Bogleheads.org

[Savvy]

Although we haven't had any security issues to date with mint.com, my wife and i decided to terminate our account. Since we track most expenses and savings accounts through Excel, the risk of a compromised account was not worth the value of mint's conveniences to us.

[justus]

Are there specific risks or just a generalized one?

[CJOttawa]

In Canada at least, financial institutions have client agreements that don't permit the use of services like Mint.com.
In the event a bank or credit card is compromised, even if Mint was not implicated, the bank can deny all coverage for the loss on the grounds that you violated their terms of service.

The issue isn't one of Mint.com security; it's loss protection.

That was enough for me; I'm using Microsoft Money, now a free download.

[Skyler]

Any suggestions for an iPad app for personal finance mgmt? I downloaded mint, but deleted it once it started asking for account details. I'd prefer something closer to spreadsheet where I enter and maintain financial data as opposed to providing access to all the accounts.

[runner9]

That was enough for me; I'm using Microsoft Money, now a free download.

+1

[Rainier]

Of course it needs account details, how else would it work?

I erased mine too, but only because you can't reconcile accounts.

[oaksavannah]

Any suggestions for an iPad app for personal finance mgmt? I downloaded mint, but deleted it once it started asking for account details. I'd prefer something closer to spreadsheet where I enter and maintain financial data as opposed to providing access to all the accounts.

What are Boglehead Mac users using for Personal Financial Software? I too am concerned about security and would like the information to be stored on my machine. Just need something to make/track budget, income and expenses. Maybe paying bills online would be nice, but don't at present. Dont't need it to track investments!

[tadamsmar]

In Canada at least, financial institutions have client agreements that don't permit the use of services like Mint.com.
In the event a bank or credit card is compromised, even if Mint was not implicated, the bank can deny all coverage for the loss on the grounds that you violated their terms of service.

The issue isn't one of Mint.com security; it's loss protection.

That was enough for me; I'm using Microsoft Money, now a free download.

It's arguable that Vanguard can deny the loss protection it provides under it's online fraud policy, since not sharing your password with anyone is a requirement of the protection:

https://personal.vanguard.com/us/help/S ... ontent.jsp

[mwgr5]

I don't understand the security concern here. Even if you gave a stranger your mint login information they could see your accounts but not actually access any of the accounts. Isn't the only risk that someone hacks the mint database that stores all the account infor, but that has the same level of security as bank databases?

[Sidney]

Spreadsheet works well for me. I extract data from two credit cards each year then add the handful of check disbursements and DDs. Can usually do the whole thing in an hour or two -- including generating a couple of nice looking but totally useless pie charts.

[DonDraper]

I don't understand the security concern here. Even if you gave a stranger your mint login information they could see your accounts but not actually access any of the accounts. Isn't the only risk that someone hacks the mint database that stores all the account infor, but that has the same level of security as bank databases?

Yes but one bank doesn't have every password for every account you own. Giving one company access to every dollar of my liquid net worth seems like a very bad idea.

[BigFoot48]

I set up a Mint account about six months ago to see what it offered, but didn't think it offered an advantage in tracking expenses over Microsoft Money for our lifestyle, and found the weekly reports of my Schwab account balances only of minor interest. So about a week ago I finally decided that a private company, that I really knew nothing about, accessing my account data was a bit disconcerting, so I deleted my account (hopefully - time to change my password me thinks). (My iPod Touch with the Schwab app works really well for quickly looking at my data, and allows me to deposit checks via photos! Yes, I am no longer an early-adopter of technology.)

[RobInCT]

Everyone needs to decide for him/herself whether the risks outweigh the benefits, but I use mint.com. With respect to the potential TOU violation, I find it difficult to believe that Vanguard, or any other company, would refuse to honor its online fraud policy in the event of a mint.com hacking. It seems to me that the PR effects of refusing to do so would vastly outweigh the benefit to the company. At this point, institutions that are available through mint.com are aware that it is being used and are taking no steps to stop it. In many cases, they appear to be cooperating with mint.com in making the interfaces compatible (you'll see this periodically if you use mint.com regularly--it will stop working for some or other financial institution for a period of a several days, and customer service will come on and say they are "working with the institution" to resolve some sort of technical compatibility issue). Companies can (and some actually do) block access by mint.com to their accounts, so at this point any institution available through mint.com is there by choice.

