Ask HN: Why would people trust their banking credentials to a service like Mint?

49 points by xtrumanx 10 years ago | 57 comments

I wrote my own unofficial API for a banking website[0] (check balance, send money, view transaction history) by essentially writing a crawler that would do whatever the a user would do if they were navigating the website themselves. I built it for fun to see if it was possible and then shelved it along with the rest of the half-completed projects littering my hard drive.

I was wondering how feasible it would be to use it as a basis for a service to facilitate e-commerce. It would require the user to give me, a 3rd party, their credentials which isn't something I'd recommend someone to do. But then again, Mint has done well for themselves doing just that so perhaps my opinion on the matter isn't entirely relevant.

PayPal, BrainTree, Stripe, etc. are not available in my corner of the world and I feel that's too bad cause a good payments solution could be a big deal to businesses and consumers alike if available. I'd be happy if the bank shuts down my service as long as they (or someone else) provide an alternative.

Have you provided your bank credentials to Mint or another similar 3rd party service? If so why? Did you ever stop to think if it was a bad idea? Do you think most people do?

[0] https://github.com/xtrumanx/zapi

fiveoak 10 years ago |

I use Mint, and of course I don't think providing your bank credentials to a 3rd party service is a good idea. That said the company backing Mint currently (Intuit) also does TurboTax, so at least they have some experience with handling sensitive customer data. Also in the event that they did get hacked, there are a ton of other people also using Mint which hopefully will give me time to change my passwords before any real damage is done. Overall it's something I'm not super comfortable about using, but I really enjoy the convenience of having all my accounts in one place, automatically updated, etc, that I'm willing to accept the hopefully small risk of getting hacked.

That said, I still have a hard time convincing others of using the service due to security concerns. I also personally wouldn't really trust a startup/smaller company with my data either since they don't have as much on the line as a larger established company does.

ctdonath 10 years ago | |

Yes, it's a bad idea. Bugs me frequently. But...it's so dangblasted useful; throw some social/emotional motivations in there and a bunch of problems get solved well enough to tolerate the risk. Given Intuit bought Mint, and I've trusted my taxes to Intuit for decades, I'll grudgingly take that risk to solve other problems.

A core issue is the need for a next-level financial data aggregator, somebody to pull together one's info across multiple banks, cards, investments, etc. Much as Bank X wants to provide all those services to me, and much as I may even want them to, other companies get involved and there's a need for a one-screen view of all of it, preferably updated near-live, and working on whatever interface/device I choose to use (notebook, phone, tablet; app, web browser).

Trust is the main thing. I was mad at myself for signing up for Mint (in a fit of frustration attempting to solve some problem) when it was new & independent; I'm still irritated but less so now that Intuit is taking responsibility.

Amorymeltzer 10 years ago | |

This. It's (somewhat) analogous to the argument about Google/Apple/other-large-company knowing everything we do or say. Yes, it's creepy, and yes, it makes me uncomfortable time-to-time, but holy hell it is really convenient.

jdeibele 10 years ago |

My understanding is that they use http://www.yodlee.com for getting information from your accounts. That's pretty much what everybody does.

I turned it off and deleted my data because the bank or brokerage would change something and break the automatic downloads and things would get out of date.

I believe banks and brokerages should have two levels of access: one where you can move money and one where you can look but not touch. I'd be much happier using the second type of password with Mint, with the bank's own apps, etc. I'm not thrilled at all about the idea of losing my phone and having someone get "write" access to my bank account.

vishbar 10 years ago | |

My bank, Capital One 360, has something like this. You can give a read-only access token to an external service and change/disable it at will.

true_religion 10 years ago | | |

Bank of America has it. They call it Account Management, but AFAIK they charge for using it at least if you're a business account.

gkanapathy 10 years ago | |

I believe Mint does not use Yodlee, while most other sites that offer similar functionality do.

runamok 10 years ago | |

Totally agree. You could even limit it by whichever app you want to give access to.

angdis 10 years ago |

Yes, I've been a mint user since well before they were bought by Intuit.

I didn't think it was a bad idea, because it is clearly explained that Mint can't make changes to your accounts. It is only used for query. I am under the impression that the banks only allow Mint query capabilities. They've lately released a new service called "Mint Bills"-- which does make changes but that is separate from their main "Mint" service.

I've recommended Mint to friends and those who've tried it like it.

Things are changing lately, however. Banks are providing more and more "Mint-like" analytic services for their customers. These days, if you have your stuff at one bank there's little need for something like Mint.

I think there will always be room for a service that can work with multiple financial services/banks/accounts at the same time and with a uniform interface. Unfortunately, this is an exceedingly hard business for start-ups to crack (my opinion). To do it right (without asking users to literally surrender control of their accounts), services like Mint need to negotiate with multiple financial institutions-- not fun at all, just to get to the starting-point where one can compete with Mint.

