Recently, I had the opportunity to talk with Sharon Epperson (CNBC/Today/NBC News). She was preparing for a Today show segment on the security of mint.com. I address this topic in my 2011 FFIEC authentication guidance document.
Mint.com is Quicken for the cloud era. Like Quicken, it enables the analysis of personal financial data, including banking, loan, investment, and credit card transactions. Users can evaluate the transactions against a budget and calculate their net financial worth. Unlike Quicken, mint.com is currently “read-only”; it cannot execute transactions on behalf of the user.
Intuit—no strangers to securing personal financial data—has implemented reasonable security measures within the mint.com service. There aren’t any known security issues with mint.com, but two security considerations exist—one for the bank and one for the user.
First, banks lose some fraud detection capabilities because the traffic originates from mint.com—not the user’s device. Several of our banking clients have expressed their displeasure because they can’t leverage tricks like geolocation or device identification to improve user authentication.
Second, the user’s password for mint.com enables access to many financial services accounts. Therefore, the user must take great care with the mint.com password and PC security. The password is easily captured via workstation malware, enabling the fraudster to access the user’s financial services accounts.
The good news is that (for now, anyway) mint.com is “read-only”. If the password is compromised, the risk is limited to disclosure of personal data—not fraudulent transactions. Once mint.com becomes “read/write”, the risk changes dramatically. Intuit should augment mint.com’s internal fraud detection capabilities and enhance its ability to provide user session details to the banks.
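To make the two points above concrete (the bank losing device and geolocation signals when every session arrives from the aggregator, and the value of the aggregator relaying end-user session details), here is an added illustration in Python. It is not code from the post, from Intuit, or from any bank; the aggregator egress addresses, user profile, `forwarded_geo`/`forwarded_device` fields and the read-only action list are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: addresses the bank knows belong to an aggregator
# (documentation range 203.0.113.0/24, not real mint.com infrastructure).
AGGREGATOR_IPS = {"203.0.113.10", "203.0.113.11"}

# Hypothetical: actions an aggregator-originated session is permitted to perform.
# While the aggregator is read-only, a stolen aggregator password cannot move money.
READ_ONLY_ACTIONS = {"view_balance", "list_transactions", "download_statement"}


@dataclass
class LoginEvent:
    user: str
    source_ip: str
    device_id: Optional[str]          # device fingerprint seen by the bank
    geo: Optional[str]                # country derived from source_ip
    forwarded_device: Optional[str] = None  # hypothetical: end-user device relayed by the aggregator
    forwarded_geo: Optional[str] = None     # hypothetical: end-user location relayed by the aggregator


# Constructed history for one user: devices and countries seen on prior good logins.
USER_PROFILE = {"alice": {"devices": {"dev-alice-laptop"}, "geos": {"US"}}}


def is_aggregator(ip: str) -> bool:
    return ip in AGGREGATOR_IPS


def risk_score(event: LoginEvent, profile: dict):
    """Score a login against the user's history.

    Direct logins are scored on the device and geolocation the bank observes.
    Aggregator logins all share the aggregator's IP and client, so those
    signals are useless; the bank can only score relayed end-user context.
    Without it the event is assigned a flat, uninformative score.
    Returns (score, reasons)."""
    reasons = []
    if is_aggregator(event.source_ip):
        reasons.append("aggregator-origin")
        device, geo = event.forwarded_device, event.forwarded_geo
        if device is None and geo is None:
            # A legitimate user and a fraudster holding the aggregator password
            # look identical here: this is the lost detection capability.
            reasons.append("no-end-user-context")
            return 50, reasons
    else:
        device, geo = event.device_id, event.geo

    score = 0
    if device not in profile["devices"]:
        score += 40
        reasons.append("unknown-device")
    if geo not in profile["geos"]:
        score += 40
        reasons.append("unusual-geo")
    return score, reasons


def action_permitted(action: str, via_aggregator: bool) -> bool:
    """Limit aggregator sessions to read-only actions regardless of risk score."""
    return (not via_aggregator) or action in READ_ONLY_ACTIONS


if __name__ == "__main__":
    profile = USER_PROFILE["alice"]
    direct = LoginEvent("alice", "198.51.100.7", "dev-alice-laptop", "US")
    blind = LoginEvent("alice", "203.0.113.10", None, None)
    relayed = LoginEvent("alice", "203.0.113.10", None, None,
                         forwarded_device="dev-unknown", forwarded_geo="RU")
    for ev in (direct, blind, relayed):
        print(ev.source_ip, risk_score(ev, profile))
    print("transfer via aggregator:", action_permitted("transfer", True))
```

The `blind` event is the situation the banking clients complain about: every aggregator session collapses to one IP and one client, so the score is flat and cannot separate the account owner from someone who captured the aggregator password. The `relayed` event shows what the bank regains if the aggregator passes end-user session details; `action_permitted` captures why the exposure stays bounded only as long as the aggregator remains read-only.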
The 2011 FFIEC Guidance on Authentication (subscription required)
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.