
March 6, 2008

Mint.com – safe?

Filed under: Uncategorized — wilkinsonlaw @ 5:43 pm

I was recently asked if it would be safe to use the consumer financial management site, mint.com.

From reviewing their site content and a few searches, it appears mint.com should be considered relatively secure, and that even if a security breach did occur, the user/consumer would be protected from unauthorized financial transactions.

Tech-thoughts:

Mint.com states they do not even have access to your credentials. They go on to say that all banking credentials are stored on Yodlee’s servers, which increases my level of confidence. Yodlee is a leading participant in BITS (www.bitsinfo.org), which I’ve been involved with quite extensively. Additionally, Yodlee is audited by the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve. I’ve not worked with any of these regulatory entities, but I have worked extensively with the OTS (Office of Thrift Supervision), which I believe has a number of similarities to these entities. In essence, audits from these entities result in FFIEC compliance. In my opinion, FFIEC compliance is of considerable value, due to the extensive evaluation process. Based on a prior review of Yodlee from a third-party perspective, Yodlee uses SAML for authentication, which further increases my level of confidence, SAML being a vetted, open-standards authentication/authorization technology.

The front end of Mint.com uses 128-bit SSL (with certificates issued by Verisign) for transmission of data between the user’s browser and Mint’s servers, which is of value but shouldn’t have too much weight attributed to it, since it is fairly standard and protects data only in transit, not while it is stored. The mint.com servers are indicated to be in a “secure” facility with biometric hand scanners and on-site physical security personnel. Based on an IP lookup and ARIN query, they use Internap, based in Atlanta, GA, for hosting, which seems to be a reputable company. Attack and penetration testing is conducted by a third party (scanalert.com, now owned by McAfee), which, granted, will not catch every possible attack (external testing only covers what is reachable from outside, and only for known vulnerability classes), but will likely catch the most probable application vulnerabilities.
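The “IP lookup and ARIN query” step above is easy to make repeatable. The script below is an added example, not code from the original post or from Mint or Yodlee: `arin_summary` parses ARIN’s plain-text whois output (the field names NetRange, CIDR, NetName, OrgName and Country are ARIN’s), and `lookup_host` is the live path that resolves a host name and queries ARIN. The function names, the host argument and the sample record are this example’s own constructions; the sample uses TEST-NET-1 addresses and is not a real registration.

```sh
#!/bin/sh
# Added example, not code from the original post: the "IP lookup and ARIN
# query" step as a repeatable script. Field names (NetRange, CIDR, NetName,
# OrgName, Country) are the ones ARIN's plain-text whois output uses; the
# function names and the sample record are this example's own inventions.

# Summarise ARIN whois text read from stdin as one line per network record:
#   NetRange | CIDR | NetName | OrgName | Country
# ARIN prints the network record first and the owning organisation's
# record after it, so a new NetRange line (or end of input) closes the
# previous record; the Country line is taken from the organisation block.
arin_summary() {
    awk '
        function val(line) { sub(/^[^:]*:[ \t]*/, "", line); return line }
        function flush() {
            if (range != "")
                printf "%s | %s | %s | %s | %s\n", range, cidr, name, org, cc
            range = cidr = name = org = cc = ""
        }
        /^NetRange:/ { flush(); range = val($0) }
        /^CIDR:/     { cidr = val($0) }
        /^NetName:/  { name = val($0) }
        /^OrgName:/  { org  = val($0) }
        /^Country:/  { cc   = val($0) }
        END          { flush() }
    '
}

# Live path (needs network plus the dig and whois tools): resolve the host
# name to its first IPv4 address and ask ARIN for the network record
# ("n <ip>" selects a network query). ARIN is authoritative only for the
# address space it administers; space under another RIR must be queried
# at that RIR's whois server instead.
lookup_host() {
    ip=$(dig +short "$1" A | grep -E '^[0-9.]+$' | head -n 1)
    [ -n "$ip" ] || { echo "no A record for $1" >&2; return 1; }
    whois -h whois.arin.net "n $ip" | arin_summary
}

# Constructed sample in ARIN's text layout (TEST-NET-1 addresses; this is
# not a real registration and not mint.com's record).
SAMPLE='NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-HOSTING-NET
NetHandle:      NET-192-0-2-0-1
NetType:        Direct Allocation

OrgName:        Example Hosting Inc
OrgId:          EXAMPL
Address:        1 Example Way
City:           Atlanta
StateProv:      GA
Country:        US'

# Offline demonstration; for a real check run: lookup_host mint.com
printf '%s\n' "$SAMPLE" | arin_summary
```

The hosting organisation printed this way tells you who operates the network, not who operates the application; a site can be hosted at a reputable provider and still be run badly, so treat the result as one data point alongside the facility and testing claims above.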

Non-tech thoughts – liability:

In several articles, Mint.com has stated that if the site were hacked and unauthorized transactions occurred, the account holder would be protected. For unauthorized ACH debits from a user’s checking account, this logic appears to rest on the Electronic Fund Transfer Act (EFTA) / Regulation E (12 CFR 205). Under these rules, if a consumer notifies their bank within 2 business days of learning of the loss or theft of the access device, their liability is limited to $50. If the consumer notifies the bank after those 2 business days but within 60 days of the statement showing the unauthorized transfer, their liability is capped at $500. Even after 60 days, the consumer can argue that extenuating circumstances (such as extended travel or hospitalization) delayed their notification, which extends these time limits.

For unauthorized credit card transactions, this logic is likely based on provisions in Regulation Z (12 CFR Part 226), which caps the cardholder’s liability for unauthorized use at $50, along with the Visa/MasterCard chargeback rules (themselves built on the requirements of the Fair Credit Billing Act (FCBA)). These rules provide even greater protection for the consumer than the ACH rules mentioned above.

Conclusion:

The site seems to be relatively secure by current standards, and users of mint.com would have little financial liability if the site were hacked. I suspect the consumer would likely endure some level of stress and hassle in enforcing their rights if the site were breached, though perhaps that risk is acceptable. If the service’s advantages, including making financial management less of a hassle, benefit the user, then perhaps the possible risk shouldn’t outweigh the probable gain.

1 Comment »

  1. This is a test comment

    Comment by wilkinsonlaw — March 6, 2008 @ 5:56 pm