IanCal 10 years ago | |

> I didn't think it was a bad idea, because it is clearly explained that Mint can't make changes to your accounts.

Mint can do anything that you could do with the same credentials. Unless you have read-only credentials, they can technically make changes using your details.

gcb0 10 years ago | | |

i wouldn't expect people from this site falling for this marketing shenanigans...

eswat 10 years ago |

I’ve been using Mint for several years. But there actually was a point two years ago where I got concerned about them having all my credentials. I deleted my account and changed all my passwords.

Fast-forward a few months later and I’m using them again. Whatever concerns I had about data security did not outweigh having immediate information to all my accounts and reports that would take me too long to generate myself. I don’t worry so much about Mint abusing my data as someone hacking their services. I wouldn’t have the same trust level with a startup or smaller company though.

calinet6 10 years ago | |

That's a huge tell: the convenience and value of having all your accounts aggregated far outweighs the security concerns, and frankly even the myriad and difficult and frankly frightening methods of connecting your accounts.

That's why people do it, and there's clearly an opportunity for a better experience...

jlgaddis 10 years ago | | |

Absolutely there is. I only log in to Mint perhaps once every few weeks, but I would much rather not use it at all -- or, more correctly, I would rather them not have my credentials.

But... I have personal checking and savings accounts at the local credit union, personal checking and savings accounts at one of the large, major banks, business checking and savings accounts at the (same previously mentioned) credit union, as well as several store and major credit cards issued by various financial institutions. (I tracked my vehicle loan within Mint as well, until I decided to just go ahead and pay it off.)

The convenience of being able to see all of them, quickly, within the same "single pane of glass" apparently outweighs the fears that I have or I wouldn't use it. An attacker acquiring the credentials for most of those accounts wouldn't be too much of an issue, honestly. The one account I would worry about would be my (primary) personal checking account but, luckily, the credit union's web site/software is pretty limited with regard to what kind of transactions could be performed... and, now that I think about it, I'm not sure I can initiate any transactions via their web site. The one thing I know I can do is the "online bill pay" but I would have to physically go into one of their branches to sign up for that before it was even available.

phlo 10 years ago |

SOFORT(.com) has built a strong market presence in Germany and is expanding throughout Europe. They basically do the same thing you are talking about: provide an easy "check-out" experience using customers' banking credentials and custom crawlers.

The solution is well-liked by merchants. Banks generally don't like it (for obvious security/privacy reasons), but are cautious in actually preventing it. SOFORT actually used to be the only payment method to buy german train tickets online without a surcharge. In a recent ruling, a court deemed this to be an inacceptable intrusion to privacy, forcing the train operator to offer another free means of payment.

Pending EU legislation (PSD II) will force banks to offer some sort of limited API access that'll allow users to sensibly share access with services like Mint or SOFORT.

captainmuon 10 years ago | |

SOFORTÜBERWEISUNG looked sketchy as hell the first time I tried it. Imagine IMMEDIATEWIRETRANSFER.COM (in capital letters) asking you to enter not only your bank account number, but also your password, and then a PIN from your secret list. The latter is something that the bank tells you to never, under no circumstances, give out, because you can use it to transfer money.

I find it really hard to believe that SOFORT does this without support or even consent of the banks. Scraping bank websites seems like something that could get you ruined or even jailed (I don't know, for dealing with bank customer's data in an improper way or something - at least I'd assume the banks could sue you for violation of their TOS). I only started using Sofortüberweisung at all when some trustworthy looking sites adopted it, and when it appeared to me as if it was a joint venture between SOFORT and the banks.

I guess if you want to build a successful business today, you can't ask nicely and wait for permission to do things (see also Uber et al).

germanier 10 years ago | | |

The federal antitrust commission intervened after banks filed a lawsuit to stop Sofort from using their websites. The passages of their TOS that forbid using such services are most likely void as they obstruct a free market of payment providers (as seen by the federal antitrust commission).

Personally, I avoid that service but it has the blessing of government agencies from operating that way.

Some banks (e.g. DKB) now started to cooperate with Sofort instead and the German banks will start a similar service themselves this year.

kennydude 10 years ago |

It's a bad idea, but if you want automated access it's the best we've got. Ideally banks would provide a nice API, but without a good enough reason they're just not interested.

basseq 10 years ago | |

The "nice API" comment is something that struck me after using mint for a couple years: there are banks/brokerages out there who are set up for this sort of thing and handle it well: tokens, revocation, etc. (Interactive Brokers is one.)

mikeokner 10 years ago | |

Hell, I wish everyone would provide a nice API.

kennydude 10 years ago | | |

We can only dream :(

mbesto 10 years ago |

I'm actually curious about this. How do popular web apps store your id/pw for other sites? I know personally that Mint (Yodlee), Zenefits, TriNet Expense, and BoA all log into other sites but I'm curious how/where they store the passwords? If they create a scraper then it means they have to store the password (encrypted) and then decrypt it so the scraper can use it? What happens if a master app (let's use Zenefits as an example) get's hacked? Are my other passwords compromised then?

