In this guest post, SC takes a look at Mint, one of the recent batch of on-line financial management tools. I haven’t had a chance to use the site, so SC volunteered to write about his experiences.
Mint is a new website that claims it will help you organize your finances, automate your financial life, and help you save money at every turn. I have a credit card with Capital One, two bank accounts with E-Trade, and a number of certificates at E-Trade, as well. Normally I use Quicken at home to manage all my finances, but I gave Mint a whirl a few weeks ago.
Here is a quick summary in case you don’t like to read: Mint is great for helping you identify spending habits and prioritize your finances. It has wonderful charts and graphs, and was very easy to use. Also, if you are not using the most efficient “financial vehicles”, Mint has good suggestions. It is not a good tool for finding “deals” on your day-to-day spending. Mint just can’t get enough information from your credit card bill to adequately offer cheaper alternatives to your shopping habits.
Getting started
The first thing you do at Mint is add your various online accounts. This was easy as pie — mint pie.

The interface for adding and organizing your accounts was very simple — it felt a lot like moving around widgets on the iGoogle homepage.
Financial overview
Once you’ve uploaded your credit card account information, Mint is able to offer a variety of information about your money. One of the neat features is the Financial Overview page, which shows you the current status of all your accounts — updated every night:

The Financial Overview also displays your cash vs. debt breakdown, and how much you spend on various categories (shopping, restaurants, gas, entertainment, groceries, etc) with a bar chart. If you click on one of those categories, Mint will show you the associated charges, so you can easily see what you are spending where.
For example, here is my grocery breakdown:

And my entertainment expenses:

Spending trends
Mint tracks your spending trends across the months of data it has for you. Then it puts a fancy pie chart together for you. (This probably will look familiar to Quicken users.) Here is my spending breakdown per Mint:

This chart shows each category and how much I spent. If I click on a category — Food and Dining, for example — it will expand to show me more details:

I found this to be very helpful to identify specific areas I can cut back. I wish I could click a subcategory and see a listing of those charges, but that’s not an option I can find.
On the same page with the nifty pie charts, there are a series of bar graphs showing how your spending pattern has changed. This is fairly limited since I just signed up with Mint (and my credit card only keeps two months of history), but I would imagine that as time goes on, it will become more and more helpful:

I sold my car last month and now only ride a motorcycle, so it’s nice to see my gas has gone down. I also made a more concerted effort in September to eat at home more and eat out less. My grocery bill went up, and my restaurant bill went down! Yay!
Advertisements
So here is where Mint loses its flavor. Basically, it offers you “savings options”, which are products you don’t currently use and could save you money. There are two kinds of offers that Mint shows you:
- Consumer services — Mint told me I should switch from Sprint to Verizon. It noticed that I spent ~$450 on phone service this month and offered a Verizon alternative. There are a few issues here:
- I bought a new phone this month, so my monthly number is very inflated. There’s no way to adjust this with Mint.
- I use Sprint for a reason: I can’t get what I need with Verizon. I have an unlimited phone, data, and text plan, plus a cellular WiFi card, and the connection speed on Sprint is notably faster than Verizon. Mint’s “Verizon Offer” is a generic “you can get your phone, internet and cellular service for $145 a month!” and there’s no way to update your needs and get better tailored ads.
- Financial services — Mint does a better job here — at least the offers were comparable products. But again, Mint didn’t know what specific rates and costs my accounts were. So, for example, Mint told me I should open an ING checking account and get 3.50% APY, a yearly savings of $250. But my E-Trade checking account has an APY of 4%! Same thing for the Discover Credit Card it suggested. I have a cashback plan with my Capital One card, but it didn’t ask (or have a way to input manually) what my plan is. So the $4,489 in savings I could have each year is completely inaccurate.

Sometimes — especially if you aren’t taking full advantage of competitive financial vehicles — this might be handy. If you aren’t getting interest on your checking account, you should look into it!
But this certainly isn’t the real strength of Mint.
Bottom line
I think Mint is a wonderful tool to organize and analyze your finances; it’s a more detailed and user-friendly online flavor of Quicken. (But without the check writing abilities.) As a free site, it’s pretty cool. It doesn’t get much better than free!
But in terms of actually saving you lots of dough through promotional offers, I would take a pass. Unless they find a way to really tailor their recommendations to your needs and situation, it doesn’t seem like it will work very well for the average consumer. It didn’t work for me.
Thanks for the review, SC! What about you folks? Have you used Mint? Do you like it? How would you improve it? Last year about this time, I reviewed Wesabe, another online personal finance tool. Have any of you tried both? How do they compare? For myself, I’m happy to keep using Quicken for now.
Interesting related article: http://www.nobosh.com/Article/Mint.com—Is-it-Safe%3F/712/
Mint, is it safe?
Mint was my first exposure to online financial account aggregation, and I at once loved the ability to view all accounts and transactions from one login. Since then though, I haven’t used Mint much, mainly because of these annoyances: 1) I can’t add a few accounts (e.g. my credit union and Capital One), even though I can add them in BOA’s Portfolio; and 2) Their auto-category-renaming feature is so often wrong and hard to train.
All these apps are great for simple expense tracking and a general overview, but I’ve yet to see really good integration with budget management. For instance, why can’t I itemize a receipt/transaction into multiple budget categories?
I’ll still use BOA’s Portfolio and Mint for the account overview (and I plan to check out yodlee), but as for expense tracking and budget integration, I’m sticking to the custom app I wrote.
Is it true, did you quit your job?
Ravi, As a software engineer, you should be used to this level of “concern” from users when it comes to security!
@JG-CISSP
THANK YOU! You have voiced my primary concerns perfectly. (Not surprised considering the CISSP tag.)
@Monkymonk
read his last blog, he is quitting over the course of a year.
@spencer
god I wish you were wrong. I have to beat security into people at work.
[...] Get Rich Slowly blog has done a nice review of Mint, an online financial management tool. Mint combines all of your online financial [...]
Damon: that just sounds unethical to me, on a personal level. If you want to create a site that does a financial compare/contrast, great. But to blatantly use advertisers to generate income on a personal finance budget tracking site is just, well, wrong. Obviously, part of your target audience are people who manage money poorly, and even from some of the comments above this is proven, and then you provide advertisements for people to move their money around, or move their services around? Really? You can try and argue that you’re just providing a “service” but that’s bull. You’re not providing a true comparison service if you’re including anything less than a *complete* list of options for people to consider. Saying that XY credit card is a better card to save someone money is only true if the ongoing APR is lower — not just a balance transfer promotional rate.
Again, I’ve not reviewed the privacy policy on the mint site, and I’m not likely to because a site like this just makes my skin crawl. You’re mining customer financial data so that you can deliver targeted advertising to them, when the advertiser is paying to be on your site — not because you’ve reviewed them and think they are a good fit. For the latter scenario, I might consider using a site like that (and I would pay to do so), but I will never, never use a free site that looks at my financial data and provides unscreened, targeted financial ads to me — that’s just a recipe for disaster and pushing vapid consumerism.
Ugh!
Hi SR,
I don’t see how making offers that potentially save people money is unethical? In addition, a consumer doesn’t need to take an offer to use the service (the service is free & there’s no obligation for the user to accept any offer).
“Saying that XY credit card is a better card to save someone money is only true if the ongoing APR is lower — not just a balance transfer promotional rate.”
And those are the specific offers we try to highlight to consumers (long-term APR rates, other benefits, etc.)
Mint uses Yodlee on the backend to connect up to banks. In 10 years of operation, there’s never been a major security breach at Yodlee.
Define the difference between minor and major security breach.
You’ve just said that the platform you use is flawed… This is meant to inspire confidence in your service and security how, exactly?
@Damon
Ignoring all security concerns, since I have already voiced them.
Part of the problem with your model is you are making recommendations without complete information. The customers targeted are those who are already weak when it comes to financial responsibility, and you tell them “this credit card is better!” when in fact lower APR != better always. It is irresponsible to make financial recommendations with only a portion of their financial situation understood. Not to mention that you get a profit when they follow your recommendation. One of the first rules for finding a financial adviser is to find one who is unbiased to a particular product. Otherwise they will recommend the best one for them, not you.
I guess it’s not your concern to do socially responsible business. You are there to make money, so I understand, but don’t you think your product would have more value if it was truly unbiased? Charge a subscription fee, and you won’t have to make sure they are picking the credit card or loan that will pay you the most.
@SR.
No product is flawless. This has to be understood. The key with security is getting as close as possible without destroying usability. Yodlee is a solid service, and Mint is smart to use it as a back end… it’s their front end that concerns me.
Hi Jordan,
The “Ways to Save” page is still very much in beta & we’re still making tweaks to make it as strong as possible (Mint is still in beta as well). It will also get better as we get more offers in the system. We have a push going live later this month that should make the offer quality much, much better (we’re getting more accurate data about existing credit card information, interest rates, rewards, etc.)
Financial Advisor: To be honest, I haven’t met one Financial Advisor (person) that is unbiased because they are there to push the company products. The Mint system, however, is attempting to base it entirely off of transaction data & algorithms, items that are certainly less biased than a human being.
Sorry to keep posting on this, but the more information I read, the more I distrust mint security planning and execution.
I just read the Nobosh.com article that someone else referenced, and mint clearly doesn’t have top security. Someone can create a password that is “password”??! Every time I’ve had to create a password for a banking/financial site, I’ve had to use more than just letters. I thought that was pretty basic in password security measures — ESPECIALLY when dealing with personal or financial information.
A financial services site that doesn’t make users take reasonable precautions in creating their passwords only makes it easier for hackers to hack an account.
@Damon
Not all financial advisers sell a product. There are ones out there who look at what’s available from other companies and make recommendations based on that, so yes, they are unbiased because they will make the money by charging you for the service, not the commission from a product they sell.
The system will be less biased with the info it has, but not accurate because Mint can’t see all info for many of their clients and also can’t take into consideration discounts that might be in effect because of the longevity of a customer, or the number of accounts held with a single bank.
Damon, you’re pushing financial products on people that are concerned about their budgeting. Some commenters have already said they had poor habits, before using your site. There will obviously be foolish users, who think that you are *recommending* a service/provider, when all you’re doing is providing a link so you can make money.
I’m not an ethics professional, and I don’t claim to be one — I’m just saying: in my world, what you’re doing is unethical. What many will likely think is mint-sponsored financial advice is really just advertising so mint can make money. I see a big problem in that.
@Damon
Also, any reason people at Mint don’t respond to my messages regarding the security of your service? I was able to speak with co-founders of your competitors directly with no issue at all, yet the best Mint.com could provide was an automated “see our FAQ” response.
(Sorry for the comment abuse JD, but Mint.com just seems so shady, and people really do need to know what they are getting in to)
Hi Jordan,
*What* specifically were your questions? I believe I left a comment on your blog that you’re more than welcome to contact me directly. If I can’t answer the question, I am more than happy to get the answer from someone that can.
Hi SR,
I guess we have to beg to differ. My take is that being unethical would be: (a) forcing someone to take an offer to use the product, or (b) pushing one product or service over another (we don’t). As I also mentioned, the page will be getting a lot better over the next few months & consumers will have even more choices & the quality of those offers will be even better and/or more accurate.
Note: We’ve already had a lot of positive feedback from customers that have saved money from switching.
Hi SR,
“I just read the Nobosh.com article that someone else referenced, and mint clearly doesn’t have top security. Someone can create a password that is “password”??!”
A bug that is being addressed in a fix this month (you can look at the forums’ thread for this).
@Damon
I don’t recall a comment from you, do you have an email address? I’ll send the questions your way and maybe you can ease the mind of some of the readers who are obviously concerned.
welp, I kinda forgot I’d set up a Mint account soon after it opened. I just closed it, because in addition to the security concerns, it just doesn’t work very well. it’s buggy, not very intuitive, and half the transactions in my checking account were truncated and it was impossible to figure out just what they were without a trip into Quicken, and I figured I have similar features in Quicken anyway, so I deleted my account.
Hi 42 (Douglas Adams?),
We’re actually working on the transaction renaming issues as we speak. Customers that get screwed up information can send us a bug report that we file with engineering (see forums for information on this).
Yes, we do have some bugs that we’re working on as quickly as we can. I would just like to remind folks that we’re still in beta…even if it is a public beta…
Another quick note on security concerns…
If you send me a check, I have access to the following about you:
Name
Address
Phone Number (in some cases).
Drivers License# (in some cases)
Bank Account and Routing Transit Number
Mint doesn’t ask for your address or name, so your risk is actually low in the unlikely event we were hacked (reminder: username and passwords are not stored on our site).
In order to do credit card theft, you would also need the following:
Name
Address
CVV numbers
(Credit Card numbers, CVV numbers & address are not on our site).
If you’re really concerned about ID theft, shred mail that you discard (including credit card offers, bank statements, etc.). A lot more damage is done this way than the risk of a firm you’re working with being hacked (a lot of the issues, after all, have been firms where an employee misplaced a file, laptop, etc.). I would also recommend that people do some research on spoofing or phishing, which is actually a much larger issue than hacking. Hacking takes a lot of work, whereas phishing is a much easier way to lure unsuspecting customers into providing information.
Mint: Employees can’t view usernames and passwords. We also will not ask for it to resolve a customer issue.
Damon, you say the ability someone had to create a password of “password” was a “bug”? Reallllly? I’m sorry, but that just doesn’t inspire confidence in your security team. To my thinking, that should be one of the basics of what not to allow. That’s a pretty basic industry standard, yes? Don’t you have QA staff that test this kind of stuff??
If this is what mint considers a “bug”, it makes me wonder how much information could be gleaned by a clever hacker, because that security hole wasn’t foreseen by the mint security team and programmers.
I don’t doubt some people have found better cards or services on your site. A site like mint also has the vast potential to push certain people further and further in to debt. (e.g. “This cell phone plan is $100 cheaper per year (but we’re really not taking into consideration that you will have to pay $200 to cancel your existing contract, and we also really don’t know your coverage needs.”)) Perhaps unethical isn’t the correct word to describe how I feel, but I still have major problems with the vision and execution of the mint business plan — especially if you don’t allow an option (even if paid) for users to opt-out of the ads.
I understand the site is in Beta, but come on, if people are putting real, personal information in, shouldn’t proper, *complete* security have been the first priority? Or was the priority making pretty graphs (I don’t deny the screenshots in the post are attractive). And the blatant, CYA statement of “nothing is perfect” is just cheap and hollow and (to me, at any rate) the sign of a group that is better at being reactive (making excuses) instead of proactive (making a smartly secure website). If someone hacked the site, would you just tell your users “Sorry your data was out there for the world to see! But you know, gosh, we’re in beta and we’re still building this, and you know, *nothing is perfect*! Sorry!” Puh-leeze. If someone is handling my personal financial information, I expect solid, comprehensive security, and I expect the platform to not have had any “security breaches,” no matter how “minor.”
I think it really shows a lot about a company, when more time is spent making a pretty website, than making sure customer information is safe and secure.
Finally, remember the old cliche of ‘you only have one chance to make a first impression’? After reading the comments, mint has made a bad impression on me — and I haven’t even visited the site! The few people that have posted positive comments just don’t make up for people posting about security flaws, customer service’s lack of response to queries, lame “nothing is perfect excuses and remedial level hacker entry points (aka “bugs”) — which, for me at least, is a *major* issue. Because of that, anyone I meet who happens to mention the site, I’m going to do my best to talk them out of using mint.
Hi SR,
“Damon, you say the ability someone had to create a password of “password” was a “bug”? Reallllly? I’m sorry, but that just doesn’t inspire confidence in your security team. To my thinking, that should be one of the basics of what not to allow. That’s a pretty basic industry standard, yes? Don’t you have QA staff that test this kind of stuff??”
Yes, a bug. Like all internet companies, bugs aren’t realized until things are in the “real world”. When I signed up for a Mint account, for example, I was prompted to create a complex password. That being said, the issue is being addressed & should be fixed this month.
Note: While this may sound bad, I would actually hope that most internet consumers are savvy enough to realize that “password” isn’t a secure way of protecting ANY account.
Security: Our primary focus, as it should be, has been on making sure that our security of customer data is rock solid (it is). The password bug aside, something that has been addressed, we feel quite confident in our site security. Outside of the password issue mentioned, you haven’t demonstrated that the site is flawed in any other way. You mention security breaches & we haven’t had any.
Customer service: Actually, we’re around a 90% initial response rate within 24 hours right now for most inquiries (we also get back to customers when things are resolved with a particular bank). Are there any other web 2.0 companies that are close? I don’t think so (most customers are surprised that we bother to even answer).
May I ask what company you work for? Perhaps I could cast a more critical eye on your comments & what your firm does. Sorry, I get a little skeptical when every comment verges on the negative.
Offers: Customer feedback about not viewing certain offers has certainly been taken into consideration.
“(e.g. “This cell phone plan is $100 cheaper per year (but we’re really not taking into consideration that you will have to pay $200 to cancel your existing contract, and we also really don’t know your coverage needs.”))”
This is obviously not something we would know. How would we know when a customer’s contract with a carrier is about to expire and/or if they have to pay a termination fee? Our system, again, is simply looking at transaction information & making a recommendation. The recommendation has no obligation for the customer to accept.
I used Mint for a little while. It’s based on Yodlee, for those not in the know, Yodlee is an online OFX transfer system. It collects (via encrypted web interface) and aggregates financial info. Well, Mint is pretty, but I found it to be less useful than Yodlee’s very own Yodlee MoneyCenter. Yodlee allows you to plan budgets, compare spending over a variable period of time, add every type of financial account imaginable (Mint does not). Yodlee also allows you a nifty net worth calculator and comparison chart which can be printed to pdf, handy for those who want handsfree financial statements. Yodlee is to Mint as the NFL is to Arena Football. Arena is flashier and more sugary, like gummy bears, whereas NFL has a lot more to it and is much more robust.
I tried Mint – nice interface and pretty charts, but not as advanced as Yodlee. With Yodlee you can display pretty much everything including reward plans and frequent flyer points. It’s a much more complete package.
-Raymond
I signed up for mint and started to add accounts when I then became a bit terrified about the potential consequences of a security breach and will not be participating. Just too scary.
This comment isn’t directed at Mint per se (as it applies to all aggregators), but Damon, your trivialization of the security aspect borders on irresponsible. Yes, definitely do all of the things that you mentioned (I do), and never, ever put your phone number, SSN, or driver’s license number on a check unless you are forced, in person, by a known institution, to do so. Pay with cash whenever possible.
Those are good suggestions, but how do those best practices make aggregators like Mint/Yodlee any safer?
Mint uses Yodlee. That’s good. Yodlee has a very clean track record so far. Excellent. However, the biggest security threat is not that someone would actually hack Yodlee. The bigger issue is that you as a customer of any aggregator (like Mint or any competitor) are aggregating all of your data into a _central point of exposure_, which is fundamentally dangerous, and should be well thought out.
I’ll give you one common, relatively simple example (and there are many) of why hiding _all_ of your information behind a single password is a supremely bad idea. Your financial info can be exploited _before_ it reaches Mint/Yodlee without having to decrypt anything. How? Is that possible?
If a hacker is trying to steal data, Yodlee is obviously, as you point out, too much work for most would-be thieves. The juicier target is the DNS lookup table information for a hot company like Mint that is stored on any of the servers that your information passes through when you connect to the Internet. DNS Hijacking essentially means that someone accesses an intermediate server that your data passes through, maliciously recreates a Web page that looks exactly like the intended destination, and alters the DNS table to direct traffic to their fake site instead of the intended, secure site. While DNS Hijacking is more or less hard to do, it is a much easier (and much more common) target.
How does this look to the user? How many times have you tried to log in to your bank site and after typing in your credentials you are sent to a page that says, “we’re sorry. Bank of Blah is undergoing maintenance. Please try again later.”?
Seems innocent enough. Except that what you have just done is sent your information across the wire, over numerous servers that you hope are securely routing your data correctly, with no verification that it arrived where you think it did (if you got into your account, you would be confident that it’s actually your bank, but since you didn’t get in, you can’t be sure).
In other words, in the worst case scenario you just typed in your user name and password into a page that you thought was the Bank’s page, but was actually simply gathering your user name and password info, and fooling you into thinking it failed to connect you because of simple server maintenance. A *smart* thief will do that for an hour here and there on different servers, restore the routing table so as not to arouse suspicion, and then do it again, trapping more and more user data. Eventually, the thief will have the user names and passwords for many, many accounts (if Mint and sites like it explode in popularity, which they are expected to).
So why is this any more dangerous with a service like Mint/Yodlee vs. accessing my bank account directly, online?
If this happens to my bank account, which it could, that is of course bad. But if this happens to an aggregator site like Mint/Yodlee, my _entire_ financial situation is now compromised, which is a potential disaster. Sure, my address and name are not visible because Mint didn’t ask for it. But now that the thief knows every single financial institution and transaction I have used or had because it is all kept behind the single password I use to log in, every account of mine is now a direct target. If I am a victim of a DNS Hijacking like this, I have just given the thief a short, neat list of every financial institution I use, and much more.
Why should that scare me? One example: How many Internet users use a unique user name and password for every site they use? A thief now has a clean, concise list of every bank, credit union, stock trading site, and credit card company to try my stolen user name and password on, or obvious derivatives, and if even one attempt works, each of those sites will provide a little more information here and there, including addresses, phone numbers, common security validation questions, email accounts, ability to change passwords, and on and on.
Possibly the greatest breach potential is if a user happens to use the same password for their primary email account, which many of us do. That means that even if the thief can’t get into some bank account directly, he can request that the password be either resent to the email address on file, or reset, which is almost always done via an email confirmation. Which is now exposed.
I can go on and on here. It only gets worse, and easier for thieves.
Again, _ANY_ site handling financial information is a target for this sort of attack, but an aggregator like Mint is a particularly attractive target because there is so much more to gain from a breach. Whole lists of financial details, all gathered neatly in organized piles for a thief to peruse at his leisure, or sell.
Bottom line:
Please don’t trivialize the danger of putting all of your financial information behind one password, as you (Damon) seem to be doing in your comments here and elsewhere. Users may choose your service, and it looks like a good one, but it should be an informed decision particularly from a security perspective, and not just so they can save a buck or two on good deals. And particularly if you (Mint) are not doing things like enforcing strong password policies from the start, and you spin that as a “bug”. Not enforcing strong passwords is a _security design flaw_, which should be the first thing you consider/test, and is (strong passwords) generally very easy to implement. Maybe that user was lying – I dunno. Regardless, don’t trivialize it.
But I digress.
Sorry again for the length of post.
I too started using Mint about a month ago, found it to be incredibly buggy, couldn’t load half of my accounts, and ING was impossible. I have since been using Quicken Online Beta, and it’s been great. Not sure what will happen cost-wise coming out of beta, but I will probably stick with it.
https://www.beta.quickenonline.intuit.com/quickenweb/
I tried Mint and was very excited about it at first, but they kept telling me my bank login information was incorrect, even though it wasn’t… I finally had to give up on it.
JG,
It sounds more like you are advocating not using the Internet for any financial transactions through a website. Why would using Mint be any different from using BofA’s My Portfolio page which aggregates all of your accounts on a single page and uses Yodlee for the backend password management?
If you say there is no difference, then we might as well never use our banking website for anything for the fear that our information will be hijacked.
I completely understand your concerns, and with prudence we can rely on a site like Mint which appears to have a strong hold and understanding on security.
The responsibility lies firmly in the hands of the user. If someone breaks into my Mint account what will they get:
1. Who I bank with (which someone could get through social engineering or tracking down tossed receipts…or just watch me go up to a particular ATM frequently)
2. What I buy (who cares…if I keep track of what I buy, then if I see something erroneous I know to check on it…the responsibility is MINE)
3. Account balances (again, so what)
Can they transfer money? No
Can they use that information to break into my account at the banks? No
Do they have any other identifying information to verify who I am? No
The account information is not stored with Mint, it’s stored with Yodlee, which it is anyway even with the banks.
Once again, I understand your security concerns, but paranoia removes the benefits of sites like Mint. I’m not advocating complete trust, as there is still a lot of responsibility on the user’s part. But don’t you think a site like Mint would have taken into consideration security before coming out with a site like this? Oh, and if someone uses a weak password or the same password that they use everywhere else, that is their own fault, not the site they are using.
Assuming that customers are “smarter” than to use an obvious password is dangerous. Assumptions are deadly and I know from personal experience that you have to plan for the lowest common denominator. Being prompted to create a complex password, and being required to do so are two very different things. But you know that, right?
As to the cell phone example, that just demonstrates a flaw in the recommendation design. I just don’t see the value or usefulness in making a recommendation for something with so many variables.
It’s still disturbing that you call the ‘password’ issue a bug. Stop making excuses and just call it what it was: an oversight and/or incomplete planning and execution. A bug is an issue with the software that interferes with the user’s ability to complete a task.
Regarding customer service: I’m going by what I’ve read in the comments here.
To re-quote *your CEO* “there has never been a major security breach at Yodlee.” That implies that a security breach has occurred, otherwise the statement would be “there has never been a security breach at Yodlee.”
Working for a big-name tech company does not automatically qualify someone for entrepreneurship, or mean they even know how to create or execute a smart business plan, much less that someone has a complete understanding of that particular business niche. I spent several years working at Amazon.com – not that it should matter. So does my experience working at Amazon.com (regardless of what I did there) automatically mean I’m qualified to start a similar business?
You can talk until you’re blue in the face about there being more danger of being pickpocketed or mail being stolen, but that *is not the issue here.* Spouting statistics about physical world examples is not relevant when you’re talking about online security. When a hacker breaches security, they are potentially pickpocketing the information of thousands of people.
It doesn’t matter whether or not I’m able to point to your site and say “this is a flaw and this is flawed, too.” I’m not going to use your site and I’m not going to spend my time and expose my information in order to help you make the mint site better – I am not mint QA staff.
Oh, and Ariston: if a site dealing with personal information *allows* weak passwords, that is the fault of the SITE for not enforcing better security. Reactive finger-pointing “Oh, well, they had a weak password, so it’s their fault” is just lame and unprofessional.
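The point made in this comment and in JG’s earlier one (a prompt to pick a strong password is not the same as requiring one, and a site that merely allows weak passwords owns the resulting flaw) comes down to a server-side check that the registration and password-change handlers refuse to skip. The following is an added example written for this thread, not Mint’s code or any commenter’s; the blocklist, the minimum length, and the usernames and passwords in the usage section are constructed for illustration, and a real deployment would load a large list of known-breached passwords in place of the handful shown.

```python
"""Server-side password policy: the site decides, not the user.

Added example for this comment thread; not Mint's code. The blocklist
below is a small constructed sample standing in for a real list of
breached/common passwords.
"""
import re
import unicodedata
from typing import List

MIN_LENGTH = 12

# Constructed sample; a production deployment loads a large list of
# known-breached passwords instead of this handful.
COMMON_PASSWORDS = {
    "password", "passw0rd", "123456", "12345678", "qwerty", "letmein",
    "welcome", "abc123", "iloveyou", "monkey", "dragon", "football",
}

# Simple leet-speak substitutions so "P@ssw0rd" is recognised as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "!": "i"})


def canonical(lowered: str) -> str:
    """Reduce a lowercased password to the dictionary word it is built on.

    Trailing digits/punctuation such as "...123!" are dropped first, then
    leet substitutions are undone, so "p@ssw0rd123!" -> "password".
    """
    stem = re.sub(r"[^a-z]+$", "", lowered)
    return stem.translate(LEET)


def password_problems(password: str, username: str = "",
                      min_length: int = MIN_LENGTH) -> List[str]:
    """Return every policy violation found (an empty list means acceptable)."""
    pw = unicodedata.normalize("NFKC", password)  # treat "ﬁ" and "fi" alike
    lowered = pw.lower()
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if lowered in COMMON_PASSWORDS or canonical(lowered) in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(lowered)) < 4:
        problems.append("uses too few distinct characters")
    return problems


def accept_password(password: str, username: str = "") -> bool:
    """The check a registration or password-change handler must call.

    A client-side strength meter can only *prompt* for a better password;
    a rejection here is what *requires* one.
    """
    return not password_problems(password, username)


if __name__ == "__main__":
    # Constructed sample submissions, as a registration handler would see them.
    for user, pw in [("alice", "P@ssw0rd123!"), ("bob", "bob2007rocks!!"),
                     ("carol", "correct horse battery staple")]:
        verdict = "accepted" if accept_password(pw, user) else "rejected"
        print(f"{user}: {verdict} {password_problems(pw, user)}")
```

The check runs on the server because anything enforced only in the browser can be bypassed by submitting the form directly; the canonicalisation step exists because a twelve-character minimum alone still lets “P@ssw0rd123!” through, and that is exactly the kind of password a blocklist is meant to catch.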
Regarding the argument that a hacker wouldn’t have access to the personal questions that banks, for instance, ask: how hard do you think it is to track down the generic information that is commonly asked? Mother’s maiden name? Year graduated from high school? City you were born in? Come on, it wouldn’t take a thief with that much intelligence to find that information. Anything that has a single, fairly-easy-to-verify answer can be found. You’re also assuming that the thief is using another computer — and has not, say, stolen the computer, found mint as a bookmarked site, and then started hacking. If the stolen laptop scenario is used, then the thief will not need to figure out answers to security questions. Most people, when a laptop is stolen, are more likely to call the police first, instead of calling all their banks and credit card companies and stock firms, etc.
And, like someone else pointed out, if the user does (what so many people already do) use the same or similar password and username for sites, then the job of the thief just got that much easier.
Ariston:
1. I’m not advocating avoiding online banking. Read the post. I cannot recommend any “aggregator” for the reasons I stated (IMHO aggregators are fundamentally bad ideas from a security perspective), but as I said, the difference between a break-in to my bank account (non-aggregated) and an aggregated account like Mint or the B of A portfolio is significant for several reasons: A) BofA provides reasonable assurance that if your account is compromised, they have a financial responsibility to you for that compromise. Mint simply does not. And while it may be like pulling teeth to try to get BofA to live up to that (I can only imagine), at least they don’t require you to sign away that possibility by saying they bear no responsibility if the worst should happen, as Mint apparently does (not verified, btw). And B) as I said, with any aggregator you’ve now given a thief a nice, neat, tidy list of your financial institutions, which now become targets. Different than a single bank compromise.
On user responsibility, I absolutely 100% agree – this comes down to user responsibility, as always. My issue, as I stated, is that Mint via their site and employees seem to be downplaying how important that is by making statements like, “ya know, its more dangerous to not shred your mail…” — bad call. Make users make good decisions when it comes to this via your interface and security design; enforce things like strong passwords. Educate your customer directly on best practices, immediately and directly. Make them pay attention to security, not just the ads that sell good deals.
You also said: “[...]don’t you think a site like Mint would have taken into consideration security before coming out with a site like this?”
Not to be condescending, but read that for yourself and think about what you just said. You feel comfortable assuming that a Web Startup, a _Startup_, is safe, simply because they must be if they are trying to make some money via a site like this? Are they under regulatory compliance to be safe? Are they providing you fiduciary assurance that they are safe (as a bank does)? Do they have physical locations like banks, available to you, that help you to be assured that they are for real (sorry – that last one may be paranoia, I’ll give ya that)?
On your points on what can be done with your spending information: 1) Who you bank with: as I said, sure a thief can see you use an ATM or walk into a bank. But why give them a nice, clean copy of _ALL_ of your financial statements, all at once, if the worst happens? 2) What you buy: I addressed that in my original post. It matters, and tells much more about you than you think. Do you want, for example, a would-be purchaser of your stolen identity to know where your kids go to pre-school because you write a check out every month? 3) Account balances: Do you really want a person, inclined already to rip you off, to have a really good reason now if, say, you have a large amount of money tied up in multiple, high-yield long-term accounts (for which they now have a list)? Do you really want that information, about you, for sale on the Internet? Paranoid, maybe. But if identity theft happens to you, and you embark on the years of effort it takes to recover, your tune will change.
I’m getting carried away again. The point is, folks should not downplay the risks or underestimate the damage that can occur from compromised financial data. Mint should offer better assurance. Customers should WAIT to trust startups until they are known, established entities (as Yodlee is doing), and make informed decisions on whether they are comfortable with the degree of information that they are giving away.
And companies like this one should be iron-clad sure that what they call “bugs” do not represent fundamental security design flaws.
JG-CISSP has made a couple comments here, and I imagine most people don’t know what “CISSP” means, so I thought I’d elaborate a bit.
“CISSP” is an IT Security certification with broad recognition in IT.
http://en.wikipedia.org/wiki/CISSP
This isn’t just one of those IT certifications that you can get with a couple weeks of study on a multiple choice exam. It requires years of real world experience and a very extensive exam. It has been said it is a mile wide and an inch thick, as far as the material covered, but that inch is probably more in depth than the average person knows about Information Security.
In layman’s terms, someone who has CISSP put a great deal of work and effort, likely their entire career track on Information Security, and they really should be taken seriously when they’re talking about security.
That said, a bigger concern of *mine* is not that *my* financial information and identity is stolen (I have insurance protection for that, and I don’t use this kind of site/service), but for the greater population. If someone were to breach Mint, they could access thousands of people’s accounts and information. If I log into a page, and I can see my bank information there, then somewhere, somehow, it was accessed and transferred, and a method to reverse engineer that *IS* possible.
Just look at what happened with TJ Maxx earlier this year – millions of dollars stolen through fraud.
Hmm… quite an interesting thread. JG makes lots of very good points, and it’s clear he doesn’t think aggregators are a good idea. If the certification that he attached to his name is for real, then obviously he knows way more than me or the layman. It has definitely made me rethink my use of various types of aggregator for the sake of convenience. I’ve been using Yodlee since 2001, through many versions, and I’d have to say that it wasn’t always working 100%. Whenever a bank changes their site, Yodlee will have to play catch-up. The same thing applied when I was using MS Money 05, which was horrible, as data wouldn’t sync properly sometimes but for whatever reason seemed to sync fine on Yodlee’s money center. Imagine these days, when banks update their layout constantly!
I tried out Mint and other sites like it, Geezeo and what’s that other one.. and they all seem to be pretty basic so far in terms of a personal finance management tool. Mint looks pretty nice and was easy to use, but definitely lacking in capabilities that other yodlee powered site has (no support for loans and brokerages yet). Geezeo was working okay (uses cashedge as data middleman), it supported my student loan but not my brokerage accounts (although I probably wouldn’t have linked it anyway).
SR: Hate to call you out, but you seem to be making a few assumptions on Mint, and already hating on them before even looking at them. I totally agree with you that “password” as a bug is pretty stupid, and makes you wonder if they have any other exploitable bugs, but I read through your arguments and was agreeing with them until I read the part where you said you haven’t even visited Mint’s site.
In your first post, you said that reading the privacy policy and terms and conditions is important, since your concern is that they’ll mine your personal information, and I totally agree. In your second post you made that point again, but you stated again that you haven’t reviewed their privacy policy, and you won’t because the site turns you off.
Whenever I personally use a website, I always read their privacy policy and terms and condition carefully. Mint’s first line in their policy states that they won’t ever sell or rent my personal information. If they at least comply with that then I’m happy enough. At least they’re not actively trying to screw me over (security holes, if any, aside. heh).
Seems pretty silly to me for you to be bagging on them before even visiting the site. You’re making all these statements about them mining people’s information before you even use their service. Of course, you’re not comfortable with using their service, that’s totally understandable. But maybe at least read through the site before you start hating on it? Makes the argument much more valid.
I’m going to echo JG’s comments. People shouldn’t downplay the risk in using online tools, whether you’re using aggregators like this, or giving out your CC information while you’re making purchases (regardless of whether you’re protected under law or by the bank). Like I said, whenever I use anything remotely close to a financial transaction online, I read a site’s privacy policy and terms and conditions carefully. There are a few clauses in Mint’s that make me cringe, but they’re the standard business stuff that I’ve read elsewhere and, quite frankly, in my own bank’s too (gotta cover their liability, after all). So to protect my own, I take precautions.
You’ll never see me linking my retirement accounts or brokerage accounts to unestablished companies. That’s where the majority of the egg is at, since you can actually make transfers with the password to those accounts (although my brokerage has secondary trading passwords).
I’ve gotten my identity stolen before, and it was no fun to clear that up. Some clown opened up a CC in my name, and I believe I’m fairly careful with my personal information. I noticed this when I saw some strange charges on an account I hadn’t used in a long time from a local community bank (through my account aggregators), and then signed up for credit monitoring just to be sure.. and sure enough, a new CC account had been opened at this community bank. Took me a week or two just to clear it up. I can only imagine if it was worse and I hadn’t detected it earlier, as I’ve read plenty of horror stories. I was able to detect this early due to using Yodlee, but of course you can also argue that using these aggregators made me more vulnerable.
Still, I think people should be proactive about their own privacy and financial information security. Whenever you use a website or do business with a company, you should always read about how they handle your information (and at least visit their site before making assumptions). Of course that doesn’t mean a company can be lax about their practices, but as with your own financial welfare, no one can judge your situation better, so it’s up to you to see how much you’re comfortable with in regards to online banking and other similar practices.
Thanks JTimberman.
We’re also known as the white hats that people pay to be a little paranoid.
Can’t believe I spent 40 minutes typing that up. To add, it’s true that many major corporations also get their butts handed to them. You can make the argument that if big companies or banks can’t secure their data, how can small startups? Although another argument can be that a bigger organization with more people also brings about more exposure and laxness in customer protection practices.
Security AND privacy with financial information is always a hot topic (as it should be), but at some point, people just have different values and different comfort level. I certainly don’t go out every day, assuming the next company I buy stuff from is going to screw me over or sell me out. But I’m also not naive enough to trust everything on first impression (whether it’s a good or bad one).
If you really want to use a website like this, do yourself a favor and take proactive action. If you don’t want to bother with reading all the steps you can take, the policy they use, the terms they impose on you.. then definitely don’t use the service.
It’s the same with credit cards, you wouldn’t want to sign up with one without reading carefully what you’re getting into.
James: you make some valid points. I have, since, looked at their website for the privacy information, and it said something to the effect that they would never use it with identifying personal details attached. Though, remember when the search engine (unfortunately don’t remember which one — might’ve been aol) revealed “anonymous” searches, but those searches included people searching by their zip code, personal name, or in relation to their personal addresses, so that it was in fact possible to figure out what was going on in different zip codes and even households? And considering the way they discuss design problems (“bugs”) and how they appear to be currently slated towards making excuses and being reactive, I just can’t say that I would trust them to not give out personal information inadvertently.
However, they are mining the data as they can say “well, BofA, we have xy people on our site, they pay an average of yt% APR, and only zy% use your bank — wanna make an advertising deal?” To my understanding, that is still data mining — regardless of whether or not a person’s name is attached. Their goal is clearly to make the most money possible, and I’m not so clear that that goal is second to providing a service to consumers.
Obviously, mint is out there to make money from advertising (they’ve said this, and theirs is a free service), and how else are they going to pitch to advertisers without mining the data they have?
I’m a security engineer for a large multinational corporation and I fully understand what Mint (and Yodlee and the others) are doing, and the ramifications.
I would never, ever use a service like Mint, or Yodlee, or any other sort of financial information aggregate site. I don’t even use services like Google spreadsheets or calendar or anything like that. The fact that people are uploading all of their info like this to a central location simply boggles my mind.
Saying that Mint is safe because their servers are protected by guards or whatever is irrelevant. You don’t need access to their servers to compromise Mint, you only need an Internet connection.
The risks far, far outweigh any possible benefits you would get from a service like this (Mint or any other). I guess the fact that people are gullible enough to use a service like this means there will always be plenty of work for computer security people like me, which is a good thing, but wow.
Ignorance is bliss because I’ve never heard of Mint & Yodlee before this post. Thanks to those who took the time to caution the rest of us.
I’d love to have automated tracking of all of my account balances but there is no way I would put all of my bank and credit card account info on one of these sites. I didn’t even enter that information when I used Quicken. There is no way for me to know if Intuit was uploading that info to their servers.
I wish there were a free simple client application that could be installed on my PC without storing/maintaining account info on a 3rd party internet server.
Ken -
That’s exactly what Wesabe does. They are very explicit that your data is YOUR data, and they’re just there to help you understand it better, and to connect with other people who are in the same boat.
From their security page:
So, basically, your bank account information is only on your PC … never on their servers. You can find out more at Wesabe.com.
(I don’t work for them.)
Star Money Articles for the Week of November 12…
Here are some recent interesting posts from the MoneyBlogNetwork and beyond: Consumerism Commentary highlights some useful websites. AllFinancialMatters covers the right mix of stocks and bonds. MightyBargainHunter gives some good career advice. Five C…
Yodlee for stats; Wesabe for tips!
I tried Mint a short while back; it is definitely pretty, but you pay for the babying – you have no control over anything.
I was also frustrated to keep getting exclusively “tips” like those described in the review – clearly wrong, and clearly designed to make money off referrals. I don’t like getting tips based on kickback schemes.
Yodlee! Wesabe! Yodlee! Wesabe!
[...] Mint: A Fresh New On-Line Personal Finance Tool. SC, a reader of Get Rich Slowly, provides an in-depth look at the new online money management software. For Consumerism Commentary’s take, read Sasha’s review. [...]
Just a small reminder to Mint’s CEO. I know you want to reassure everyone about Mint.com and their security but detailing your entire set up is a bad idea.
Never give would be robbers/hackers your entire security set-up including the hurdles they have once inside your building.
Be a little more vague next time please.
Otherwise I really like Mint and would recommend it. You need to support way more credit unions though as I cannot use your site at this time due to Sound Credit Union not being supported.
Thanks.
[...] which lets you track your spending, understand where you spend the most and how to save. You can find a brief overview here. Mint is a free service and, at least in the USA, you can connect it automatically to your data [...]
This is a very good way to keep organized with financial matters. Although this program is interesting, I don’t think I would have the time to try it
As for this post, you spelled “CAPITAL” one wrong as “CAPITOL” at the top
-Mike
p.s. You accidentally deleted my comment, so I figured you fixed the problem
Booo for Mint!
I read this review and wanted to try it out – that was until:
1) it can’t see any bank that uses image verification
2) can’t see student loans
3) can’t see car loans
4) can’t see your house payments
Uh…..what’s the point?