32

Having more accounts and more passwords probably increases the chances that someone could hack into at least one account.

But even if someone did hack into my Mint account, would there be any reason to worry?

What about other risks with mint.com? And what if I use Bank of America in particular?

InquilineKea
  • Please see this question on the security stackexchange: http://security.stackexchange.com/questions/10820/could-mint-com-be-more-secure-and-if-so-how – Tom Jun 09 '12 at 15:49

4 Answers

16

Mint.com uses something called OFX (Open Financial Exchange) to get the information in your bank account. If someone accessed your Mint account they would not be able to perform any transactions with your bank. All they would be able to do is view the same information you do, some of which could be personal; that's up to you.

Generally the weakest point in security is the user. An "attacker" is far more likely to get your account information from you than from the site you're registered with.

Why you're the weakest point:

When you enter your account information, your password is never saved exactly how you enter it. It's passed through what is called a "one way function"; these functions are easy to compute one way, but given the end result it is EXTREMELY difficult to compute them in reverse. So if someone looked up your password in a database they would see something like this: "31435008693ce6976f45dedc5532e2c1". When you log in to an account your password is sent through this function and the result is checked against what is saved in the database; if they match you are granted access. The way an attacker would go about getting your password is by entering values into the function and checking the results against yours; this is known as a brute force attack. For our example (31435008693ce6976f45dedc5532e2c1) it would take someone 5 million years to decrypt using a basic brute force attack. I used "thisismypassword" as my example password, it's 12 characters long. This is why most sites urge you to create long passwords with a mix of numbers, uppercase, lowercase and symbols.

This is a very basic explanation of security, and both sides have better tools than the ones explained, but this gives you an idea of how security works for sites like these.

You're far more likely to get a virus or have a key logger steal your information.

I do use Mint.

Edit:
From the Mint FAQ:

Do you store my bank login information on your servers?
Your bank login credentials are stored securely in a separate database using multi-layered hardware and software encryption. We only store the information needed to save you the trouble of updating, syncing or uploading financial information manually.

Edit 2: From OFX

About Security

Open Financial Exchange (OFX) is a unified specification for the electronic exchange of financial data between financial institutions, businesses and consumers via the Internet.

This is how mint is able to communicate with even your small local bank.

FINAL EDIT: ( This answers everything )

For passwords to Mint itself, we compute a secure hash of the user's chosen password and store only the hash (the hash is also salted - see http://en.wikipedia.org/wiki/Sal... ). Hashing is a one-way function and cannot be reversed. It is not possible to ever see or recover the password itself. When the user tries to login, we compute the hash of the password they are attempting to use and compare it to the hashed value on record. (This is a standard technique which every site should use).

For banking credentials, we generally must use reversible encryption for which we have special procedures and secure hardware kept in our secure and guarded datacenter. The decryption keys never leave the hardware device (which is built to destroy the key material if the tamper protection is attacked). This device will only decrypt after it is activated by a quorum of other keys, each of which is stored on a smartcard and also encrypted by a password known to only one person. Furthermore the device requires a time-limited cryptographically-signed permission token for each decryption. The system (which I designed and patented) also has facilities for secure remote auditing of each decryption.

Source: David K Michaels, VP Engineering, Mint.com - http://www.quora.com/How-do-mint-com-and-similar-websites-avoid-storing-passwords-in-plain-text

Kirill Fuchs
  • In the recent LinkedIn breach, it appears that LinkedIn were not using salts to store the passwords, which makes them much more vulnerable. Mere hash function is not enough, since many people use dictionary words or numbers which (without salt) can be easily reversed. +1 for the technical explanation by the way, and welcome. – littleadv Jun 08 '12 at 23:59
  • Sorry, but you're missing something important. Based on my understanding from http://security.stackexchange.com/questions/10820/could-mint-com-be-more-secure-and-if-so-how (maybe things changed?) mint.com does have to store your passwords to various banking sites. While those are encrypted, they do have to access them in clear text so they can authenticate to the bank. I think the risk is bigger than you suggest. – Tom Jun 09 '12 at 15:53
  • You may have misunderstood my explanation or the explanation in the link. What I state above is general security practices. I say that if mint does store your password they store it as an encrypted key not your actual password as you type it. The password you type is sent through a one-way function(see above) and the end result is stored. One-way functions are just that a function your computer can only handle performing one way. OFX is the way they communicate with the bank the link in my post provides information on how OFX works. – Kirill Fuchs Jun 09 '12 at 16:05
  • @KirillFuchs: I understand hash functions. I just think your answer is slightly misleading, especially to someone without a technical background. Reason: it sort of sounds like you're saying mint.com does not handle your plain password; it hashes it once and that's all. In reality, the plain passwords (while stored encrypted) are actually handled at times much later in order to communicate with banks. I think a system like that makes it more possible for someone to get access to your password. It's not like someone locks the password and throws away the key. The key is still around. – Tom Jun 09 '12 at 17:21
  • My point is that the password they store is not a hash of your password... it is the password. They take serious measures to guard that... but it's less secure than what you describe. OFX or not, you're trusting another party with your password. That's a very real risk that you need to weigh before you decide to use mint.com. – Tom Jun 09 '12 at 17:24
  • @Tom, you're mistaken; they do not store your password as "cleartext". The user who answered that question in your link provided no information, only assumptions he made from tests he conducted himself (which IMO didn't prove his conclusion). If you read the specs on OFX there is a standard for this type of communication, which is why Mint is able to support your small local bank. If you find a resource stating otherwise please link. – Kirill Fuchs Jun 09 '12 at 18:08
  • @KirillFuchs: FTR, I didn't mean they store as cleartext :-). I meant they store an encrypted version of your password, not a hash. Perhaps the real thing I don't understand here is OFX. The FAQ you linked to says the password is encrypted and that "We only store the information needed to save you the trouble of updating, syncing or uploading financial information manually." The real question is, "What does mint.com need?" to do that. I would say they need your actual password. Are you saying that OFX is a mechanism by which mint.com would not need your username/password? Kind of like OAuth? – Tom Jun 09 '12 at 18:20
  • OFX is a specification that tells banks and developers how they should handle information. Kind of like what w3.org is for html. The browsers (IE, Chrome, Firefox...) are told "here is the standards for html build your parser to read it this way." Here is the link for OFX Security ( http://www.ofx.net/SecurityPage/Security.aspx ) - it specifically states they use Public Key Cryptography and Hash. – Kirill Fuchs Jun 09 '12 at 18:28
  • @KirillFuchs: I don't see anywhere in that page where it says that it uses a hash for the passwords. It sounds like OFX is just a protocol for transmitting financial data but doesn't change the fact that mint.com would need to present your credentials. In fact, if they did transmit hashes of passwords, it sounds like (1) you would have to agree on the hash function and (2) you would have to agree on a salt or not use salts. Do you know where in the spec or from that page it says that they use the hash in the way you describe? My read of the mint.com FAQ you link to suggests they do keep your pwd. – Tom Jun 09 '12 at 19:07
  • To me, OFX sounds like it is a protocol for formatting data and transmitting it (think xml and https... you do send your password over https, it's just encrypted). I don't see where it says third parties do not need your password. mint.com doesn't seem to use a mechanism like oauth to grant access without having the user's credentials. I've never signed up for mint.com, but my understanding is that you type your password in and give it to Mint. They don't redirect you to your bank to authorize their access. – Tom Jun 09 '12 at 19:11
  • I have added information found from the VP Engineer at Mint. My description above was meant to serve as an example of how security works so the reader may make an informed decision based on some understanding of security. In my example I use MD5; however, I am sure Mint does not. I cannot say the method Mint uses is more or less secure than some other method, since neither can be proven without finding flaws within the system. But we do know that a malicious engineer at Mint is unable to retrieve your password and the password is NOT stored as "cleartext", which is what was stated in your link. – Kirill Fuchs Jun 09 '12 at 19:51
  • Thanks for the link! Note, the VP says "For banking credentials, we generally must use reversible encryption" which is my main point. Another poster on that question expresses my concern well: "To me it seems that the vulernable moment is when the password is decrypted for use and ready to be sent to the bank. If the server handling that job gets compromized, the attacker will gain access to all passwords that go through it." – Tom Jun 09 '12 at 20:05
  • So now we know: mint.com does have your password. It's stored in a secure way but there are ways to reverse the encryption and acquire the cleartext password. They take serious measures to safeguard it, but don't be fooled into thinking they store an irreversible version of your password and that there is no way to get the password. "This device will only decrypt after it is activated by a quorum of other keys, each of which is stored on a smartcard and also encrypted by a password known to only one person." – Tom Jun 09 '12 at 20:08
  • Btw, I think your answer has good stuff... I just didn't want the casual reader to interpret this answer as "mint.com has no way of getting and using my password". I'm not against people using mint.com... I just want them to understand the risks... Thanks again for that link! That has been the most useful thing I've gotten out of this answer. – Tom Jun 09 '12 at 20:10
  • I appreciate it, and thanks to the comments I dug deeper. I would like to add, though, every password can be compromised, even one that is stored with an irreversible hash. – Kirill Fuchs Jun 09 '12 at 21:01
  • "The system (which I designed and patented)" A patent is absolutely no guarantee that the system performs as one would want from a security point of view, just like copyright on computer software is no guarantee that the code is free of bugs. – user Jun 11 '12 at 09:30
  • Kirill, your answer is misleading. Could you please update and reword it? Mint stores your bank password using a two-way (i.e. reversible) function, not a one-way function. It's encrypted, which is better than nothing, but it's still possible for Mint (or a hacker with appropriate access) to recover your bank password. – Cornstalks Jan 09 '16 at 19:50
  • @Tom I don’t think it matters that much how the banking credentials are stored. You would expect Mint to use proper encryption. However (!), the fact that Mint requires your actual banking credentials worries me. That means that regardless of how Mint encrypts it, it can be decrypted to a form that can be used to sign into your bank account. I would hope that the bank would only offer transaction details to Mint, because it lacks a two-factor authentication step. But still I wouldn’t feel comfortable with it. – Yvo May 21 '20 at 04:52
  • Ideally banks would come up with a modern, read-only API that uses API keys to access the information. You generate a key on your banking site and then provide that to Mint for access to (just) your transaction information. Unfortunately banks are really slow to innovate. A lot of banks are using ancient versions of OFX. Maybe in a few years we’ll see big tech (Apple, Google and Microsoft) entering the banking market. Hopefully then we’ll see some improvements. – Yvo May 21 '20 at 04:59
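The distinction this thread settles on, a salted one-way hash for Mint's own login password versus reversible encryption for the stored bank password that must be decrypted again before it is sent to the bank, as an added example that is not from the page, from Mint or from any bank. Everything is standard-library Python: PBKDF2 for the one-way side, an MD5 lookup table to show why an unsalted hash is reversible in practice (the LinkedIn point in the comments), and, as a stand-in for the hardware-backed cipher Mint's engineer describes, an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag. The keys, passwords and the short list of common passwords are all constructed for the demo.

```python
"""Added example: one-way password hashing vs. reversible credential storage.

Illustrates the two storage models discussed in the thread above. All keys,
passwords and the dictionary of common passwords are made up for the demo.
"""
import hashlib
import hmac
import os
from typing import Optional

# ---- 1. The site's OWN login password: salted, slow, one-way ---------------
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Re-derive the digest with the stored salt; the password itself is never recovered."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


# ---- 2. Why "one-way" is not enough without a salt -------------------------
COMMON_PASSWORDS = ["password", "123456", "letmein", "thisismypassword"]  # constructed list


def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def salted_md5(password: str, salt: bytes) -> str:
    return hashlib.md5(salt + password.encode()).hexdigest()


# An attacker precomputes digests of likely passwords once, then looks leaked hashes up.
PRECOMPUTED = {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def crack_by_lookup(leaked_digest: str) -> Optional[str]:
    """Table lookup: instant for unsalted hashes, useless once a per-user salt is mixed in."""
    return PRECOMPUTED.get(leaked_digest)


# ---- 3. A THIRD PARTY's copy of your bank password: must be reversible ----
def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF stream cipher (demo stand-in for AES)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_credential(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_credential(master_key: bytes, blob: bytes) -> bytes:
    """The step the thread worries about: with the key, the bank password comes back in clear."""
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    record = hash_password("thisismypassword")
    print("login record:", record)
    print("verify ok:", verify_password("thisismypassword", record))
    print("lookup of unsalted md5:", crack_by_lookup(unsalted_md5("thisismypassword")))
    print("lookup of salted md5:", crack_by_lookup(salted_md5("thisismypassword", b"x7Qz")))
    master = os.urandom(32)  # in the design quoted above this key never leaves the HSM
    blob = encrypt_credential(master, b"bank-password")
    print("bank password recovered:", decrypt_credential(master, blob))
```

The asymmetry is the whole point of the comments: `verify_password` can only answer yes or no, while anyone holding `master` can call `decrypt_credential` and obtain the bank password itself. Mint's quoted design puts that key in tamper-resistant hardware behind a quorum and signed permission tokens, but the decrypted value still has to exist on whichever server talks to the bank.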
11

Some banks allow mint.com read-only access via a separate "access code" that a customer can create. This would still allow an attacker to find out how much money you have and transaction details, and may have knowledge of some other information (your account number perhaps, your address, etc).

The problem with even this read-only access is that many banks also allow users at other banks to set up a direct debit authorization which allows withdrawals. And to set the direct debit link up, the main hurdle is to be able to correctly identify the dates and amounts of two small test deposit transactions, which could be done with just read-only access.

Most banks only support a single full access password per account, and there you have a bigger potential risk of actual fraudulent activity.

But if you discover such activity and report it in a timely manner, you should be refunded. Make sure to check your account frequently. Also make sure to change your passwords once in a while.

nealmcb
littleadv
  • Who refunds? The bank? If I've authorized a third party to act as an agent on my behalf, and given them my password, and that agent is somehow compromised, why would the bank be liable for any of it? – Chris W. Rea Jun 08 '12 at 17:58
  • And even if mint.com only gets read only access, I have given the one and only user / pass combo for my bank to mint. If that gets stolen, a thief could go directly into my money. (That being said, I use mint.com often.) – MrChrister Jun 08 '12 at 18:16
  • @MrChrister that's my point - not the one and only. For example, ING Direct and Sharebuilder have a different set of keys for mint.com, not the same you use when you log in to their website directly. – littleadv Jun 08 '12 at 18:20
  • @Chris if you authorized the agent to act on your behalf, but the password is stolen by someone who is not authorized - then how is it different from your credit card being stolen from your wife? – littleadv Jun 08 '12 at 18:21
  • ...AND DON'T USE THE SAME PASSWORD FOR ALL YOUR BANKS AND MONEY ACCOUNTS!! – MrChrister Jun 08 '12 at 18:25
  • @littleadv - I didn't know that. I don't have ING, but every one of my several banks uses the same info in Quicken, Mint and direct access on the site. Kudos to ING for thinking ahead. – MrChrister Jun 08 '12 at 18:28
  • @MrChrister and others: you might be interested in this question on the security stack exchange. (ING actually comes up there in the answers :-)... http://security.stackexchange.com/questions/10820/could-mint-com-be-more-secure-and-if-so-how – Tom Jun 09 '12 at 15:56
  • @Chris Doesn't Regulation E state that for non-business accounts, the bank is required to refund 100% of all unauthorized electronic transactions, regardless of customer negligence as long as you report the fraud to them within 60 days of receiving your account statement? In this case, Mint wasn't authorized to withdraw money (read only) and neither was the hacker. However, I think state law or customer/bank agreements can alter Regulation E. – Devin Garner Dec 07 '13 at 08:49
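The linking attack described in the answer above (someone with only a read-only view of your statement completes an external direct-debit link by reading back the two small test deposits) leaves a trace on your side of the ledger: the pair of micro-credits itself. Below is an added example, not from the page or any bank, of the check a cautious account holder could run over a transaction export to catch that pair whether or not they initiated it. The CSV feed, the counterparty names and the thresholds are constructed for the demo.

```python
"""Added example: flag micro-deposit verification pairs in a transaction export.

Two sub-dollar credits from the same counterparty within a few days is the
fingerprint of an external-account link being verified. If you did not start
one, someone else is using your read-only data. The CSV below is constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal

MAX_MICRO = Decimal("1.00")   # assumption: test deposits are under a dollar
WINDOW_DAYS = 5               # assumption: both deposits land within a few days

SAMPLE_CSV = """date,description,amount
2012-06-01,PAYROLL ACME CORP,2500.00
2012-06-02,ACCTVERIFY OTHERBANK,0.32
2012-06-02,STARBUCKS,-4.15
2012-06-03,ACCTVERIFY OTHERBANK,0.17
2012-06-05,ACCTVERIFY OTHERBANK,-0.49
2012-06-10,VENMO CASHOUT,0.75
"""


def parse_transactions(text):
    """Parse a date,description,amount CSV into dicts; Decimal avoids float rounding."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "date": date.fromisoformat(r["date"]),
            "description": r["description"].strip(),
            "amount": Decimal(r["amount"]),
        })
    return rows


def find_micro_deposit_pairs(transactions):
    """Return [(counterparty, [tx_a, tx_b])] for every two micro-credits from one
    counterparty that fall within WINDOW_DAYS of each other."""
    by_payer = defaultdict(list)
    for tx in transactions:
        if Decimal("0") < tx["amount"] < MAX_MICRO:
            by_payer[tx["description"]].append(tx)
    hits = []
    for desc, txs in by_payer.items():
        txs.sort(key=lambda t: t["date"])
        for a, b in zip(txs, txs[1:]):
            if (b["date"] - a["date"]).days <= WINDOW_DAYS:
                hits.append((desc, [a, b]))
    return hits


def report(text):
    """Compact view of the hits: counterparty and the two amounts, as strings."""
    return [(desc, [str(t["amount"]) for t in pair])
            for desc, pair in find_micro_deposit_pairs(parse_transactions(text))]


if __name__ == "__main__":
    for desc, amounts in report(SAMPLE_CSV):
        print(f"verification pair from {desc}: {amounts} - did you start this link?")
```

On the sample feed the payroll credit is too large, the single 0.75 credit has no partner, and the 0.32/0.17 pair from `ACCTVERIFY OTHERBANK` is flagged; the matching -0.49 debit two days later is the usual clawback of the test deposits and is a second sign the link was completed.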
4

With Mint you are without a doubt telling a third party your username and password. If mint gets compromised, or hires a bad actor, technically there isn't anything to stop shenanigans. You simply must be vigilant and be aware of your rights and the legal protections you have against fraud.

For all the technical expertise and careful security they put in place, we the customers have to know that there is not, nor will there ever be, a perfectly secure system.

The trade off is what you can do for the increased risk. And when taken into the picture of all the Other* ways your banking information is exposed, and how little you can do about it, mint.com is only a minor increase in risk in my opinion.

*See paypal, a check's routing numbers, any e-commerce site you shop at, every bank that has an online facing system, your HR dept's direct deposit and every time you swipe your debit / credit card somewhere.

These are all technically risks, some of which are beyond your control to change. Short of keeping your money in your mattress you can't avoid risk. (And then your mattress catches fire.)

MrChrister
2

Here's a very simple answer: ask your broker/bank. Mine uses ofx. When asked if they would reimburse me for any unauthorized activity, the answer was no. Simple enough, the banks that use it don't feel it's secure enough.

Ray