40

This question is not about whether Mint.com is secure, or not. That is beside the point. (Refer to this question on the subject of trusting Mint.com and similar services.) Rather:

Are bank customers permitted, under whatever account agreement they typically sign, to provide their username & password or other account credentials to sites like Mint.com?

Would a banking customer be giving up some of the protection offered by their bank if they voluntarily disclosed sensitive account details to a third party service?

Are many people using Mint.com without understanding their responsibilities with respect to protecting their own account credentials? (Call me a skeptic :-)

Chris W. Rea

4 Answers

15

The My Money Blog did an article on this very topic a while ago.

I think if you look in the T&C for Mint, it says somewhere that you are giving a "limited" power of attorney to Mint that allows them to log in to various websites on your behalf.

For purposes of this Agreement and solely to provide the Account Information to you as part of the Service, you grant Intuit a limited power of attorney, and appoint Intuit as your attorney-in-fact and agent, to access third party sites, retrieve and use your information with the full power and authority to do and perform each thing necessary in connection with such activities, as you could do in person.

Sanjay Sheth
8

Yes, the T&C for all banks I have accounts with say you must never tell anyone (or any software etc.) your password and the username.

Therefore if you make use of Mint.com, I would expect the bank to have a "get out of jail free card" if any money ever went missing from your account for any reason.

NL - SE listen to your users
Ian
6

Mint.com relies on its users to break rules to use their service. Regardless of bank policies, in the end you are trusting a third party to log in to your account on your behalf, where it will have full control of your account.

For at least some of the banks it links to, it is not using a well-documented open standard like, say, OFX. It needs to crawl the web site and impersonate you. This means entering your name, password, passmark, security questions, etc. You're giving them all the keys. This also means if the bank changes its layout or functionality, Mint will have trouble updating and you might not know.

Lastly, if you hardwire Mint to your bank accounts and begin relying on it, you will find it difficult to later change banking passwords because it becomes even more of a hassle.

spoulson
3

This doesn't seem any different than telling my wife my username/password and both of us using the same login. Am I to assume that this is also against the T&C?

Actually, I don't want to assume and just tell you what I think would be allowed/disallowed. So let's use an actual terms of use statement: https://www.chase.com/ccp/index.jsp?pg_name=ccpmapp/shared/assets/page/terms

The only two clauses that deal with passwords are as follows:

Unauthorized use of JPMorgan Chase's Websites and systems, including but not limited to unauthorized entry into JPMorgan Chase's systems, misuse of passwords, or misuse of any information posted to a site, is strictly prohibited.

...

You agree that (i) you will not engage in any activities related to the Website that are contrary to applicable law, regulation or the terms of any agreements you may have with JPMorgan Chase, and (ii) in circumstances where locations of the Website require identification for process, you will establish commercially reasonable security procedures and controls to limit access to your password or other identifying information to authorized individuals.

The unauthorized use clause seems to be simply stating the obvious: that it is prohibited to access someone's account without authorization. (i.e. Don't steal someone's password and use it and don't hack into their servers.) That wouldn't apply here since the Mint.com / quickenonline user authorizes the company.

The second clause does seem to address this situation. As I read it, it basically just says to use sound security practices. I would say that means if you do your research and you trust Mint.com to protect your password then you are free to choose to authorize them to log in on your behalf.

Ganesh Sittampalam
Stainsor