well known account aggregation company, lists Mint as one of their customers. I think it’s pretty safe to assume that Yodlee provides some of the account aggregation features for Mint. Thus, there is a good chance that Yodlee is storing your username and password. That’s not necessarily bad. After all, Yodlee is a trusted partner of many large financial institutions. However, there is a strong possibility that the way Yodlee stores your passwords is not as safe as the way your internet banking site stores your passwords.
Your internet banking site probably stores a hashed version of your password. A password hash is a one way encryption technique. The main benefit to hashed passwords is that even if a hacker cracks/discovers the encryption scheme and steals your encrypted password from your banks database, they will not be able to unscramble your password. Your password is pretty safe.
The nature of account aggregation prevents Yodlee from storing hashed passwords. They probably encrypt your passwords in their database, but if a hacker ever got a hold of their encyption scheme and their database content, they could get your internet banking passwords.
Is the difference in password encryption and storage significant? Probably not. I track five accounts in Mint, and I don’t worry too much about my login credentials being stolen. The possibility of a key logger virus being placed on my computer is probably much greater than the possibility of a Mint/Yodlee datacenter breach.
I feel comfortable supplying Mint/Yodlee with my passwords for my various banks because I know that, in the event of a databreach, they have more to lose than I do. Where as I might have to go through the hassle of changing passwords and canceling cards, Mint and Yodlee would have to go through the hassle of closing up shop and hiring good bankcruptcy lawyers.