This isn't to say that companies are legally just as responsible for a mint.com hacking as they would be for a hacking of their own databases--it's just to say that it would be very hard for them from a public relations standpoint to claim that your use of mint.com voided their fraud protection warranty such that they have no obligation to make you whole. If I heard that, e.g., Vanguard had done this to another consumer, I'd remove all of my funds from Vanguard immediately because I'd take it as a sign that Vanguard was not seriously committed to consumer fraud protection.

On top of that, it's hard for me to imagine catastrophic personal consequences even to a full hacking of all my passwords on mint.com. What exactly would someone do with my Fidelity password? I suppose they could add another bank account (their own) and transfer money out. Alternatively, they could transfer the money to the existing bank account (mine) and with my bank password then initiate an electronic funds transfer to their own overseas accounts. Neither of these is an instantaneous process, both should be caught by the company's own fraud detection software and additionally because of built-in delays designed to prevent frauds such as this would likely be caught by me before the funds actually left the United States because I'm in the habit of checking my accounts on a daily basis.

Whatever security risks mint.com introduces also have to be weighed against the risks that it mitigates against. With mint.com, I check all of my accounts once a day. Without it, on average I'd probably log into my bank account daily, my credit card accounts weekly, and my brokerage accounts once a month or less. If there's a problem with any one of the 15 or so financial accounts I have, I figure I'm much more likely to spot it quickly because I use mint.com than if I did not use it.

That's why I have decided that the security risks are not significant enough to me to stop me from using mint.com.

[crumbgrabber]

Any suggestions for an iPad app for personal finance mgmt? I downloaded mint, but deleted it once it started asking for account details. I'd prefer something closer to spreadsheet where I enter and maintain financial data as opposed to providing access to all the accounts.

What are Boglehead Mac users using for Personal Financial Software? I too am concerned about security and would like the information to be stored on my machine. Just need something to make/track budget, income and expenses. Maybe paying bills online would be nice, but don't at present. Dont't need it to track investments!

I've been happy with iBank. It's missing a few Quicken features but its very stable and all data is on your Mac only. It will also connect to your banks and download transactions.

[Browser]

I tried Mint and loved the automatic transaction downloads but was also concerned with security, so I deleted it. I've been playing around with Moneydance. I still use the sunset edition of MS Money. Moneydance will work on Windows and I think is available as both Apple and Android app as well.

[englishgirl]

I've lost a whole lot more from having my house broken into and my computers stolen than from online fraud. [So far.] I'd rather have things online where I can always access them, than stuck on my computer which someone might walk off with or which might die.

Mint is owned by Intuit. Intuit already knows everything about me because I use Turbotax online. As far as I recall, all the financial institutions I use in the US allow Turbotax to import 1099's and other forms. And they allow mint.com to import all transactions as well. I would think that if they really had a problem with the use of mint or Turbotax, they wouldn't allow such online access, and that if they later cry foul, the fact that they have allowed this to go on for years implies consent to me, no matter what the fine print that they know nobody reads might say.

I'm much more aware of what's going on with my accounts with mint.com. So, I'll keep using it. And Turbotax online. And I've decided to start using Quickbooks online too (yet another Intuit offering). There will soon be absolutely nothing that Intuit doesn't know about me!

Intuit owns Quicken too, by the way.

[Sidney]

on my computer which someone might walk off with or which might die.

Irrespective of whether one uses online data storage, with the tools available today for free there is absolutely no reason why anyone should leave personal data unencrypted on a computer. Laptop computers especially are easy marks. Windows user passwords provide virtually no security.

[englishgirl]

on my computer which someone might walk off with or which might die.

Irrespective of whether one uses online data storage, with the tools available today for free there is absolutely no reason why anyone should leave personal data unencrypted on a computer. Laptop computers especially are easy marks. Windows user passwords provide virtually no security.

Oh, I was more concerned with losing the data, which I had not backed up properly. Some of it was backed up to another device that got stolen at the same time, so that didn't save me. I've learned that lesson and now I store important documents/spreadsheets in Google Drive. But there you go, that's another potential security risk.

[tadamsmar]

I don't understand the security concern here. Even if you gave a stranger your mint login information they could see your accounts but not actually access any of the accounts. Isn't the only risk that someone hacks the mint database that stores all the account infor, but that has the same level of security as bank databases?

