Last week, a coworker asked me what I thought about the Mint.com personal finance service site. Deanna asked me because, in her own words, "George, you are more paranoid than me." I spent several days researching and reviewing the site. Afterward, I began to wonder how safe and secure it really is.
If you aren't familiar with the site, it is an online service to help consumers manage their money. It is a free alternative for consumers who don't have the money to hire a personal financial adviser. Many consumers like Mint.com since it mostly eliminates the manual data entry of financial transactions at your bank. According to the site, 600,000+ people use Mint.com with 2,000+ daily users, $50 billion in transactions, and $15 billion in assets. The site publishes an impressive list of reviews and awards, too.
My question is this: how safe is it to store all of your personal financial information in a single online site? Shelley Elmblad at About.com answered the first part of that question with a comparison of desktop and online financial services software. The second part of the answer is specific to the Mint.com site, which says:
"Mint does not ask for its customers' names, addresses or Social Security numbers. It establishes a one-way connection with the bank so that no money can be moved around... Mint works for you without requiring any personally identifiable information from you. Your Mint account is anonymous; set up requires only an email, password and zip code."
That sounds good. Mint.com says that it uses the same physical and encryption security as the banks. While that might sound good, it's not 100% bullet-proof since some banks and financial companies (e.g., Ameritrade and Bank of America) have had data breaches, and some reports have documented flaws in the financial system. Plus, all of that online security won't necessarily prevent a data breach by an inside job -- data stolen by an employee.
The Mint.com site says that its account setup doesn't allow Mint.com to move money. It's a "read-only" service. That sounds good, but how safe is it really?
My skepticism with a service like this is that in order for a consumer to enjoy the full benefits of Mint.com, he/she still must submit their bank sign-in credentials (e.g., ID and password) repeatedly so the Mint.com software can import their latest financial transactions. And, a consumer must provide those credentials for every bank account and credit card account he/she wants to evaluate.
To learn more, I read several online reviews of Mint.com at About.com, TechCrunch, the Well-Rounded Woman, the Consumerist, the New York Times, and Brit Gardner. Afterward, I wished that all of these reviews had focused less on the features and more on the data security.
Since I started writing this blog, one thing I've learned is that my financial, bank account, and e-mail sign-in credentials are just as valuable as the sensitive personal data companies archive about consumers. An identity thief in possession of my sign-in credentials can still do lots of damage. They could use a brute-force method to determine which other sites accept the stolen sign-in credentials, and then sign in and steal the remainder of my sensitive personal data and money.
And, a data breach at Mint.com would clearly be a huge disaster. While writing this blog, I also learned that identity thieves are smart and persistent. They will hack into sites that don't maintain current and effective security measures. They will hack into the electronic transmissions between sites and third-party sites. They will identify and attack both high-value sites and the consumers that use those sites.
One area that seems murky is what happens when things go bad after a consumer submits their site B sign-in credentials at site A so that site A can use information retrieved from site B. What happens when site A suffers a data breach where site B sign-in credentials are stolen? Which site's company is liable: A or B? Which company will help the user with credit monitoring and recovery services? It seems unlikely that site B would provide assistance due to a breach at site A.
Think of it this way: when there's a credit card theft, I know that the credit card issuing bank will stand by me with help. Another example: when IBM suffered a data breach that exposed the sensitive personal data of its employees and former employees, it provided one year of free credit monitoring and recovery services to the other data-breach victims. What can I expect from a small start-up like Mint.com? Does Mint.com have the resources to help, should things go bad? For me, it is important to know this upfront when deciding whether or not to register with a new financial services site, since data breaches unfortunately happen.
