Ask HN: Why would people trust their banking credentials to a service like Mint? - xtrumanx

I wrote my own unofficial API for a banking website[0] (check balance, send money, view transaction history) by essentially writing a crawler that would do whatever a user would do if they were navigating the website themselves. I built it for fun to see if it was possible and then shelved it along with the rest of the half-completed projects littering my hard drive.

I was wondering how feasible it would be to use it as a basis for a service to facilitate e-commerce. It would require the user to give me, a 3rd party, their credentials, which isn't something I'd recommend someone do. But then again, Mint has done well for themselves doing just that, so perhaps my opinion on the matter isn't entirely relevant.

PayPal, BrainTree, Stripe, etc. are not available in my corner of the world and I feel that's too bad, cause a good payments solution could be a big deal to businesses and consumers alike if available. I'd be happy if the bank shuts down my service as long as they (or someone else) provide an alternative.

Have you provided your bank credentials to Mint or another similar 3rd party service? If so, why? Did you ever stop to think if it was a bad idea? Do you think most people do?

[0] https://github.com/xtrumanx/zapi
======
fiveoak
I use Mint, and of course I don't think providing your bank credentials to a
3rd party service is a good idea. That said the company backing Mint currently
(Intuit) also does TurboTax, so at least they have some experience with
handling sensitive customer data. Also in the event that they did get hacked,
there are a ton of other people also using Mint which hopefully will give me
time to change my passwords before any real damage is done. Overall it's
something I'm not super comfortable about using, but I really enjoy the
convenience of having all my accounts in one place, automatically updated,
etc, that I'm willing to accept the hopefully small risk of getting hacked.

That said, I still have a hard time convincing others to use the service due
to security concerns. I also personally wouldn't really trust a
startup/smaller company with my data either since they don't have as much on
the line as a larger established company does.

~~~
ctdonath
Yes, it's a bad idea. Bugs me frequently. But...it's so dangblasted _useful_ ;
throw some social/emotional motivations in there and a bunch of problems get
solved well enough to tolerate the risk. Given Intuit bought Mint, and I've
trusted my taxes to Intuit for decades, I'll grudgingly take that risk to
solve other problems.

A core issue is the need for a next-level financial data aggregator, somebody
to pull together one's info across multiple banks, cards, investments, etc.
Much as Bank X wants to provide all those services to me, and much as I may
even want them to, other companies get involved and there's a need for a one-
screen view of all of it, preferably updated near-live, and working on
whatever interface/device I choose to use (notebook, phone, tablet; app, web
browser).

Trust is the main thing. I was mad at myself for signing up for Mint (in a fit
of frustration attempting to solve some problem) when it was new &
independent; I'm still irritated but less so now that Intuit is taking
responsibility.

------
jdeibele
My understanding is that they use
[http://www.yodlee.com](http://www.yodlee.com) for getting information from
your accounts. That's pretty much what everybody does.

I turned it off and deleted my data because the bank or brokerage would change
something and break the automatic downloads and things would get out of date.

I believe banks and brokerages should have two levels of access: one where you
can move money and one where you can look but not touch. I'd be much happier
using the second type of password with Mint, with the bank's own apps, etc.
I'm not thrilled at all about the idea of losing my phone and having someone
get "write" access to my bank account.

~~~
vishbar
My bank, Capital One 360, has something like this. You can give a read-only
access token to an external service and change/disable it at will.

~~~
true_religion
Bank of America has it. They call it Account Management, but AFAIK they charge
for using it at least if you're a business account.

------
angdis
Yes, I've been a mint user since well before they were bought by Intuit.

I didn't think it was a bad idea, because it is clearly explained that Mint
can't make changes to your accounts. It is only used for query. I am under the
impression that the banks only allow Mint query capabilities. They've lately
released a new service called "Mint Bills" -- which does make changes, but that
is separate from their main "Mint" service.

I've recommended Mint to friends and those who've tried it like it.

Things are changing lately, however. Banks are providing more and more "Mint-
like" analytic services for their customers. These days, if you have your
stuff at one bank there's little need for something like Mint.

I think there will always be room for a service that can work with multiple
financial services/banks/accounts at the same time and with a uniform
interface. Unfortunately, this is an exceedingly hard business for start-ups
to crack (my opinion). To do it right (without asking users to literally
surrender control of their accounts), services like Mint need to negotiate
with multiple financial institutions-- not fun at all, just to get to the
starting-point where one can compete with Mint.

~~~
IanCal
> I didn't think it was a bad idea, because it is clearly explained that Mint
> can't make changes to your accounts.

Mint can do anything that you could do with the same credentials. Unless you
have read-only credentials, they can technically make changes using your
details.

~~~
gcb0
I wouldn't expect people from this site to fall for these marketing
shenanigans...

~~~
angdis
I wouldn't call it "shenanigans" unless there were ever a case of Mint making
any change to a user's account. So far none. They're clearly not trying to
trick people into giving up credentials for nefarious purposes.

~~~
jlgaddis
I sort of agree, but to say that they _can't_ do anything besides query is
certainly false if they have the credentials that I, myself, use to log in and
perform transactions.

It's kinda like when Dropbox said they couldn't access users' files even
though they technically _could_.

~~~
angdis
The fact that I didn't need to provide answers to security questions for Mint
to use means (I think) that Mint has worked out some agreement with the banks
which allow "query-only" interactions.

Also, many banks have a way to alert users to logins from new machines and
many have things like 2-factor authentication and security questions which
would make it hard for a criminal to use my credentials if they were somehow
swiped from Mint.

------
eswat
I’ve been using Mint for several years. But there actually was a point two
years ago where I got concerned about them having all my credentials. I
deleted my account and changed all my passwords.

Fast-forward a few months later and I’m using them again. Whatever concerns I
had about data security did not outweigh having immediate information to all
my accounts and reports that would take me too long to generate myself. I
don’t worry so much about Mint abusing my data as someone hacking their
services. I wouldn’t have the same trust level with a startup or smaller
company though.

~~~
calinet6
That's a huge tell: the convenience and value of having all your accounts
aggregated far outweighs the security concerns, and frankly even the myriad
and difficult and frankly frightening methods of connecting your accounts.

That's why people do it, and there's clearly an opportunity for a better
experience...

~~~
jlgaddis
Absolutely there is. I only log in to Mint perhaps once every few weeks, but I
would much rather _not_ use it at all -- or, more correctly, I would rather
them not have my credentials.

But... I have personal checking and savings accounts at the local credit
union, personal checking and savings accounts at one of the large, major
banks, business checking and savings accounts at the (same previously
mentioned) credit union, as well as several store and major credit cards
issued by various financial institutions. (I tracked my vehicle loan within
Mint as well, until I decided to just go ahead and pay it off.)

The convenience of being able to see all of them, quickly, within the same
"single pane of glass" apparently outweighs the fears that I have or I
wouldn't use it. An attacker acquiring the credentials for most of those
accounts wouldn't be too much of an issue, honestly. The one account I _would_
worry about would be my (primary) personal checking account but, luckily, the
credit union's web site/software is pretty limited with regard to what kind of
transactions could be performed... and, now that I think about it, I'm not
sure I can initiate _any_ transactions via their web site. The one thing I
know I can do is the "online bill pay" but I would have to physically go into
one of their branches to sign up for that before it was even available.

------
phlo
SOFORT(.com) has built a strong market presence in Germany and is expanding
throughout Europe. They basically do the same thing you are talking about:
provide an easy "check-out" experience using customers' banking credentials
and custom crawlers.

The solution is well-liked by merchants. Banks generally don't like it (for
obvious security/privacy reasons), but are cautious in actually preventing it.
SOFORT actually used to be the only payment method to buy german train tickets
online without a surcharge. In a recent ruling, a court deemed this to be an
unacceptable intrusion on privacy, forcing the train operator to offer another
free means of payment.

Pending EU legislation (PSD II) will force banks to offer some sort of limited
API access that'll allow users to sensibly share access with services like
Mint or SOFORT.

~~~
captainmuon
SOFORTÜBERWEISUNG looked sketchy as hell the first time I tried it. Imagine
IMMEDIATEWIRETRANSFER.COM (in capital letters) asking you to enter not only
your bank account number, but also your password, and then a PIN from your
secret list. The latter is something that the bank tells you to never, under
any circumstances, give out, because you can use it to transfer money.

I find it really hard to believe that SOFORT does this without support or even
consent of the banks. Scraping bank websites seems like something that could
get you ruined or even jailed (I don't know, for dealing with bank customer's
data in an improper way or something - at least I'd assume the banks could sue
you for violation of their TOS). I only started using Sofortüberweisung at all
when some trustworthy looking sites adopted it, and when it appeared to me as
if it was a joint venture between SOFORT and the banks.

I guess if you want to build a successful business today, you can't ask nicely
and wait for permission to do things (see also Uber et al).

~~~
germanier
The federal antitrust commission intervened after banks filed a lawsuit to
stop Sofort from using their websites. The passages of their TOS that forbid
using such services are most likely void as they obstruct a free market of
payment providers (as seen by the federal antitrust commission).

Personally, I avoid that service, but it has the blessing of government
agencies for operating that way.

Some banks (e.g. DKB) have now started to cooperate with Sofort instead, and the
German banks will start a similar service themselves this year.

------
kennydude
It's a bad idea, but if you want automated access it's the best we've got.
Ideally banks would provide a nice API, but without a good enough reason
they're just not interested.

~~~
mikeokner
Hell, I wish _everyone_ would provide a nice API.

~~~
kennydude
We can only dream :(

------
mbesto
I'm actually curious about this. How do popular web apps store your id/pw for
other sites? I know personally that Mint (Yodlee), Zenefits, TriNet Expense,
and BoA all log into other sites but I'm curious how/where they store the
passwords? If they create a scraper then it means they have to store the
password (encrypted) and then decrypt it so the scraper can use it? What
happens if a master app (let's use Zenefits as an example) gets hacked? Are
my other passwords compromised then?

~~~
Untit1ed
You've kind of answered your own question there - if they're able to log into
other sites without using some kind of OAuth-type mechanism that doesn't
require them to store your password, then a hack will compromise those
passwords.
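
The scheme below is an added example written for this thread, not Mint's, Yodlee's or Zenefits' code, and it answers mbesto's question in the abstract: a scraper needs the bank password back, so it cannot be hashed the way a login password is; it has to be stored reversibly. The usual design for that is envelope encryption: each record gets its own data key, that key is wrapped by a key-encryption key held in an HSM or cloud KMS that only exposes wrap/unwrap, and the database holds nothing but ciphertext and wrapped keys. The `Hsm` class, the `CredentialVault` and the HMAC-SHA256 counter-mode cipher are all stand-ins (the cipher is a toy in place of AES-GCM), and the sample user and password are constructed. What the code makes concrete is Untit1ed's point: a stolen database dump on its own yields nothing, but whatever runs with the application's unwrap privilege, the scraper or an attacker who has taken over the app tier, gets every password back in clear.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one data-encryption key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Toy stand-in for AES-CTR; use AES-GCM in production."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def aead_encrypt(key: bytes, plaintext: bytes) -> tuple[bytes, bytes, bytes]:
    """Encrypt-then-MAC under a fresh random nonce. Returns (nonce, ciphertext, tag)."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def aead_decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Check the tag in constant time before touching the ciphertext."""
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad tag: wrong key or tampered record")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class Hsm:
    """Stand-in for an HSM or cloud KMS: the key-encryption key never leaves this
    object; callers only get wrap and unwrap."""

    def __init__(self) -> None:
        self._kek = os.urandom(32)

    def wrap(self, dek: bytes) -> tuple[bytes, bytes, bytes]:
        return aead_encrypt(self._kek, dek)

    def unwrap(self, wrapped: tuple[bytes, bytes, bytes]) -> bytes:
        return aead_decrypt(self._kek, *wrapped)


@dataclass(frozen=True)
class StoredCredential:
    wrapped_dek: tuple[bytes, bytes, bytes]  # per-record data key, encrypted under the KEK
    nonce: bytes
    ciphertext: bytes  # the bank password, encrypted under the data key
    tag: bytes


class CredentialVault:
    """Reversible storage: the scraper needs the plaintext back, so hashing is out."""

    def __init__(self, hsm: Hsm) -> None:
        self._hsm = hsm
        self._db: dict[tuple[str, str], StoredCredential] = {}

    def store(self, user: str, bank: str, password: str) -> None:
        dek = os.urandom(32)  # fresh data key per record, so one leak is one record
        nonce, ciphertext, tag = aead_encrypt(dek, password.encode())
        self._db[(user, bank)] = StoredCredential(self._hsm.wrap(dek), nonce, ciphertext, tag)

    def fetch_for_scraper(self, user: str, bank: str) -> str:
        """Anything running with the app's unwrap privilege, legitimate or not, can do this."""
        rec = self._db[(user, bank)]
        dek = self._hsm.unwrap(rec.wrapped_dek)
        return aead_decrypt(dek, rec.nonce, rec.ciphertext, rec.tag).decode()

    def dump(self) -> dict[tuple[str, str], StoredCredential]:
        """What a database-only breach hands the attacker."""
        return dict(self._db)


def plaintext_in_dump(dump: dict[tuple[str, str], StoredCredential], password: str) -> bool:
    """Search a stolen dump for the raw password; with envelope encryption it is absent."""
    needle = password.encode()
    return any(
        needle in rec.ciphertext or needle in b"".join(rec.wrapped_dek)
        for rec in dump.values()
    )
```

Where this design stops helping is the process boundary, not the math: the HSM guarantees the KEK never leaves it, but it cannot tell whether the caller asking for an unwrap is the nightly scraper or a compromised worker. Per-unwrap audit logging and rate limits at the HSM are what turn a full compromise of the app tier into something detectable rather than silent.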

------
eoin_murphy
To get insight into their budgets.

I have tried one or two services similar to mint in an effort to get more
control on budgeting. The typical bank provided online banking interface is
like something from 10-15 years ago with a painful interface and no real
facilities to either analyse your income/spending on the site or to easily
export data.

The promise of these other services is to scrape your data, gather it into
an easily viewable/filterable format and allow you to group it semantically
(i.e. this payment every month is for rent, food, socializing). The idea being
that it can automatically analyze the accounts and give you more control over
your budget.

My experience was that for personal accounts the analysis was no better than I
was doing myself and they cannot account correctly for cash withdrawals which
kind of defeats the purpose of the exercise. Finally, my bank recently updated
their online banking site so that it's just as good as that offered by these
external services.

------
howeyc
This is why some people use the "offline" applications like GnuCash[1] or cli-
ledger[2]. These programs can be used in such a way that they don't even know
the financial institutions you do business with, never mind
usernames/passwords.

However, as others have stated, they view the convenience gained to be
worthwhile enough to sacrifice the security of their accounts. Plus, I'm sure
they assess the probability of Mint (and their employees, contractors, etc)
using this information in any way other than "read-only" (at least
intentionally) to be very close to zero.

[1] [http://www.gnucash.org/](http://www.gnucash.org/) [2] [http://ledger-cli.org/](http://ledger-cli.org/)

------
dguido
Because they use OFX for read-only transactions and an HSM to store the
passwords:

[http://money.stackexchange.com/questions/15392/are-there-any...](http://money.stackexchange.com/questions/15392/are-there-any-risks-from-using-mint-com)

~~~
nailer
The bank should provide oauth, with 'see your transactions' as a permission
you can revoke later.

Unfortunately, banks are technically backward and don't realise they're dumb
vaults yet, much in the same way phone carriers are dumb pipes.
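
As an added example (not any bank's real API and not Mint's integration), here is the scoped-token model that jdeibele, vishbar and nailer describe, coded out so the enforcement point is visible. The scope names, the `TokenStore`, the toy `BankApi` and the sample accounts for alice and bob are all constructed for this illustration. The contrast it shows is IanCal's point from earlier in the thread: a session obtained with the real password carries every scope the user has, whereas a delegated token carries only what the user granted, is checked server-side on every call, and can be revoked without touching the password.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass

# Hypothetical scope names; a real bank API would define its own.
SCOPE_BALANCE = "balance:read"
SCOPE_TRANSACTIONS = "transactions:read"
SCOPE_PAYMENTS = "payments:write"
ALL_SCOPES = frozenset({SCOPE_BALANCE, SCOPE_TRANSACTIONS, SCOPE_PAYMENTS})


@dataclass
class Grant:
    user: str
    client: str  # who the user delegated to, e.g. "aggregator"
    scopes: frozenset[str]
    expires_at: float
    revoked: bool = False


class TokenStore:
    """Issues bearer tokens and keeps only their hashes, so a leaked table is not a leaked token."""

    def __init__(self) -> None:
        self._grants: dict[str, Grant] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, client: str, scopes, ttl_seconds: int = 3600) -> str:
        scopes = frozenset(scopes)
        if not scopes <= ALL_SCOPES:
            raise ValueError(f"unknown scopes: {sorted(scopes - ALL_SCOPES)}")
        token = secrets.token_urlsafe(32)
        self._grants[self._key(token)] = Grant(user, client, scopes, time.time() + ttl_seconds)
        return token

    def revoke(self, token: str) -> None:
        """The user cuts off one client without changing their password."""
        self._grants[self._key(token)].revoked = True

    def authorize(self, token: str, scope: str) -> Grant:
        """Server-side check: the client cannot promise to be read-only, the grant decides."""
        grant = self._grants.get(self._key(token))
        if grant is None or grant.revoked or time.time() > grant.expires_at:
            raise PermissionError("token unknown, revoked or expired")
        if scope not in grant.scopes:
            raise PermissionError(f"token lacks scope {scope}")
        return grant


class BankApi:
    """Toy bank with constructed sample accounts; every endpoint names the scope it needs."""

    def __init__(self, tokens: TokenStore) -> None:
        self.tokens = tokens
        self.balances = {"alice": 1200.0, "bob": 50.0}
        self.ledger = {"alice": [(-42.10, "grocery"), (2000.0, "salary")], "bob": []}

    def balance(self, token: str) -> float:
        grant = self.tokens.authorize(token, SCOPE_BALANCE)
        return self.balances[grant.user]

    def transactions(self, token: str) -> list[tuple[float, str]]:
        grant = self.tokens.authorize(token, SCOPE_TRANSACTIONS)
        return list(self.ledger[grant.user])

    def transfer(self, token: str, to: str, amount: float) -> float:
        grant = self.tokens.authorize(token, SCOPE_PAYMENTS)
        if amount <= 0 or self.balances[grant.user] < amount:
            raise ValueError("invalid amount")
        self.balances[grant.user] -= amount
        self.balances[to] += amount
        self.ledger[grant.user].append((-amount, f"transfer to {to}"))
        self.ledger[to].append((amount, f"transfer from {grant.user}"))
        return self.balances[grant.user]


def aggregator_token(tokens: TokenStore, user: str) -> str:
    """What a Mint-style service should receive: look, don't touch, revocable."""
    return tokens.issue(user, "aggregator", {SCOPE_BALANCE, SCOPE_TRANSACTIONS})


def password_session(tokens: TokenStore, user: str) -> str:
    """What handing over the real password amounts to: a session with every scope the user has."""
    return tokens.issue(user, "browser-session", ALL_SCOPES)
```

Two details are worth noticing. The store keeps SHA-256 hashes of tokens rather than the tokens themselves, so a leak of the token table does not hand out working bearer tokens. And `authorize` is the only path to account data, which is what makes "read-only" a property the bank enforces rather than one the aggregator asserts about itself.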

------
cody_taylor
If I remember correctly, a number of banks specify that providing credentials
to a third party isn't allowed. If your credentials actually got stolen, the
banks could deny assistance.

I use Mint though and I find it really helpful for monitoring my finances.

------
knodi123
I use USAA, and it aggregates my accounts from multiple other sources all by
itself. I log in to USAA and see my vanguard retirement investments, my joint
checking account that I share with my wife, and my daughter's college savings
account from another bank. I also see my mastercard bill and my insurance
bills.

I also get an incredibly powerful mobile app, free checking, and ATM fee
reimbursement.

The interesting part is that I was able to hook up those external bank
accounts without providing username and passwords to USAA.

Note, their banking services are available to anybody, even non-military.

~~~
ryan-c
NetBank was able to pull in information from my credit cards long long ago
when it existed. I remember using this feature at least 10 years ago. I can't
remember if it was transactions or balance only though.

------
megaman22
I already use TurboTax, so it's not like Mint is really giving Intuit a whole
lot more data than I'm already giving them. Aside from debt-consolidation
loans and credit card offers, there isn't really any advertising that I see
there, and I'm less worried about them selling off information about my
transactions the way Google probably would to targeted advertisers.

Really, I would think that this data would in some sense be the holy grail for
targeted marketing, short of the databases that Amazon has on its customers.

------
m12k
I don't use Mint, but to me, the main question is whether I perceive the
company to have more to lose by abusing the power I grant them than they would
gain from doing so. A small fly-by-night company might make a quick buck by
embezzling people and then disappearing, but a bigger company has much more
value tied up in its brand and customer base, so they would have too much to
lose. It's not a bulletproof approach (as some high profile Ponzi schemes have
shown) but it's managed to keep me out of trouble so far.

~~~
runamok
I think the main issue with this philosophy is Mint is a very juicy target for
hackers and it only takes one person on the inside to "turn bad". The company
itself can have the best of intentions.

That being said I use them too...

------
sp332
Get some kind of insurance. Show me that if you get hacked and I lose money
(and for some reason the fraudulent transactions aren't just rolled back when
I call my bank), I can take it out of you.

Also, post some info about your experience writing other secure apps. Social
proof is about all we have to go on here, so play it up.

------
mapierce
I'm currently doing the same thing for my own personal use. My bank has
recently redone their mobile app and it's actually very nice, but I still
don't have the insight I'd like without breaking out my calculator.

Where I'm from the banks run on ancient software (we're talking COBOL in most
cases) and when an ATM breaks, you see it briefly boot through Windows 98.

Web scrapers could be feasible for an e-commerce service (that's mostly what
Yodlee, the service that powers Mint, is); the hard part is the regulatory
issues surrounding banking web scrapers. It's a very very grey area.

In my opinion with this stuff, if there's demand, it's better to ask for
forgiveness than permission and third party banking apps could/can provide
endless functionality and insight.

------
jmnicolas
I wouldn't; this is why I chose a non-connected financial app on my Android
phone. It took me a week of trial and error to find a good one, but there's no way
I'm going to trust a third party with my banking info. Heck I don't even trust
my bank (but admittedly I don't have a choice in the matter).

This is also why I don't seriously use Evernote. Yeah I'd love to have all my
documents and bills there, but at one point you have to stop and think about
the implications of a private company (in fact 2, since they're probably using
AWS) knowing everything about you.

~~~
webjprgm
I agree completely.

I'm using "Cha-Ching 2 beta" which was abandoned some 6 years ago when Intuit
bought out the company working on it but the beta still works (I owned a copy
of Cha-Ching 1 from some software bundle I picked up). The downside is (1)
manual entry of every transaction, and (2) no analytics at all. The plus side
is I wrote my own scripts to extract data from its Sqlite database so I can do
analytics in a spreadsheet.

I definitely don't trust any one company. I don't want my bank or my credit
card company to have 100% of my financial data.

------
heavymark
People's willingness to give their information depends on how much they trust
the company. Mint is owned by Intuit which is the same company most all of us
trust providing all our financial data to for tax purposes each year.

For customers to trust your company you will have to have a lot of financial
backing and support of big names in the industry. And when Mint first launched
people were a little less concerned about giving up data. Nowadays people
are much more aware of the implications so you would be fighting an uphill
battle.

------
hamidpalo
Mint provides value and it's a trusted brand, so people feel okay about giving
them access.

I could potentially trust Mint but anything smaller and not based in the US
definitely not.

------
ryan-c
FWIW, I would really like to be able to do scripted management of my finances.
Stuff like automatically paying my credit cards as much as possible while
maintaining some minimum balance in my checking account (moving money from
savings if necessary), or if my checking account is over some value, use the
excess to fill savings account to $X, or put it in an investment account.

------
jacquesm
I've wondered about this for a long time. It also appears to be in direct
contravention of the terms of service for my bank (which mint doesn't support
anyway so that's moot), which state that my access information is _strictly
personal_. I wonder if mint ever got hacked and this led to damage for their
customers what the liability situation would be.

------
lewisl9029
Is there a self-hosted or client-side version of Mint that's also open-source?
If not, I think there's an opportunity here.

If we have to resort to scraping for banking data, I'd personally prefer to do
the scraping by myself and for myself rather than trusting any third parties
with my credentials.

------
cfontes
I think some banks provide a view only access so you can give it to sites like
mint.

Giving full access would be really crazy at least to me.

Good luck

------
aerialcombat
Not all trust them. Some do, some don't. But services like Mint exist because
there are enough who trust out there to keep the service going. 100% trust is
impossible for any service. There are people who don't even trust themselves.

------
heeton
There are a couple of banking startups (at least here in the UK) that want to
give you API-like access to key stats (transactions, totals) without full
access. Very excited for that to pan out.

------
saluki
Yes, I think providing your credentials is a bad idea and haven't done it. This
came up in a thread a few weeks ago. I can't believe banks aren't required to
provide a read-only access and/or API to your account. That would be a great
solution for rolling your own budget tracker and allowing access for services
like mint. Does anyone know if any banks have read-only passwords or an api?

~~~
filoeleven
ING Direct had this feature, and it's been carried over when that changed to
Capital One 360.

[https://mint.lc.intuit.com/questions/1057341-known-issue-cap...](https://mint.lc.intuit.com/questions/1057341-known-issue-capital-one-360-login-issue)

------
nashashmi
Endorsement by TechCrunch and I think specifically by michael arrington told
me I could use and adopt Mint.

And I did give them all of my passwords for everything.

------
laurencei
I'm actually looking for a bank feed/API service for banks in Australia. Does
anyone know of one?

~~~
NeutronBoy
I'm not sure if they have API access, but ANZ Money Manager [1] is basically
the AU equivalent to Mint - consolidated reports/expense
analysis/budgeting/etc across all your accounts (including non-ANZ accounts
and cards).

[1] [http://www.anz.com/ANZ-MoneyManager/](http://www.anz.com/ANZ-MoneyManager/)

------
free652
I didn't connect my high value accounts to mint (like brokerages), just my
spending accounts mostly.