If the bank gets hacked the bank reimburses by law and has a big insurance policy to cover this kind if stuff. If Mint gets hacked, they can point at their terms and conditions that explicitly do not represent MINT as fit for anything: "INTUIT MAKES NO REPRESENTATIONS, WARRANTIES OR GUARANTEES, EXPRESS OR IMPLIED, REGARDING THE ACCURACY, RELIABILITY OR COMPLETENESS OF THE CONTENT ON MINT.COM OR OF THE SERVICE (WHETHER OR NOT SPONSORED), AND EXPRESSLY DISCLAIMS ANY WARRANTIES OF NON-INFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE" (capitalization is their's) That's similar to the disclaimer I signed about a hang-glider I was renting.

The hazard is not that somebody gets hacked, the hazard is loss of your money.

[stan1]

For me, near real time monitoring of credit card accounts is the most actionable thing I can do once I've taken care of the basics (like a strong password changed twice per year). Mint posts charges on my credit cards within hours (sometimes minutes), and there is a convenient new transaction counter that shows up with the Mac client application in the menu bar and via notification center. Quicken is slower -- with delays of 24-48 hours for my accounts. I use Mint for near real time situational awareness, and Quicken for long term tracking. I do not give Mint (or CashEdge or any similar service) my investing account passwords.

If you are logging into your account to check for transactions 5 to 7 days per week that's fine, but I don't think updating a spreadsheet once per month after a statement posts is timely enough to minimize the damages/headache fraud could cause if its not detected quickly (by you or by the credit card issuer).

[covertfantom]

For those of you concerned about username and password storage, salting and hashing is almost certainly how mint stores your data. The only time that databases get hacked and there is actual cause for concern is when sensitive data is not salted and hashed.

http://en.m.wikipedia.org/wiki/Salt_(cryptography)

[happymob]

For those of you concerned about username and password storage, salting and hashing is almost certainly how mint stores your data. The only time that databases get hacked and there is actual cause for concern is when sensitive data is not salted and hashed.

http://en.m.wikipedia.org/wiki/Salt_(cryptography)

Not so fast... hashing your account passwords to other sites would make it impossible for Mint to access the other sites (since hashing has no inverse function). So they almost certainly salt and hash your Mint.com password, they almost certainly do not hash your passwords to other sites.

With that said, they probably do encrypt your passwords, so hacking the database is not sufficient to get all your passwords.

[Braumeister]

What are Boglehead Mac users using for Personal Financial Software?

For the last year or so, I've been using Moneydance.
http://www.infinitekind.com/moneydance

It replaced Quicken for me, and has pretty much all the features I want, for both banking and investments. Very stable and useful.

The nice thing about Moneydance is that it runs equally well on Mac, Windows, and Linux.

[wrysys]

does moneydance import vg and fidelity accounts easily? I tried quicken but it required me to manually input so much information, which was what I was trying to avoid. It couldn't handle my regular funds upgraded into admiral. Can you compare quicken vs moneydance?

[Browser]

does moneydance import vg and fidelity accounts easily? I tried quicken but it required me to manually input so much information, which was what I was trying to avoid. It couldn't handle my regular funds upgraded into admiral. Can you compare quicken vs moneydance?

You can get a trial version of Moneydance free at their website to find out yourself.

[ProfessorX]

Everyone needs to decide for him/herself whether the risks outweigh the benefits, but I use mint.com. With respect to the potential TOU violation, I find it difficult to believe that Vanguard, or any other company, would refuse to honor its online fraud policy in the event of a mint.com hacking. It seems to me that the PR effects of refusing to do so would vastly outweigh the benefit to the company. At this point, institutions that are available through mint.com are aware that it is being used and are taking no steps to stop it. In many cases, they appear to be cooperating with mint.com in making the interfaces compatible (you'll see this periodically if you use mint.com regularly--it will stop working for some or other financial institution for a period of a several days, and customer service will come on and say they are "working with the institution" to resolve some sort of technical compatibility issue). Companies can (and some actually do) block access by mint.com to their accounts, so at this point any institution available through mint.com is there by choice.

This isn't to say that companies are legally just as responsible for a mint.com hacking as they would be for a hacking of their own databases--it's just to say that it would be very hard for them from a public relations standpoint to claim that your use of mint.com voided their fraud protection warranty such that they have no obligation to make you whole. If I heard that, e.g., Vanguard had done this to another consumer, I'd remove all of my funds from Vanguard immediately because I'd take it as a sign that Vanguard was not seriously committed to consumer fraud protection.

On top of that, it's hard for me to imagine catastrophic personal consequences even to a full hacking of all my passwords on mint.com. What exactly would someone do with my Fidelity password? I suppose they could add another bank account (their own) and transfer money out. Alternatively, they could transfer the money to the existing bank account (mine) and with my bank password then initiate an electronic funds transfer to their own overseas accounts. Neither of these is an instantaneous process, both should be caught by the company's own fraud detection software and additionally because of built-in delays designed to prevent frauds such as this would likely be caught by me before the funds actually left the United States because I'm in the habit of checking my accounts on a daily basis.

Whatever security risks mint.com introduces also have to be weighed against the risks that it mitigates against. With mint.com, I check all of my accounts once a day. Without it, on average I'd probably log into my bank account daily, my credit card accounts weekly, and my brokerage accounts once a month or less. If there's a problem with any one of the 15 or so financial accounts I have, I figure I'm much more likely to spot it quickly because I use mint.com than if I did not use it.

That's why I have decided that the security risks are not significant enough to me to stop me from using mint.com.

This is more or less what I think too. There are security advantages to having a service like MINT as in that it enables you to check your balances and your transactions daily. I can look at my CC transactions as they post, and MINT makes this very easy. Otherwise I would just check the transactions during statement time, and may not be able to recall whether or not some charge is legitimate a month later...

[tadamsmar]

Everyone needs to decide for him/herself whether the risks outweigh the benefits, but I use mint.com. With respect to the potential TOU violation, I find it difficult to believe that Vanguard, or any other company, would refuse to honor its online fraud policy in the event of a mint.com hacking. It seems to me that the PR effects of refusing to do so would vastly outweigh the benefit to the company. At this point, institutions that are available through mint.com are aware that it is being used and are taking no steps to stop it. In many cases, they appear to be cooperating with mint.com in making the interfaces compatible (you'll see this periodically if you use mint.com regularly--it will stop working for some or other financial institution for a period of a several days, and customer service will come on and say they are "working with the institution" to resolve some sort of technical compatibility issue). Companies can (and some actually do) block access by mint.com to their accounts, so at this point any institution available through mint.com is there by choice.

This isn't to say that companies are legally just as responsible for a mint.com hacking as they would be for a hacking of their own databases--it's just to say that it would be very hard for them from a public relations standpoint to claim that your use of mint.com voided their fraud protection warranty such that they have no obligation to make you whole. If I heard that, e.g., Vanguard had done this to another consumer, I'd remove all of my funds from Vanguard immediately because I'd take it as a sign that Vanguard was not seriously committed to consumer fraud protection.

On top of that, it's hard for me to imagine catastrophic personal consequences even to a full hacking of all my passwords on mint.com. What exactly would someone do with my Fidelity password? I suppose they could add another bank account (their own) and transfer money out. Alternatively, they could transfer the money to the existing bank account (mine) and with my bank password then initiate an electronic funds transfer to their own overseas accounts. Neither of these is an instantaneous process, both should be caught by the company's own fraud detection software and additionally because of built-in delays designed to prevent frauds such as this would likely be caught by me before the funds actually left the United States because I'm in the habit of checking my accounts on a daily basis.

Whatever security risks mint.com introduces also have to be weighed against the risks that it mitigates against. With mint.com, I check all of my accounts once a day. Without it, on average I'd probably log into my bank account daily, my credit card accounts weekly, and my brokerage accounts once a month or less. If there's a problem with any one of the 15 or so financial accounts I have, I figure I'm much more likely to spot it quickly because I use mint.com than if I did not use it.

That's why I have decided that the security risks are not significant enough to me to stop me from using mint.com.

You are arguing from at least one false premise. Some Fidelity brokerage accounts have been drained with no delay:

http://www.theregister.co.uk/2008/09/10 ... an_jailed/

[ProfessorX]

You are arguing from at least one false premise. Some Fidelity brokerage accounts have been drained with no delay:

http://www.theregister.co.uk/2008/09/10 ... an_jailed/

The article that you have linked to does not say that "Some Fidelity brokerage accounts have been drained with no delay".

It is about a pump and dump scam where someone broke into lots of accounts, sold the owners holdings, and traded within those accounts (without draining the account) to pump up the stock price of some worthless security. Then they dumped their personal holdings in this worthless security for a massive profit.

If you own mutual funds, then your holdings can only be traded once at the end of the day. If you are monitoring with mint, then you would catch it.