In the state where I live, companies are required to notify their customers after a data breach. While I could reasonably expect notification from Mint.com if a breach happens, the law doesn't specify the level of post-breach help. So, I took a closer look at the Mint.com Terms of Use policy to see what else a consumer can expect should things go bad:
"Mint cannot always foresee or anticipate technical or other difficulties which may result in failure to obtain data or loss of data, personalization settings or other service interruptions. Mint cannot assume responsibility for the timeliness, accuracy, deletion, non-delivery or failure to store any user data, communications or personalization settings... You agree and understand that you are responsible for maintaining the confidentiality of your password which, together with your LoginID e-mail address, allows you to access the Service... Your access and use of Mint.com may be interrupted from time to time for any of several reasons, including, without limitation, the malfunction of equipment, periodic updating, maintenance or repair of Mint.com or other actions that Mint, in its sole discretion, may elect to take... you grant Mint a limited power of attorney, and appoint Mint as your attorney-in-fact and agent, to access third party sites, retrieve and use your information with the full power and authority to do and perform each thing necessary in connection with such activities, as you could do in person."
So, Mint.com customers authorize the site to act fully on their behalf, and assume all risk for maintaining the security of all of their bank and financial service sign-in credentials. Nothing surprising there. However, there's more (bold added for emphasis):
"YOU EXPRESSLY AGREE THAT YOUR USE OF THE SERVICE IS AT YOUR SOLE RISK. MINT MAKES NO REPRESENTATIONS, WARRANTIES OR GUARANTEES, EXPRESS OR IMPLIED, REGARDING THE ACCURACY, RELIABILITY OR COMPLETENESS OF THE CONTENT ON MINT.COM OR OF THE SERVICE... MINT MAKES NO REPRESENTATION, WARRANTY OR GUARANTEE THAT THE CONTENT THAT MAY BE AVAILABLE THROUGH THE SERVICE IS FREE OF INFECTION FROM ANY VIRUSES OR OTHER CODE OR COMPUTER PROGRAMMING ROUTINES THAT CONTAIN CONTAMINATING OR DESTRUCTIVE PROPERTIES OR THAT ARE INTENDED TO DAMAGE, SURREPTITIOUSLY INTERCEPT OR EXPROPRIATE ANY SYSTEM, DATA OR PERSONAL INFORMATION... MINT SHALL IN NO EVENT BE RESPONSIBLE OR LIABLE TO YOU OR TO ANY THIRD PARTY, WHETHER IN CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, LIQUIDATED OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFIT, REVENUE OR BUSINESS, ARISING IN WHOLE OR IN PART FROM YOUR ACCESS TO MINT.COM, YOUR USE OF THE SERVICE OR THIS AGREEMENT, EVEN IF MINT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES."
Well, that seems pretty clear. If Mint.com is hacked or breached, they aren't liable and the consumer is on their own to resolve the problem. While Mint.com has every right to protect itself, there has to be a better balance with the needs of consumers. Based on the above copy, Mint.com customers are on their own should a data breach happen.
Should you register for Mint.com? That's your decision and a decision only you can make. Only you know how much risk you are willing to tolerate.
My take: a consumer that uses any financial services site like Mint.com absolutely has to make sure that their personal computer is properly protected, and that he/she creates and uses strong passwords. It'd be foolish to use the same sign-in credentials at Mint.com that you use for your e-mail or at your online banking site.
Seems to me that sites like Mint.com are high-value targets. Time will tell how effective Mint.com's data security methods are. I hope that they are as effective as advertised.



Great job George! In this world where the holes in our privacy sieve are becoming larger folks are increasingly expanding their exposure to ID theft crimes. Thank you for your tireless research, and have a wonderful holiday season!!
John T
Posted by: John Taylor | Tuesday, December 23, 2008 at 11:37 AM
Who to trust, and how much to trust them, is certainly an important question. I actually get a couple of Thrive (www.justthrive.com) users a week call up and ask about security, and I always tell them that I'm actually glad they called: consumers that ask about this sort of thing are good consumers. Maybe you should give us a call, George, and we can explain our "one-way tunnel" system and how we protect our users' information?
