MINT and security

I have a new favorite web service: Mint. It's a really nice implementation of something like an online Quicken, but with a few unique wrinkles. Here's what it does:

  • Automatically and periodically downloads all the transactions from all your various accounts, banks, credit cards, etc.

  • Automatically categorizes the transactions based on the indicated vendors. This works about 80-90% of the time.

  • Allows you to manually override the categorization if you know better (and it learns from that and applies it to other transactions).

  • Automatically suggests a set of budget rules, which it then monitors for you. These are also fully customizable.

  • Generates useful pie charts and investment performance graphs, again automatically.

  • It's free.

Anyway that's just a small subset of the prominent features. Mint is a nicely executed, fast enough Web 2.0 application. I am pretty impressed with it.

What it does not do is allow you to initiate any transactions from Mint. You can't withdraw, transfer, pay bills or anything like that.

Which brings me to everyone's first question: security. This is the scary side. I have not yet decided how I feel about it.

During setup you are asked to supply the password to each of your financial institutions (exactly what Quicken and Microsoft Money ask you to do; you assume that the passwords never leave Quicken's files on your computer, but you don't really know that). When I describe Mint to people, many of them freak out at this point.

Reading Mint's extensive security FAQ, what they say is that they don't store or remember any of that information. It's just passed through to one of several unnamed third-party services, who in turn have arrangements to download the information from your bank, etc. So with proper security measures, clever cryptographic signing and secret keys… maybe.

What's the exposure?

The New York Times has an article about the security of Web based financial sites today.

But unfortunately it just reports that people are facing this dilemma, not what the real risks are. Lifehacker had a nice article, "Is Mint Ready for Your Money", that is worth reading.

It would be nice to have an actual security expert do an analysis of this. Bruce Schneier? David Pogue? How about it?
