

How I Would Try to Hack Your Mint.com Account - jowens
http://www.jasonowens.com/how-i-would-try-to-hack-your-mint-account/

======
jrockway
What's the value of hacking my Mint.com account? Learning where I bank so that
you can send me phishing emails?

(Downmodded? Last time I checked, there's no "transfer all my money to an
offshore bank account" button, nor are the passwords to the linked sites
available. So while annoying that some dude on the Internet can see that you
have lunch at McDonalds every day, it's not going to cost you any money.)

~~~
cookiecaper
There probably wouldn't be much utility in doing this to some random stranger,
but it could be useful if you were trying to blackmail or embarrass someone.

For instance, say that you're a senator and you've made some enemies. If these
enemies could log in to your account, they could reveal some "suspicious
charges" from an escort or pornography service, or perhaps they'd notice some
large expenditures on airfare and travel when you were supposedly just off for
a weekend hike (Mark Sanborn). All of these things are bad.

That's a prominent example, but the same could be done to anyone you wanted
some leverage against, be it a teacher, supervisor, or anyone else. Yes, it'd
be ideal if people didn't do things that destroy their careers and/or families
in the first place, but oftentimes that's not how people work.

~~~
hugh3
So it's only the same amount of damage that you could do by stealing my mail
and going through my bank statements.

You'd probably do far better at embarrassing someone by going through their
email, which is a necessary step for several of these methods.

------
rdamico
Great article. It seems that simply using Gmail over SSL would mitigate the
email-related issues here, no?

~~~
macrael
Absolutely. And, I can't think of any email service that sends passwords in
clear text. I'm not convinced it is this easy to compromise someone's email
account.

~~~
jowens
What I was thinking about was someone using say POP and a client like
Thunderbird. The POP traffic by default is clear-text, so when you send your
password to the server, it's in the clear unless you're either tunneling your
traffic or going to a secure port on your ISP's mail server.
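
Added illustration of the point above (not code from the article, Mint, or Thunderbird): a small auditor that classifies a POP3 client's command sequence, taken from your own client's protocol log or a capture of your own traffic, as exposing credentials in the clear (USER/PASS/AUTH on port 110 with no STLS first), protected by STARTTLS, or protected by implicit TLS on port 995. The session transcripts are constructed; only command verbs are inspected, never argument values.

```python
from dataclasses import dataclass

POP3_TLS_PORT = 995    # implicit TLS from the first byte

@dataclass
class Finding:
    verdict: str          # see audit_pop3_session for the possible values
    offending_cmd: str = ""  # first verb that carried credentials in the clear

def audit_pop3_session(server_port: int, client_commands: list) -> Finding:
    """Classify one client->server POP3 command sequence.

    client_commands is the client's lines in order ("USER alice", "PASS ...").
    On port 995 the whole stream is TLS. On port 110 USER/PASS/AUTH are
    exposed unless "STLS" was sent before them (in a real capture you would
    also confirm the server's +OK reply). Argument values are never kept.
    """
    if server_port == POP3_TLS_PORT:
        return Finding("ok-implicit-tls")
    tls_started = False
    for line in client_commands:
        verb = line.split(" ", 1)[0].upper()
        if verb == "STLS":
            tls_started = True
        elif verb in ("USER", "PASS", "AUTH"):
            if tls_started:
                return Finding("ok-starttls")
            return Finding("cleartext-credentials", offending_cmd=verb)
        elif verb == "APOP":
            # APOP sends an MD5 digest, not the password: not cleartext, but
            # weak and no substitute for TLS, so it gets its own verdict.
            return Finding("ok-starttls" if tls_started else "apop")
    return Finding("no-auth-observed")

# Constructed sessions (not real captures) mirroring the thread's scenarios.
SAMPLE_SESSIONS = {
    "default-pop": (110, ["USER alice", "PASS <redacted>", "STAT", "QUIT"]),
    "starttls":    (110, ["CAPA", "STLS", "USER alice", "PASS <redacted>"]),
    "pop3s":       (995, ["USER alice", "PASS <redacted>", "QUIT"]),
}

def audit_all(sessions=None) -> dict:
    """Return {session name: verdict} for every session audited."""
    sessions = SAMPLE_SESSIONS if sessions is None else sessions
    return {name: audit_pop3_session(port, cmds).verdict
            for name, (port, cmds) in sessions.items()}

if __name__ == "__main__":
    for name, verdict in audit_all().items():
        print(f"{name:12s} -> {verdict}")
```

The "default-pop" session is the Thunderbird-with-default-settings case from the comment above; the fix on the client side is to pick STARTTLS or the 995 port in the account settings.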

~~~
For_Iconoclasm
This is sadly true. I cannot connect to my school's e-mail service with either
of the security schemes provided by Thunderbird (SSL, TLS, or STARTTLS). The
trade-off is a nice program versus a secure connection.

I'm not exactly concerned about the security of my school account, but it
could potentially suck to have it compromised.

------
shalmanese
Eh, the number of ways anyone could hack anything is so much staggeringly
larger than the number of times people actually end up getting hacked.

Pointing out one specific flaw in one specific service is about as useful &
damaging as pondering new theoretical ways terrorists could strike the US.