Posted by: matt @ Thrive | Wednesday, December 24, 2008 at 09:11 PM
Matt: thanks for the comment. I took a look at your company's web site http://www.justthrive.com . It seems very similar to Mint.com . So, what's different about Justthrive.com? How is the security at Justthrive.com any better than Mint.com? After viewing your site, I didn't see any differences, except that Mint.com has more awards and service reviews linked.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Friday, December 26, 2008 at 01:39 PM
For one, and I think this is big: you can actually call us. We pick up the phone, we talk back, we'll answer questions and address security concerns. We even welcome visitors in the office, if they are in NYC - you can come check on the people that accepted your sign-in data and we'll usually buy you lunch, if someone is free. I'd love to see Mint make the same commitment.
Another difference: we're talking to you (on Christmas Eve, no less!). We're actively out there in the world, talking about bank and data security, and what people can and should do to keep themselves safe. We consider increasing financial literacy (which includes security discussions) part of what personal finances need to do to help the public and serve their members.
Unlike Mint, we also ask for your name and phone number. Why? Because in the event of a data emergency, we want to be able to contact you immediately, verify your identity, and get to work dealing with the problem. Anonymity is a double-edged sword: less for hackers to steal, but less ability to actually help you with security issues.
These combined serve to reinforce one of your points: if you are going to work with a personal finance site, you want one that is actually interested in your welfare and will help you with any issues that you have. We are not a churn-and-burn shop and we were founded to help people. Compare this to Mint's founding purpose, which was to make the graphs that Quicken wouldn't.
A few notes that apply to the way Thrive handles your data (I can't speak to Mint's system - I'm sure you could write them and they might answer). The way I like to explain the one-way security tunnel is as a multi-step process. When you first log in, we take your sign-up credentials and they are sent to your bank, to create the secure tunnel. We DO NOT store the logins on our server - after the secure tunnel is created, it simply sits as a one-way tunnel for information. Banks can push information to us, and we cannot push it back.
If you change your login credentials, your bank breaks the tunnel and lets us know - we then request updated credentials for you. Again, your credentials are not stored on our servers, they are simply used to recreate the tunnel.
So there are two data-loss situations. In one case, your Thrive account credentials are hacked and someone can log in as you. What can they see? Your balances, your transactions, what types of accounts you have, and what banks you use. Damaging information, to be sure. But they don't have your bank passwords or logins, they can't change anything at your bank or move any money around. They can only view some sensitive information about you, which they could get straight from your mailbox - it is the same information on any paper statement you receive.
The other data-loss situation is a hacking of our servers, not just your account. The same information is available, but on a vastly larger number of people.
You sum it up well at the end of your post: everyone has to choose for themselves, based on the positives and negatives, of joining a site like Thrive. And honestly, if someone understands all the considerations and still chooses not to use Thrive, we're totally fine with that - it isn't for everyone and some people are less comfortable than others. I simply care that people understand what they are and aren't making accessible by using such a site, and all the things they stand to gain.
I'm a behavioral psychologist and we've worked hard to make sure that Thrive gives measurable help to our members. We can see, in concrete numbers, how our system changes people's financial behaviors, and the money they save by making infrastructure improvements, understanding where they spend and why, and working towards their goals and plans in an organized way. So for all this talk of data security, there is a very real upside to joining Thrive (www.justhrive.com) and I wouldn't want to have a security discussion without ending on that note.
Posted by: matt @ Thrive | Friday, December 26, 2008 at 04:17 PM
I'm going to pass on mint.com. I don't feel they're ready for primetime yet.
Posted by: Forest Marie | Thursday, February 26, 2009 at 04:49 PM
I would really love to start using Mint or Thrive. I actually just learned about Thrive by reading the comments section. I think that what Mint is missing is the ability to give people financial advice based on their individual financial situation. That is where Thrive will certainly be able to compete against many of these new services.
