
How Safe is Using Mint.com and Other On-Line Account Aggregators?

Recently on Consumerism Commentary, Flexo posted about the upcoming discontinuation of Microsoft Money. First and foremost, this was a great post and important information for consumers of either Money, Quicken, or one of the similar on-line options. Unfortunately, on the desktop Quicken will no longer have significant competition (unless you like the free alternative, GnuCash). Quicken has been my personal choice for the past 5-6 years, despite its relatively higher cost.

Because of the removal of MS Money from the market, the discussion of alternatives such as Mint.com and Quicken On-line came up. These tools are considered on-line account aggregators because they typically connect to your accounts at various institutions and download statements. Below is a list of common account aggregators:

The most common concern about using these on-line account aggregators is security. How safe are these on-line account aggregators?

Mint

Current Security Measures

First let’s take a look at the security the sites do provide, before we get into the possible weaknesses. We are going to focus on Mint.com, though all of the sites provide similar security. Mint.com’s security features can be viewed here. But here is a basic rundown of those features:

  • Anonymity
  • 128-bit SSL encryption
  • Secure facility protected by biometrics palm scanners and 24/7 security guards
  • Bank-level data security standard (encryption, auditing, logging, backups, and safe-guarding data)
  • The site has the VeriSign seal.
  • Mint has anti-phishing protection provided by RSA

So what does all of this mean? Well, first, anonymity means that Mint does not ask for personally identifying information, for the most part. This includes data like name, social security number, etc. However, they do ask for e-mail. The point here, though, is that the data that they have on you (financial account balances and transactions) cannot easily be traced specifically to you.

The 128-bit SSL means that the data you submit from your browser to Mint’s network is encrypted in a manner that is fairly difficult to decrypt. This is the web-standard SSL that you see when you use a bank or a web site that shows the security lock in your browser. This is good: it protects your data as it travels to Mint. The VeriSign seal primarily validates that this SSL encryption is in place between your computer and Mint’s servers. Once it gets to Mint, they can encrypt your data using SSL as they pass it around internally so that no one at Mint can see it. And when they send it to your bank or other service providers it can be, and likely is, encrypted with SSL.

The bank-level data security helps give some assurances about what happens with your data, including your bank log-on credentials, while it is inside Mint’s network. If encryption of your credentials and data is always maintained while in Mint’s network, then only a security breach of the encryption key could compromise the data. Usually it takes more than just having the key; you also need access to the devices that have the data stored on them. The bottom line is that once it reaches Mint’s servers, we have to take their word for it that it remains encrypted, and I will give them the benefit of the doubt on this based on what they have stated here.

Of course physical security like biometric palm scanners and security guards means they don’t just let anyone into their facility. That is a good thing.

Where Are the Issues?

Mint handles two types of sensitive data. One type of information it holds consists of records of your account balances and transactions that it has aggregated from various sources. This information is valuable to you, but has limited value to anyone else. As long as the login information for your bank is not stored along with the account data, no one can do damage just by knowing the location and amount of the account. That brings us to the second type of information: your login information, or credentials.

According to Mint.com, the credentials information is not stored within their network. From their site:

“We need your online banking user name and passwords so that we can help you organize and manage your accounts, that information is encrypted and transferred in a secure manner. We store only the information needed to save you the trouble of updating, syncing or uploading financial information manually. Your banking login credentials are securely stored by our online financial service providers. Your Mint login credentials are not shared with these providers.”

This is reassuring: the bank user names and passwords are not stored by Mint. Instead, those credentials are stored by their online financial service providers. Basically, after the first time that you enter your credentials for a financial institution, Mint connects to their online service provider to retrieve the account data, and also receives an ID or token at the same time. That token allows them to retrieve, read only, account balance and transaction information in the future to keep Mint in sync with your accounts. Although it isn’t stated directly, “on-line financial service providers” seems to imply banks. In fact, banks could provide this service. However, most of them do not. Most banks and financial institutions require your login information, including possibly additional information like answers to your “secret” questions.

The reality is that Mint’s online financial services provider(s), if there is more than one, are not the banks and financial institutions. Instead it is a third-party company, Yodlee. As mentioned earlier, Yodlee also provides its own on-line aggregation service for customers. While it is difficult to find direct mention of Mint using Yodlee behind the scenes, looking through the forums and some other websites you can find that Yodlee is indeed their provider. Below is Mint’s statement on its liability for any loss with their third party system(s):

“However, it is important to understand that these precautions apply only to our Site and systems. We exercise no control over how your information is stored, maintained or displayed by third parties or on third-party sites.”

So, while it is by no means a secret, it is important to keep in mind that if you use Mint, your credentials are stored somewhere. And they are all likely stored in one location at Yodlee. To me it seems clear that Mint.com obscures this fact. You can see in their forums that they use Yodlee, but you see no reference to it on their site directly. Although they don’t directly say it, their wording implies that credentials are not stored by them and are instead stored only by financial institutions. One of the reasons they do not make this obvious may be for security itself, however I do believe they are intentionally vague on this for marketing purposes.

I do not want to give the impression that if you use Mint your credentials are being passed around in numerous e-mails at Yodlee or outside of Yodlee. Yodlee itself is no slouch on security. They provide many of the security precautions that Mint provides, probably quite a bit more. Broke Grad Student provides a good synopsis on Mint Myths Debunked where it is mentioned that Fidelity and Bank of America use Yodlee, for example. So even without using Mint, your credentials may be stored at Yodlee for other financial institutions.

With that said, many people have an issue with having ALL of their account information in a single place. An intelligent, disgruntled employee at Yodlee could find a way to get to that data. It would be difficult, but not impossible. Using the desktop version of Quicken reduces that risk. Desktop Quicken stores your credentials locally on your computer. So unless your computer is compromised, that information is safe. Even if your computer is compromised, someone would have to break Quicken’s security measures. However there are two slight risks, even to the desktop version of Quicken:

  • There is nothing stopping Quicken desktop from passing credential information through Quicken’s servers on the way to the financial institution. I don’t believe they do this, and I don’t believe they intend to do it. But it would be difficult to detect if they started. If they did, eventually I would expect this to come out and there would be negative repercussions for Quicken for such a move. But if they chose to do this, it would put Quicken desktop in the same position as every other on-line account aggregator.
  • Quicken provides automatic bill pay. So unlike Mint there is the possibility of moving money from within Quicken desktop if someone were to break in. (But if someone breached Yodlee, they would have access to full credentials, not just read only tokens)
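The difference between holding a read-only token and holding full login credentials, as an added example (not code from Mint, Yodlee or any bank). `ToyBank`, its methods and all account values are hypothetical and constructed for illustration, and it assumes the bank itself issues the token.

```python
import hashlib
import hmac
import secrets

class ToyBank:
    """Constructed model of a bank that issues read-only tokens (hypothetical API)."""
    def __init__(self):
        self._passwords = {}  # user -> password: the full-access credential
        self._accounts = {}   # user -> {"number": str, "balance": int}
        self._tokens = {}     # sha256(token) -> user; the raw token is not kept

    def open_account(self, user, password, number, balance):
        self._passwords[user] = password
        self._accounts[user] = {"number": number, "balance": balance}

    def _login(self, user, password):
        stored = self._passwords.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("bad credentials")

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_read_token(self, user, password):
        """The customer logs in once; the aggregator is handed only the token."""
        self._login(user, password)
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = user
        return token

    def revoke(self, token):
        """Cut the aggregator off without changing the banking password."""
        self._tokens.pop(self._digest(token), None)

    def read_summary(self, token):
        """Read-only sync: balance plus a masked account number."""
        user = self._tokens.get(self._digest(token))
        if user is None:
            raise PermissionError("unknown or revoked token")
        acct = self._accounts[user]
        return {"account": "****" + acct["number"][-4:], "balance": acct["balance"]}

    def transfer(self, user, password, amount):
        """Moving money needs the password; a token is never accepted here."""
        self._login(user, password)
        self._accounts[user]["balance"] -= amount
        return self._accounts[user]["balance"]
```

Whoever holds only the token can call `read_summary` and nothing else, and the customer can revoke it at any time; whoever holds the stored password can also call `transfer`.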

The Banks’ Role

For services like these on-line aggregators and Quicken desktop to work, banks and financial institutions must provide the mechanism to retrieve account information. For years they have provided the ability to download transactions from their site into desktop software using Quicken and MS Money formats. In the past 5 years or so it has been possible to download some financial institutions’ transactions directly from within these tools. Some banks have been supportive of that capability while others have been wary of the security.

Regarding on-line aggregators though, many banks have a firm position. Below is an excerpt from an e-mail from ING Direct to a customer regarding Mint.com:

“I understand that you recently had an issue trying to connect to our website using Mint.com. This service is commonly referred to as an account aggregator. While this service may have worked in the past, most users are finding that their aggregator does not work with our New Sign In Process.

The security of your information is very important to us. Once your personal information leaves ING DIRECT, we have no control over your information or how it is used by third parties. Because we have no way of monitoring how account aggregators address security, privacy or the use of cookies we are unable to support the use of these services.

To best protect your personal information and your funds, we recommend that you do not share your personal information (including your Customer Number and PIN) with any third party.”

Many other banks have the identical position that using account aggregators is at your own risk.

Conclusion

In the end you have to do what you feel comfortable with. Yodlee’s servers are many times more secure than most people’s home computers. Take that into consideration when considering the on-line aggregators versus something like Quicken’s desktop version. Consider your bank’s and other financial institutions’ positions on using such services.

For my own part, I have been using Quicken for many years after giving up on MS Money. Recently I gave Mint a try and I do like its ease of use and slick interface. But I had significant trouble interfacing it with my ING Direct account, which is what led me to research this information. In the end I am going to stick with Quicken.

Ultimately the best thing you can do to protect yourself is to periodically change your password and use strong passwords. If you choose the desktop Quicken solution, be sure you have a quality firewall and virus protection in place. There are some other best practices here that we can tackle in a future post.


10 comments to How Safe is Using Mint.com and Other On-Line Account Aggregators?

  • Theresa

    Great post! One thing you didn’t mention, which I’ve actually recently learned is that Yodlee is audited and monitored similarly to that of your bank. So the process is legit and secure.

  • Tom

    Theresa: Thanks for your comments. You are right that Yodlee has a strong level of monitoring and auditing. There is a blog post here that has more information on Yodlee’s security. This does not necessarily address someone’s concern if they don’t want to have all of their financial passwords in one place. But Yodlee does have impressive security procedures and practices.

  • Jason

    I have always been under the impression (right or wrong) that it is far more likely my laptop will get stolen than there will be a security breach at a company like Mint. So I’ve felt safer keeping my credentials on a machine controlled by people that probably know how to keep it secure.

  • Tom

    Hi Jason — I think that is a reasonable assumption for a laptop. There probably is a greater chance of that. For my set up I have it on a relatively secure computer in my house. That certainly does not have all the auditing and monitoring of the Yodlee computers. But I am comfortable with the security of my set up. I plan on talking about that eventually in a future post.

  • At VirtualBank we are releasing download only authentication credentials in the next few weeks that the clients can generate. You give these credentials to the aggregator and they will be allowed to login but only able to extract the account info without account numbers. If the authentication credentials are ever compromised they won’t be able to transact or see any sensitive data. I just did a blog on this subject at http://theonlinebankingblog.blogspot.com

  • You shouldn’t EVER give out your financial identification (online or offline) to anyone that’s not authorized to make a transaction on that account. The moment you do, you’ve lost all ability for reconciliation against fraud on the account.

    Imagine this, someone does obtain login information to your account on your bank’s website. That person then transfers funds out of your account. If your bank looks through their server logs and finds an aggregation service, meaning you’ve given out your login user/pass/pin, they’re no longer responsible for reimbursing you. Even if the fraudster didn’t gain access to your account because of the aggregation service, the bank’s review process will note that you’ve violated the terms of service, and are no longer eligible for reimbursement.

    NEVER-EVER-EVER GIVE OUT YOUR ACCOUNT LOGIN INFORMATION. Not even to Mint.com

  • A

    I agree with Travis. Nothing is 100% secure, sh** happens. Now, what should happen is just as above, have a separate read-only token that is used to access the account while not giving away ANY sensitive information. This would be ideal. I guess the banking system is still young in this area.

  • MRB

    Great article Tom, thanks. I feel quite comfortable with the fact that Mint.com does not know anything about me, so I’m OK with that part. BUT, if anyone should obtain only one of my log-on credentials to a financial website, then all of my personal information is exposed. With that being said, I have set up a MINT account and it’s pretty slick. BTW, they are now owned by Quicken!

  • Von Wolfgang

    Great points by all. Love the fact that Mint is owned by Quicken. I can only hope that some of Quicken’s security procedures have crossed over to Mint. Also the penalty should be tougher/extreme for identity thieves and hackers, basically anyone stealing bank information. In this day and age online banking is very important to our way of life.