Presumably this hacker got the passwords without trying to hack some account aggregator site. MINT would die a quick death virtually overnight if it was found out that people lost money because their passwords were hacked from MINT. They have the highest motivation possible to ensure that it doesn't happen...

[ciscovp]

Any suggestions for an iPad app for personal finance mgmt? I downloaded mint, but deleted it once it started asking for account details. I'd prefer something closer to spreadsheet where I enter and maintain financial data as opposed to providing access to all the accounts.

What are Boglehead Mac users using for Personal Financial Software? I too am concerned about security and would like the information to be stored on my machine. Just need something to make/track budget, income and expenses. Maybe paying bills online would be nice, but don't at present. Dont't need it to track investments!

Check out GnuCash. It works with Mac and it is free.

There is also GnuCash app for Android.

[Rainier]

If you don't trust mint, don't use it and move on. People worry about different things, some more than others.

[RobInCT]

You are arguing from at least one false premise. Some Fidelity brokerage accounts have been drained with no delay:

http://www.theregister.co.uk/2008/09/10 ... an_jailed/

I don't read that article the same way you do. The scheme I understand it to be describing is one in which the fraudster accessed legitimate accounts and executed legitimate, if unauthorized, trades within those accounts for the purpose of driving up the price of a particular account. That's different to me than "draining" an account, which I would understand to mean transferring funds out of the account. The victims in question still had all their money, although admittedly potentially a reduced quantity of it if someone had used their account to purchase junk stocks. I say "potentially" because at least some of these people--the ones who "got in early" on the junk stock and noticed it quickly--presumably PROFITED from the stock run-up. Though in practical effect, I'm going to guess fidelity just reverted all the trades. If someone tried such a thing with my fidelity account now, I would assume a couple of things: a) I would get an instantaneous email confirmation of "my" trades, which would cause me to call Fidelity immediately (an individual in your account would be able to change your email address, but that action should ALSO trigger an alert), b) even in the event of a failure of a) because I used mint.com, it would take me less than a day to figure out what had happened and alert the authorities, whereas without mint.com I wouldn't notice for weeks.

I don't take a firm position on this because I understand risks run both ways, and it's difficult to gauge what the "riskier" course of action is without more data than any of us is likely to have access to. I once had a credit card number hacked and was able to detect the fraud before I got hit with thousands of dollars in fraudulent charges (unlike many other people whose numbers were hacked by the same group of people) because I caught the initial, very small, fraudulent charge very quickly.

Obviously, anecdotes are not statistics, but that's another reason I think even in the event of a mint.com hacking it would be difficult for companies to disclaim all liability. By catching the people who hacked my credit card number early, I saved the bank thousands of dollars. I'm sure they were glad I was a mint.com user. That's likely one of, but not the only, reasons that financial institutions appear to be so cooperative with mint.com. Over the long run, I suspect that they have figured it's likely to save them more money than it costs them if it gets people to catch fraud earlier.

Anyway, these are just my thoughts. It's an interesting discussion but at the end of the day probably pretty hard to compare--it's kind of like comparing the damage from car accidents to the damage from nuclear terrorism. The kinds of frauds that mint.com reduces your exposure to are the kinds of low-level annoyance frauds we know happen on a regular basis--co-worker steals your credit card number, keystroke logger rips off your bank account password, etc. The potential hacking of the mint.com database itself, on the other hand, is a (seemingly) low-probability event that, if it happened, could have catastrophic consequences whose impact would be difficult to estimate. It's really hard to compare the risks of the two events, and at the end of the day, everyone has to choose for themselves where their comfort level is.

[tadamsmar]

It seems to me that the PR effects of refusing to do so would vastly outweigh the benefit to the company.

The company could offer you settlement where you had to sign a non-disclosure agreement for a payment less that full reimbursement, and you lawyers could tell you it was the best offer you are going to get. PR effects neutralized.

[RobInCT]

The company could offer you settlement where you had to sign a non-disclosure agreement for a payment less that full reimbursement, and you lawyers could tell you it was the best offer you are going to get. PR effects neutralized.

If mint.com itself were hacked, the company would have a legal obligation to disclose this information to each and every member whose information was or may have been compromised. You can't keep anything that big quiet. See, e.g. linkedin.

NB: This is especially true when you consider that some pretty substantial number of mint.com "users" probably have 0 account information (blank accounts form a pretty substantial portion of any online service account database), and some others would have compromised passwords but 0 loss (because realistically hackers aren't going to be able to get to the money of EVERY compromised account holder). These individuals, having suffered 0 loss, have no reason to be offered a settlement and no incentive to keep quiet.