One thing that I have noticed that Matt from Thrive did not address is what happens if all the credentials are stolen during the first sign-up, or while they are being updated (when all the log-in information is sent to confirm the credentials with the bank)? That seems to be the only time/point where all the passwords would be moved at the same time and generally qualifies as the only time a hacker could gain all to learn about every log-in and password used for each financial institution linked to Thrive. What if, and I realize how low the probability of this happening is, a hacker gets access to the "tunnel" at that very point when a user is signing up with Thrive and sharing his/her passwords?
What if that same hacker logs into all of the stolen accounts and pulls out all the money? How would Thrive (or Mint for that matter) be able to help? Why could not Thrive and financial websites like Thrive buy insurance for such instances, so that they can actually reimburse their clients in case of data or money loss? Credit cards are doing it, why could not Thrive? I am sure the insurance premiums would be high (maybe not due to the low probability of such a hack actually happening), but it would be a real differentiator for Thrive and it would certainly help it become the #1 financial website everybody trusts.
Posted by: Denzel | Friday, March 06, 2009 at 11:00 AM
Denzel: thanks for the commentary. The reason I didn't mention what happens if a hacker steals your info when we send your credentials nightly is that we don't send your credentials - we do not store your password or username on our servers at anytime. And yes, while someone could theoretically try to "listen in" while you inputted them the first time, it is important to realize that the same thing is true of logging into your bank online: there is the same possibility of interception.
Thrive's security is handled by experts, and at some level, you have to decide for yourself whether you are ready to trust in that expertise. But this is no more or less true than any other website: if you submit your credit card info to any online vendor or log in to any online bank, you are exposing yourself to the same risk.
Posted by: matt @ Thrive | Sunday, March 08, 2009 at 11:13 AM
Mint does the same thing Thrive does, apparently. The financial account info is never stored at Mint. Yodlee (yodlee.com) has it.
And really, doesn't having lunch with customers just set you up for social-engineering attacks? :-)
I kid. You're obviously thinking about the risks and issues in a reasoned way.
Sources on the Yodlee/Mint connection:
A FAQ on Mint's forums:
http://forums.mint.com/showthread.php?s=3526b65b4c8e1a11411b182d55e26542&t=461
An outside forum's discussion that mentions Yodlee:
http://forums.cnet.com/5208-7808_102-0.html?messageID=2735272&tag=forums06;posts#2735272
Another post that pointed to Yodlee:
http://forums.mint.com/showthread.php?t=703
Posted by: benizi | Wednesday, March 11, 2009 at 11:36 PM
Naturally, I can't confirm that about Mint/Yodlee but...=]
We have fencing equipment in the office - if anyone tries a social engineering attack, they may find themselves at the wrong end of a sabre with no protective equipment. *grins* We take a lot of pride in making sure that we are here: at the other end of the phone, in the office, in the press, working for both Thrive users and people in general. Each of us is attaching our face and name to Thrive because we believe in what we do.
And I actually think that's a relevant security concern. Amid all this talk about banks and bonuses and lack of transparency, I can't help but wonder how things might have turned out different with AIG and others if those people were publicly exposed to the world and therefore accountable. We know people make very different decisions when they know their name and face are going to be attached to them.
So my name is Matt Wallaert, my picture (and most regretted purchase and executive bio) are up on the Thrive site and I'm on the other end of the phone when you call.
Posted by: matt @ Thrive | Thursday, March 26, 2009 at 11:19 AM
Matt:
Thanks for your insightful, honest, and sincere comments. They are truly appreciated.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Saturday, March 28, 2009 at 10:11 PM
George: my pleasure. Thrive is a service, and we take that commitment seriously; you can't very well help people if you're not willing to talk with them.
Posted by: matt @ Thrive | Friday, April 03, 2009 at 10:19 AM
The one-way read tunnel is an interesting idea, but I would feel more secure if the tunnel was established by my bank and not the other way around. This would ensure that Mint or Thrive never see my credentials.
