

Mint.com in 2010 - Is it Safe? - jowens
http://www.jasonowens.com/mint-com-in-2010-is-it-safe/

======
Terretta
The Fox News trope in the opening line sets the tone that this is not
journalism, but an opinion piece.

> "To date _there have been_ security concerns and questions identified around
> mint.com."

Journalism should avoid using "there have been" or "some say"; such phrases
signal that what comes next will be an unattributed pot shot.

The first attack is on the zip code requirement. "Presumably this means
Mint.com ... will not be able to effectively send you email and text alerts."

On the contrary, this FUD statement was preceded by an attributed statement
from Mint: "Mint.com requires your Zip code ... to determine the time zone in
order to send timely alerts." If you don't give them the right time zone, your
alerts will be no less effective; you just might find them more inconveniently
timed.

As for the more complex assertion about categorization, that's because
business names are local. A business named "Scissors" might be a tailor in my
zip, and a salon in yours. Of course it will be hard to correctly categorize
when the locale is unknown.

Interestingly, when I reached the end of the article, I saw this reason was
clearly provided by the employee, but not mentioned in the article.

Mint wrote that the ZIP "allows the Service to provide you with accurate
automated categorization of your spending by improving our ability to identify
merchants both nationally and locally."

~~~
dalore
<http://www.cracked.com/article_18458_6-subtle-ways-news-media-disguises-bullshit-as-fact.html?cliffsnotes>

------
threepointone
I'm sorry, but this entire article sounds like FUD. I could point out various
parts I had issues with, but the bit that bothered me the most was the title
of the section "Recommendations to Improve Mint.com’s Security Posture". I
might be naive here, but can someone please point out the valid points raised
in this article that actually make Mint.com 'weak' when it comes to security?

~~~
rendezvouscp
Disclosure: I own a competitor to Mint.

I agree that most of the article is FUD, though the author does have some
valid points in the “Security Posture” section (e.g. Mint ought to validate
your email address before they depend on it for recovering an account).

The author suggests the use of challenge questions; I think on the surface
that sounds like a great idea, but most challenge questions can be guessed
based on what friends/family know or what a person writes online, and the
testing I did with user-provided questions showed that users will write
obvious questions or even write a question with an answer that is the question
itself.

I’m surprised that the author didn’t write more about _who_ has access to the
information. I think that’s a very valid question regarding their security and
privacy. Additionally, while their data-retention policies seem reasonable
(backups and aggregate data), some guidance as to how long those backups are
kept and what aggregate data is collected would be informative.

In short: the article is a good attempt to review Mint’s security policies,
but I think the author should have done a little bit more investigation.

------
Groxx
ya know... after all that, I actually think I would feel _better_ about the
site. It's a half-decent breakdown, though FUD-heavy (especially U and D), and
lots of parts of it point out _significantly_ better practices than my banks
currently employ.

------
jowens
Hey, thanks for the comments. If you're interested and want to help make the
article better, there's a follow-up posting incorporating some of the feedback.
Thanks.

<http://www.jasonowens.com/follow-up-to-is-mint-com-safe/>

------
dalore
Anyone know a good Mint alternative for the UK?