[Jake46]

Any suggestions for an iPad app for personal finance mgmt? I downloaded mint, but deleted it once it started asking for account details. I'd prefer something closer to spreadsheet where I enter and maintain financial data as opposed to providing access to all the accounts.

What are Boglehead Mac users using for Personal Financial Software? I too am concerned about security and would like the information to be stored on my machine. Just need something to make/track budget, income and expenses. Maybe paying bills online would be nice, but don't at present. Dont't need it to track investments!

I've been happy with iBank. It's missing a few Quicken features but its very stable and all data is on your Mac only. It will also connect to your banks and download transactions.

+1. Former Quicken user. Been using iBank for two years & very pleased.

[bridenour]

I started using Mint a couple of years ago and eventually gave up because it wasn't integrating well with all my financial institutions.

Anyway, back then i was trying to use it to get a "complete picture."


I just started reusing it today just to track and categorize my expenses, primarily from my AMEX card. The auto-categorization is just nice, and i'll use that as output to my manual budget tracking spreadsheets to see how well we're sticking to it.

I was doing this manually and having to manually categorize literally thousands of transactions was consuming multiple hours each month.

[tadamsmar]

The company could offer you settlement where you had to sign a non-disclosure agreement for a payment less that full reimbursement, and you lawyers could tell you it was the best offer you are going to get. PR effects neutralized.

If mint.com itself were hacked, the company would have a legal obligation to disclose this information to each and every member whose information was or may have been compromised. You can't keep anything that big quiet. See, e.g. linkedin.

NB: This is especially true when you consider that some pretty substantial number of mint.com "users" probably have 0 account information (blank accounts form a pretty substantial portion of any online service account database), and some others would have compromised passwords but 0 loss (because realistically hackers aren't going to be able to get to the money of EVERY compromised account holder). These individuals, having suffered 0 loss, have no reason to be offered a settlement and no incentive to keep quiet.

But how about the more likely case where Mint was not hacked?

It more likely that a breach would happen when you were in the act of sharing your login credentials (thereby voiding your reimbursement agreement). A Trojan on the computer you are using is a much bigger threat. Take a closer look at Vanguard's fraud policy. They are going to ask for access to your PC and it's your responsibility under the agreement to provide it. Lots of stuff on your computer is time-stamped so they might be able to prove that the breach occurred the very moment that you shared your password in violation of your agreement.

[tadamsmar]

At this point, institutions that are available through mint.com are aware that it is being used and are taking no steps to stop it. In many cases, they appear to be cooperating with mint.com in making the interfaces compatible (you'll see this periodically if you use mint.com regularly--it will stop working for some or other financial institution for a period of a several days, and customer service will come on and say they are "working with the institution" to resolve some sort of technical compatibility issue). Companies can (and some actually do) block access by mint.com to their accounts, so at this point any institution available through mint.com is there by choice.

If you read Mint terms, you will find that you have granted them limited power of attorney to access the account for which you have shared login credentials. That's why the institutions being accessed don't care, they are not on the hook for a cent, legally.

You should at least skim Mint terms and read the parts that are highlighted by being in in all capitalizations.

[Browser]

I've never understood the line of argument that justifies doing one thing because another thing is just as risky. For example, I've heard people say that you shouldn't really be worried about flying in airplanes because it's likelier that you'll get killed in a car accident than a plane accident. But if you wanted to lower your odds of getting killed while travelling then it seems to me you should avoid travelling in both autos and airplanes. Applying this analogy to using Mint, I just can't see the point that it's OK to use Mint because there are other security risks using computers online that are lurking out there that are even worse. Does using Mint actually lower any of those other risks? Not that I know of. Does using Mint add incremental risk to the risks that are already out there? Yes, probably. So - if you want to try to keep your risk profile as low as possible, don't use Mint. Even better - don't use Mint and look into ways to better control the other risks that are out there too...

[RobInCT]

A Trojan on the computer you are using is a much bigger threat.

A Trojan on your computer lifting your Vanguard password when you enter it into Mint.com isn't going to void Vanguard's anti-fraud policy any more than a Trojan lifting your password when logging into Vanguard directly would. If they're getting your password via keystroke, Vanguard is not going to have any idea at what point the Trojan got your password. Unless you're arguing that Vanguard would routinely deny any and all fraud claims by anyone who it can see from its logs has accessed its site using mint.com on the grounds that that person has violated Vanguard's TOU? I guess that's plausible, but I find it highly unlikely they'd be able to keep it quiet.

