Last week, a coworker asked me what I thought about the Mint.com personal finance service site. Deanna asked me because, in her own words, "George, you are more paranoid than me." I spent several days researching and reviewing the site. Afterward, I began to wonder how safe and secure it really is.
If you aren't familiar with the site, it is an online service to help consumers manage their money. It is a free alternative for consumers who don't have the money to hire a personal financial adviser. Many consumers like Mint.com since it mostly eliminates the manual data entry of financial transactions at your bank. According to the site, 600,000+ people use Mint.com, with 2,000+ daily users, $50 billion in transactions, and $15 billion in assets. The site publishes an impressive list of reviews and awards, too.
My question is this: how safe is it to store all of your personal financial information in a single online site? Shelley Elmblad at About.com answered the first part of that question with a comparison of desktop and online financial services software. The second part of the answer is specific to the Mint.com site, which says:
"Mint does not ask for its customers' names, addresses or Social Security numbers. It establishes a one-way connection with the bank so that no money can be moved around... Mint works for you without requiring any personally identifiable information from you. Your Mint account is anonymous; set up requires only an email, password and zip code."
That sounds good. Mint.com says that it uses the same physical and encryption security as the banks. While that might sound good, it's not 100% bullet-proof since some banks and financial companies (e.g., Ameritrade and Bank of America) have had data breaches, and some reports have documented flaws in the financial system. Plus, all of that online security won't necessarily prevent a data breach by an inside job -- data stolen by an employee.
The Mint.com site says that its account setup doesn't allow Mint.com to move money. It's a "read-only" service. That sounds good, but how safe is it really?
My skepticism with a service like this is that in order for a consumer to enjoy the full benefits of Mint.com, he/she still must submit their bank sign-in credentials (e.g., ID and password) repeatedly so the Mint.com software can import their latest financial transactions. And, a consumer must provide those credentials for every bank account and credit card account he/she wants to evaluate.
To learn more, I read several online reviews of Mint.com at About.com, TechCrunch, the Well-Rounded Woman, the Consumerist, the New York Times, and Brit Gardner. Afterward, I wished that all of these reviews had focused less on the features and more on the data security.
Since I started writing this blog, one thing I've learned is that my financial, bank account, and e-mail sign-in credentials are just as valuable as the sensitive personal data companies archive about consumers. An identity thief in possession of my sign-in credentials can still do lots of damage. They could use a brute-force method to determine which other sites they could sign in with the stolen sign-in credentials; and then sign in and steal the remainder of my sensitive personal data and money.
And, a data breach at Mint.com would clearly be a huge disaster. While writing this blog, I also learned that identity thieves are smart and persistent. They will hack into sites that don't maintain current and effective security measures. They will hack into the electronic transmissions between sites and third-party sites. They will identify and attack both high-value sites and the consumers that use those sites.
One area that seems murky is what happens when things go bad after a consumer submits their site B sign-in credentials at site A so that site A can use information retrieved from site B. What happens when site A suffers a data breach in which the site B sign-in credentials are stolen? Which site's company is liable: A or B? Which company will help the user with credit monitoring and recovery services? It seems unlikely that site B would provide assistance due to a breach at site A.
Think of it this way: when there's a credit card theft, I know that the credit card issuing bank will stand by me with help. Another example: when IBM suffered a data breach that exposed the sensitive personal data of its employees and former employees, it provided one year of free credit monitoring and recovery services to the data-breach victims. What can I expect from a small start-up like Mint.com? Does Mint.com have the resources to help, should things go bad? For me, it is important to know this upfront when deciding whether or not to register with a new financial services site, since data breaches unfortunately happen.
"Mint cannot always foresee or anticipate technical or other difficulties which may result in failure to obtain data or loss of data, personalization settings or other service interruptions. Mint cannot assume responsibility for the timeliness, accuracy, deletion, non-delivery or failure to store any user data, communications or personalization settings... You agree and understand that you are responsible for maintaining the confidentiality of your password which, together with your LoginID e-mail address, allows you to access the Service... Your access and use of Mint.com may be interrupted from time to time for any of several reasons, including, without limitation, the malfunction of equipment, periodic updating, maintenance or repair of Mint.com or other actions that Mint, in its sole discretion, may elect to take... you grant Mint a limited power of attorney, and appoint Mint as your attorney-in-fact and agent, to access third party sites, retrieve and use your information with the full power and authority to do and perform each thing necessary in connection with such activities, as you could do in person."
So, Mint.com customers authorize the site to act fully on their behalf, and assume all risk for maintaining the security of all of their bank and financial service sign-in credentials. Nothing surprising there. However, there's more (bold added for emphasis):
"YOU EXPRESSLY AGREE THAT YOUR USE OF THE SERVICE IS AT YOUR SOLE RISK. MINT MAKES NO REPRESENTATIONS, WARRANTIES OR GUARANTEES, EXPRESS OR IMPLIED, REGARDING THE ACCURACY, RELIABILITY OR COMPLETENESS OF THE CONTENT ON MINT.COM OR OF THE SERVICE... MINT MAKES NO REPRESENTATION, WARRANTY OR GUARANTEE THAT THE CONTENT THAT MAY BE AVAILABLE THROUGH THE SERVICE IS FREE OF INFECTION FROM ANY VIRUSES OR OTHER CODE OR COMPUTER PROGRAMMING ROUTINES THAT CONTAIN CONTAMINATING OR DESTRUCTIVE PROPERTIES OR THAT ARE INTENDED TO DAMAGE, SURREPTITIOUSLY INTERCEPT OR EXPROPRIATE ANY SYSTEM, DATA OR PERSONAL INFORMATION... MINT SHALL IN NO EVENT BE RESPONSIBLE OR LIABLE TO YOU OR TO ANY THIRD PARTY, WHETHER IN CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, LIQUIDATED OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFIT, REVENUE OR BUSINESS, ARISING IN WHOLE OR IN PART FROM YOUR ACCESS TO MINT.COM, YOUR USE OF THE SERVICE OR THIS AGREEMENT, EVEN IF MINT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES."
Well, that seems pretty clear. If Mint.com is hacked or breached, they aren't liable and the consumer is on their own to resolve the problem. While Mint.com has every right to protect itself, there has to be a better balance with the needs of consumers. Based on the above copy, Mint.com customers are on their own should a data breach happen.
Should you register for Mint.com? That's your decision and a decision only you can make. Only you know how much risk you are willing to tolerate.
My take: a consumer that uses any financial services site like Mint.com absolutely has to make sure that their personal computer is properly protected, and that he/she creates and uses strong passwords. It'd be foolish to use the same sign-in credentials at Mint.com that you use for your e-mail or at your online banking site.
Seems to me that sites like Mint.com are high-value targets. Time will tell how effective Mint.com's data security methods are. I hope that they are as effective as advertised.