
General discussion

Mint.com security alert

Nov 6, 2007 10:30PM PST

Rafe Needleman's very positive review of Mint.com in Real Deal 83 was sadly out of touch. The only caveat Needleman off-handedly mentions is that Mint needs all your passwords. You might not be "comfortable" with that, he says.

No kidding. Giving your passwords for your online bank accounts and financial accounts to a third party might be a problem. This is especially the case because with the routing number and the account number, an identity thief could rip you off. A hacker or rogue employee at Mint.com could dip into your Mint.com account, log in to your bank, get any and all information stored there, and pretty much do anything with your money. Many companies think they are immune to attack. One was TJ Maxx, which was nevertheless hacked, exposing over 90 million credit card numbers.

Secondly, as a matter of privacy, there is no real way for Mint.com to be able to keep your data perfectly private. There is nothing holy or sacred when it comes to the privacy of online accounts. Recently, Facebook employees were accused (http://valleywag.com/tech/scoop/facebook-employees-know-what-profiles-you-look-at-315901.php) of peeking at people's private profiles, checking to see who visits what profile, and generally poking around in other people's business, when those people expected to be treated with respect. If that can happen with Facebook, it can happen anywhere.

In short, just because the Real Deal recommends Mint.com doesn't mean you shouldn't look at it with great skepticism.

BTW, I agree that Quicken, Microsoft Money, and the other financial apps all currently suck, too. Unfortunately, I am not aware of any personal financial platform that is worth using.

I wonder if banks could offer a 'service entrance' login?
Nov 12, 2007 2:17AM PST

I'm thinking of a login specifically designed for 3rd party apps to view particular info that you specifically make available, but not all your info... kind of like an admin will give a user restricted/read-only access, but keep unlimited root access secure. Would a 2-tier system like that make Mint-type services less dangerous, but still useful?

Mint.com already uses a third party
Mar 21, 2008 9:19PM PDT

I recommend you take a look at Mint.com's privacy and security page:

http://www.mint.com/safe.html

According to their written policy (you still have to take their word for it), they do not actually retain your login information. Rather, they partner with Yodlee (http://www.yodlee.com/), a third party that "has provided account aggregation services to the top US financial institutions and to one of the leading desktop personal finance software products for more than 10 years" (that's a quote directly from Mint.com). From what I have been able to research, Yodlee retains login information for some very large companies with many millions more dollars than myself. Of course, at the end of this, you are still trusting a party other than yourself or your bank, but the way I see it, even your own online banking site is vulnerable to attack or malicious employees. At any rate, that helped me. You can take that information for what it's worth. I think it's important that we all approach something like this with skepticism and not just sign up for something without first thinking.

Privacy can only exist when
Dec 27, 2008 4:33PM PST

your own ISP cannot identify you if, say, they are requested or demanded to by some authority. It can be done.

Just to be clear...
Aug 8, 2010 1:42AM PDT

When a third party uses a third party - they are already spreading your info around - and even if the fine print says they will keep your data safe, they are not usually legally held to their own ideals - TJ Maxx is a good example, and remember even the US Govt is not immune to personal data leaks - example - several years ago the VA 'lost' millions of veterans' info, simply because an employee took some work home, and the laptop was stolen. Be wary of your data - Sad thing is that these companies offering online financial data storage and consolidation probably have better security than most personal laptops (or wireless devices!)! Additionally, many ISPs will retain all email, tracking data, buying trends - all data is potentially a money maker! Even 'private' data.