Additionally, people using mint.com are actually LESS susceptible to things lie Trojans because we only enter our mint.com password, and our mint.com password gets you nothing but read-only account access. Far more at risk from Trojans are people who repeatedly enter their actual financial passwords.

You should at least skim Mint terms and read the parts that are highlighted by being in in all capitalizations.

Good point and good reminder.

I've never understood the line of argument that justifies doing one thing because another thing is just as risky. For example, I've heard people say that you shouldn't really be worried about flying in airplanes because it's likelier that you'll get killed in a car accident than a plane accident. But if you wanted to lower your odds of getting killed while travelling then it seems to me you should avoid travelling in both autos and airplanes.

Good advice for the .01% of the population who has the luxury of never having to leave their houses? I guess you're right, I could minimize my risk of electronic fraud by not having any online accounts, period, but this seems to me an impractical solution given the state of the world.

[Carls]

...
On top of that, it's hard for me to imagine catastrophic personal consequences even to a full hacking of all my passwords on mint.com. What exactly would someone do with my Fidelity password? I suppose they could add another bank account (their own) and transfer money out. Alternatively, they could transfer the money to the existing bank account (mine) and with my bank password then initiate an electronic funds transfer to their own overseas accounts..

Good comment - besides, ironically, Fidelity offers the same functionality in their "FullView" screen !

Maybe someone can clarify with some details here, but all these services (FullView, MINT, Quicken, and MSMoney) tap into the services of Yodlee - a banking data aggregator that works with US _and_ Canadian banks. MINT is simply a front-end, like FullView, etc. That's why MINT is perfectly honest when they say they don't know anything about your sign-on data by accounts. They don't - that part is up to Yodlee and that company has already brokered deals with your bank. Because (prepare yourself) your bank gets paid and their credit card gets paid to give them your personal shopping and spending data. You'll find this spelled out in the "privacy disclosure" that tells you what your bank will allow you to opt out of. (Obligatory notices from US banks should have recently been mailed to you.)

So it's your bank, not MINT that is causing you the privacy concerns. As for your security concerns, that's Yodlee's concern, and they are already handling your bank's data security. The reason for using MINT or FullView, etc. is for the alerts they send out that can protect you to the extent that you get online quickly and change passwords or freeze accounts. And that is very good security and one I wouldn't live without.

Carls

[livesoft]

Carls, I'll tell you about MSMoney as I use it: It doesn't have my account numbers nor any account passwords and does not download anything, but quotes for my ticker symbols via the internet. I don't see it as a security risk.

[pennstater2005]

I don't understand the security concern here. Even if you gave a stranger your mint login information they could see your accounts but not actually access any of the accounts. Isn't the only risk that someone hacks the mint database that stores all the account infor, but that has the same level of security as bank databases?

Yes but one bank doesn't have every password for every account you own. Giving one company access to every dollar of my liquid net worth seems like a very bad idea.

This is why I deleted my account. Although I do have my bank information stored at many sites for online payments and know there is a possibility for any of these accounts to be hacked. I just didn't like having literally everything linked to one site. Not sure why I tried it in the first place.

[blevine]

Can't compare turbotax and mint as suggested above. You do not have to give acct numbers to turbotax. I use TurboTax online but not mint. One thing to risk privacy but another passwords to all your accounts.

There were also comments about ease of monitoring. All my bank Accts have email alerts which tell me of anything I want to monitor. No need to check mint daily.

[Epsilon Delta]

Yes but one bank doesn't have every password for every account you own. Giving one company access to every dollar of my liquid net worth seems like a very bad idea.

This is why I deleted my account. Although I do have my bank information stored at many sites for online payments and know there is a possibility for any of these accounts to be hacked. I just didn't like having literally everything linked to one site. Not sure why I tried it in the first place.

Have you considered changing all your passwords? If you don't quite trust Mint.com to keep your passwords safe do you trust them to delete them properly? Things like old backups can make deleting data hard to get right.

[pennstater2005]

Yes but one bank doesn't have every password for every account you own. Giving one company access to every dollar of my liquid net worth seems like a very bad idea.

