A few weeks ago, Equifax, one of the world’s largest repository of personal financial information, announced it had been hacked. Over 140 million consumers’ personal data was stolen, including credit card numbers for some of those affected.
This is just the latest in a string of breaches that include large, formerly-trusted American companies, like Target, J.P. Morgan Chase, and Home Depot. In fact, if before the Equifax breach your personal information had not been exposed at least once, chances are it has been now.
So given this reality, how is it that millions of us readily and willingly give our sacred bank account credentials into third-party hands? That’s right; while it might seem crazy, the truth is that over 20 million users have signed up for Mint.com, a cloud-based budgeting and personal financial management software. Mint promises to make life easier by automatically recording and categorizing every purchase, as well as helping us track our cash, debt, and asset balances. In addition, it collects the data from all your accounts and organizes it in easy-to-understand charts and graphs, and does all this for free.
So, it’s clearly useful service. But still, is all that enough to justify putting our bank account login credentials into their hands? Are millions of us, myself included, completely crazy?
What is Mint.com?
If you’re not familiar with Mint.com, it is an easy-to-use online system for tracking your finances. You simply enter your account credentials (for each bank/financial institution website), and Mint collects the data from all your accounts and organizes it in easy to understand charts and graphs.
One of the most attractive things about Mint is that it is free to sign up for and use. Contrast this with Intuit’s (former) desktop personal finance software, Quicken, which has a $29.99 annual fee, and you can see why so many people like it. (To be fair, Quicken offers much more sophisticated features for complex financial situations, but for those who just want an easy-to-use system for tracking their budget and net worth, Mint works just fine.)
How to Know if Mint.com is Safe
To really wrap our heads around the security, or lack thereof, of Mint.com, we first need to establish the risks. Essentially, these can be broken down into four basic questions:
- How secure is my Mint.com account?
- What happens if someone hacks my Mint.com account?
- How secure is Customer Central, the internal Intuit division that holds my bank login credentials?
- What happens if someone hacks Customer Central?
How Secure is my Mint.com Account?
There are several things you should know about Mint’s security that might help you sleep better. First, they use bank-level encryption and security measures. This means that your connection with Mint’s servers is protected with a 128-bit SSL encryption, which is, for all practical purposes, impenetrable from brute force attacks. (Want to geek out on password hacking probabilities? You’re going to need a calculator, a stiff drink, and this wikipedia article.)
Within Mint, the data is even more secure, as they utilize one of the highest encryption levels out there, 256-bit, to completely scramble your data and hide it from prying human eyes. In addition, Mint contracts Verisign to provide security scanning on their systems to help “ensure security for sensitive data transfer.”
What if Someone Hacks my Mint.com Account?
Now, as great as these protections are, there is no way to completely eliminate the risk that someone might be able to hack into your Mint.com account. As most major hacks in recent years have shown, it’s simple human error that criminals typically exploit, not an attempt to brute-force crack into a database. And, in Mint’s case, probably the easiest way to gain access would be to hack your email account first, and then reset your password.
Truth be told, it’s probably not that hard to hack your email.
So, what happens if someone does get into your Mint.com account? First, all they have access to is the data itself, not your bank credentials. Therefore, they would know how much you have in your checking account and how much you spend eating out, but could not actually move any money out of your account. In addition, account numbers, Social Security numbers, and other sensitive data are not available inside the Mint.com interface, so there’s little that one could do with that information alone.
Further, within Mint there is no ability transfer funds or move money. There is a bill pay service available, but you have to go through separate security measures to set it up to pay someone that’s not on their pre-approved list of large corporate entities. You cannot simply write in someone’s name and have Mint send them a check.
For all these reasons, your Mint.com account could be considered “read only” access, and so it’s not the end of the world financially if the account is breached. (That’s not to say it’s a good thing, of course!)
How Secure is Customer Central, the Division of Intuit that holds my Bank Credentials?
And now, we get to the real risks.
As I’ve already indicated, it’s important to distinguish between someone hacking directly into your Mint.com account and someone directly stealing your bank account credentials, for the simple reason that your bank credentials are not held within the Mint.com database itself. This information is protected within a special division of Intuit called Customer Central, which handles the actual data aggregation part of the Mint service.
The Customer Central servers are located in a separate, highly protected, datacenter within the Intuit corporation that holds the bank account credentials themselves in a 256-bit encrypted database. This datacenter is completely within the control of Intuit, and is not simply “rented rackspace” in the cloud like so many other cloud-based software programs. This datacenter is guarded 24/7 with cameras with lights that follow you as you walk, and doors that won’t unlock until the previous door is fully secured behind you. In addition, these servers are not directly accessible by the internet, but are protected under layers of security software, checking and double-checking the identity of anyone requesting data from server.
Mint’s website says that it uses 256-bit encryption for the account credentials themselves, which would, in theory, take 50 supercomputers checking a billion billion keys per second about 3×1051 years to crack. In addition, they pay outside security firms and white-hat hackers to routinely test their systems for vulnerabilities, so that they can catch any holes and patch them before the hackers get in.
What if Someone Hacks Customer Central and then Transfers Money Out of my Account?