Untit1ed 10 years ago | |

You've kind of answered your own question there - if they're able to log into other sites without using some kind of OAuth-type mechanism that doesn't require them to store your password, then a hack will compromise those passwords.

eoin_murphy 10 years ago |

To get insight into their budgets.

I have tried one or two services similar to mint in an effort to get more control on budgeting. The typical bank provided online banking interface is like something from 10-15 years years ago with a painful interface and no real facilities to either analyse your income/spending on the site or to easily export data.

The promise of these other services is to scrape at your data, gather it into an easily viewable/filterable format and allow you to group it semantically (i.e. this payment every month is for rent, food, socializing) The idea being that it can automatically analyze the accounts give you more control over your budget.

My experience was that for personal accounts the analysis was no better than I was doing myself and they cannot account correctly for cash withdrawls which kind of defeats the purpose of the exercise. Finally, my bank recently updated their online banking site so that it's just as good as that offered by these external services.

howeyc 10 years ago |

This is why some people use the "offline" applications like GnuCash[1] or cli-ledger[2]. These programs can be used in such a way that they don't even know the financial institutions you do business with, never mind usernames/passwords.

However, as others have stated, they view the convenience gained to be worthwhile enough to sacrifice the security of their accounts. Plus, I'm sure they asses the probability of Mint (and their employees, contractors, etc) using this information in any way other than "read-only" (at least intentionally) to be very close to zero.

[1] http://www.gnucash.org/ [2] http://ledger-cli.org/

dguido 10 years ago |

Because they use OFX for read-only transactions and an HSM to store the passwords:

http://money.stackexchange.com/questions/15392/are-there-any...

nailer 10 years ago | |

The bank should provide oauth, with 'see your transactions' as a permission you can revoke later.

Unfortunately, banks are technically backward and don't realise they're dumb vaults yet, much in the same way phone carriers are dumb pipes.

cody_taylor 10 years ago |

If I remember correctly, a number of banks specify that providing credentials to a third party isn't allowed. If your credentials actually got stolen, the banks could deny assistance.

I use Mint though and I find it really helpful for monitoring my finances.

knodi123 10 years ago |

I use USAA, and it aggregates my accounts from multiple other sources all by itself. I log in to USAA and see my vanguard retirement investments, my joint checking account that I share with my wife, and my daughter's college savings account from another bank. I also see my mastercard bill and my insurance bills.

I also get an incredibly powerful mobile app, free checking, and ATM fee reimbursement.

The interesting part is that I was able to hook up those external bank accounts without providing username and passwords to USAA.

Note, their banking services are available to anybody, even non-military.

ryan-c 10 years ago | |

NetBank was able to pull in information from my credit cards long long ago when it existed. I remember using this feature at least 10 years ago. I can't remember if it was transactions or balance only though.

megaman22 10 years ago |

I already use TurboTax, so it's not like Mint is really giving Intuit a whole lot more data than I'm already giving them. Aside from debt-consolidation loans and credit card offers, there's isn't really any advertising that I see there, and I'm less worried about them selling off information about my transactions the way Google probably would to targeted advertisers.

Really, I would think that this data would in some sense be the holy grail for targeted marketing, short of the databases that Amazon has on its customers.

m12k 10 years ago |

I don't use Mint, but to me, the main question is whether I perceive the company to have more to lose by abusing the power I grant them than they would gain from doing so. A small fly-by-night company might make a quick buck by embezzling people and then disappearing, but a bigger company has much more value tied up in its brand and customer base, so they would have too much to lose. It's not a bulletproof approach (as some high profile Ponzi schemes have shown) but it's managed to keep me out of trouble so far.

runamok 10 years ago | |

I think the main issue with this philosophy is Mint is a very juicy target for hackers and it only takes one person on the inside to "turn bad". The company itself can have the best of intentions.

That being said I use them too...

sp332 10 years ago |

Get some kind of insurance. Show me that if you get hacked and I lose money (and for some reason the fraudulent transactions aren't just rolled back when I call my bank), I can take it out of you.

Also, post some info about your experience writing other secure apps. Social proof is about all we have to go on here, so play it up.

mapierce 10 years ago |

I'm currently doing the same thing for my own personal use. My bank has recently redone their mobile app and it's actually very nice, but I still don't have the insight I'd like without breaking out my calculator.

Where I'm from the banks run on ancient software (we're talking COBOL in most cases) and when an ATM breaks, you see it briefly boot through Windows 98.

