
Tuesday, December 23, 2008

Listed below are links to weblogs that reference Is Mint.com As Safe And Secure As It Says It Is?:

Comments


John Taylor

Great job George! In this world where the holes in our privacy sieve are becoming larger folks are increasingly expanding their exposure to ID theft crimes. Thank you for your tireless research, and have a wonderful holiday season!!

John T

matt @ Thrive

Who to trust, and how much to trust them, is certainly an important question. I actually get a couple of Thrive (www.justthrive.com) users a week call up and ask about security, and I always tell them that I'm actually glad they called: consumers that ask about this sort of thing are good consumers. Maybe you should give us a call, George, and we can explain our "one-way tunnel" system and how we protect our users' information?

George

Matt: thanks for the comment. I took a look at your company's web site http://www.justthrive.com . It seems very similar to Mint.com . So, what's different about Justthrive.com? How is the security at Justthrive.com any better than Mint.com? After viewing your site, I didn't see any differences, except that Mint.com has more awards and service reviews linked.

George
Editor
http://ivebeenmugged.typepad.com

matt @ Thrive

For one, and I think this is big: you can actually call us. We pick up the phone, we talk back, we'll answer questions and address security concerns. We even welcome visitors in the office, if they are in NYC - you can come check on the people that accepted your sign-in data and we'll usually buy you lunch, if someone is free. I'd love to see Mint make the same commitment.

Another difference: we're talking to you (on Christmas Eve, no less!). We're actively out there in the world, talking about bank and data security, and what people can and should do to keep themselves safe. We consider increasing financial literacy (which includes security discussions) part of what personal finances need to do to help the public and serve their members.

Unlike Mint, we also ask for your name and phone number. Why? Because in the event of a data emergency, we want to be able to contact you immediately, verify your identity, and get to work dealing with the problem. Anonymity is a double-edged sword: less for hackers to steal, but less ability to actually help you with security issues.

These combined serve to reinforce one of your points: if you are going to work with a personal finance site, you want one that is actually interested in your welfare and will help you with any issues that you have. We are not a churn-and-burn shop and we were founded to help people. Compare this to Mint's founding purpose, which was to make the graphs that Quicken wouldn't.

A few notes that apply to the way Thrive handles your data (I can't speak to Mint's system - I'm sure you could write them and they might answer). The way I like to explain the one-way security tunnel is as a multi-step process. When you first login, we take your sign-up credentials and they are sent to your bank, to create the secure tunnel. We DO NOT store the logins on our server - after the secure tunnel is created, it simply sits as a one-way tunnel for information. Banks can push information to us, and we cannot push it back.

If you change your login credentials, your bank breaks the tunnel and lets us know - we then request updated credentials for you. Again, your credentials are not stored on our servers, they are simply used to recreate the tunnel.

So there are two data-loss situations. In one case, your Thrive account credentials are hacked and someone can log in as you. What can they see? Your balances, your transactions, what types of accounts you have, and what banks you use. Damaging information, to be sure. But they don't have your bank passwords or logins, they can't change anything at your bank or move any money around. They can only view some sensitive information about you, which they could get straight from your mailbox - it is the same information on any paper statement you receive.

The other data-loss situation is a hacking of our servers, not just your account. The same information is available, but on a vastly larger number of people.

You sum it up well at the end of your post: everyone has to choose for themselves, based on the positives and negatives, of joining a site like Thrive. And honestly, if someone understands all the considerations and still chooses not to use Thrive, we're totally fine with that - it isn't for everyone and some people are less comfortable than others. I simply care that people understand what they are and aren't making accessible by using such a site, and all the things they stand to gain.

I'm a behavioral psychologist and we've worked hard to make sure that Thrive gives measurable help to our members. We can see, in concrete numbers, how our system changes people's financial behaviors, and the money they save by making infrastructure improvements, understanding where they spend and why, and working towards their goals and plans in an organized way. So for all this talk of data security, there is a very real upside to joining Thrive (www.justhrive.com) and I wouldn't want to have a security discussion without ending on that note.

Forest Marie

I'm going to pass on mint.com. I don't feel they're ready for primetime yet.


Denzel

I would really love to start using Mint or Thrive. I actually just learned about Thrive by reading the comments section. I think that what Mint is missing is the ability to give people financial advice based on their individual financial situation. That is where Thrive will certainly be able to compete against many of these new services.

One thing that I have noticed that Matt from Thrive did not address is what happens if all the credentials are stolen during the first sign-up, or while they are being updated (when all the log-in information is sent to confirm the credentials with the bank)? That seems to be the only time/point where all the passwords would be moved at the same time and generally qualifies as the only time a hacker could gain all to learn about every log-in and password used for each financial institution linked to Thrive. What if, and I realize how low the probability of this happening is, a hacker gets access to the "tunnel" at that very point when a user is signing up with Thrive and sharing his/her passwords?

What if that same hacker logs into all of the stolen accounts and pulls out all the money. How would Thrive (or Mint for that matter) be able to help? Why could not Thrive and financial websites like Thrive buy insurance for such instances, so that they can actually reimburse their clients in case of data or money loss? Credit cards are doing it, why could not Thrive? I am sure the insurance premiums would be high (maybe not due to the low probability of such a hack actually happening), but it would be a real differentiator for Thrive and it would certainly help it become the #1 financial website everybody trusts.

matt @ Thrive

Denzel: thanks for the commentary. The reason I didn't mention what happens if a hacker steals your info when we send your credentials nightly is that we don't send your credentials - we do not store your password or username on our servers at any time. And yes, while someone could theoretically try to "listen in" while you inputted them the first time, it is important to realize that the same thing is true of logging into your bank online: there is the same possibility of interception.

Thrive's security is handled by experts, and at some level, you have to decide for yourself whether you are ready to trust in that expertise. But this is no more or less true than any other website: if you submit your credit card info to any online vendor or log in to any online bank, you are exposing yourself to the same risk.

benizi

Mint does the same thing Thrive does, apparently. The financial account info is never stored at Mint. Yodlee (yodlee.com) has it.


And really, doesn't having lunch with customers just set you up for social-engineering attacks? :-)

I kid. You're obviously thinking about the risks and issues in a reasoned way.

Sources on the Yodlee/Mint connection:
A FAQ on Mint's forums:
http://forums.mint.com/showthread.php?s=3526b65b4c8e1a11411b182d55e26542&t=461

An outside forum's discussion that mentions Yodlee:
http://forums.cnet.com/5208-7808_102-0.html?messageID=2735272&tag=forums06;posts#2735272

Another post that pointed to Yodlee:
http://forums.mint.com/showthread.php?t=703

matt @ Thrive

Naturally, I can't confirm that about Mint/Yodlee but...=]

We have fencing equipment in the office - if anyone tries a social engineering attack, they may find themselves at the wrong end of a sabre with no protective equipment. *grins* We take a lot of pride in making sure that we are here: at the other end of the phone, in the office, in the press, working for both Thrive users and people in general. Each of us is attaching our face and name to Thrive because we believe in what we do.

And I actually think that's a relevant security concern. Amid all this talk about banks and bonuses and lack of transparency, I can't help but wonder how things might have turned out different with AIG and others if those people were publicly exposed to the world and therefore accountable. We know people make very different decisions when they know their name and face are going to be attached to them.

So my name is Matt Wallaert, my picture (and most regretted purchase and executive bio) are up on the Thrive site and I'm on the other end of the phone when you call.

George

Matt:

Thanks for your insightful, honest, and sincere comments. They are truly appreciated.

George
Editor
http://ivebeenmugged.typepad.com

matt @ Thrive

George: my pleasure. Thrive is a service, and we take that commitment seriously; you can't very well help people if you're not willing to talk with them.

Dawid

The one-way read tunnel is an interesting idea, but I would feel more secure if the tunnel was established by my bank and not the other way around. This would ensure that Mint or Thrive never see my credentials.

Dawid

matt @ Thrive

Dawid: We'd love to do that too, but you'd have to get banks to buy in (harder than it sounds), coordinate every bank's login, and the friction for users would be high. So I agree in theory, but I'll be honest: we simply can't implement that.

Cynthia

Thanks for that great article and all the research. It's exactly what I was looking for.

George

Cynthia:

Glad that you find this post helpful. There are plenty of other helpful posts in this blog. And, if you have any questions, feel free to send them.

George
Editor
http://ivebeenmugged.typepad.com

RD

great article. great blog! thanks all involved and thanks for joining the conversation Thrive.

If I were Matt I'd say, "Where is Mint for this conversation?" Hopefully, Thrive found this blog simply through monitoring social media and proactively addressing the concerns of the public (or googling themselves). I only say that because the opposite would be that somehow this site and someone at Thrive are buddies. That is not a whisper smear or anything. I had to say that because other companies and other blogs out there in the world team up. And, if this wasn't the first time i've been to this site, or the first article I've read here, then certainly I would know for sure that this is all legit. And I think it is all legit. Sorry for the ramble, but now I'm going to check out Mint and Thrive. Oh, and why not join both and compare?? I might do that. Cheers to George and Matt and everyone else in this blog's community!!

George

RD:

Glad that you found this post helpful and informative. You are correct: Thrive found this blog simply through monitoring social media. I wish that more companies monitored social media. It's another way for companies to engage with prospects and customers.

Also know that if there is/was a relationship between this blog and Thrive (there isn't and wasn't), I would have mentioned it. Transparency and trust are important to me.

George
Editor
http://ivebeenmugged.typepad.com

Sophie

Matt @ thrive : Where might I find a JustThrive user forum? I'd like to read a bit about other users' experience before I share my info with Thrive.

kellie

if thrive is so good, why is it free? i love free stuff but it does make me worry just a bit.

JK

My biggest problem with Mint.com is that you are granting them limited power of attorney to access third party sites. I know that one is to assume that is only sites that you authorize them to access, but it does not state that. Using 'power of attorney', financial institutions, your login credentials and 'WILL NOT BE HELD RESPONSIBLE' in the same paragraph is enough to turn me away. I am surprised that you did not expand on that George. Granting anyone Power of Attorney for anything is just plain dangerous! Especially when "retrieve and use your information with the full power and authority to do and perform each thing necessary in connection with such activities, as you could do in person." is at the end of that sentence.

I will stick to my Excel spreadsheet that does forecasting, budgeting and analysis on its own. And it doesn't try to sell me anything when I put in my paycheck amount.

matt @ Thrive

@RD: I wish I could say George was my buddy (I certainly appreciate what he is doing to help educate and inform people) but alas, I don't know him personally - certainly if he wanted to drop by the office, we'd take him out to lunch, but that applies to all of our users.

I don't even remember how I found the site originally, but you're absolutely right that we do monitor Google mentions of us and our Google Analytics to see when people are talking about Thrive.

The simple reason: we want to listen. Not every comment becomes a feature on the site, and some comments are downright counterproductive, but as the "new stuff" guy at Thrive, I take user feedback into account when I decide what we're going to work on next. Users can let us know both what isn't working now and, importantly, what is, which helps us know what to continue to grow and develop and what to prune back. There is a ton of good science behind Thrive but all the good science in the world does not substitute for just talking with people. And we do, to literally thousands of folks a year.

Which I'm thankful for. As much as you may appreciate you listening, you cannot imagine how much I appreciate you talking. Finance can be a hard topic to talk about, and when users take the time to be honest about how things are going for them, that makes a difference in the way we are able to help the world.

So thanks. Really. We at www.justthrive.com appreciate it, and I do personally as well.

matt @ Thrive

@Sophie: Unfortunately, we don't have a user forum (we simply haven't had the manpower to build and moderate it yet). But a quick Google search will bring you lots of reviews from people who have used the site, and if you wait a week or so, we'll be rolling out an area for user testimonials, so that people can tell us what they think.

Another useful way to find out about Thrive? Twitter. Check out http://twitter.com/#search?q=justthrive.com to see what folks are saying about us, good and bad, in real time. It will only show you the last 10 days or so, but it is a good way to get a quick glimpse of how we're working for people.

As a quick bonus, if you're willing to trust me, I checked our support inbox for the last "positive comment" email and this is what I came up with (parts are censored to anonymize the sender).

"Thank you so much for your thorough response to my concerns. I have been testing out a number of applications to track my finances over the past few months. Mint has been my favorite up to this point, but every time I submit an inquiry, they send back short -- and often irrelevant -- answers. I am brand new to Thrive and I love the look and feel of it....

...Again, thank you so much for that thorough reply. It really does make a huge difference for me in deciding which site to be loyal to. Keep providing great service and improving your site and I'll be around for a long time.
Take care,
*******

p.s. so far the things that set your site apart are the "plan for your future" section where you can set goals to make purchases and then the retirement section where it tells you how much you will have in retirement. That is sweet!"

matt @ Thrive

@kellie: I can understand your caution: it can be hard to trust a company without understanding their motivations. So let me tell you a little personal story, and then I'll fill in with some facts.

I'm 27, a behavioral psychologist by training. I grew up in rural Oregon in a working class family, went to college, and then on to grad school. The Thrive folks actually got in touch with me while I was working on my PhD and I didn't write back to them for almost eight months - the concept of working for a "startup" and outside of academia didn't really seem like it was for me. It seemed so risky, and so business-oriented. I got into academia to do research that would help people lead better, happier lives...how could a company do that?

Finally, after several emails, Thrive's founder Avi Karnani finally managed to coax me into a phone call. And he never said "how can we make more money", only "you are a scientist. You understand how people make decisions. How can we help them make better ones?"

Again, over a period of several months, they finally talked me into coming to New York City to have a meeting. I sat across from Avi and we're chatting and I said "what is Thrive trying to do?" And he looked me straight in the face and said "we're going to end bad debt in America." And so I put my PhD program on hold and came to work at Thrive, on the strength of that promise. He said that we would always try to help people the very best we could and he's never broken that promise to me yet.

So why isn't Thrive a non-profit? It turns out, we actually registered both as a non-profit and a for-profit company in the beginning, so that we could make the decision as to which would help people more later on. But the problem with non-profits is that they are hard to sustain - they have to limit what they do because they can't pay for big plans, and far too many can't get continued funding and so they cease to exist.

And that wouldn't help people. We talked about it as a team and made the decision that we needed to be a self-sustaining, for-profit company, because that is how we could get the power in the world to do big things and also make sure that we stayed around to help people not just for a year or two, but for as long as we could be of service.

That paid off for us. LendingTree acquired us and they've kept to Avi's promise: Thrive is a place where we help people build better financial lives, as simple as that.

Do we make money? Yes. We want to stay in business, we want to hire more engineers, we want to do cool things and that takes money. But the ways we make money will not violate the best interests of our users.

For example, if you have a bad credit card, we recommend a better one. Sometimes, the credit card company will give us a little money, called an "account generation fee" for bringing them a new customer. Sometimes they won't. We don't let that affect what we recommend: whether we are getting paid or not, you get our recommendation of the best card we can find. Unlike some of our competitors, we don't do "sponsored listings" that put some companies at the top, and we don't say "this company is better" simply because they'd pay us to do so. That isn't how we do business because it isn't what we believe in: we came to help people.

So there is a story, some facts, and the promise. But let me add my personal guarantee. I can't say that Thrive will never do anything to hurt people - that would be foolish, as I'm not the only one who works here and I can't guarantee what the future will bring. But I can promise you this: the day that Thrive starts putting making money above helping our users, I'll add a comment on this post and let you know that they no longer have your best interests at heart and that I've left the company. Fair enough?

George

Matt:

Thanks for taking the time and effort to write your detailed comments and replies. I really appreciate it. Whenever you visit Boston, shoot me an e-mail so we can meet. I'll buy you a coffee.

George
Editor
http://ivebeenmugged.typepad.com

RobbieB

How are there any additional risks here than using any other site you provide credentials for? please read this article to actually learn something about the mint.com service and what happens if you do have identity theft or malicious activity with your accounts:
http://themedium.blogs.nytimes.com/2009/05/27/addressing-security-concerns-on-mintcom/

George

RobbieB:

Thanks for the link to the NY Times articles.

I stand by what I wrote above, especially given the words from Mint.com's own Terms of Use policy. It is reasonable to ask what help is provided when things go wrong, because unfortunately s--- happens. (See the bank breaches I mentioned above.) Also, you might want to check your bank's Terms and Conditions policy about what help your bank will/won't provide when you enter your log-in credentials at another company's web site.

Last, Mint.com executives have always been and still are welcome to post comments here. So far, they have chosen not to.

George
Editor
http://ivebeenmugged.typepad.com

Brian A

I've been googling "Mint vs Thrive" and have read a few articles and their comments. So far Matt has responded on many of them, no one from Mint has, and that says a lot to me. I couldn't really decide because of how similar they seem but based on the "human element" (because of the effort Matt is making) I've decided to go with Thrive, keep up the good work!

Anonymous

Only a fool would provide any site with all of your financial online information. One insider can ruin it for many with no recourse.

Josh

For those of you who are paranoid, please think about this: If someone is going to hack Yodlee (Where your bank account info is stored for mint.com) with miraculous ease, which probably won't happen as such, then why couldn't they just use the same tactics on YOUR bank's databases? They both use the same encryption right? Okay then.

And for those of you who use Quicken and MS Money, those programs also connect to the internet to sync information in one way or another. The only way you're truly safe with Quicken or MS Money is to have an isolated computer (as in, not hooked up to the internet AT ALL, EVER) with such information on it. Now, given that, probably 95% of computers in the world are connected to the internet with a lot less security than Yodlee or your bank. Not to mention, if someone burglarized your house and took this isolated computer, your files and/or hard drive are not encrypted either; but are with Yodlee and banks.

Just think about it. If you're truly worried about getting hijacked on the interwebz then just use pen, paper, and a fireproof safe in the closet that's bolted to the floor. There is no pure secureness in the digital age.

matt @ Thrive

@Brian: Thanks for the vote of confidence - hopefully, Thrive proves to be the right choice for you feature-wise and we can help you spend less, save more, and accomplish your financial goals.

@Anon: Just to be clear, the insiders would have to be fairly specific, as at most companies (or at least at Thrive), only two people have any sort of direct database access and all code is carefully reviewed.

Bryan

@George and Matt
I think you both have done a great job at addressing the security concerns I had with these services. I too will be using Thrive over Mint because of the points made in this discussion, as well as Matt's continued effort to answer our questions. I like to think I make more effort than most when it comes to security, but I know at some point it becomes philosophical. Otherwise, we'll end up in a bunker wearing tin foil hats and mumbling to ourselves. :) I do have a question for Matt that I didn't see on Thrive's FAQ. What if I want to stop using the service or if Thrive does happen to go out of business; will there be a way to download my information into a spreadsheet?

Thanks

bg

@Josh @matt and all the others with the focus on the security while putting the liability in the background ...

The Security and all tech aspects of it are, of course, important. But most of all, in the finance management business, the key to the peaceful sleep is THE LIABILITY.

It does not really matter if my bank does not have the most secure tech stuff in the world - as long as they say they will "stand by me when bad time comes" (they accept the liability) i am fine. To those who say "we are super secure but when things go wrong YOU are on your own" (they are not liable) i reply "thanks, but no thanks"

ADW

I just started researching mint.com and justthrive.com and came across this blog and found the dialog very helpful. But curiously, Matt is listed on the website as a "previous employee" along with one of the co-founders. So what happened?
As for all of the discussion about the security "what ifs", does anyone know if there have been any actual breaches in security on either of these sites?

ashley

I set up an excel spreadsheet years ago to aggregate my data. It works great and it's got to be safer than mint.com

Nick

It's really a good posting. I like it. It's pretty much impressive to me. i think others will agree with me.
Good Luck. ;)

webroyalty

Jenny

Thanks for the review. It is very helpful.

Kay

I have been investigating online financial services such as Mint and Thrive, and I feel that I have quite a dilemma. On the one hand, these services provide updates and information that I cannot easily get any other way. I've given up on desktop Quicken as too painful. On the other hand, the security issues make me very nervous.

I realize that it would require a lot of coordination to get the banking and financial industry to adopt this, but why can't banks and brokerages have two levels of security? One password would be used for read-only access to accounts, and a second password would be required for transfers and trades. The read-only password could be used for financial aggregation and analysis services. I would feel a lot less nervous to give Mint or Thrive my read-only password. It is fine for folks from those companies to say that they are read-only, but when you have to provide the same password for them that you would provide directly to the bank or brokerage for transfers and trades, it really makes you think twice about handing it out.

kt

Why is Matt listed as a previous employee on the Thrive website?

George

KT:

I don't know about Matt's employment status. If the Thrive site lists him as a former employee, then Matt must have left Thrive some time after posting the above comments. Hopefully, Matt will share his status at some point and if he has joined another financial services company.

George
Editor
http://ivebeenmugged.typepad.com

George

Drew:
Thanks for the link. That's a good overview of the company. Nobody denies that Mint.com provides its members with several benefits and advantages. The only concern of the article above is what happens when there is a data breach. The site's terms and conditions suggest that members won't get much assistance. Maybe they will. Time will tell.

George
Editor
http://ivebeenmugged.typepad.com

Jennifer

Just a note: Matt@thrive - if you go onto Thrive's website, he is now under Previous Employees. Bummer.

Anonymous

That's a good overview of the company. Nobody denies that Mint.com provides its members with several benefits and advantages.

Stacy Lorsan

Online money management tools help a lot in managing your money without any manual task. Currently i am using http://www.manageme7.com for managing my finances. It has some features which i could not find on mint.com. It is an awesome web application with the help of which i can manage my budget and track all my expenses more easily and can save more for my future.

harsh

Hmm!! you don't store the credentials at Thrive, how is the tunnel with bank open, what happens when a session times out?

dmitryb

This is an old post now, but I wanted to add that I recently found out Wells Fargo allows creation of "guest" accounts. I've created such an account with read-only access for exclusive use with Mint. Next, I'll create another read-only guest account to try out Thrive. A customer rep at Chase told me the other day that they don't offer a similar service. That's unfortunate. I wish more banks followed Wells Fargo's suit. I also wish Yodlee, Mint (with Quicken's weight behind them now), Thrive, et al. would start pushing banks to start offering read-only access for aggregators' use.
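The two-password idea Kay raises and the read-only "guest" accounts dmitryb describes, sketched as an added example that is not part of the original thread and not any bank's real API: a hypothetical `Bank` model in which every login carries an explicit scope set, so the credential handed to an aggregator can read balances, cannot move money, and can be revoked without touching the owner's login. All class names, logins, secrets and amounts are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

READ, TRANSFER, MANAGE = "read", "transfer", "manage"


@dataclass
class Credential:
    salt: bytes
    digest: bytes          # PBKDF2 digest; the secret itself is never stored
    scopes: frozenset
    revoked: bool = False


@dataclass
class Account:
    balance: int                                      # cents
    credentials: dict = field(default_factory=dict)   # login -> Credential


def _digest(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Bank:
    """Hypothetical bank model: every login has an explicit set of scopes."""

    def __init__(self):
        self.accounts = {}

    def _add(self, acct, login, secret, scopes):
        salt = secrets.token_bytes(16)
        acct.credentials[login] = Credential(salt, _digest(secret, salt), frozenset(scopes))

    def _authorize(self, account_id, login, secret, needed):
        acct = self.accounts.get(account_id)
        cred = acct.credentials.get(login) if acct else None
        # Hash even for unknown logins so failures take similar time.
        candidate = _digest(secret, cred.salt if cred else b"\0" * 16)
        if cred is None or cred.revoked or not hmac.compare_digest(candidate, cred.digest):
            raise PermissionError("authentication failed")
        if needed not in cred.scopes:
            raise PermissionError(f"credential lacks '{needed}' scope")
        return acct

    def open_account(self, account_id, login, secret, balance):
        acct = self.accounts[account_id] = Account(balance)
        self._add(acct, login, secret, {READ, TRANSFER, MANAGE})

    def create_guest(self, account_id, owner, owner_secret, guest_login):
        """Owner mints a read-only login with its own random secret."""
        acct = self._authorize(account_id, owner, owner_secret, MANAGE)
        guest_secret = secrets.token_urlsafe(24)
        self._add(acct, guest_login, guest_secret, {READ})
        return guest_secret

    def revoke(self, account_id, owner, owner_secret, login):
        acct = self._authorize(account_id, owner, owner_secret, MANAGE)
        acct.credentials[login].revoked = True

    def balance(self, account_id, login, secret):
        return self._authorize(account_id, login, secret, READ).balance

    def transfer(self, src, dst, amount, login, secret):
        acct = self._authorize(src, login, secret, TRANSFER)
        if dst not in self.accounts or not 0 < amount <= acct.balance:
            raise ValueError("invalid transfer")
        acct.balance -= amount
        self.accounts[dst].balance += amount


def demo():
    bank = Bank()
    owner_pw = "constructed-owner-secret"
    bank.open_account("chk-1", "owner", owner_pw, 50_000)
    bank.open_account("chk-2", "someone-else", "constructed-other-secret", 0)
    guest_pw = bank.create_guest("chk-1", "owner", owner_pw, "aggregator")

    out = {"guest_read": bank.balance("chk-1", "aggregator", guest_pw)}
    try:
        bank.transfer("chk-1", "chk-2", 10_000, "aggregator", guest_pw)
        out["guest_transfer"] = "allowed"
    except PermissionError as exc:
        out["guest_transfer"] = str(exc)

    bank.revoke("chk-1", "owner", owner_pw, "aggregator")
    try:
        bank.balance("chk-1", "aggregator", guest_pw)
        out["guest_read_after_revoke"] = "allowed"
    except PermissionError as exc:
        out["guest_read_after_revoke"] = str(exc)
    out["owner_read_after_revoke"] = bank.balance("chk-1", "owner", owner_pw)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The property that matters for the aggregator case is that the scope check lives at the bank: a leaked guest secret exposes what a paper statement would, and the owner can kill it without changing the password that authorizes transfers.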

Anonymous

I don't see Matt's name on the "Team Bios" anymore. Does that mean that "they no longer have your best interests at heart and that I've left the company"??

Mary Ann in St. Louis

I was also curious about what happened to Matt and found this information.

http://www.linkedin.com/in/mattwallaert

He is no longer working there but is still an advisor. I found his posts all over blogs everywhere and am happy to see he is still working with them in some capacity. After reading dozens of his responses to posted questions, I will be signing up with Thrive. Hopefully it will prove to be a very useful tool.

George

Mary Ann:

Thanks for the update. I did not know where Matt landed. I am sure that many readers will appreciate this update.

George Jenkins
Editor
http://ivebeenmugged.typepad.com

Sonny

George,
I know this is an old post but I've found it extremely helpful in deciding whether to sign up for one of these online financial "planners." After reading your post and all the comments, I decided not to use Mint.com. I'll check out Thrive but the fact that they are now owned by LendingTree does not comfort me. And Matt stopped commenting after he left Thrive which makes me think he was selling a product rather than answering questions and allaying concerns.

Whatever I ultimately decide, I will bookmark your blog and make it one of my regular stops in the World Wide Web.

George

Sonny:

Thanks for the comment. Good luck and let me know what happens. I am sure that I've Been Mugged readers will be interested in your experiences with Thrive/LendingTree.

George
Editor
http://ivebeenmugged.typepad.com

Charles Jeter

Two years ago my mom asked me about signing up with mint.com... I posed to her the same question you fully explain: if you put all of your critical information in one spot and it's accessed, how bad can it become if this one spot is compromised?

Thanks George. I'll forward her this link. :)

Jyothi Sunnadkal

This was very helpful - especially highlighting the terms/policy of mint.com.
I am going to stay away from it; guess putting in that extra time/work to manage your hard-earned money is not such a bad thing.

Andrew

From the JustThrive.com privacy policy:

".. we do not promise, and you should not expect, that your personal information, searches or other communications will always remain secure."

That's enough to scare me away.

Also, I found a Mint.com employee answering questions here:

http://ask.metafilter.com/123119/Is-Mintcom-safe

George

Andrew:

Thanks for the comment. The link to the Mint discussion is helpful, since no Mint.com executive has posted a comment or offered a reply to this blog post. You'd think that they would have by now.

Thanks for the quote from the Thrive privacy policy. I agree. That's scary, so I don't use either Thrive or Mint.

George
Editor
http://ivebeenmugged.typepad.com

Michelle

I just stumbled upon this blog while looking for known issues with Mint.com. My daughter turned me on to it last month and I jumped in head first! I did spend an hour or two investigating it, but found no real issues. Now, I have been doing my banking online since around 1994 (probably when it was introduced :-) and I have never been paranoid or been hacked. After being with Mint.com about 3 weeks, I had 3 very large charges on my AMEX account which has never left my possession, nor been used in several months. Maybe it's a coincidence, but I immediately deleted all of my accounts on Mint and am now trying to figure out if they are really safe or if there is something out there that is. I will take a look at Thrive (hadn't heard of it until this blog). Thanks for all the info.

Robert Jordan

Very thorough article George! Thanks. I do not want to give my financial accounts info to mint.com. I would rather use a software package and keep the data on my computer. Unfortunately, I recently switched to MAC and the new quicken essentials is very weak in tracking investments. They force you to give your account info and then they only report accounts with Vanguard and a few other megabrokers. Large funds like Baron and Rydex are excluded. This is not so with the Windows Quicken where you can manually enter your account name, numbers and total shares, and only download the daily pricing info from a variety of sites. Now where did I put my old HP Laptop?

matt @ churnless

First, a brief explanation and apology: I know I haven't been around to answer questions for some time. Let me update you all on the situation, and then get to the ones I can answer.

In October of last year, I did decide to leave LendingTree, and thus, Thrive. Along with founder of Thrive Avi Karnani, I opened up a company that builds other decision products on the web called Churnless, and we've been building all sorts of different tools and projects for the government, other companies, and ourselves to help people lead better, more healthy lives.

For example, launching in about a month, we've got a tool called GetRaised that helps people find out if they are underpaid and get raises. We've got a good team, we're happy, we're working hard.

So as to the obvious point: since I have left Thrive, I can no longer pledge that I'm sure it operates in the best interests of people. I have no reason to believe it doesn't, but since the entire original team has left, I have very little window into what LendingTree is choosing to do with the product.

That said, I can tell you a few interesting and exciting things. Before leaving Thrive, I ran a study to look at the finances of people who had been using the service versus those who hadn't. And the results were very encouraging. Over a six-month period, Thrive helped people reduce their spending by several thousand dollars, which they then used to pay off debt, increase their savings, and put into retirement accounts. We also saw a significant rise in credit scores, on the order of more than ten points.

So in that very little has changed about the service, I can at least say that Thrive works if you stick with it. Any questions about that study can be sent to me at matt@churnless.com and I'm happy to talk about the methodology (basically, it was a non-randomized, controlled, comparison study and all results mentioned are p<.05).

Next post = answers to questions!

matt @ churnless

@Bryan: Unfortunately, at least when I left, we had not implemented that feature. It was planned and on the roadmap, however, so it is possible it may still be introduced.

@bg: That's a reasonable attitude. It just cuts you off from any service that isn't run by a massive company. And banks, of course, have no intention of standing by you: the government makes sure that they do in extreme cases, but many are more than happy to abandon you if, for example, you get rather late on your mortgage.

@ADW: Yes, both Avi and I have left the company, as has all of the original team. Many of us are now at Churnless. In terms of security breaches, we have none at Thrive that I know of.

@Kay: While I don't think they have it implemented yet, ING Direct proposed a security solution exactly like the one you are suggesting (with two levels of password). I do bring this up with legislators from time to time and occasionally the Treasury makes some noise about potentially implementing standards; I'll keep you posted.

@kt: As mentioned above, I've left Thrive. I stayed on as an advisor for some time, but have now moved on to other projects at Churnless (working to help people, as always).

@harsh: That is actually handled by partner Yodlee. Information about their tech is widely available.

@dmitryb: I promise that we actually do (and still do) push pretty hard. The problem is leverage: we don't have much and the government is a slow moving beast. And banks, frankly, tend not to care.

@Anonymous: Since I'm no longer around, I can't speak to best interests, but I can confirm that I've left the company.

@Mary Ann: Good research! *smiles* I've actually moved on from my advisory position as well, however, and have transitioned fully to new products at Churnless. I hope Thrive worked out for you, however, and if there are any questions I can answer as a former employee, I'm happy to help!

@Sonny: I'm sure you can imagine why, having left the company, I might need a little space and time before answering any Thrive questions. For legal reasons, for personal reasons, and just because it is prudent to give yourself a little space from any parting. Frankly, I'm a little sad that after so much hard work answering questions, you're so immediately ready to jump to the conclusion that I'm a salesman. Google around a bit - you might be surprised.

@Andrew: Unfortunately, lawyers make you put language like that into almost every privacy policy. Also, you do realize that you quoted that out of context, right? That section discusses privacy expectations in the world at large, not at Thrive per se.

@George: Did you actually go read the privacy policy to see the whole quote?

N.O.

Thanks for the information. I think I will reconsider using Mint.com.

George

Thanks to everyone for sharing their experiences and opinions. I have added a new feature to the blog to allow readers to more easily follow comments. Scroll up the page to just before the comments start, and you will see the orange RSS feed icon next to this text:

"You can follow this conversation by subscribing to the comment feed for this post."

To subscribe to the RSS feed of comments for this blog post, you can click on either the orange RSS feed icon next to the above text, or click on the "comment feed" text link. Then, follow the onscreen instructions in your web browser to subscribe to the comments feed.

You can use any RSS feed reader software desired. I use the Firefox web browser to monitor hot feeds, and Google Reader to manage all of the RSS feeds I subscribe to.

George
Editor
http://ivebeenmugged.typepad.com

test@test.com

I just wanted to say thanks for this article, even if it was written awhile back. My bank account had never been hacked until about a week after signing up for Mint.com. I do not think this is a coincidence. Basically, providing bank login/e-mail, etc can do some damage if you use the same passwords. They can get the remainder of your information via the same methods described in this article. Anyway, just wanted others to know that Mint.com might be better if you use different passwords for EVERY site you use.

Tim Cook Sr

Thanks to everyone that posted here. It has helped in a great way and has caused me to research this situation even more before I make what seemed to be an easy decision.

Ugiogi

I agree with many previous posters, George - thanks for this great post and discussion. It's been really helpful, as I've been able to decide that Mint, Thrive, etc. are not for me.

As an addendum: Matt said the disclaimer quote that Andrew posted was taken out of context - so here is the whole thing:

"How we protect your personal information:

We take appropriate security measures (including physical, electronic and procedural measures) to help safeguard your personal information from unauthorized access and disclosure. For example, only authorized employees and authorized third-party service providers are permitted to access personal information, and they may do so only for permitted business functions. We use encryption in the transmission of your sensitive personal information between your system and ours, and we use firewalls to help prevent unauthorized persons from gaining access to your personal information.

We want you to feel confident using our website. However, no system can be completely secure. Therefore, although we take steps to secure your information, we do not promise, and you should not expect, that your personal information, searches or other communications will always remain secure. Users should also take care with how they handle and disclose their personal information."

Matt explains that this reflects only the "privacy expectations in the world at large, not at Thrive per se" -- but to me it seems pretty clear it's the policy OF Thrive, specifically, i.e., 'we'll do our best, but you shouldn't expect the info to remain secure'. Oooookay.

Anyway, just wanted to point that out. Thanks again!!

Risky Business

Wow, a 2 year conversation. I'll keep it going :D

I came to this post like many others; interested in a service like mint or thrive but unsure about the security risks.

For me, the main issue is not if there is risk to engaging in these services, but how to manage that risk.

I have used other systems with inherent risk but it always felt non-3rd party even when it might have been; my own spreadsheets (downloading info from banks online), quicken on my home system (where bank info is given to a 3rd party). As a result these didn't ring an alert bell the way this one seems to.

I'm concerned about the risk but actually leaning towards using one of these services. I'm curious if anyone has gone through the effort of reviewing the risk in their own trust chain (and what did they review and what was the effort).

Also curious if anyone has then been able to close the gaps to their satisfaction (I'm thinking; do I need to decrease the review period intervals with these services to reduce the amount I will be liable for, or contact the bank to put limits on accounts through certain channels, etc)?

I plan on making my own review of these key points:

-the email account I use (maybe get a new one with different password?)
-the bank I use and its security (back-end and info sharing agreements)
-the bank's policies on worst-case support (I've had good experiences with credit fraud)
-the current 3rd party service security and info sharing agreements
-the use of an identity theft service to close fraud gaps (anyone know if these services work as advertised?)

I'd love to hear any comments from this board.

George

Everyone:

Risky Business raised a good point. This thread is 2 years old. Some things and facts mentioned in the comments thread have changed. For example, Intuit acquired Mint.com.

As Risky Business emphasized, managing risk is important. That means understanding the risks, as hacks can occur throughout the Internet connection, not just a hack into your personal computer or into Mint.com's servers. It also means that consumers must act as informed shoppers... read the fine print (e.g., contract, privacy, terms of use) at any website **before** you buy or register. The fine print specifies what the website and company will and won't do when bad things happen.

George
Editor
http://ivebeenmugged.typepad.com

matt @ Churnless

@Ugiogi: You'll note, of course, that this is actually a more "user friendly" version of what every professional website has, which is an indemnification of loss - no competent lawyer or businessperson will let you launch a site without one.

For example, 20.1b of TypePad's Terms of Service, which you agreed to by posting, says the same thing. =]

On every site you use, you'll find this clause, for the same basic reason: if you put it in writing, assume it is public in any legal conversation you're likely to have.

amy amster

Very informative post. Thanks for sharing. Everyone made a lot of good points. Lots to consider.
http://www.ghg.com

Shalimar

I decided to try mint.com at the recommendation of my son-in-law who is a program analyst. I also did research and, I too, found that Intuit acquired Mint.com recently which put me at ease somewhat. I use Turbo Tax which is a product of Intuit. Each year I give Turbo Tax my social security, birth date, and financial information. I also give a number of my savings account for the direct deposit. Now I'm thinking that some insider in Intuit can cross reference information from both Mint.com and Turbotax.com and hit the jackpot?

eve

Certainly very informative. Thank you.

So, what services does Churnless provide that helps people "live better"? Are we still speaking about Finances or something else?

Doug Young

Hi

I discovered an interesting problem with mint (but it's OK because bank info is read only and I can't see (although I can guess) a compromised user's name)

Read here http://satisfaction.mint.com/mint/topics/security_hole-bq00a

Luc Laverdiere

I'm curious to know if there was a security issue and a loss, would my bank back me? They always tell me NEVER to give my PIN to anyone.

Mark

Great article.

So just fyi, I found your blog when I googled "is there a read only password for bofa" -- https://www.google.com/search?sourceid=chrome&ie=UTF-8&q=is+there+a+read+only+password+for+bofa

What I was searching for was a "daughter password" to use for mint.com, wasn't really interested in giving them full access to my accounts.

Thanks for your assistance, your article kind of put the brakes on mint.com.

~~ Mark

http://www.marksatterfield.com

Mikey

For those who are reluctant to share their private banking information with third-parties, check out https://www.inexfinance.com/ web-based personal finance manager and budgeting tool. It doesn't automatically sync to my bank accounts and when needed I can use the import feature to bulk upload my financial transactions. Moreover you are not asked to supply any personally identifiable information while registering, so basically you can create a completely anonymous account.

Michael Morin

"Your Mint account is anonymous; set up requires only an email, password and zip code"

Really? Then why does it ask for my bank account login information?

No way in hell I'm using this 'free' service.

raj

Great analysis. To avoid the risk if any, I use a simple Windows app called spending viewer ( http://spendingviewer.apphb.com ) that is local to my computer and feel safe. I download the transactions from my banks manually and upload them to this tool. It automatically assigns categories. I only needed to set up category the first time for a store.

DS

Thank you. Here's what it says when you hit Delete Your Mint Account: We will miss you as a customer. If there is anything we can do to keep you with us, please let us know. Once you delete your account, Mint.com will automatically expunge your financial information within 48 hours. You will receive confirmation via email.

I sure hope "expunge" is just as guaranteed as the other fine print.

Michael Scott (seriously!)

Mint "may" be trustworthy......but how stupid are they to ask for your credit card type, number and password, the second you sign up???

Duhhhhhhh!

Carley Struve

I signed up with Mint and have had ongoing problems with being locked out of my online banking site. I can only attribute this to Mint. My bank is now recommending not using third party sites such as Mint. I have cancelled my Mint account and I still got locked out so now I need to contact Mint, and make sure that my account has, indeed, been cancelled.

Hareiana

There is one website offering great budgeting and money management online that has taken a completely different approach to user safety and security. You give out nothing and you risk nothing. At Out Of The Dark (OOTD) Budgeting you never give out your personal identity or access to bank accounts, you are truly anonymous so even if someone stole the server with all your financial data, all they will have is a bunch of meaningless numbers and category names with no connection to you the user. This is what I call zero risk, and OOTD is unconditionally free. You can check the website out at: www.myootd.org

The comments to this entry are closed.

About

  • Proud Elder Blogger
  • George Jenkins, author of the I've Been Mugged Blog

  • © 2007 - 2014. George Jenkins. All Rights Reserved.