After reading a bit about mint.com on the money stack exchange, I wanted to give it a try. But frankly, it scares me a little bit.

The site has a bunch of links explaining how they're so secure. I bet it's all true and I believe them that they take a lot of security measures. But one thing is misleading. They act like the site is safer because it is "read only". From their security page

Mint is a "read-only" service. You can organize and analyze your finances,
but you can't move funds between–or out of–any account using Mint.
And neither can anyone else.

That's not what I'm worried about. The thing I'm worried about is if somehow someone steals my passwords to my banking sites. Then they can go and do stuff with my accounts.

This got me thinking, is there something better we could push for to make this kind of service more secure? A few things I can think of off the top of my head that might be on the right track:

  1. one-time passwords / two factor authentication. I think the main problem with this is that all the services mint is accessing would need to work off the same one-time passwords so that the user would not have to enter each one for n services. This means you need a third party to handle this.
  2. Push instead of pull. Other sites would have to add a mechanism to export data to mint. Obviously tough for mint because it requires cooperation -- but seems great for the consumer.
  3. Getting special auth tokens to give to mint instead of my passwords. Potentially support a mechanism for mint to be able to prove its identity so that only someone who proves they are mint.com can use the token (so stealing the token is not useful unless you can prove you are mint.com)... I guess I'm in OAuth territory here?

I suppose other things that would make me feel better but aren't truly more secure: if all these money/banking sites could send access notifications. Then I might be able to know when mint is accessing vs someone who stole my data and I might have a fighting chance at reacting.

So I suppose I'm asking: what are your ideas on how this could be better? What would the perfect system look like if all these companies would cooperate? Is there a standard protocol for this kind of thing that could become more widespread so that more specialized services could sprout up like this and people could rest easy knowing their data is safe?

(FWIW, I might try it out anyways. If I do, I'm changing all my passwords just for this experiment, then changing them all again once I'm done trying it out.)

  • They could start a bug bounty program like Google and Facebook. – rook Jan 19 '12 at 05:38
  • I'd be scared to share my bank data with an american company ;-) – ordag Jan 19 '12 at 16:37
  • Nothing to add, necessarily, but I've been on Mint for about 6 months. I, too, have questions about its security practices, and how much their system can be trusted - but the convenience and utility of the system actually outweighs much of that concern. Is any system 100% secure? Nope - so the question becomes... is this system reasonably so? (rhetorical) – Bosworth99 May 19 '12 at 20:43
  • I started to use mint and have the same security concerns. It really seems like for mint to be able to give more security regarding the user's online ids and password, it would need to work with all the banks, it cannot do it by itself. For example, one option I could see lowering the risk would be for my bank to allow me to have a read-only Id/password. This account wouldn't be able to do any transactions on the bank online website but could see the data, and that would be the Id I would use for mint. Of course, this wouldn't eliminate the risk of having someone steal the read-only passwords –  May 18 '12 at 17:32
  • If your password is already enough for a bank transfer (i.e. no _dynamic_ two-factor authentication like a TAN generator), you should be worried about your bank – Tobias Kienzler Feb 13 '13 at 16:59
  • Sounds like this will become an advertisement for Mint... – Rubber Duck Feb 12 '14 at 17:01
  • **Mint does not provide two-factor authentication on their own site.** Think about that for a moment. Sure, dealing with two-factor authentication on external bank sites would be hard, but the fact that mint.com exists without being able to add two-factor authentication. Brrrr... – Kzqai May 07 '15 at 19:31

5 Answers


From what I can see this appears to be an aggregator for financial services. For it to have any useful function, that implies it must, at least temporarily, store your account details and authentication credentials - in which case it is far from "read-only". That the providers then state the exact opposite in the security statement makes me think these are not people to be trusted with my account details regardless of how sophisticated their controls are.

Ramhound suggests that mint.com uses an OAuth-like system - but that still uses a temporary surrogate token for authentication. Ramhound also states "You never give Mint your banking information", yet the first question in the FAQ is "Why does Mint need my bank login information (username and password)?". The FAQ goes on to explain how mint stores this data.

Such aggregation does have an intrinsic value, and one way to add value to such a service would be to provide better authentication security than that enabled on most financial service providers' websites - but obviously this is not the case for mint.com. There's also a question of whether such a provider is subject to the same legislative constraints as a source provider.

But unless you're the guy who writes the mint.com software, isn't a question of what it should be like pure speculation?

  • Intuit owns Mint.com they have been around forever, they do pretty much one thing, create software that handles your money and your taxes. I remember their documentation being different, I remember a discussion on their "forums" ( this was before the Intuit buy out ) how the backend work. They do store your account information, I was under the impression, they did NOT store the password. – Ramhound Jan 20 '12 at 19:19
  • So why do they say they do store your password in some places (and say they don't in others) - from the discussion they do appear to provide support from cooperating originators for surrogate identifiers. It looks more like incompetence than deliberate malfeasance. Still doesn't inspire much trust from me. – symcbean Jan 24 '12 at 15:06
  • When I signed up for their service it might have worked differently or was explained differently I am not exactly sure. – Ramhound Jan 26 '12 at 13:11

So I just signed up with mint.com and think a combination of Ramhound and this.josh's answers are correct.

For well-supported banks (e.g., I tried ING direct), when you add your account to mint.com you typically give out your account number, plus an "access code" that isn't your typical password. An access code allows financial management tools like mint.com to have read only access to your account information; see: http://helpcenter.ingdirect.com/Topic.aspx?category=FINANCE1

For my small local credit union (9 total branches), mint.com seemed happy to let me add that account as well. However, for this bank they wanted my account number and my password. I am hesitant to give them this, as my password would need to be stored in cleartext (even if it's encrypted; for mint.com to be able to use it, the site must be able to decrypt it and thus any malicious admin there could do something with it) and would be giving mint.com my full online account permissions. Granted, a malicious administrator/hacker who got into mint.com could just as likely be a malicious admin who got into chase.com and managed to do things with my account.

EDIT: Upon further checking; it seems ING direct is the exception -- most types of accounts I've tried (even for big banks like chase) seem to want my passwords.

EDIT2: Anyhow, I decided to give mint.com my account passwords (they are not used anywhere else); I let them authenticate, and then immediately changed my passwords for those banks. Even after the password changes (which do not let me login with the old passwords), I am able to refresh my balances on mint.com despite never giving them the new password; so it seems that they are not using my passwords to login each time (as I initially feared). It seems like they used the passwords to initially create some sort of read-only access code that they can access. (see edit 3)

EDIT3: So apparently they do store your passwords in a recoverable way and use them to authenticate. If you change your password, it stops working. It's funny because, say, I set up mint.com at ~10am yesterday, changed passwords at ~10:15am, and at 11:00am could request mint.com to refresh and it appeared to update successfully; however at 6pm I couldn't refresh my accounts. However, when I tried logging in last night it couldn't login to the accounts with the changed passwords and started complaining about authentication. So either the password changes are delayed syncing through the bank's system (e.g., mint.com's read-only login method versus a user's login method) or mint.com will lie about a refresh being successful if you've refreshed your accounts very recently.

I should mention that both banks use a form of two-factor authentication; e.g., first I have to register a computer with questions like "Mother's maiden name/father's middle name" and then can enter my credentials. mint.com doesn't seem to need any information about these security questions; they only want my current login credentials. So to get their read-only access they seem to have an alternate login mechanism, that is potentially read-only. However, as security questions have the potential to be able to be researched or guessed, I doubt I'll be using their services.

dr jimbob
  • As I explained. As far as I know you never give Mint.com your password. You only setup a (trust) connection between your bank and mint.com. I might have not understood what was going on, I am not going to corrupt my account information to test, but I remember the "help" pages being different 2 years ago. – Ramhound Jan 20 '12 at 19:18
  • @Ramhound - Actually, I'm no longer confident they were doing it the correct way. A few hours after changing my passwords, I wasn't able to update the two (non-ING) accounts (that needed my password to initially authenticate). – dr jimbob Jan 20 '12 at 21:28
  • Mint might be keeping the session cookie cached. Until the session expires, they won't be forced to log in because they're already in. When the session expires, they'll need to try to log in again, at which point it fails because the password you gave them is no longer valid. – yfeldblum May 21 '12 at 15:03
  • "for mint.com to be able to use it, the site must be able to unencrypt it and thus any malicious admin their could do something with it" <<<< This statement is inaccurate and your test does not prove it. Mint communicates with banks using a standardized method known as OFX (Open Financial Exchange). This is how mint is able to support your local small branch... – Kirill Fuchs Jun 09 '12 at 18:11
  • FYI, some good discussion happened on a similar question here on the money stackexchange: http://money.stackexchange.com/questions/15392/are-there-any-risks-from-using-mint-com/15408 – Tom Jun 10 '12 at 03:50
  • @Kirill - Mint for every bank I tested but ING, required me to reveal secret passwords to mint. This with other info (e.g., mother's maiden name/first pet's name--known to others besides just me) can be used to gain full access to my account, not just "read only" access. I do not want to give a third party (mint.com) info that could be used to get full access; I'd prefer to only give read access. Unfortunately most banks (ING seemingly being the exception) do not seem to offer tokens that grant read-only access. The OFX protocol used is irrelevant -- you gave mint your password. – dr jimbob Jun 10 '12 at 05:02

One option I could see lowering the risk would be for my bank to allow me to have a read-only Id/password. This account wouldn't be able to do any transactions on the bank online website but could see the data, and that would be the Id I would use for mint. Of course, this wouldn't eliminate the risk of having someone steal the read-only passwords and have read access to your account but this would be much more acceptable I feel.

This would of course only help with banks like ING direct (now CapitalOne360) which offer an "access code" for read-only access.

But risks still remain because banks also let attackers leverage transaction information into withdrawal access, as discussed at the first comment on "ING Direct’s Personal Finance Access Code Solves Main Issue with Account Aggregators"

  • Agreed. Note some banks like ING direct do offer a read-only access code for these services. Its pitiful that all major banks do not. – dr jimbob May 18 '12 at 19:40
  • @Ramhound Easy - it is a technique that reduces risk, and can already help consumers since it is in use by mint and at least some banks and other financial institutions. – nealmcb Sep 28 '13 at 19:04

is there something better we could push for to make this kind of service more secure?

No. I realize that this was a rhetorical question, so give me a few lines to explain.

  • mint.com is fundamentally an online service

  • mint.com is a business focused on maximizing profit

  • security risk mitigation is expensive both in cash outflow and in training, maintenance, administration, and other operational costs

  • distributing security risk to individuals makes good business sense

An always-online service which holds financial information has maximal exposure. It is always available from any location which can make an internet connection, and these days that is almost anywhere in the world.

It has a high value for adversaries. Financial information is one of the most valuable assets a criminal can steal. This means that all types of threats internal and external will attempt to compromise the mint.com security system. The more skillful and experienced the attacker, the harder it is to defend against them.

They appear to be focused on technical measures.

This is by far the worst indicator. If the history of computer and network security has taught us anything it is that people and policy are more critical to system success than any technical measure.

What should be on their security page:

  • Every mint.com employee has passed a background check with specific emphasis on financial questions. Employees are rechecked every three years (or other reasonable period).

  • mint.com's policy is to reduce the individual risk of every user and we insure against individual losses up to $10,000,000 (or some very large value)

  • mint.com has developed all software used for operation, administration, and maintenance internally and none of the software has been developed by a third party.

  • mint.com performs a computer and network security check every quarter (or other reasonable period) and the results of those checks are published to every mint.com user

  • mint.com does not use third parties for any security critical work.

  1. one-time passwords / two factor authentication.

Authentication could be more secure, but you have to balance that with ease of use and cost. If authentication technology costs too much then the business can not afford to use it. If it is too hard to use then users will either leave mint.com or circumvent the technology.

Passing authentication responsibility to a third party is expensive and potentially dangerous. The third party must be as secure a company as mint.com or moving the authentication makes no sense.

  2. Push instead of pull.

This is extremely dangerous as it has the potential for misdirection. An adversary who could masquerade as mint.com for a short period of time could easily acquire financial information from many institutions and for many individuals. Often ease of information flow is in opposition to the confidentiality of the information. The easier it flows the harder it is to secure.

  3. Getting special auth tokens to give to mint

Authentication is done three ways: something you know (password), something you have (cryptographic token, physical key), or something you are (biometrics). Cryptographic authentication provides more security in a challenge response protocol than in a unidirectional transfer. Ideally you want a two way challenge response in which both parties are authenticated.

  • It is indeed nearly impossible to make a service like Mint bulletproof by itself, but the question goes on to ask if there are approaches beyond just Mint: *What would the perfect system look like if all these companies would cooperate? Is there a standard protocol for this kind of thing that could become more widespread* One trick is for banks to provide access mechanisms that allow read-only access to financial transaction data, as ING direct and Mint seem to have already demonstrated. – nealmcb Sep 28 '13 at 16:36
  • Law is the easiest remedy. Make online service providers liable for the full amount of any loss incurred by an individual and due within seven days of the loss event. To align security interests, align the financial interests. – this.josh Oct 03 '13 at 05:00
  • There's a way to make it more secure. When performing sync, they should do it locally on the client side and ask for your password at that point only, which you would also be required to perform any of your banks 2 factor verification. – Didier A. Jun 05 '17 at 03:45

Addressing the problems you outlined would require support from banks. It's not something Mint can do on their own.

If banks wanted to support this, they could provide OAuth access to their customers' information, and provide a way to give Mint an OAuth token that grants it read-only access to your account. That would be a secure way to go, and it would ensure that even if Mint is compromised, the bad guys cannot steal your money (they can view confidential information about your transactions, but not initiate new transactions). However, that would require banks to change their systems.

For more details about this issue in a broader context, see also Are there a standard method(s) for me to give someone else read-only access to my data?.

  • +1 It seems that ING direct already allows this sort of read-only access or something like it, and Mint supports it. – nealmcb Sep 28 '13 at 16:53
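The following is an added example illustrating the design the question's third item, this.josh's "two way challenge response" point and the answer above all circle around; it is not code from Mint, ING Direct, Intuit or any bank, and every name in it (the `Bank` class, the `aggregator-demo` client id, the `/balance`, `/transactions` and `/transfer` paths, the scope strings) is made up for the demonstration. The bank issues the aggregator a token limited to read-only scopes and binds it to a client key the aggregator must sign every request with (an HMAC over the request stands in here for OAuth client authentication or mutual TLS). Two failure modes are then exercised: a thief who has copied the token out of the aggregator's database but does not hold the client key, and an insider who has both but tries to move money.

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical scopes. The bank will never grant an aggregator anything outside this set.
AGGREGATOR_SCOPES = {"balance:read", "transactions:read"}
# Each hypothetical API path requires one scope; /transfer needs a scope no aggregator can obtain.
PATH_SCOPE = {"/balance": "balance:read",
              "/transactions": "transactions:read",
              "/transfer": "funds:transfer"}


class Bank:
    """Toy bank: issues scoped, client-bound tokens and verifies signed requests (constructed example)."""

    def __init__(self):
        self.client_keys = {}   # client_id -> HMAC key; the aggregator proves its identity with it
        self.tokens = {}        # token -> {"user", "client_id", "scopes"}
        self.balances = {"alice": 1000, "bob": 250}                     # constructed sample data
        self.transactions = {"alice": [("2012-01-18", -42, "grocery")], "bob": []}

    def register_client(self, client_id):
        key = secrets.token_bytes(32)
        self.client_keys[client_id] = key
        return key

    def issue_token(self, user, client_id, scopes):
        # The user consents to a set of scopes; the bank caps them at read-only regardless.
        if client_id not in self.client_keys or not set(scopes) <= AGGREGATOR_SCOPES:
            raise PermissionError("aggregators only get read-only scopes")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": user, "client_id": client_id, "scopes": frozenset(scopes)}
        return token

    @staticmethod
    def canonical(client_id, token, method, path, body, ts):
        # Everything that matters about the request is covered by the signature.
        return "\n".join([client_id, token, method, path, body, str(ts)]).encode()

    def handle(self, req):
        """req is a dict with client_id, token, method, path, body, ts, sig. Returns (status, payload)."""
        meta = self.tokens.get(req["token"])
        if meta is None or meta["client_id"] != req["client_id"]:
            return 401, "unknown token, or token not bound to this client"
        if abs(time.time() - req["ts"]) > 300:
            return 401, "stale request (replay window exceeded)"
        msg = self.canonical(req["client_id"], req["token"], req["method"], req["path"], req["body"], req["ts"])
        expected = hmac.new(self.client_keys[req["client_id"]], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["sig"]):
            return 401, "bad signature: caller does not hold the client key"
        need = PATH_SCOPE.get(req["path"])
        if need is None or need not in meta["scopes"]:
            return 403, f"token lacks scope {need}"
        user = meta["user"]
        if req["path"] == "/balance":
            return 200, {"balance": self.balances[user]}
        if req["path"] == "/transactions":
            return 200, {"transactions": self.transactions[user]}
        # Only reachable with a funds:transfer scope, which issue_token never grants to an aggregator.
        body = json.loads(req["body"])
        self.balances[user] -= body["amount"]
        self.balances[body["to"]] += body["amount"]
        return 200, {"balance": self.balances[user]}


class Caller:
    """Anyone holding a token; signs with whatever key it has, which may be the wrong one."""

    def __init__(self, client_id, key, token):
        self.client_id, self.key, self.token = client_id, key, token

    def request(self, bank, method, path, body=""):
        ts = int(time.time())
        msg = Bank.canonical(self.client_id, self.token, method, path, body, ts)
        sig = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return bank.handle({"client_id": self.client_id, "token": self.token, "method": method,
                            "path": path, "body": body, "ts": ts, "sig": sig})


def demo():
    bank = Bank()
    key = bank.register_client("aggregator-demo")
    token = bank.issue_token("alice", "aggregator-demo", {"balance:read", "transactions:read"})
    aggregator = Caller("aggregator-demo", key, token)
    # Thief copied the token out of the aggregator's database but never got the client key.
    thief = Caller("aggregator-demo", secrets.token_bytes(32), token)
    # Worst case: an insider has both the token and the key, but the token is still read-only.
    insider = Caller("aggregator-demo", key, token)
    results = {
        "aggregator_balance": aggregator.request(bank, "GET", "/balance")[0],
        "thief_balance": thief.request(bank, "GET", "/balance")[0],
        "insider_transfer": insider.request(bank, "POST", "/transfer",
                                            json.dumps({"to": "bob", "amount": 999}))[0],
        "alice_after": bank.balances["alice"],
    }
    try:  # asking for a write scope is refused at issuance, not just at use
        bank.issue_token("alice", "aggregator-demo", {"funds:transfer"})
        results["write_scope_issued"] = True
    except PermissionError:
        results["write_scope_issued"] = False
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` gives the aggregator a 200 on the balance read, the thief a 401 (the stolen token is useless without the client key), the insider a 403 on the transfer (the token carries no write scope), and alice's balance unchanged; the bank also refuses to mint a `funds:transfer` token for the aggregator at all. This is what separates a real read-only grant, as dr jimbob observed with ING Direct's access code, from a stored password that happens to be used only for reading.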