Sunday, April 20, 2008

Is Mint.com Safe?

Is mint.com really as secure as they purport it to be? The blogosphere tends to disagree, except for wilkinsonlaw and a few others. But is it really?

At least you are logged out automatically after ten minutes. But if you've ever submitted a password reset request on the Mint.com web site, the link stays active for a long time, much too long. It was still active a month after the request. I emailed the webmaster as I couldn't find any other contact address on the site, and got back a boilerplate response, naturally:

Please do the following to recover your password:

1. Go to the login page at: https://wwws.mint.com/recovery.event
2. Click on the “recover it” link next to “forgot your password”.
3. Enter in the email address you used to create your Mint account.
4. An email will be sent to the email address you specified (note: the link is valid for only two hours).
5. If you don’t see the information in your inbox, please be sure to check your spam and bulk mail folders as well (ISPs sometimes route emails to these folders).

At least the email got through to a person and didn't sit around forever in unread email lalaland. You have to give them credit on that, in this age of email inundation. On a tangent, is knowledge management the solution? Back to the topic, I emailed them saying that email can be captured and snooped. All I ever got back was the standard "a highly trained team of monkeys is feverishly working on the situation" automatic reply email.


Today I reset my password again, and the same thing happens. The reset link stays alive after using it. It's not a big deal if you use the link, because you'll notice if someone snooped and reset it. You'd think Mint would send an email alerting you that your password has changed.
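The behaviour described above, a reset link that still works after it has been used, a lifetime far longer than the two hours the email promises, and no notice that the password changed, is easy to model against a small token store. The following Python is an added example written for this post; it is not Mint's code, and the class and method names, the `outbox` list that stands in for email delivery, and the fake clock passed as `now` are all assumptions. It runs the weak configuration beside a hardened one so the difference is visible.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

# The lifetime the Mint reset email promises: two hours.
RESET_TTL_SECONDS = 2 * 60 * 60


@dataclass
class ResetRecord:
    username: str
    issued_at: float      # seconds on the caller-supplied clock
    used: bool = False    # set the first time the token is redeemed


@dataclass
class PasswordResetService:
    """Hypothetical reset flow (assumption: not Mint's implementation).

    Tokens are stored only as SHA-256 hashes, so a copy of the store
    cannot be turned back into working links.
    """
    single_use: bool = True
    ttl_seconds: int = RESET_TTL_SECONDS
    records: Dict[str, ResetRecord] = field(default_factory=dict)   # token hash -> record
    passwords: Dict[str, str] = field(default_factory=dict)         # username -> password (demo only)
    outbox: List[str] = field(default_factory=list)                 # constructed stand-in for email

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_reset(self, username: str, now: float) -> str:
        # A new request retires every earlier link for the same account.
        for rec in self.records.values():
            if rec.username == username:
                rec.used = True
        token = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG
        self.records[self._digest(token)] = ResetRecord(username, now)
        self.outbox.append(f"to={username} reset-link token={token}")
        return token

    def redeem(self, username: str, token: str, new_password: str, now: float) -> bool:
        """Return True and change the password only if the link is still valid."""
        rec = self.records.get(self._digest(token))
        if rec is None:
            return False
        # Constant-time compare so the username check leaks nothing through timing.
        if not hmac.compare_digest(rec.username.encode("utf-8"), username.encode("utf-8")):
            return False
        if now - rec.issued_at > self.ttl_seconds:
            return False                     # expired
        if self.single_use and rec.used:
            return False                     # already redeemed: the reuse the post observed
        rec.used = True
        self.passwords[username] = new_password
        # The alert the post wishes Mint sent.
        self.outbox.append(f"to={username} notice=password-changed")
        return True


def demo() -> Dict[str, object]:
    """Run the weak and hardened configurations side by side."""
    user = "alice@example.com"              # constructed sample account
    t0 = 1_000_000.0                         # fake clock, seconds

    # Weak: reusable link that lives for a month, as the post describes.
    weak = PasswordResetService(single_use=False, ttl_seconds=30 * 24 * 3600)
    weak_token = weak.request_reset(user, t0)
    weak_first = weak.redeem(user, weak_token, "owner-chosen", t0 + 60)
    weak_reuse = weak.redeem(user, weak_token, "someone-else", t0 + 20 * 24 * 3600)

    # Hardened: single use, two-hour expiry, superseded by newer requests.
    hard = PasswordResetService()
    tok_a = hard.request_reset(user, t0)
    hard_first = hard.redeem(user, tok_a, "owner-chosen", t0 + 60)
    hard_reuse = hard.redeem(user, tok_a, "someone-else", t0 + 120)
    tok_b = hard.request_reset(user, t0 + 300)
    tok_c = hard.request_reset(user, t0 + 600)        # supersedes tok_b
    hard_superseded = hard.redeem(user, tok_b, "x", t0 + 700)
    hard_expired = hard.redeem(user, tok_c, "x", t0 + 600 + RESET_TTL_SECONDS + 1)
    notices = sum(1 for m in hard.outbox if "notice=password-changed" in m)

    return {
        "weak_first": weak_first, "weak_reuse": weak_reuse,
        "hard_first": hard_first, "hard_reuse": hard_reuse,
        "hard_superseded": hard_superseded, "hard_expired": hard_expired,
        "hard_final_password": hard.passwords[user], "change_notices": notices,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the weak configuration the second `redeem` succeeds twenty days later and silently replaces the owner's password; in the hardened one the link dies on first use, an older link dies when a newer one is requested, the two-hour limit is enforced on the server rather than merely stated in the email, and the account owner gets a change notice.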

Here's the reset email:

This email was sent in response to your request to recover your password. To reset your password and access your account, click on the link below.

Reset your password [https://wwws.mint.com/recovery.event?username=email@example.com&token=xxxxxxxxxxxxxxxxxxxx&utm_source=xxx&utm_medium=xxx&utm_content=xxx]

The link will reset your forgotten password, and let you create a new one. For security purposes, this link will remain active only for the next 2 hours.

If you did not request that we send this Forgotten Password email to you, please report this email to us at: support@mint.com

Thank you for using Mint.com!

Cheers,
The Mint Team

Also they are using a Google Analytics urchin tracking link, which is kind of irksome for the paranoidal borderline-schizo types like me.

One final thing, I also get a "Connection Partially Encrypted" message in the Firefox "Page Info" window.

3 comments:

matt @ Thrive said...

It never feels good to not be able to get someone from a company on the phone, especially when it is a company you are trusting with your financial information. That is one of the reasons that at Thrive (www.justthrive.com), we have our phone number on every page: we want to make sure that you can let us know how we can help. Not just through a form e-mail, not with some auto response, but a real live person addressing your needs.

With regard to resetting passwords, it is a tough one: you want it to be easy enough that you will do it, but hard enough that no one will try to hack it. I think we went too far in one direction on our first pass: we currently require that you verify transaction level data, which is hard, since most people use Thrive to monitor their transactions! We're working on a revision that uses a combination of e-mail and security questions to make it hard, but not too hard. If you ever use Thrive, hope it meets with your approval!