This is why I deleted my account. Although I do have my bank information stored at many sites for online payments and know there is a possibility for any of these accounts to be hacked. I just didn't like having literally everything linked to one site. Not sure why I tried it in the first place.

Have you considered changing all your passwords? If you don't quite trust Mint.com to keep your passwords safe do you trust them to delete them properly? Things like old backups can make deleting data hard to get right.

I have considered that. I am terrible at changing passwords, especially on a regular basis. Quite a few of my accounts have the same password and that is a bad thing. I would never remember all of them and I don't particularly like the idea of having a list of them in my house.

[RobInCT]

I am terrible at changing passwords, especially on a regular basis. Quite a few of my accounts have the same password and that is a bad thing. I would never remember all of them and I don't particularly like the idea of having a list of them in my house.

As a tip, I have a physical list, and it's in code. All of my passwords are a combination of letters and numbers. The numbers are all related to a master number that is known only to me, and only their relationship to the master number is recorded in my physical password list.

So, for example, if I had a "master number" of 2000, and my Vanguard Password was Yankees1983, my list would say Yankees-17. For Fidelity it might be 1000Giants, so I'd write /2Giants. I don't write the master number down. It's not a perfect system, but it's strong enough to protect against people who might casually stumble across it. And less of a risk than using the same passwords all over the place and never changing them. Let's face it--the kind of people who might accidentally gain access to the papers in your desk are not likely to also happen to be be sophisticated computer hackers who will decode your system and write programs that will try hundreds of combinations in order to figure out what your "master" number is.

I also don't write out the names of the institutions (just use first letters), so someone who accidentally found it who wasn't looking might not realize it was a financial institutions password list.

Another tip the security-conscious should use for protecting access to financial sites: search for your most commonly used password/passwords in your gmail/hotmail/yahoo inbox. A fairly stunning number of sites actually send you your password (as opposed to a reset password link) when you click "forgot password." For any number of reasons, your email inbox is significantly more likely to be compromised than your bank accounts, and if your password is anywhere stored in your inbox, that's a much bigger security risk than storing your passwords at mint.com.

[tfb]

Maybe someone can clarify with some details here, but all these services (FullView, MINT, Quicken, and MSMoney) tap into the services of Yodlee - a banking data aggregator that works with US _and_ Canadian banks. MINT is simply a front-end, like FullView, etc.

This is not true. Mint doesn't use Yodlee. Quicken doesn't use Yodlee. Microsoft Money didn't use Yodlee if the bank supported a direct OFX interface (before it discontinued all downloads). Only FullView uses Yodlee.

[Sidney]

I have considered that. I am terrible at changing passwords, especially on a regular basis. Quite a few of my accounts have the same password and that is a bad thing. I would never remember all of them and I don't particularly like the idea of having a list of them in my house.

Use an encrypted password database. KeePass is an easy one to use but there are others. Establish one very secure key or that database that you remember. The rest of your passwords, secret questions etc can be retained in the database.

http://keepass.info/index.html

[mickcris]

Maybe someone can clarify with some details here, but all these services (FullView, MINT, Quicken, and MSMoney) tap into the services of Yodlee - a banking data aggregator that works with US _and_ Canadian banks. MINT is simply a front-end, like FullView, etc.

This is not true. Mint doesn't use Yodlee. Quicken doesn't use Yodlee. Microsoft Money didn't use Yodlee if the bank supported a direct OFX interface (before it discontinued all downloads). Only FullView uses Yodlee.

Mint used to used Yodlee:
http://techcrunch.com/2009/09/18/mint-i ... s-youtube/

Does not Vanguard have a similar service, but are not allowing new signups for it? Bank of America, I think also uses Yodlee for its similar service (i forget what its called).

[tadamsmar]

I have been using Mint recently to manage my bank and credit card accounts. But I find it hard to justify using it to aggregate my retirement accounts basically because they represent a huge proportion of my net worth. I grant that the probability of loss is low, but the financial impact would be high. The probability of some sort of breach (probably due to a trojan on my own computer) is higher than the probability of loss. If there was a breach, Vanguard explicitly requires your cooperation which would involve telling them you share your login credentials if they ask, and the same probably goes for other mutual fund companies. At the least, it would be nerve wracking to know that you failed to do the things required to keep your fraud protection in force.

I think your bank and credit card accounts are protected by federal law in the US, so your only responsibility is to report any unauthorized transactions in a timely fashion. The time limit is within 60 days. I think the clock starts counting when your monthly statement is available.