Web scrapers could be feasible for an e-commerce service (that's mostly what Yodlee is, the service that powers Mint) the hard part is the regulatory issues surrounding banking web scrapers. It's a very very grey area.

In my opinion with this stuff, if there's demand, it's better to ask for forgiveness than permission and third party banking apps could/can provide endless functionality and insight.

jmnicolas 10 years ago |

I wouldn't this is why I chose a non connected financial app on my Android phone. It took me a week of try and miss to find a good one but there's no way I'm going to trust a third party with my banking info. Heck I don't even trust my bank (but admittedly I don't have a choice in the matter).

This is also why I don't seriously use Evernote. Yeah I'd love to have all my documents and bills there, but at one point you have to stop and think about the implications of a private company (in fact 2, since they're probably using AWS) knowing everything about you.

webjprgm 10 years ago | |

I agree completely.

I'm using "Cha-Ching 2 beta" which was abandoned some 6 years ago when Intuit bought out the company working on it but the beta still works (I owned a copy of Cha-Ching 1 from some software bundle I picked up). The downside is (1) manual entry of every transaction, and (2) no analytics at all. The plus side is I wrote my own scripts to extract data from its Sqlite database so I can do analytics in a spreadsheet.

I definitely don't trust any one company. I don't want my bank or my credit card company to have 100% of my financial data.

heavymark 10 years ago |

People's willingness to give their information depends on how much they trust the company. Mint is owned by Intuit which is the same company most all of us trust providing all our financial data to for tax purposes each year.

For customers to trust your company you will have to have a lot of financial backing and support of big names in the industry. And when Mint first launched people were a little less concerned about giving up data. Now a days people are much more aware of the implications so you would be fighting an uphill battle.

hamidpalo 10 years ago |

Mint provides value and it's a trusted brand, so people feel okay about giving them access.

I could potentially trust Mint but anything smaller and not based in the US definitely not.

ryan-c 10 years ago |

FWIW, I would really like to be able to do scripted management of my finances. Stuff like automatically paying my credit cards as much as possible while maintaining some minimum balance in my checking account (moving money from savings if necessary), or if my checking account is over some value, use the excess to fill savings account to $X, or put it in an investment account.

jacquesm 10 years ago |

I've wondered about this for a long time. It also appears to be in direct contravention of the terms of service for my bank (which mint doesn't support anyway so that's moot), which state that my access information is strictly personal. I wonder if mint ever got hacked and this led to damage for their customers what the liability situation would be.

lewisl9029 10 years ago |

Is there a self-hosted or client-side version of Mint that's also open-source? If not, I think there's an opportunity here.

If we have to resort to scraping for banking data, I'd personally prefer to do the scraping by myself and for myself rather than trusting any third parties with my credentials.

cfontes 10 years ago |

I think some banks provide a view only access so you can give it to sites like mint.

Giving full access would be really crazy at least to me.

Good luck

aerialcombat 10 years ago |

Not all trust them. Some do, some don't. But services like Mint exist because there are enough who trust out there to keep the service going. 100% trust is impossible for any service. There are people who don't even trust themselves.

heeton 10 years ago |

There are a couple of banking startups (at least here in the UK) that want to give you API-like access to key stats (transactions, totals) without full access. Very excited for that to pan out.

saluki 10 years ago |

y, I think providing your credentials is a bad idea and haven't done it. This came up in a thread a few weeks ago. I can't believe banks aren't required to provide a read-only access and/or API to your account. That would be a great solution for rolling your own budget tracker and allowing access for services like mint. Does anyone know if any banks have read-only passwords or an api?

filoeleven 10 years ago | |

ING Direct had this feature, and it's been carried over when that changed to Capital One 360.

https://mint.lc.intuit.com/questions/1057341-known-issue-cap...

brokencup 10 years ago | |

Wells Fargo lets you create a read-only account:

https://www.wellsfargo.com/help/faqs/profile/

nashashmi 10 years ago |

Endorsement by TechCrunch and I think specifically by michael arrington told me I could use and adopt Mint.

And I did give them all of my passwords for everything.

laurencei 10 years ago |

I'm actually looking for a bank feed/API service for banks in Australia. Does anyone know of one?

NeutronBoy 10 years ago | |

I'm not sure if they have API access, but ANZ Money Manager [1] is basically the AU equivalent to Mint - consolidated reports/expense analysis/budgeting/etc across all your accounts (including non-ANZ accounts and cards).

[1] http://www.anz.com/ANZ-MoneyManager/

mjsilva 10 years ago | |

http://getpocketbook.com is not a feed/api but offers a similar service of what Mint does.

free652 10 years ago |

I didn't connect my high value accounts to mint (like brokerages), just my spending accounts mostly.