2009/09/27

Mint Promises

Mint is a great service, and I'm actually trusting it quite a bit.  But their re-assurances are giving me the willies:
Your credentials are safe on Mint.com.  We use bank-level encryption to secure your login credentials, they cannot be compromised. We are establishing a read-only connection to your bank, we cannot move or transfer money. -- mint.com
Of these 3 statements, the first is hopefully true for some reasonable value of "safe".  The second and third statements are demonstrably untrue, and they undermine the first assertion.  (As a matter of fact, when my bank offered a "read only" username/password mechanism, I tried it out with Mint -- Mint choked on the results.)  Mint has full access and can impersonate me to my bank.  I strongly dislike this situation and want Mint and the banks to change this.

Mint + Banks:  Please implement a least-privilege access mechanism.  OAuth would be great, but frankly anything including a read-only password would be better than today's situation.  Mint: You really want to be able to prove that you couldn't be culpable if there is a leak or a bug.  Banks:  You don't want people impersonating your customers, do you?  Do it the right way, guys.

1 comment:

  1. Totally agree. I've posted this on the mint boards awhile back, but hope that a more open letter from the auth community may make this more visible. Even one bank implementing could start a movement.

    ReplyDelete

Suspended by the Baby Boss at Twitter

Well!  I'm now suspended from Twitter for stating that Elon's jet was in London recently.  (It was flying in the air to Qatar at the...