Using Mint: Am I correct in having my security concerns allayed?

Counterpoint
Posts: 50
Joined: Sun Jun 05, 2016 1:42 pm

Using Mint: Am I correct in having my security concerns allayed?

Post by Counterpoint » Mon Sep 03, 2018 7:12 am

I was wary of using financial aggregators because of concerns of having my passwords stored with them, which could conceivably lead to unauthorized transactions executed if the aggregator was hacked into. There’s a tradeoff between the benefits of aggregators (which vary depending on individual needs) versus this risk (and the annoyance of being marketed to). In our case, we are just looking for a more efficient way of tracking our overall expenses (on our credit cards and bank accounts), and not tracking our investments which are very straightforward (3 fund approach). In our case, the risk did not seem worth the benefits, especially after Equifax.

Recently I saw that Mint has moved to OAuth (Open System for Authentication) where they do not request or keep your passwords, but instead you authorize your credit card companies and banks to provide them with read-only access to your transaction and balances data. There’s a good explanation of this on a recent BH post - I don’t know how to quote it, but here’s the link:

viewtopic.php?p=4094257&sid=e0d05f83e22 ... 1#p4094257

I’d be a lot more comfortable with using an aggregator like Mint that uses OAuth than the old model where passwords were stored by them. As I see it, even if Mint gets hacked now, what would be compromised is my transaction data - but there would be no ability to undertake transactions, nor even revealing information like bank account numbers or social security numbers. Am I understanding this correctly? Are there risks here that I’m not seeing?
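A toy model of the distinction this post draws, added here as an illustration and not code from Mint, any bank, or the original poster: a password lets whoever holds it do anything, while a delegated OAuth-style grant is limited to the scopes the user approved at the bank and can be revoked there. Scope names, the `Bank` class and the sample ledger are all constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Scopes a user may delegate to an aggregator (hypothetical names; real banks
# define their own). Nothing in this set can move money or change settings.
READ_SCOPES = frozenset({"accounts:read", "transactions:read"})


@dataclass
class Grant:
    user: str
    client: str
    scopes: frozenset
    revoked: bool = False


def _digest(secret: str) -> str:
    # Store only a hash of the password or bearer token, so a copy of the
    # table does not by itself yield a usable credential.
    return hashlib.sha256(secret.encode()).hexdigest()


class Bank:
    """Toy bank: password login gives full access; an OAuth-style grant gives
    only the scopes the user approved, and the user can revoke it at the bank."""

    def __init__(self) -> None:
        self._passwords = {}   # user -> password hash
        self._grants = {}      # token hash -> Grant
        self.ledger = {"alice": {"balance": 1200}}  # constructed sample data

    def register(self, user: str, password: str) -> None:
        self._passwords[user] = _digest(password)

    def with_password(self, user: str, password: str, action: str):
        """Credential-sharing path: anyone holding the password can do anything."""
        if self._passwords.get(user) != _digest(password):
            return False, "bad credentials"
        if action == "transfers:create":
            self.ledger[user]["balance"] -= 100
            return True, "transfer executed"
        return True, self.ledger[user]["balance"]

    def authorize(self, user: str, client: str, scopes: set) -> str:
        """Consent step performed at the bank; the client never sees the password."""
        if not scopes <= READ_SCOPES:
            raise ValueError("only read-only scopes can be delegated")
        token = secrets.token_urlsafe(32)
        self._grants[_digest(token)] = Grant(user, client, frozenset(scopes))
        return token

    def revoke(self, user: str, client: str) -> int:
        """The 'revoke access' button: invalidates every grant for that client."""
        hits = [g for g in self._grants.values()
                if g.user == user and g.client == client and not g.revoked]
        for g in hits:
            g.revoked = True
        return len(hits)

    def api(self, token: str, action: str):
        """Resource endpoint: validates the token and its scope before acting."""
        grant = self._grants.get(_digest(token))
        if grant is None or grant.revoked:
            return False, "unknown or revoked token"
        if action not in grant.scopes:
            return False, "scope not granted: " + action
        return True, self.ledger[grant.user]["balance"]
```

Walking the model through a breach scenario shows the difference: a leaked token answers read requests only until the user revokes it, whereas a leaked password also executes transfers.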

student
Posts: 4059
Joined: Fri Apr 03, 2015 6:58 am

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by student » Mon Sep 03, 2018 7:15 am

I share your concerns. I use places like Personal Capital to manually add the accounts and not ask it to fetch the data.

GoldStar
Posts: 957
Joined: Wed May 23, 2018 10:59 am

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by GoldStar » Mon Sep 03, 2018 7:35 am

The problem with some security risks is that you don't know what they are until after they have been exploited.

Leemiller
Posts: 1243
Joined: Sat Jun 01, 2013 12:42 pm

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by Leemiller » Mon Sep 03, 2018 7:58 am

I only use mint to track spending, but I think you have the gist of it right. The Treasury department issued a report on fintech and it has a section on data aggregators and risks. It goes straight to this issue. I will say I don’t use mint for my investing accounts, just checking and credit cards.

Counterpoint
Posts: 50
Joined: Sun Jun 05, 2016 1:42 pm

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by Counterpoint » Mon Sep 03, 2018 9:35 am

Leemiller wrote:
Mon Sep 03, 2018 7:58 am
I only use mint to track spending, but I think you have the gist of it right. The Treasury department issued a report on fintech and it has a section on data aggregators and risks. It goes straight to this issue. I will say I don’t use mint for my investing accounts, just checking and credit cards.
Thanks for the info on the Treasury report (of which more below). What are your reasons for not using Mint for your investing accounts?

On the Treasury report issued a month ago - the chapter on Consumer Financial Data (and Data Aggregation) is very useful as a primer on the structure of the data aggregation/fintech industry and some of the macro benefits and risks. Here's the link to the report for anyone interested:

https://home.treasury.gov/sites/default ... tion_0.pdf

I found the following section particularly relevant to my question ("Screen-scraping" refers to the method used after you provide your login and password to the Financial Aggregator; "APIs" or Application Programming Interfaces is the method used now by Mint, where you don't need to provide your logins and passwords). It confirms my understanding that the (API-based) system that Mint currently uses is more secure than the screen-scraping methods used by many others (including I believe Personal Capital and Quicken). Note that the concerns about API mentioned below do not relate to security but rather to resistance from financial firms due to a change in relative market power and questions of liability between the aggregators and financial firms.

"Moving Away from Screen-Scraping to More Secure Access Methods

The practice of using login credentials for screen-scraping poses significant security risks, which have been recognized for nearly two decades.74 Screen-scraping increases cybersecurity and fraud risks as consumers provide their login credentials to access fintech applications. During outreach meetings with Treasury, there was universal agreement among financial services companies, data aggregators, consumer fintech application providers, consumer advocates, and regulators that the sharing of login credentials constitutes a highly risky practice.

APIs are a potentially more secure method of accessing financial account and transaction data than screen-scraping. A number of foreign jurisdictions have opted to promote access through APIs, in part due to security concerns. The United Kingdom, through its open banking initiative, has specified regulatory standards for data sharing through APIs.75 The European Union has adopted the Revised Payment Service Directive (PSD2), which requires banks to grant licensed third-party payment service providers access to bank infrastructure and account data. PSD2 also contemplates the standardization of APIs.76 Singapore has encouraged the use of bank APIs but has not made it a regulatory mandate.77

Data aggregators and consumer fintech application providers have expressed reservations with an API approach. They claim, for example, that their efforts to work with financial services companies to do away with screen-scraping have for the most part been met with resistance, and that financial services companies have largely refused to enable direct access to their data or to set up open APIs.78 There are concerns that without some sort of industry standard or regulatory guidance, API access could be restricted to certain types of data dictated by the financial services company, as opposed to the consumer, susceptible to unexpected interruptions and terminations, and subject to unreasonable and disproportionate liability."

Leemiller
Posts: 1243
Joined: Sat Jun 01, 2013 12:42 pm

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by Leemiller » Sat Oct 20, 2018 7:00 pm

I just don’t want too much of my financial information in one place. I do use Morningstar to track some of my investments though.

djheini
Posts: 73
Joined: Fri Jul 29, 2016 5:53 pm

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by djheini » Sat Oct 20, 2018 7:28 pm

OAuth and APIs are for sure the better way to go; the problem is that most banks don't support it (Capital One is the only one I've seen that does). This is because it puts the technical work and support costs on the bank's side, rather than the current typical model of the aggregators having to do the work to read from the banks' websites.

inbox788
Posts: 6594
Joined: Thu Mar 15, 2012 5:24 pm

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by inbox788 » Sat Oct 20, 2018 7:48 pm

Counterpoint wrote:
Mon Sep 03, 2018 9:35 am
Data aggregators and consumer fintech application providers have expressed reservations with an API approach. They claim, for example, that their efforts to work with financial services companies to do away with screen-scraping have for the most part been met with resistance, and that financial services companies have largely refused to enable direct access to their data or to set up open APIs.78 There are concerns that without some sort of industry standard or regulatory guidance, API access could be restricted to certain types of data dictated by the financial services company, as opposed to the consumer, susceptible to unexpected interruptions and terminations, and subject to unreasonable and disproportionate liability."
Many companies don't want to play ball and that's been the main problem with APIs that led to screen-scraping. Is Mint only API now? The website doesn't say much that I was able to find. Is there a list of institutions that they interface with without downloading the app and signing up? What fraction of your accounts does Mint supply aggregation via APIs?
Why does Mint need my login information?

We need your login user name and passwords so that we can help you organize and manage your accounts. We use this information to establish a secure connection with your financial institution or credit card company. This enables us to download and categorize your transaction information securely and automatically.
https://www.mint.com/how-mint-works/security

furwut
Posts: 1522
Joined: Tue Jun 05, 2012 8:54 pm

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by furwut » Sat Oct 20, 2018 7:51 pm

Banks don’t want you logging onto aggregator sites like Mint and, possibly, being sold cross products for Mint’s benefit. They’d rather you directly log on to their site so they can sell you stuff that profits them.

I’ve used Mint for years but, right now, I’m switching my primary bank to Ally and have just discovered, mid-transfer, that Ally won’t support Mint. :annoyed

I do want to simplify my accounts, but the beauty of Mint was that, no matter how complicated, there was one place I could go to see all my spending. Even if I consolidated on Ally I will still hold several outside credit cards. Without Mint in the picture I will have to individually log on to each and every one now to see my transactions.

3feetpete
Posts: 388
Joined: Sun Dec 14, 2014 7:30 pm

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by 3feetpete » Sat Oct 20, 2018 10:22 pm

I use Mint only to track expenditures not portfolio. So credit cards and a checking account that I don’t keep more than a few thousand in. I’m not too worried about them getting hacked but if they are there is not much damage that can be done.

djheini
Posts: 73
Joined: Fri Jul 29, 2016 5:53 pm

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by djheini » Sat Oct 20, 2018 10:38 pm

inbox788 wrote:
Sat Oct 20, 2018 7:48 pm
Many companies don't want to play ball and that's been the main problem with APIs that led to screen-scraping. Is Mint only API now? The website doesn't say much that I was able to find. Is there a list of institutions that they interface with without downloading the app and signing up? What fraction of your accounts does Mint supply aggregation via APIs?
from https://help.mint.com/Accounts-and-Tran ... ctions.htm
We’re negotiating contracts with individual banks to change the way we connect to them. This is why you’ll see only some of your banks offering this new connection, at least for now.

So far, Chase Bank and Bank of America, and Capital One have agreed to move toward a better connection for Mint customers. Look for more improved connections in the future.

inbox788
Posts: 6594
Joined: Thu Mar 15, 2012 5:24 pm

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by inbox788 » Sun Oct 21, 2018 12:29 am

djheini wrote:
Sat Oct 20, 2018 10:38 pm
inbox788 wrote:
Sat Oct 20, 2018 7:48 pm
Many companies don't want to play ball and that's been the main problem with APIs that led to screen-scraping. Is Mint only API now? The website doesn't say much that I was able to find. Is there a list of institutions that they interface with without downloading the app and signing up? What fraction of your accounts does Mint supply aggregation via APIs?
from https://help.mint.com/Accounts-and-Tran ... ctions.htm
We’re negotiating contracts with individual banks to change the way we connect to them. This is why you’ll see only some of your banks offering this new connection, at least for now.

So far, Chase Bank and Bank of America, and Capital One have agreed to move toward a better connection for Mint customers. Look for more improved connections in the future.
Thank you! It's a short list, but at least I won't be signing up for nothing. I hope this initiative is successful and rolls out quickly to many other institutions. I got tired of constantly having to update one or another linkage that got broken since the last time I had logged in. I was spending way too much time linking and re-linking accounts. I began neglecting the airline and hotel points, then credit cards, and finally just gave up. On the positive side, I did close about half my accounts, mostly low-yield ones, and I'm going to keep a high threshold for adding more. Still, a well-working data aggregator is desirable, but I won't be holding my breath. Just testing it out hoping it will mature into a usable product.

Quick followup. Took a look and it's fairly quick for what it does, but doesn't seem that useful to me, and I won't be adding more accounts for now. It might be helpful to accumulate transactions from various accounts and create and track a budget and spending. Don't think it does airline and hotel points, so have to track that elsewhere. I may take a look at how it handles bills and whether I can pay bills here or have to go to the banking site to set that up. Too many embedded ads that are repetitive and bounce back after you've closed them down. And they're everywhere. No way to delete categories I won't be using. It's like Fidelity, where each screen is very busy and there are lots of menus and submenus and sub-sub menus. I'd like a simpler organization, and Capital One seems to be going the right way.

I linked up my accounts at Capital One and Bank of America. I had to provide my username and password in a window that wasn't clear whether it was at mint.com or my bank. It wasn't clear at all that it was using API login vs. storing my username and password. Trying to add other accounts (Vanguard, Fidelity, etc.) presented similar screens, and I didn't go through with it. At capitalone.com, I was able to find the 3rd party permission and the button to revoke access if I chose to do so. I could NOT find anything at bankofamerica.com, so I suspect it's still scraping data and using my login credentials. Come to think of it, I did approve something at capital one that was different from the way bank of america handled the link. It went quickly, so I didn't pay too much attention.

Cobra Commander
Posts: 174
Joined: Tue Mar 14, 2017 11:09 am

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by Cobra Commander » Sun Oct 21, 2018 7:51 am

furwut wrote:
Sat Oct 20, 2018 7:51 pm
Banks don’t want you logging onto aggregator sites like Mint and, possibly, being sold cross products for Mint’s benefit. They’d rather you directly log on to their site so they can sell you stuff that profits them.

I’ve used Mint for years but, right now, I’m switching my primary bank to Ally and have just discovered, mid-transfer, that Ally won’t support Mint. :annoyed

I do want to simplify my accounts, but the beauty of Mint was that, no matter how complicated, there was one place I could go to see all my spending. Even if I consolidated on Ally I will still hold several outside credit cards. Without Mint in the picture I will have to individually log on to each and every one now to see my transactions.
I have Ally and Mint works with it for me. Not sure if it has the higher security feature referred to in this thread though.

terran
Posts: 1017
Joined: Sat Jan 10, 2015 10:50 pm

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by terran » Sun Oct 21, 2018 9:23 am

My thinking on this is companies get hacked all the time. If the companies at which I have financial accounts get hacked that's on them, if Mint/Personal Capital/etc get hacked and I gave them usernames and passwords to log in to my financial accounts against the terms of service of those financial companies that's on me -- the financial companies aren't going to do anything for me. If the financial companies would give me a "read only" login (one that could see balances, but not make changes) I would feel differently.

3feetpete
Posts: 388
Joined: Sun Dec 14, 2014 7:30 pm

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by 3feetpete » Sun Oct 21, 2018 9:43 am

My Capital One credit card is set up so that I get a text whenever a charge is made. The text arrives within seconds of the charge being made, so if I ever see a false charge I have plenty of time to cancel it before any money changes hands. If Mint gets hacked and someone gets ahold of my Capital One data, they won't get anything.

nisiprius
Advisory Board
Posts: 39285
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by nisiprius » Sun Oct 21, 2018 9:50 am

(Deleted, misunderstood). I guess the question is how many financial institutions support OAuth, and whether you feel there is a risk simply in disclosing read-only access. You might want to listen to the podcast, Anatomy of a Scam, and, in particular note how important it is to scam artists to know how much money you have, so that they set the "price" of their phony "service" to about that amount.
Last edited by nisiprius on Sun Oct 21, 2018 10:03 am, edited 3 times in total.

Thrifty Femme
Posts: 375
Joined: Sun Apr 12, 2015 1:54 pm

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by Thrifty Femme » Sun Oct 21, 2018 9:58 am

terran wrote:
Sun Oct 21, 2018 9:23 am
My thinking on this is companies get hacked all the time. If the companies at which I have financial accounts get hacked that's on them, if Mint/Personal Capital/etc get hacked and I gave them usernames and passwords to log in to my financial accounts against the terms of service of those financial companies that's on me -- the financial companies aren't going to do anything for me. If the financial companies would give me a "read only" login (one that could see balances, but not make changes) I would feel differently.
Ohio 529 is the only company I have seen do this.

inbox788
Posts: 6594
Joined: Thu Mar 15, 2012 5:24 pm

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by inbox788 » Sun Oct 21, 2018 11:49 am

terran wrote:
Sun Oct 21, 2018 9:23 am
My thinking on this is companies get hacked all the time. If the companies at which I have financial accounts get hacked that's on them, if Mint/Personal Capital/etc get hacked and I gave them usernames and passwords to log in to my financial accounts against the terms of service of those financial companies that's on me -- the financial companies aren't going to do anything for me. If the financial companies would give me a "read only" login (one that could see balances, but not make changes) I would feel differently.
FWIW, IngDirect (before Capital One acquired them) provided Access Codes for aggregators. I didn't see the idea spread.
ING Direct Adds Read-Only Access for Online Aggregators
https://www.fivecentnickel.com/ing-dire ... gregators/

inbox788
Posts: 6594
Joined: Thu Mar 15, 2012 5:24 pm

Re: Using Mint: Am I correct in having my security concerns allayed?

Post by inbox788 » Sun Oct 21, 2018 12:00 pm

nisiprius wrote:
Sun Oct 21, 2018 9:50 am
(Deleted, misunderstood). I guess the question is how many financial institutions support OAuth, and whether you feel there is a risk simply in disclosing read-only access. You might want to listen to the podcast, Anatomy of a Scam, and, in particular note how important it is to scam artists to know how much money you have, so that they set the "price" of their phony "service" to about that amount.
I'm sure scammers will misuse any data they attain. They can use the information to trick customers they're the bank or use it to target individuals with a certain account size. Smaller accounts might just get drained all at once. Bigger accounts may be better targets for repeat attacks, trying to stay under the radar for a while. If someone hacked Vanguard, would they get more by trying to transfer the biggest accounts overseas or withdrawing a few hundred each month for special medical supplement from every single account?

Still, limiting to read-only access is better than giving them full and complete transactional access.