Dawid
Posted by: Dawid | Friday, April 10, 2009 at 11:35 AM
Dawid: We'd love to do that too, but you'd have to get banks to buy in (harder than it sounds), coordinate every bank's login, and the friction for users would be high. So I agree in theory, but I'll be honest: we simply can't implement that.
Posted by: matt @ Thrive | Friday, April 10, 2009 at 12:17 PM
Thanks for that great article and all the research. It's exactly what I was looking for.
Posted by: Cynthia | Thursday, June 25, 2009 at 12:06 PM
Cynthia:
Glad that you find this post helpful. There are plenty of other helpful posts in this blog. And, if you have any questions, feel free to send them.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Thursday, June 25, 2009 at 12:53 PM
great article. great blog! thanks all involved and thanks for joining the conversation Thrive.
If I were Matt I'd say, "Where is Mint for this conversation?" Hopefully, Thrive found this blog simply through monitoring social media and proactively addressing the concerns of the public (or googling themselves). I only say that because the opposite would be that somehow this site and someone at Thrive are buddies. That is not a whisper smear or anything. I had to say that because other companies and other blogs out there in the world team up. And, if this wasn't the first time I've been to this site, or the first article I've read here, then certainly I would know for sure that this is all legit. And I think it is all legit. Sorry for the ramble, but now I'm going to check out Mint and Thrive. Oh, and why not join both and compare?? I might do that. Cheers to George and Matt and everyone else in this blog's community!!
Posted by: RD | Friday, June 26, 2009 at 11:55 PM
RD:
Glad that you found this post helpful and informative. You are correct: Thrive found this blog simply through monitoring social media. I wish that more companies monitored social media. It's another way for companies to engage with prospects and customers.
Also know that if there is/was a relationship between this blog and Thrive (there isn't and wasn't), I would have mentioned it. Transparency and trust are important to me.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Saturday, June 27, 2009 at 11:26 PM
Matt @ thrive : Where might I find a JustThrive user forum? I'd like to read a bit about other users' experience before I share my info with Thrive.
Posted by: Sophie | Wednesday, July 01, 2009 at 06:36 PM
if thrive is so good, why is it free? i love free stuff but it does make me worry just a bit.
Posted by: kellie | Friday, July 10, 2009 at 02:43 PM
My biggest problem with Mint.com is that you are granting them limited power of attorney to access third party sites. I know that one is to assume that is only sites that you authorize them to access, but it does not state that. Using 'power of attorney', financial institutions, your login credentials and 'WILL NOT BE HELD RESPONSIBLE' in the same paragraph is enough to turn me away. I am surprised that you did not expand on that George. Granting anyone Power of Attorney for anything is just plain dangerous! Especially when "retrieve and use your information with the full power and authority to do and perform each thing necessary in connection with such activities, as you could do in person." is at the end of that sentence.
I will stick to my Excel spreadsheet that does forecasting, budgeting and analysis on its own. And it doesn't try to sell me anything when I put in my paycheck amount.
Posted by: JK | Wednesday, August 05, 2009 at 12:43 PM
@RD: I wish I could say George was my buddy (I certainly appreciate what he is doing to help educate and inform people) but alas, I don't know him personally - certainly if he wanted to drop by the office, we'd take him out to lunch, but that applies to all of our users.
I don't even remember how I found the site originally, but you're absolutely right that we do monitor Google mentions of us and our Google Analytics to see when people are talking about Thrive.
The simple reason: we want to listen. Not every comment becomes a feature on the site, and some comments are downright counterproductive, but as the "new stuff" guy at Thrive, I take user feedback into account when I decide what we're going to work on next. Users can let us know both what isn't working now and, importantly, what is, which helps us know what to continue to grow and develop and what to prune back. There is a ton of good science behind Thrive but all the good science in the world does not substitute for just talking with people. And we do, to literally thousands of folks a year.