Ok, so Mint has done seemingly everything it can do to protect account credentials. But even still, there is that risk, no matter how infinitesimally small, that a hacker could get in. The most important question is what happens if they do?
Let’s walk through the potential damage then, shall we?
First, we already know that credit card fraud is protected by the credit card companies; they will reimburse you for fraudulent charges that you did not authorize. In fact, by law your maximum liability is only $50.
However, it’s direct bank access that’s the real threat here. If funds are stolen, what recourse would you have? This is bordering on a legal question, which I must confess I’m neither qualified nor able to answer; however, I’ll share my own research.
Many banks want to discourage the use of aggregators such as Mint.com, probably as much to keep customers coming directly to their websites so that they can cross-sell them products and services as it is for security concerns. Whatever the reason though, several banks, such as Chase, Capital One, and Fidelity have explicitly stated that sharing your credentials with a third party means you may be on the hook for stolen money.
But an article from Reuters reports that this position is not, in fact, backed by the law. The article interviews Lauren Saunders, associate director and managing attorney for the National Consumer Law Center, and quotes her calling the bank’s position “ridiculous.” This is because although there is a carve-out of the law releasing banks of liability when customers deliberately give power to transfer funds to a third party, such as a family member or business partner, this is obviously not the same thing as giving credentials to Mint to simply monitor and record the account activity.
She goes on to elaborate:
“When you give Mint your bank password, you don’t give them permission to make transfers. You don’t need to be a lawyer to understand that you are not a consumer who ‘grants authority to make transfers.’ You are … outside the provision about giving someone an access device because you didn’t give the hacker permission [to transfer money on your behalf.]”
Note: an “access device” is legal-speak for your login credentials, in this situation.
So based on Ms. Saunder’s opinion, I believe that you can rely on the consumer protection laws to come to your aid, should the unthinkable happen. And what do those laws say? Here’s a quick breakdown of your exposure:
- Up to $50 — If you notify the bank within two business days of learning about the theft
- Up to $500 — If you fail to notify the bank within two business days after learning of the theft
- Unlimited Liability — If after receiving a bank statement, you fail to notify the bank within 60 days, you could be liable for all fraudulent charges that happen after that point.
The “official interpretation” on the Consumer Finance Protection Bureau’s website reads as follows (in part):
“If a periodic statement shows an unauthorized transfer made with a lost or stolen debit card, the consumer must notify the financial institution within 60 calendar days after the periodic statement was sent; otherwise, the consumer faces unlimited liability for all unauthorized transfers made after the 60-day period.”
Again, I have to caveat all this with the simple fact that I’m not an attorney, and please do your own research. Still, I think the clear takeaway here is that the key to protecting yourself is careful monitoring of all your accounts. Whether you use Mint.com or accidentally lose your debit card, the world is full of risks and people who will happily steal your money. However, there are protections out there as long as you report fraudulent activity quickly. In that respect, you could argue that Mint.com actually makes you more secure, in that it’s a convenient way to keep track of all the activity in your accounts.
How Motivated is Mint.com to Protect My Information?
Protecting private data from would-be information thieves is hard and expensive work. Oftentimes, it requires hiring “white hat” hackers–people smart and skilled enough to hack into secure places, but ethical enough to use their abilities for good instead of ill–to test your systems. These types of people don’t come cheap. So, one of the key variables in deciding whether or not to trust an institution with your data is to determine how motivate they are to invest the money needed to protect you.
Therefore, an important question to ask would be: “Would Mint.com’s business model be severely harmed by a data breach?” Or, like Equifax probably reasoned, is privacy and security a lesser priority, because “consumers don’t actually pay us anyway.” In Mint’s case, it definitely has to be the former.
In the interview above, Mint’s former VP of Engineering talks about how Mint knows that security is one of the major stumbling blocks for consumers, and how they have tried to overcome that with the highest levels of protection.
So, I think we can safely assume that Intuit is fully aware of the potential costs, in terms of lost business, of a breach in security, but I think there is an even more important point to make. In most of the recent high-profile hacks, lawsuits abounded. The Target case is particularly instructive. In total, Target paid almost $300 million in damages across several lawsuits, most of which went to banks and credit card companies who were recouping their losses from fraudulent charges.
What Can You Do to Further Protect Yourself?
Of course, there are more secure and less secure ways of using Mint.com. Here are some best practices for protecting yourself while using the system:
- Use a separate email address dedicated to Mint, and don’t have any personally-identifying info in the email address itself (e.g. “email@example.com,” instead of “firstname.lastname@example.org”)
- Don’t fill out the personal information section within Mint
- Use the multi-factor authentication feature
- Sign up for a password database program, like Lastpass (and use multi-factor authentication with it), and use long, randomized passwords that are unique for each site
- Turn on the notification emails for unusual activity in your accounts
Based on all my research, I’m actually more comfortable using Mint.com than I was before, especially since I’m following the “best practices” listed above. If it keeps me on top of my money, then that’s ultimately the best way to stay safe in this digital world. You may not agree, and that’s fine. But if not, I encourage you to find a good budgeting system that works for you. At the end of the day, which risk is bigger? Online security or not being on top of your money? From my experience, the latter risk keeps more people from reaching their financial goals than the former.