Addressing Security Concerns on Mint.com
By Virginia Heffernan
In response to last week’s post about Mint.com, many readers posted comments saying there’s no way it can be secure. I contacted Aaron Patzer, the site’s founder & CEO. Here’s his reply:
First, Mint has bank-level data security. That means we have the same level of encryption your bank does, along with outside third-party verification through Verisign and Hackersafe. We also have routine security audits where so-called “white knight hackers” try to break into our system — they’ve never been successful. We also have bank-level physical security. Our servers are located in an unmarked secure building which requires a palm scan to gain entry. After making it past guards, you have to go through a “man-trap” where one door will not open until the other closes and you again have biometric access. Once you get inside, our servers are in a locked cafe monitored with 24/7 video surveillance. Get inside, and the racks themselves are locked. Break those open, and our hard drives are encrypted. It’s seven layers of protection. All that’s missing are the electrified floors…
Second, Mint is a read-only system. Even if someone managed to gain access to your account, they cannot move money around, your accounts cannot be drained. Mint is also an anonymous system. If you notice at sign up we don’t ask for a name, address, SSN or anything personally identifying. Nor do we ever ask for your account numbers or credit card numbers. When you provide your bank username and password, this simply establishes a secure one-way connection with your bank authorizing Mint to download your transactions, balances, and bill due dates on your behalf. Quicken and MS Money have asked for this same information (in desktop form) for the past 10 years.
Third, Mint can actually help keep you safer than online banking. It may seem counter-intuitive to your readers (”All my accounts in ONE place???”
, but Mint can monitor all your accounts for fraud or mis-charges every day. Javelin Research finds that 90 percent of all fraud starts offline, not online. Meaning you’re much more likely to be ripped off at a gas station or restaurant than online. Given that the average American has four or five different credit and bank cards, you can either login to all those websites every day looking for fraud, or wait 30-45 days for a paper statement (by then it’s too late). Instead, Mint looks for “unusual spending” across all your accounts every day. Hundreds, if not thousands, of people have written in to say that Mint was their first line of defense against fraud. In fact, we can often do this better than banks. See, for example, when we notified our users about a widespread fraudulent charge first reported in the Washington Post from “Adele”.