
It’s … Minty

By Mark Diodati | May 07, 2012 | 2 Comments

Tags: IAM, Authentication

Recently, I had the opportunity to talk with Sharon Epperson (CNBC/Today/NBC News). She was preparing for a Today show segment on the security of mint.com. I address this topic in my 2011 FFIEC authentication guidance document.

Mint.com is Quicken for the cloud era. Like Quicken, it enables the analysis of personal financial data, including banking, loan, investment, and credit card transactions. Users can evaluate the transactions against a budget and calculate their net financial worth. Unlike Quicken, mint.com is currently “read-only”; it cannot execute transactions on behalf of the user.

Intuit, no stranger to securing personal financial data, has implemented reasonable security measures within the mint.com service. There aren’t any known security issues with mint.com, but two security considerations exist: one for the bank and one for the user.

First, banks lose some fraud detection capabilities because the login traffic originates from mint.com’s servers, not from the user’s device. Every mint.com-originated login reaches the bank from the same address range and the same automated client, regardless of who is actually behind it. Several of our banking clients have expressed their displeasure because they can’t apply risk-based signals such as geolocation or device identification to improve user authentication.

Second, because mint.com holds the user’s credentials for each linked institution, the user’s mint.com password effectively unlocks many financial services accounts at once. Therefore, the user must take great care with the mint.com password and PC security. The password is easily captured by workstation malware (a keylogger, for example), enabling the fraudster to access the user’s financial services accounts.

The good news is that (for now, anyway) mint.com is “read-only”. If the password is compromised, the exposure is limited to disclosure of personal financial data, not fraudulent transactions. Once mint.com becomes “read/write”, the risk changes dramatically. Intuit should augment mint.com’s internal fraud detection capabilities and enhance its ability to provide user session details to the banks, so that a bank can once again tell one mint.com user’s session from another’s.
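To make the first consideration concrete, here is an added example (my illustration, not code from Intuit, mint.com, or the Gartner research) of a bank-side login risk scorer run over constructed login events. It shows the geolocation and device signals collapsing when a login arrives from the aggregator’s address range, and then recovering once the bank scores on session details the aggregator forwards, which is the enhancement suggested above. The aggregator address range, the customer profile, the geolocation table, and the forwarded_ip/forwarded_device_id fields are all assumptions made for the example, not any real aggregator’s interface.

```python
"""Bank-side login risk scoring when logins arrive through an account aggregator.

Added illustration, not code from mint.com, Intuit, or Gartner. The event
fields, the aggregator's address range, the geolocation table and the customer
profile are all constructed for this example; the forwarded_* fields model the
session details an aggregator could pass to the bank and are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed: the aggregator's outbound address range as known to the bank.
AGGREGATOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed: what the bank has seen before from this customer.
KNOWN_PROFILE = {"alice": {"countries": {"US"}, "devices": {"dev-a1"}}}

# Constructed: a tiny IP-to-country table standing in for a geolocation service.
GEO = {"198.51.100.7": "US", "192.0.2.44": "RO", "203.0.113.10": "US"}


@dataclass
class LoginEvent:
    user: str
    src_ip: str                        # address the bank's web tier actually sees
    device_id: Optional[str]           # device fingerprint presented to the bank
    forwarded_ip: Optional[str] = None         # hypothetical: end user's IP, per aggregator
    forwarded_device_id: Optional[str] = None  # hypothetical: end user's device, per aggregator


def via_aggregator(ip: str) -> bool:
    """True if the connection comes from the aggregator's known address range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AGGREGATOR_NETS)


def risk_score(ev: LoginEvent, trust_forwarded: bool = False):
    """Return (score, reasons). Higher is riskier; None means no usable signals.

    trust_forwarded=True models a bank that has an agreement with the aggregator
    and accepts its forwarded session details in place of the connection's own.
    """
    profile = KNOWN_PROFILE.get(ev.user, {"countries": set(), "devices": set()})
    ip, device, reasons = ev.src_ip, ev.device_id, []

    if via_aggregator(ev.src_ip):
        if not (trust_forwarded and ev.forwarded_ip):
            # Every aggregator login shares the aggregator's IP and client, so
            # geolocation and device signals say nothing about the real user.
            return None, ["aggregator origin: geolocation/device signals unusable"]
        ip, device = ev.forwarded_ip, ev.forwarded_device_id
        reasons.append("aggregator origin: scoring on forwarded session details")

    score = 0
    country = GEO.get(ip, "??")
    if country not in profile["countries"]:
        score += 2
        reasons.append(f"login from unfamiliar country {country}")
    if device not in profile["devices"]:
        score += 1
        reasons.append(f"unrecognised device {device}")
    return score, reasons


# Constructed events: the real customer and a fraudster holding her stolen
# credentials, each logging in directly and through the aggregator.
DIRECT_OK = LoginEvent("alice", "198.51.100.7", "dev-a1")
DIRECT_FRAUD = LoginEvent("alice", "192.0.2.44", "dev-x9")
AGG_OK = LoginEvent("alice", "203.0.113.10", "agg-client", "198.51.100.7", "dev-a1")
AGG_FRAUD = LoginEvent("alice", "203.0.113.10", "agg-client", "192.0.2.44", "dev-x9")


def compare(trust_forwarded: bool = False) -> dict:
    """Score all four constructed events; returns {event name: score}."""
    events = {"direct_ok": DIRECT_OK, "direct_fraud": DIRECT_FRAUD,
              "agg_ok": AGG_OK, "agg_fraud": AGG_FRAUD}
    return {name: risk_score(ev, trust_forwarded)[0] for name, ev in events.items()}


if __name__ == "__main__":
    print("without forwarded details:", compare(False))
    print("with forwarded details:   ", compare(True))
```

Without forwarded details the two aggregator logins are indistinguishable to the bank (both unscorable), even though one of them is a fraudster in an unfamiliar country on an unfamiliar device; with them, the aggregator logins score exactly like their direct equivalents. The caveat is that forwarded details are only as trustworthy as the aggregator and the channel they arrive over: a bank should accept them only from the aggregator’s known addresses over an authenticated channel (mutual TLS or a signed assertion), since otherwise anyone could forge a “familiar” location and device.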

Suggested Reading

The 2011 FFIEC Guidance on Authentication (subscription required)

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


2 Comments

  • Ned says:

    Mint requires you to hand over your passwords to all your financial accounts? Isn’t OAuth supposed to allow access without needing to hand over your passwords? And Mint only protects access to your financial information with another password? Why no OTP or two-factor? I wouldn’t use it.

  • Mark Diodati says:

    Hi Ned,
    Thanks for taking the time to read the blog and comment!
    Great points on the use of OAuth and stronger authentication. Paul Madsen (@paulmadsen) and Trey Drake (@treydrake) also thought that OAuth tokens were a good idea (and I agree). I think that interoperability is the core challenge. I don’t think that every bank will support OAuth in the near future. As for multifactor authentication at mint.com’s front door, that is a great idea, too. It should be an option for users. But U.S.-based retail banking customers did not take well to the use of OTPs in the early days of the consumer authentication era (corporate banking/treasury users are a different story). The rest of the world (particularly AP) appears more tolerant of multifactor authentication.
    Best,
    Mark