If you have read my blog, you have probably seen the criticism I have aimed at companies like Mint.com. I feel the idea of their product is good, but the execution is poor. There are too many points of failure, but that is inherited in the type of service they offer. I decided to try and get some answers from Mint on several occasions becasue it really isn't fair to just bash a product without giving the makers a chance to respond. I emailed Mint.com's Support, and asked questions on message boards, and finally I got a response from a person at Mint who agreed to answer some questions for me, it was like the light at the end of the tunnel, this was in November. I sent a list of questions asking about the security of the software, what type of liability they have, their policies as far as holding customer info (since most of the information on their website was vague), and while I didn't expect all questions to be answered (for various reasons including proprietary processes needed to be safeguarded, security etc) I did expect some, and unfortunately I was given none.
The lack of assistance from the company, and their outright refusal to answer questions about their product is disturbing. With a regular piece of software this would be irritating, I don't think it is unreasonable to want to know how your information is handled, but with a piece of software that is designed to handle financial data, by a company who is asking you to trust them with all of your account information and your credentials to access that information, it is just scary that they are so hesitant to work with customers to settle their fears. Below are the questions I asked the representative of Mint.com, I received a reply saying they were working on it, then that somone would get back to me, then nothing. Now they are saying their marketing staff wanted to review the answers first. I'm hoping somone can provide some answers for me. As online financial aggregators become more popular (there are several already) they will become a major target of criminals, and I think it is important for customers to have as much information as possible about the services they provide and the steps they take to ensure the security of their clients data.
Mint.com if you read this, please feel free to reply in the comments or via an email to me and I will fill in the answers below.
I checked their website again, and it looks like they added more info, so I'm going to fill in some things that they already published answers for. Glad to see they are updating their website. Maybe my questions aren't falling on deaf ears.
Update: A Mint.com rep has responded and the answers they provided are in red below. My Comments are in parenthesis.
- Once an account is canceled, how long does Mint.com hold the information for?
We delete the account within 48 hours from our primary production
servers. We do not hold your information beyond that point.
- How long are backups held after an account is deleted?
See above (if this is true, then either they dont keep backups for more than a day, or they delete your info from the backup...both seem unlikely)
- What is the policy for turning over information when requested by a 3rd party (police, lawyers, etc)?
See link here: http://mint.com/privacy.html#a
In addition, Mint, like any other corporate entity, would have to comply with any legal requests from law enforcement for information.
- What liability does mint.com have if there is ever a security breach and information is stolen? Where is Mint.com's liability explained?
Important note: If the concern is about identity theft in the very unlikely scenario of a security breach, customers are protected by various consumer protection laws, including regulation E, if they advise their financial institutions within a specific period of time.
- It states here that mint does not actually hold a users info, but that Yodlee does. How do Mint and Yodlee interact and ensure the user is seeing their information and not some others if there is no identifying data shared? We generate a random identifier for each Mint user and use that identifier when communicating with Yodlee
- What type of encryption is in place between Yodlee and Mint? 128 bit SSL
- Which company do you contract for your co-location? many "secure facilities" aren't all that secure. Can't Answer this (no answer was expected since saying we store our servers at X would be pretty dumb)
- Is it a shared facility? Do you share hardware as well or does Mint use dedicated servers? Mint uses dedicated servers in a dedicated location, with our own biometric locks.
- You also state here that no Mint staff have access to user credentials. Is this true for both user names and passwords, or just passwords? If they have access to neither, how can they assist a customer if they are having access problems? This addresses bank credentials, not mint.com credentials, so the answer makes sense.
See link: http://mint.com/privacy.html#a
- Do you share customer information with any affiliates?
We will never share personal information. We will use aggregate data in various ways in the future, where it can be done to enhance the value of the service while
- How will you notify customers if there is a security breach?
- You again state here that you don't store any cc info. So is it safe to assume then, that mint just acts as a "front end" so to speak for Yodlee?
Mint leverages Yodlee's proven account aggregation service, as do most of the top US banks, MicroSoft Money, fidelity, etc. We then apply multiple patent-pending technologies to automatically categorize and analyze your transactions and find offers which will save you money.
- Has this been resolved? I can't say that it is very comforting that "administrators" are answering with "I think" instead of certainty. Or is this another case of Mint just being a front end and really we should be working with Yodlee?
No, this hasn’t been resolved. Security dongles aren’t supported because they create a random password every xxx number of seconds. There’s no way to support this right now.
- Do you think it is unethical to recommend credit cards as well as other financial services without knowing the full financial situation of a customer?
1. The offer is based on an algorithm about what we know about the customer at that time.
2. The customer has no obligation to accept an offer.
3. The customer doesn’t have to accept an offer to continue using the site.
4. We present the best possible offer (based on what we know), even if we don’t make any money.
Bookmark this post: