Ask HN: Why would people trust their banking credentials to a service like Mint?

I use Mint, and of course I don't think providing your bank credentials to a 3rd party service is a good idea. That said the company backing Mint currently (Intuit) also does TurboTax, so at least they have some experience with handling sensitive customer data. Also in the event that they did get hacked, there are a ton of other people also using Mint which hopefully will give me time to change my passwords before any real damage is done. Overall it's something I'm not super comfortable about using, but I really enjoy the convenience of having all my accounts in one place, automatically updated, etc, that I'm willing to accept the hopefully small risk of getting hacked.

That said, I still have a hard time convincing others of using the service due to security concerns. I also personally wouldn't really trust a startup/smaller company with my data either since they don't have as much on the line as a larger established company does.

My understanding is that they use http://www.yodlee.com for getting information from your accounts. That's pretty much what everybody does.

I turned it off and deleted my data because the bank or brokerage would change something and break the automatic downloads and things would get out of date.

I believe banks and brokerages should have two levels of access: one where you can move money and one where you can look but not touch. I'd be much happier using the second type of password with Mint, with the bank's own apps, etc. I'm not thrilled at all about the idea of losing my phone and having someone get "write" access to my bank account.

Yes, I've been a mint user since well before they were bought by Intuit.

I didn't think it was a bad idea, because it is clearly explained that Mint can't make changes to your accounts. It is only used for query. I am under the impression that the banks only allow Mint query capabilities. They've lately released a new service called "Mint Bills"-- which does make changes but that is separate from their main "Mint" service.

I've recommended Mint to friends and those who've tried it like it.

Things are changing lately, however. Banks are providing more and more "Mint-like" analytic services for their customers. These days, if you have your stuff at one bank there's little need for something like Mint.

I think there will always be room for a service that can work with multiple financial services/banks/accounts at the same time and with a uniform interface. Unfortunately, this is an exceedingly hard business for start-ups to crack (my opinion). To do it right (without asking users to literally surrender control of their accounts), services like Mint need to negotiate with multiple financial institutions-- not fun at all, just to get to the starting-point where one can compete with Mint.

I’ve been using Mint for several years. But there actually was a point two years ago where I got concerned about them having all my credentials. I deleted my account and changed all my passwords.

Fast-forward a few months later and I’m using them again. Whatever concerns I had about data security did not outweigh having immediate information to all my accounts and reports that would take me too long to generate myself. I don’t worry so much about Mint abusing my data as someone hacking their services. I wouldn’t have the same trust level with a startup or smaller company though.

SOFORT(.com) has built a strong market presence in Germany and is expanding throughout Europe. They basically do the same thing you are talking about: provide an easy "check-out" experience using customers' banking credentials and custom crawlers.

The solution is well-liked by merchants. Banks generally don't like it (for obvious security/privacy reasons), but are cautious in actually preventing it. SOFORT actually used to be the only payment method to buy german train tickets online without a surcharge. In a recent ruling, a court deemed this to be an inacceptable intrusion to privacy, forcing the train operator to offer another free means of payment.

Pending EU legislation (PSD II) will force banks to offer some sort of limited API access that'll allow users to sensibly share access with services like Mint or SOFORT.

It's a bad idea, but if you want automated access it's the best we've got. Ideally banks would provide a nice API, but without a good enough reason they're just not interested.

I'm actually curious about this. How do popular web apps store your id/pw for other sites? I know personally that Mint (Yodlee), Zenefits, TriNet Expense, and BoA all log into other sites but I'm curious how/where they store the passwords? If they create a scraper then it means they have to store the password (encrypted) and then decrypt it so the scraper can use it? What happens if a master app (let's use Zenefits as an example) get's hacked? Are my other passwords compromised then?

To get insight into their budgets.

I have tried one or two services similar to mint in an effort to get more control on budgeting. The typical bank provided online banking interface is like something from 10-15 years years ago with a painful interface and no real facilities to either analyse your income/spending on the site or to easily export data.

The promise of these other services is to scrape at your data, gather it into an easily viewable/filterable format and allow you to group it semantically (i.e. this payment every month is for rent, food, socializing) The idea being that it can automatically analyze the accounts give you more control over your budget.

My experience was that for personal accounts the analysis was no better than I was doing myself and they cannot account correctly for cash withdrawls which kind of defeats the purpose of the exercise. Finally, my bank recently updated their online banking site so that it's just as good as that offered by these external services.

This is why some people use the "offline" applications like GnuCash[1] or cli-ledger[2]. These programs can be used in such a way that they don't even know the financial institutions you do business with, never mind usernames/passwords.

However, as others have stated, they view the convenience gained to be worthwhile enough to sacrifice the security of their accounts. Plus, I'm sure they asses the probability of Mint (and their employees, contractors, etc) using this information in any way other than "read-only" (at least intentionally) to be very close to zero.

[1] http://www.gnucash.org/ [2] http://ledger-cli.org/

Because they use OFX for read-only transactions and an HSM to store the passwords:

http://money.stackexchange.com/questions/15392/are-there-any...

If I remember correctly, a number of banks specify that providing credentials to a third party isn't allowed. If your credentials actually got stolen, the banks could deny assistance.

I use Mint though and I find it really helpful for monitoring my finances.

I use USAA, and it aggregates my accounts from multiple other sources all by itself. I log in to USAA and see my vanguard retirement investments, my joint checking account that I share with my wife, and my daughter's college savings account from another bank. I also see my mastercard bill and my insurance bills.

I also get an incredibly powerful mobile app, free checking, and ATM fee reimbursement.

The interesting part is that I was able to hook up those external bank accounts without providing username and passwords to USAA.

Note, their banking services are available to anybody, even non-military.

I already use TurboTax, so it's not like Mint is really giving Intuit a whole lot more data than I'm already giving them. Aside from debt-consolidation loans and credit card offers, there's isn't really any advertising that I see there, and I'm less worried about them selling off information about my transactions the way Google probably would to targeted advertisers.

Really, I would think that this data would in some sense be the holy grail for targeted marketing, short of the databases that Amazon has on its customers.

I don't use Mint, but to me, the main question is whether I perceive the company to have more to lose by abusing the power I grant them than they would gain from doing so. A small fly-by-night company might make a quick buck by embezzling people and then disappearing, but a bigger company has much more value tied up in its brand and customer base, so they would have too much to lose. It's not a bulletproof approach (as some high profile Ponzi schemes have shown) but it's managed to keep me out of trouble so far.

Get some kind of insurance. Show me that if you get hacked and I lose money (and for some reason the fraudulent transactions aren't just rolled back when I call my bank), I can take it out of you.

Also, post some info about your experience writing other secure apps. Social proof is about all we have to go on here, so play it up.

I'm currently doing the same thing for my own personal use. My bank has recently redone their mobile app and it's actually very nice, but I still don't have the insight I'd like without breaking out my calculator.

Where I'm from the banks run on ancient software (we're talking COBOL in most cases) and when an ATM breaks, you see it briefly boot through Windows 98.

Web scrapers could be feasible for an e-commerce service (that's mostly what Yodlee is, the service that powers Mint) the hard part is the regulatory issues surrounding banking web scrapers. It's a very very grey area.

In my opinion with this stuff, if there's demand, it's better to ask for forgiveness than permission and third party banking apps could/can provide endless functionality and insight.

I wouldn't this is why I chose a non connected financial app on my Android phone. It took me a week of try and miss to find a good one but there's no way I'm going to trust a third party with my banking info. Heck I don't even trust my bank (but admittedly I don't have a choice in the matter).

This is also why I don't seriously use Evernote. Yeah I'd love to have all my documents and bills there, but at one point you have to stop and think about the implications of a private company (in fact 2, since they're probably using AWS) knowing everything about you.

People's willingness to give their information depends on how much they trust the company. Mint is owned by Intuit which is the same company most all of us trust providing all our financial data to for tax purposes each year.

For customers to trust your company you will have to have a lot of financial backing and support of big names in the industry. And when Mint first launched people were a little less concerned about giving up data. Now a days people are much more aware of the implications so you would be fighting an uphill battle.

Mint provides value and it's a trusted brand, so people feel okay about giving them access.

I could potentially trust Mint but anything smaller and not based in the US definitely not.

FWIW, I would really like to be able to do scripted management of my finances. Stuff like automatically paying my credit cards as much as possible while maintaining some minimum balance in my checking account (moving money from savings if necessary), or if my checking account is over some value, use the excess to fill savings account to $X, or put it in an investment account.

I've wondered about this for a long time. It also appears to be in direct contravention of the terms of service for my bank (which mint doesn't support anyway so that's moot), which state that my access information is strictly personal. I wonder if mint ever got hacked and this led to damage for their customers what the liability situation would be.

Is there a self-hosted or client-side version of Mint that's also open-source? If not, I think there's an opportunity here.

If we have to resort to scraping for banking data, I'd personally prefer to do the scraping by myself and for myself rather than trusting any third parties with my credentials.

I think some banks provide a view only access so you can give it to sites like mint.

Giving full access would be really crazy at least to me.

Good luck

Not all trust them. Some do, some don't. But services like Mint exist because there are enough who trust out there to keep the service going. 100% trust is impossible for any service. There are people who don't even trust themselves.

There are a couple of banking startups (at least here in the UK) that want to give you API-like access to key stats (transactions, totals) without full access. Very excited for that to pan out.

y, I think providing your credentials is a bad idea and haven't done it. This came up in a thread a few weeks ago. I can't believe banks aren't required to provide a read-only access and/or API to your account. That would be a great solution for rolling your own budget tracker and allowing access for services like mint. Does anyone know if any banks have read-only passwords or an api?

Endorsement by TechCrunch and I think specifically by michael arrington told me I could use and adopt Mint.

And I did give them all of my passwords for everything.

I'm actually looking for a bank feed/API service for banks in Australia. Does anyone know of one?

I didn't connect my high value accounts to mint (like brokerages), just my spending accounts mostly.