Which I'm thankful for. As much as you may appreciate me listening, you cannot imagine how much I appreciate you talking. Finance can be a hard topic to talk about, and when users take the time to be honest about how things are going for them, that makes a difference in the way we are able to help the world.
So thanks. Really. We at www.justthrive.com appreciate it, and I do personally as well.
Posted by: matt @ Thrive | Wednesday, August 05, 2009 at 12:45 PM
@Sophie: Unfortunately, we don't have a user forum (we simply haven't had the manpower to build and moderate it yet). But a quick Google search will bring you lots of reviews from people who have used the site, and if you wait a week or so, we'll be rolling out an area for user testimonials, so that people can tell us what they think.
Another useful way to find out about Thrive? Twitter. Check out http://twitter.com/#search?q=justthrive.com to see what folks are saying about us, good and bad, in real time. It will only show you the last 10 days or so, but it is a good way to get a quick glimpse of how we're working for people.
As a quick bonus, if you're willing to trust me, I checked our support inbox for the last "positive comment" email and this is what I came up with (parts are censored to anonymize the sender).
"Thank you so much for your thorough response to my concerns. I have been testing out a number of applications to track my finances over the past few months. Mint has been my favorite up to this point, but every time I submit an inquiry, they send back short -- and often irrelevant -- answers. I am brand new to Thrive and I love the look and feel of it....
...Again, thank you so much for that thorough reply. It really does make a huge difference for me in deciding which site to be loyal to. Keep providing great service and improving your site and I'll be around for a long time.
Take care,
*******
p.s. so far the things that set your site apart are the "plan for your future" section where you can set goals to make purchases and then the retirement section where it tells you how much you will have in retirement. That is sweet!"
Posted by: matt @ Thrive | Wednesday, August 05, 2009 at 12:54 PM
@kellie: I can understand your caution: it can be hard to trust a company without understanding their motivations. So let me tell you a little personal story, and then I'll fill in with some facts.
I'm 27, a behavioral psychologist by training. I grew up in rural Oregon in a working class family, went to college, and then on to grad school. The Thrive folks actually got in touch with me while I was working on my PhD and I didn't write back to them for almost eight months - the concept of working for a "startup" and outside of academia didn't really seem like it was for me. It seemed so risky, and so business-oriented. I got into academia to do research that would help people lead better, happier lives...how could a company do that?
Finally, after several emails, Thrive's founder Avi Karnani finally managed to coax me into a phone call. And he never said "how can we make more money", only "you are a scientist. You understand how people make decisions. How can we help them make better ones?"
Again, over a period of several months, they finally talked me into coming to New York City to have a meeting. I sat across from Avi and we're chatting and I said "what is Thrive trying to do?" And he looked me straight in the face and said "we're going to end bad debt in America." And so I put my PhD program on hold and came to work at Thrive, on the strength of that promise. He said that we would always try to help people the very best we could and he's never broken that promise to me yet.
So why isn't Thrive a non-profit? It turns out, we actually registered both as a non-profit and a for-profit company in the beginning, so that we could make the decision as to which would help people more later on. But the problem with non-profits is that they are hard to sustain - they have to limit what they do because they can't pay for big plans, and far too many can't get continued funding and so they cease to exist.
And that wouldn't help people. We talked about it as a team and made the decision that we needed to be a self-sustaining, for-profit company, because that is how we could get the power in the world to do big things and also make sure that we stayed around to help people not just for a year or two, but for as long as we could be of service.
That paid off for us. LendingTree acquired us and they've kept to Avi's promise: Thrive is a place where we help people build better financial lives, as simple as that.
Do we make money? Yes. We want to stay in business, we want to hire more engineers, we want to do cool things and that takes money. But the ways we make money will not violate the best interests of our users.
For example, if you have a bad credit card, we recommend a better one. Sometimes, the credit card company will give us a little money, called an "account generation fee" for bringing them a new customer. Sometimes they won't. We don't let that affect what we recommend: whether we are getting paid or not, you get our recommendation of the best card we can find. Unlike some of our competitors, we don't do "sponsored listings" that put some companies at the top, and we don't say "this company is better" simply because they'd pay us to do so. That isn't how we do business because it isn't what we believe in: we came to help people.
So there is a story, some facts, and the promise. But let me add my personal guarantee. I can't say that Thrive will never do anything to hurt people - that would be foolish, as I'm not the only one who works here and I can't guarantee what the future will bring. But I can promise you this: the day that Thrive starts putting making money above helping our users, I'll add a comment on this post and let you know that they no longer have your best interests at heart and that I've left the company. Fair enough?
Posted by: matt @ Thrive | Wednesday, August 05, 2009 at 01:10 PM
Matt:
Thanks for taking the time and effort to write your detailed comments and replies. I really appreciate it. Whenever you visit Boston, shoot me an e-mail so we can meet. I'll buy you a coffee.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Wednesday, August 12, 2009 at 10:56 AM
How are there any additional risks here than using any other site you provide credentials for? please read this article to actually learn something about the mint.com service and what happens if you do have identity theft or malicious activity with your accounts:
http://themedium.blogs.nytimes.com/2009/05/27/addressing-security-concerns-on-mintcom/
Posted by: RobbieB | Tuesday, August 18, 2009 at 08:21 PM
RobbieB:
Thanks for the link to the NY Times articles.
I stand by what I wrote above, especially given the words from Mint.com's own Terms of Use policy. It is reasonable to ask what help is provided when things go wrong, because unfortunately s--- happens. (See the bank breaches I mentioned above.) Also, you might want to check your bank's Terms and Conditions policy about what help your bank will/won't provide when you enter your log-in credentials at another company's web site.
Last, Mint.com executives have always been and still are welcome to post comments here. So far, they have chosen not to.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Wednesday, August 19, 2009 at 12:30 PM
I've been googling "Mint vs Thrive" and have read a few articles and their comments. So far Matt has responded on many of them, no one from Mint has, and that says a lot to me. I couldn't really decide because of how similar they seem but based on the "human element" (because of the effort Matt is making) I've decided to go with Thrive, keep up the good work!
Posted by: Brian A | Saturday, August 29, 2009 at 04:28 PM
Only a fool would provide any site with all of your financial online information. One insider can ruin it for many with no recourse.
Posted by: Anonymous | Sunday, September 20, 2009 at 09:08 PM
For those of you who are paranoid, please think about this: If someone is going to hack Yodlee (Where your bank account info is stored for mint.com) with miraculous ease, which probably won't happen as such, then why couldn't they just use the same tactics on YOUR bank's databases? They both use the same encryption right? Okay then.
And for those of you who use Quicken and MS Money, those programs also connect to the internet to sync information in one way or another. The only way you're truly safe with Quicken or MS Money is to have an isolated computer (as in, not hooked up to the internet AT ALL, EVER) with such information on it. Now, given that, probably 95% of computers in the world are connected to the internet with a lot less security than Yodlee or your bank. Not to mention, if someone burglarized your house and took this isolated computer, your files and/or hard drive are not encrypted either; but are with Yodlee and banks.
Just think about it. If you're truly worried about getting hijacked on the interwebz then just use pen, paper, and a fireproof safe in the closet that's bolted to the floor. There is no pure secureness in the digital age.
Posted by: Josh | Tuesday, September 22, 2009 at 12:28 AM
@Brian: Thanks for the vote of confidence - hopefully, Thrive proves to be the right choice for you feature-wise and we can help you spend less, save more, and accomplish your financial goals.
@Anon: Just to be clear, the insiders would have to be fairly specific, as at most companies (or at least at Thrive), only two people have any sort of direct database access and all code is carefully reviewed.
Posted by: matt @ Thrive | Monday, September 28, 2009 at 01:01 AM