Mint.com now in Canada

Last Updated: Nov 30th, 2011 10:29 am
Sr. Member
Sep 25, 2007
550 posts
44 upvotes
Toronto
will2009wpg wrote: "As a TD Canada Trust Access Card Holder, you've agreed to not provide your confidential information to third parties. This would include divulging our password and Access Card number to Mint.com. So, this would include companies that try to aggregate your financial services under one roof.

We view the aggregation of services as a security issue and generally do not support it, so while you may be able to access your accounts initially, there will likely come a time when your information becomes blocked."

Which banks have said this is a security threat? TD? Anyone else? I suppose every bank has a policy somewhere in the fine print about a similar issue but just hasn't said anything specific about Mint?

I'm trying to not have to turn off Mint and change all my passwords. Just when I get it working right with all my banks...
Deal Fanatic
Feb 1, 2006
9618 posts
851 upvotes
Muskoka
I decided to just use Mint.com for tracking my spending going forward, so I removed my bank and other info. I didn't feel using it for other stuff was providing much value to me, and with the potential risks, just not worth it.

I am, however, really happy with the usefulness of having all my credit cards linked there, and being able to see every month what I'm spending in each category. I put nearly every expense on credit cards, don't use debit at all, cash very little, so this covers 99% of my spending. Before this, I was downloading to Excel and consolidating myself, which was a pain.
Newbie
Apr 26, 2010
9 posts
2 upvotes
Montreal
I'm an experienced software developer and so when I started looking for ways to automate my monthly budgeting, I found mint's auto-classification of transactions highly interesting... I mean, the data entry drudgery is largely eliminated, and you get all those nice pretty charts and tools for free.

However, the way that mint is linked to my bank account is not at all secure. They say it's read only access, but they are lying. They collect your access card number and web banking password. Each night they connect to your account and screen-scrape the information. Screen-scrape means that they essentially automate what you would do yourself as a web banking user, capture the information presented on screen, and enter it into their database. This nightly recurring login means that they absolutely MUST be keeping your password in plain text somewhere. They cannot use a secure one-way hash. They probably encrypt it, but then, the nightly syncing application needs to have a decryption key in order to read it back plain text.

So essentially, your web banking login and password are permanently stored by them in plain text readable format in some database somewhere. A hacker or disgruntled employee can get this information and log in to your web banking account as if they are you and perform transactions.

The mint application may be read only, but it stores the same credentials that can be used for full access.

When signing up, I got to the page asking for my TD easyweb access card and web banking password, and I almost fell off my chair! It was an instant deal-killer for me and I immediately deleted my account without entering anything. Requiring this kind of authentication is amateur at best, criminal at worst. They are preying upon the gullibility of people.

So, yes, mint has some nice automation and pretty charts... but ask yourself this question:

If a stranger on the street offered to automate your budgeting and make nice charts for you in exchange for your web banking password, would you give it to him?

This is essentially what mint is. The features are not worth the risk.
Deal Addict
Mar 2, 2005
2032 posts
332 upvotes
codon wrote: I'm an experienced software developer and so when I started looking for ways to automate my monthly budgeting, I found mint's auto-classification of transactions highly interesting... I mean, the data entry drudgery is largely eliminated, and you get all those nice pretty charts and tools for free.

However, the way that mint is linked to my bank account is not at all secure. They say it's read only access, but they are lying. They collect your access card number and web banking password. Each night they connect to your account and screen-scrape the information. Screen-scrape means that they essentially automate what you would do yourself as a web banking user, capture the information presented on screen, and enter it into their database. This nightly recurring login means that they absolutely MUST be keeping your password in plain text somewhere. They cannot use a secure one-way hash. They probably encrypt it, but then, the nightly syncing application needs to have a decryption key in order to read it back plain text.

So essentially, your web banking login and password are permanently stored by them in plain text readable format in some database somewhere. A hacker or disgruntled employee can get this information and log in to your web banking account as if they are you and perform transactions.

The mint application may be read only, but it stores the same credentials that can be used for full access.

When signing up, I got to the page asking for my TD easyweb access card and web banking password, and I almost fell off my chair! It was an instant deal-killer for me and I immediately deleted my account without entering anything. Requiring this kind of authentication is amateur at best, criminal at worst. They are preying upon the gullibility of people.

So, yes, mint has some nice automation and pretty charts... but ask yourself this question:

If a stranger on the street offered to automate your budgeting and make nice charts for you in exchange for your web banking password, would you give it to him?

This is essentially what mint is. The features are not worth the risk.

+1. My thoughts exactly.
Newbie
Aug 10, 2009
47 posts
5 upvotes
codon wrote: I'm an experienced software developer and so when I started looking for ways to automate my monthly budgeting, I found mint's auto-classification of transactions highly interesting... I mean, the data entry drudgery is largely eliminated, and you get all those nice pretty charts and tools for free.

However, the way that mint is linked to my bank account is not at all secure. They say it's read only access, but they are lying. They collect your access card number and web banking password. Each night they connect to your account and screen-scrape the information. Screen-scrape means that they essentially automate what you would do yourself as a web banking user, capture the information presented on screen, and enter it into their database. This nightly recurring login means that they absolutely MUST be keeping your password in plain text somewhere. They cannot use a secure one-way hash. They probably encrypt it, but then, the nightly syncing application needs to have a decryption key in order to read it back plain text.

So essentially, your web banking login and password are permanently stored by them in plain text readable format in some database somewhere. A hacker or disgruntled employee can get this information and log in to your web banking account as if they are you and perform transactions.

The mint application may be read only, but it stores the same credentials that can be used for full access.

When signing up, I got to the page asking for my TD easyweb access card and web banking password, and I almost fell off my chair! It was an instant deal-killer for me and I immediately deleted my account without entering anything. Requiring this kind of authentication is amateur at best, criminal at worst. They are preying upon the gullibility of people.

So, yes, mint has some nice automation and pretty charts... but ask yourself this question:

If a stranger on the street offered to automate your budgeting and make nice charts for you in exchange for your web banking password, would you give it to him?

This is essentially what mint is. The features are not worth the risk.

As a software developer myself, I am embarrassed with your post. Everything is done in a secure environment and protected with full level of encryption. If someone were to "hack" your account, they would not be able to get the information. The only way is through data server access which is protected similar to banks (access cards, recognition, bypass security, more encryption, etc). Mint.com hires many hackers to make sure the system is hack-proof and there has yet to be an incident where the hackers got in.
Newbie
Aug 10, 2009
47 posts
5 upvotes
I'm not saying that it isn't secure proof (nothing is), but it is as secure as online banking.
Deal Addict
Mar 2, 2005
2032 posts
332 upvotes
geeEx wrote: I'm not saying that it isn't secure proof (nothing is), but it is as secure as online banking.

Agreed, anything can be hacked but I would much rather have my bank's servers hacked and let the bank take full responsibility for it than have a 3rd party's server hacked leading to all my accounts being compromised and bank not taking any responsibility for it because it was me who decided to use an application when the banks told me not to. To each their own I guess.
Sr. Member
Oct 28, 2007
634 posts
10 upvotes
Ottawa
Deal Grabber wrote: Agreed, anything can be hacked but I would much rather have my bank's servers hacked and let the bank take full responsibility for it than have a 3rd party's server hacked leading to all my accounts being compromised and bank not taking any responsibility for it because it was me who decided to use an application when the banks told me not to. To each their own I guess.
I tend to agree with you. If more people read the fine print of their bank's online banking agreement, I'm not sure Mint would be as popular. If anything happens to your bank account and the bank can show that you gave your password to Mint, it would be too easy for them to absolve themselves of any responsibilities. Like you said, to each their own. Personally, I'll keep my password :)
Newbie
Apr 26, 2010
9 posts
2 upvotes
Montreal
geeEx wrote: As a software developer myself, I am embarrassed with your post. Everything is done in a secure environment and protected with full level of encryption. If someone were to "hack" your account, they would not be able to get the information. The only way is through data server access which is protected similar to banks (access cards, recognition, bypass security, more encryption, etc). Mint.com hires many hackers to make sure the system is hack-proof and there has yet to be an incident where the hackers got in.

I'm sorry, but you have completely failed to grasp what the real security issue is with mint.com.

First, you are entirely correct that if someone gains access to your mint.com account, they cannot steal any money from you. I repeat: The security issue is not about the mint.com web application. It's about the fact that their back-end is storing your FULL READ/WRITE banking credentials. You can have all the layers of fancy encryption you want, it's irrelevant in the end, because each night, the application will decrypt your password and connect to your web-banking portal in exactly the same way you would as a user.

All the datacenter security, third party auditing and "white knight hackers" in the world don't mean squat. You can have the most impenetrable servers in the world, but all it would take is a single disgruntled admin or developer with server access and boom, guess what? Seeing as you violated your bank's TOS by giving your password to a third-party, they won't even cover you for any losses you incurred.

If you knew anything about security, you would never make the claim that mint.com has bank-level security. It's essentially a glorified man-in-the-middle attack (google it). If banks used mutual authentication and client-side certificates, mint.com would not work at all.

The bank is the authenticating agent, so it can afford to store your password as a secure one-way hash. mint.com simply cannot do this in a secure manner. It stores it encrypted, but it also stores the decryption key. Get access to both and it's game over for everyone who was stupid enough to enter their password in that database. Even if an attacker gets access to only the encrypted passwords without the decryption key, they can run an offline, GPU-assisted cracking tool to brute-force the key and then it's game over again. Also, don't forget those encrypted passwords need to be in HA servers (which means at least two copies) and backed up regularly to an off-site location (more copies).

Don't get me wrong. I like mint.com and the features it offers. However, the implementation of how they connect to your account to pull the data is a total security failure. Talking about their encryption and datacenter security is a complete red herring.

If you still think mint.com is secure, that's fine, you're entitled to your opinion. All I ask is that you please let me know what software you develop so I can avoid using it. Thank you.
Newbie
Apr 26, 2010
9 posts
2 upvotes
Montreal
geeEx wrote: I'm not saying that it isn't secure proof (nothing is), but it is as secure as online banking.

This assertion is provably false. The bank is the authenticating agent hence they can hash your password securely. Mint.com is a third-party agent that masquerades as you, hence they need to store your plain-text password.

encryption != security
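
Added example (not part of any post in this thread, and not Mint.com's or any bank's code): the distinction codon draws above between the authenticating party, which can keep a one-way hash, and a party that must replay the password, which can only store it reversibly. The function names, the PBKDF2 work factor and the toy HMAC-based cipher standing in for real authenticated encryption are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

ROUNDS = 200_000  # PBKDF2 work factor (assumed value for this sketch)


def bank_enroll(password: str) -> dict:
    """Authenticating party: keep only a salted one-way digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return {"salt": salt, "digest": digest}


def bank_verify(record: dict, attempt: str) -> bool:
    """Re-derive from the attempt and compare; nothing is ever decrypted."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ROUNDS)
    return hmac.compare_digest(candidate, record["digest"])


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-SHA256 counter-mode keystream, a stand-in for a real AEAD.
    blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )
    return stream[:length]


def aggregator_store(password: str, key: bytes) -> dict:
    """Replaying party: must get the password back later, so it encrypts."""
    nonce = secrets.token_bytes(16)
    data = password.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def aggregator_recover(record: dict, key: bytes) -> str:
    """What a nightly sync job has to do: decrypt to the original password."""
    expected = hmac.new(key, b"mac" + record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong key or tampered record")
    stream = _keystream(key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], stream)).decode()


def demo() -> dict:
    password = "constructed-sample-passphrase"  # constructed sample value
    bank_record = bank_enroll(password)
    key = secrets.token_bytes(32)  # must live wherever the sync job can read it
    vault_record = aggregator_store(password, key)
    return {
        "bank_accepts_correct": bank_verify(bank_record, password),
        "bank_accepts_wrong": bank_verify(bank_record, "not-the-password"),
        "sync_job_recovers": aggregator_recover(vault_record, key) == password,
    }


if __name__ == "__main__":
    print(demo())
```

The bank-side record has no recover function at all, while the aggregator-side record is only as safe as the key that the sync job must be able to read.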
Jr. Member
Feb 1, 2005
193 posts
28 upvotes
codon wrote: You can have the most impenetrable servers in the world, but all it would take is a single disgruntled admin or developer with server access and boom, guess what? Seeing as you violated your bank's TOS by giving your password to a third-party, they won't even cover you for any losses you incurred.
Agreed. Something tells me that if something fraudulent goes down unrelated to mint.com... the bank might still cry foul and try to wash their hands of it. Neat idea... and when my bank (CIBC) decides to partner with mint.com to offer this service... I'll gladly sign up, until then... pass.
Deal Addict
Apr 1, 2006
3370 posts
343 upvotes
Brisbane
Wait... So we're all talking about Mint.com's security problems and issues with the fine print agreement with our bank not to divulge our password to anyone else.

So what about services such as the RBC outside financial account linking? I can update and view transactions on my Amex card through RBC Royal Bank's online banking. Doesn't this introduce the same problems as Mint.com?
Newbie
Dec 4, 2006
35 posts
Truemana wrote: Wait... So we're all talking about Mint.com's security problems and issues with the fine print agreement with our bank not to divulge our password to anyone else.

So what about services such as the RBC outside financial account linking? I can update and view transactions on my Amex card through RBC Royal Bank's online banking. Doesn't this introduce the same problems as Mint.com?

Short answer is "maybe". I don't know the RBC service, but IF you sign up to it by giving them your credit card number *AND* your password(s), same problem applies. If, on the other hand, all you give them is your credit card number (and not any additional credentials), then it *MIGHT* be OK. In that case, I recommend a very careful read of the Terms of Service and, just to be safe, calling both Amex and RBC customer support to validate your understanding.

Come to think of it, accessing "credit card information" is less of an issue (especially without additional details such as expiry date and security code/CVV) than account information.

The whole problem boils down to: under the current system (account/PIN), the banks have no way to tell if someone accessing the account wants to just view data or actually move money...
Deal Addict
Jan 12, 2008
1075 posts
421 upvotes
Vancouver
Wow, I downloaded this and set it all up, but after reading this thread, I've become very hesitant and deleted my account. Then went back and changed all my passwords on the accounts I linked.

I actually really really liked the application and how easy it was to use, how well it showed and budgeted my spending. I think it would have been very helpful over time, but just too risky. Just wondering what alternatives you guys are using besides paying for Quicken? Does that program ever go on sale?
Sr. Member
Oct 28, 2007
634 posts
10 upvotes
Ottawa
thefeebster wrote: Wow, I downloaded this and set it all up, but after reading this thread, I've become very hesitant and deleted my account. Then went back and changed all my passwords on the accounts I linked.

I actually really really liked the application and how easy it was to use, how well it showed and budgeted my spending. I think it would have been very helpful over time, but just too risky. Just wondering what alternatives you guys are using besides paying for Quicken? Does that program ever go on sale?
You can give Wiser Wallet a try. We developed it mostly for Canadians - it supports most Canadian banks, but no need to give any banking passwords/information. Check it out, it could be what you're looking for :)
Newbie
Jan 3, 2010
70 posts
153 upvotes
I asked TD directly about Mint and their view of it. Their reply, which I think is reasonable:
"We are able to confirm the following with regard to Mint.com:

* Mint.com is currently not an approved TD partner; therefore we cannot endorse the service at this time.

* TD Canada Trust customers must provide their EasyWeb username and password to Mint.com in order for their personal data to be accessed, categorized and available for viewing on the Mint.com site.

* If you choose to share your EasyWeb login access information with Mint.com you will not be protected from loss if this information falls into the wrong hands, as this action violates the terms and conditions stated in the Cardholder and Electronic Banking Terms and Conditions document.

* Mint.com is not a bank - they aggregate existing data from financial institutions. There is no account access or money movement functionality for customers in the Mint.com site - it merely allows for viewing of financial information.

* TD is currently exploring Mint.com's offerings to see if this is a viable service we should provide to customers in the future. We are unable to confirm if this will occur in the future.

As with all third party services, we recommend that you fully explore the options they provide and that you completely trust them should you elect to make use of these services. Please be aware that if you do run into any issues with a third party service not endorsed by us, we are unable to provide assistance."

I hope they are able to set up a separate system for logging in to only view account info (separate login credentials) which would eliminate the possibility of withdrawing funds I presume.
Jr. Member
Nov 23, 2003
190 posts
49 upvotes
Montreal
Anybody having issues syncing their MBNA accounts?

It used to work fine for me, but I've been getting error messages for the past week or so.
Deal Addict
Dec 9, 2006
1271 posts
115 upvotes
ninety09 wrote: Anybody having issues syncing their MBNA accounts?

It used to work fine for me, but I've been getting error messages for the past week or so.

Log in to your MBNA account; mine had a message that I needed to click through on that was preventing it. Works again for me.
Sr. Member
Sep 25, 2006
650 posts
92 upvotes
St. Lawrence, Toront…
spoont wrote: I asked TD directly about Mint and their view of it. Their reply, which I think is reasonable:
"We are able to confirm the following with regard to Mint.com:

* Mint.com is currently not an approved TD partner; therefore we cannot endorse the service at this time.

* TD Canada Trust customers must provide their EasyWeb username and password to Mint.com in order for their personal data to be accessed, categorized and available for viewing on the Mint.com site.

* If you choose to share your EasyWeb login access information with Mint.com you will not be protected from loss if this information falls into the wrong hands, as this action violates the terms and conditions stated in the Cardholder and Electronic Banking Terms and Conditions document.

* Mint.com is not a bank - they aggregate existing data from financial institutions. There is no account access or money movement functionality for customers in the Mint.com site - it merely allows for viewing of financial information.

* TD is currently exploring Mint.com's offerings to see if this is a viable service we should provide to customers in the future. We are unable to confirm if this will occur in the future.

As with all third party services, we recommend that you fully explore the options they provide and that you completely trust them should you elect to make use of these services. Please be aware that if you do run into any issues with a third party service not endorsed by us, we are unable to provide assistance."

I hope they are able to set up a separate system for logging in to only view account info (separate login credentials) which would eliminate the possibility of withdrawing funds I presume.

Sounds reasonable. If a Canadian bank partners with mint.com, I'll gladly switch to them. After using mint.com though there's no way I can go back to not using it. I'm with RBC, and their "myFinanceTracker" (apparently built as an alternative to mint.com) is absolute rubbish, and is flash based. Why they chose to make it flash based in a time when the platform is in decline and supported by fewer and fewer devices is beyond me. So I'll risk it for now and continue to hope a Canadian bank partners with mint.com.
Sr. Member
May 18, 2005
693 posts
29 upvotes
Toronto
I want to love mint. But the problems outweigh the benefits.

- I've lost several months of transactions that I re-categorized.
- Too many issues with duplicate transactions.


When they work out the bugs maybe I will go back.
