It’s … Minty

by Mark Diodati  |  May 7, 2012  |  2 Comments

Recently, I had the opportunity to talk with Sharon Epperson (CNBC/Today/NBC News). She was preparing for a Today show segment on the security of mint.com. I address this topic in my 2011 FFIEC authentication guidance document.

Mint.com is Quicken for the cloud era. Like Quicken, it enables the analysis of personal financial data, including banking, loan, investment, and credit card transactions. Users can evaluate the transactions against a budget and calculate their net financial worth. Unlike Quicken, mint.com is currently “read-only”; it cannot execute transactions on behalf of the user.

Intuit—no strangers to securing personal financial data—has implemented reasonable security measures within the mint.com service.  There aren’t any known security issues with mint.com, but two security considerations exist—one for the bank and one for the user.

First, banks lose some fraud detection capabilities because the traffic originates from mint.com—not the user’s device. Several of our banking clients have expressed their displeasure because they can’t leverage tricks like geolocation or device identification to improve user authentication.

Second, the user’s password for mint.com enables access to many financial services accounts. Therefore, the user must take great care with the mint.com password and PC security. The password is easily captured via workstation malware, enabling the fraudster to access the user’s financial services accounts.

The good news is that (for now, anyways) mint.com is “read-only”. If the password is compromised, the risk is limited to disclosure of personal data—not fraudulent transactions. Once mint.com becomes “read/write”, the risk changes dramatically. Intuit should augment mint.com’s internal fraud detection capabilities and enhance its ability to provide user session details to the banks.
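The two considerations above, sketched as a bank-side session policy: a session arriving from an aggregator carries no device or geolocation signal, so the bank pins it to read-only operations and asks for step-up authentication only on direct sessions whose signals look wrong. This is an added example, not code from the post or from Intuit; the aggregator IP range, operation names and sessions are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed: CIDR blocks a bank would register for a known aggregator.
AGGREGATOR_RANGES = {"mint.com (constructed)": [ip_network("203.0.113.0/24")]}

READ_ONLY = {"list_accounts", "list_transactions", "get_balance"}
WRITE_OPS = {"transfer", "bill_pay", "change_contact"}


@dataclass
class Session:
    user: str
    source_ip: str
    device_id: Optional[str]        # None when no device fingerprint reached the bank
    usual_country: str
    observed_country: Optional[str]  # None when geolocation is unavailable


def aggregator_for(ip: str) -> Optional[str]:
    """Name the aggregator whose registered range contains ip, if any."""
    addr = ip_address(ip)
    for name, nets in AGGREGATOR_RANGES.items():
        if any(addr in net for net in nets):
            return name
    return None


def risk_signals(s: Session) -> dict:
    """Signals the bank can evaluate; aggregator traffic yields none of the user-side ones."""
    agg = aggregator_for(s.source_ip)
    if agg:
        return {"aggregator": agg, "device_known": None, "geo_match": None}
    return {"aggregator": None,
            "device_known": s.device_id is not None,
            "geo_match": s.observed_country == s.usual_country}


def authorize(s: Session, op: str) -> Tuple[bool, str]:
    """Allow or deny one operation. Aggregator sessions are read-only regardless of credential."""
    sig = risk_signals(s)
    if sig["aggregator"]:
        if op in READ_ONLY:
            return True, f"read-only via {sig['aggregator']}"
        return False, "write operation denied for aggregator session"
    if op in WRITE_OPS and not (sig["device_known"] and sig["geo_match"]):
        return False, "step-up authentication required"
    return True, "allowed"
```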

Suggested Reading

The 2011 FFIEC Guidance on Authentication (subscription required)

Category: Authentication, IAM

2 responses so far

  • 1 Ned   May 7, 2012 at 3:28 pm

    Mint requires you to hand over your passwords to all your financial accounts? Isn’t OAuth supposed to allow access without needing to hand over your passwords? And Mint only protects access to your financial information with another password? Why no OTP or two factor? I wouldn’t use it.

  • 2 Mark Diodati   May 16, 2012 at 9:58 pm

    Hi Ned,
    Thanks for taking the time to read the blog and comment!
    Great points on the use of OAuth and stronger authentication. Paul Madsen (@paulmadsen) and Trey Drake (@treydrake) also thought that OAuth tokens were a good idea (and I agree). I think that interoperability is the core challenge. I don’t think that every bank will support OAuth in the near future. As for multifactor authentication at mint.com’s front door, that is a great idea, too. It should be an option for users. But U.S.-based retail banking customers did not take well to the use of OTPs in the early days of the consumer authentication era (corporate banking/treasury users are a different story). The rest of the world (particularly AP) appears more tolerant of multifactor authentication.
    Best,
    Mark