How Safe is Mint?

February 26, 2009

Mint owes much of its success to the ease with which it lets you set up access to your various bank accounts. The technology behind Mint, normally referred to as account aggregation, is not new. Earlier this decade, account aggregation was the next big thing in internet banking.

Many banks and service providers rushed to add aggregation to their internet banking offerings. The problem was that customers were never too keen on account aggregation. One of the main adoption inhibitors was customers’ reluctance to supply their usernames and passwords for their other financial institutions. Adoption remained low, and many banks dropped aggregation features altogether.

Apparently Mint is the pill that helps people overcome their password-sharing inhibitions. Mint’s concoction of PFM tools and account aggregation is so useful that close to 700,000 people are willing to trust them with their internet banking credentials for their various accounts. Technically, Mint does not store user credentials. Here is the explanation they give.

“We connect securely to your financial institutions using one or more online financial service providers. Your online banking credentials are stored only with these institutions enabling Mint to automatically and securely update your transactions and saving you from updating, syncing or uploading financial information manually.”

Mint offloads your user credentials to one or more of its partners. Mint lists some very impressive data and data center security features. The problem is that the listed security features apply to Mint’s data center, not to its partners’ data centers.

Mint does not advertise the identity of their account aggregation partner, but Yodlee, a well known account aggregation company, lists Mint as one of their customers. I think it’s pretty safe to assume that Yodlee provides some of the account aggregation features for Mint. Thus, there is a good chance that Yodlee is storing your username and password. That’s not necessarily bad. After all, Yodlee is a trusted partner of many large financial institutions. However, there is a strong possibility that the way Yodlee stores your passwords is not as safe as the way your internet banking site stores your passwords.

Your internet banking site probably stores a hashed version of your password. A password hash is a one-way function: it turns your password into a fixed-size value that cannot be turned back into the password. The main benefit of hashed passwords is that even if a hacker knows the hashing scheme and steals your hashed password from your bank’s database, they will not be able to unscramble it and recover your password. Your password is pretty safe.

The nature of account aggregation prevents Yodlee from storing hashed passwords: to log in to your bank on your behalf, Yodlee has to reproduce your actual password, not just check it. They probably encrypt your passwords in their database, but if a hacker ever got hold of their encryption scheme and their database content, they could get your internet banking passwords.
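The difference described above, as an added example that is not code from this post or from Mint or Yodlee: a bank-style store that can only verify a password beside an aggregator-style store that has to give the password back, each followed by a simulated theft of its contents. The master key, the HMAC-SHA256 counter-mode keystream used for the reversible store, the iteration count and the sample passwords are all constructed for the demonstration.

```python
"""Verify-only (hashed) versus reversible (encrypted) credential storage.

Illustrative code, not Mint's or Yodlee's. The bank only needs to check a
password, so it can keep a salted, slow hash. An aggregator must replay the
password to the bank's login page, so it has to keep something it can turn
back into plaintext. The HMAC-SHA256 counter-mode keystream is a constructed
stand-in for a real cipher and carries no authentication.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional

PBKDF2_ITERATIONS = 50_000  # assumption: a deliberately slow hash


def bank_enroll(password: str) -> dict:
    """Bank side: keep a random salt and a salted, iterated hash, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def bank_verify(record: dict, candidate: str) -> bool:
    """Bank side: recompute the hash from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def breach_bank_store(record: dict, guesses: List[str]) -> Optional[str]:
    """A thief with the bank's table and the (public) hash algorithm cannot decrypt anything;
    all that is left is guessing, one slow hash per guess."""
    for guess in guesses:
        if bank_verify(record, guess):
            return guess
    return None


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed HMAC-SHA256 counter-mode keystream (demonstration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aggregator_store(master_key: bytes, password: str) -> dict:
    """Aggregator side: encrypt reversibly, because the plaintext must be replayed later."""
    nonce = secrets.token_bytes(16)
    data = password.encode()
    ks = _keystream(master_key, nonce, len(data))
    return {"nonce": nonce, "ciphertext": bytes(a ^ b for a, b in zip(data, ks))}


def aggregator_recover(master_key: bytes, record: dict) -> str:
    """Aggregator side: the normal login path. A wrong key yields garbage, not an error."""
    ks = _keystream(master_key, record["nonce"], len(record["ciphertext"]))
    return bytes(a ^ b for a, b in zip(record["ciphertext"], ks)).decode(errors="replace")


def breach_aggregator_store(master_key: bytes, record: dict) -> str:
    """A thief who gets the database together with the master key needs no guessing:
    the legitimate recovery path hands over every password."""
    return aggregator_recover(master_key, record)


if __name__ == "__main__":
    password = "tr0ub4dor&3"  # constructed sample password
    bank_record = bank_enroll(password)
    master_key = secrets.token_bytes(32)  # constructed aggregator key
    agg_record = aggregator_store(master_key, password)
    print("bank table + guess list:", breach_bank_store(bank_record, ["123456", "password"]))
    print("aggregator table + key: ", breach_aggregator_store(master_key, agg_record))
```

The bank-side thief is reduced to guessing, which is why the salt and the slow iteration count matter, and why a password that appears on a common guess list is still recoverable from a hash. The aggregator-side thief who also obtains the master key gets every stored password at once, so for a reversible store the key has to live somewhere the database does not, and access to it is the thing worth monitoring.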

Is the difference in password encryption and storage significant?  Probably not. I track five accounts in Mint, and I don’t worry too much about my login credentials being stolen. The possibility of a key logger virus being placed on my computer is probably much greater than the possibility of a Mint/Yodlee datacenter breach.

I feel comfortable supplying Mint/Yodlee with my passwords for my various banks because I know that, in the event of a data breach, they have more to lose than I do. Whereas I might have to go through the hassle of changing passwords and canceling cards, Mint and Yodlee would have to go through the hassle of closing up shop and hiring good bankruptcy lawyers.

Mint’s Controversy, Mobile Loyalty Rewards, Opportunities for Mobile Advertising

February 20, 2009

It seems like Mint is in the news just about every day now.

Javelin posted an article today titled “Will Mint’s latest upgrades leave an unsavory aftertaste?” The author addresses something that I have wondered for quite a while: does Mint really offer unbiased advice? They obviously are not afraid to rank products according to how much they could save you. However, the author points out that it seems like all of the credit card products that Mint recommends are sponsored products (Mint makes money by offering customers products from their sponsors). He also points out that the new real estate evaluation tools might not be that great of an idea. Mint’s valuation of my house is 16% lower than Zillow’s valuation. These types of estimates are never very accurate and could end up frustrating users.

TechCrunch reports that Mint has riled the mighty Intuit. Intuit doesn’t believe Mint’s self-reported user numbers, so they sent Mint a letter demanding information that backs up Mint’s claims. Mint complied and revealed that their user base is growing by at least 4,000 users per day. They have a pretty liberal definition of user (anyone who has provided an email address, password, and ZIP code), but 680,000 of their 934,000 users have added at least one bank account to Mint. They did not mention how many of those users are active users (I would guess that about 340,000 of their users log in at least every couple of months). The link above includes copies of the letters sent by Intuit and the response sent by Mint.

Aneace Haddad’s Taggo adds convenience and one-step enrollment to loyalty programs

Taggo consolidates all of your loyalty rewards cards onto your mobile device. Actually, it consolidates them onto a small Taggo sticker that you can attach to your device. You register the sticker on the Taggo website and then tap it at NFC-equipped retail POS devices. The device sends a message to Taggo, and Taggo responds with the unique rewards ID for that sticker/store combination. If the customer is not a current rewards member, they are sent a text message and can apply for the rewards card by responding to the text. I think this is a very clever idea with lots of potential. There are just a couple of potential roadblocks. 1) The relative scarcity of NFC-enabled POS terminals in the US. 2) Customers must pay $10.00 to get the Taggo sticker to put on their phone.

Economic Downturn Will Create Opportunities for Mobile Advertising, Says Analysys Mason

BARCELONA, Spain–(BUSINESS WIRE)–Prospects for mobile advertising in 2009 are promising despite the economic downturn, but realism is called for, says Analysys Mason, the global telecoms adviser during Mobile World Conference.