patrick.net

I saw an article about mint a few months back. Checked out the site, and ran into the same problem. Once they asked me for anything more than my email address, I started to loose interest and never finished the registration process.

I'm a fan of mint. They do an incredibly good job of correctly categorizing all of your spending and earnings in one place. It really helped my wife and I to recognize where we were wasting money.

Kevin says

It really helped my wife and I to recognize where we were wasting money.

One thing. Get your own housekeeping book. :P
Once you figured it out, you will almost automatically know what's going on w/o help of website.

seaside says

Kevin says

It really helped my wife and I to recognize where we were wasting money.

One thing. Get your own housekeeping book.

Once you figured it out, you will almost automatically know what’s going on w/o help of website.

I used to use quicken to track my finances, I had several years worth of data until I got married. My wife wasn't as motivated to track finances, so I stopped using it.

I used quicken, and actually just signed up for mint the other day. It used to be an open source product and their biggest hurdle was getting people to trust them with accounts and passwords.

It was bought by intuit I believe (quicken owners) and thus it's probably backed by pretty large pockets now.

I was surprised at how well it worked. Although their "ideas" have already started to annoy me. Sign up for this credit card, we think you'll save on this insurance company! They're just middle men pedaling affiliate programs but probably making a killing doing so.

Mint kicked it. 1 M iPhone users in 1 year or somethign like that. Sold for hundreds o'millions to Intuit. Still waits to be seen if Intuit knows how to leverage the value. Killer several other PFS companies. CNN had some article about wesabe oe wesave or somethign company who was killed. Well, there a big O or two there but takes VC money to go for them. Intuit put in the money but we'll see if they see the big O's.

pkennedy says

I used quicken, and actually just signed up for mint the other day. It used to be an open source product and their biggest hurdle was getting people to trust them with accounts and passwords.
It was bought by intuit I believe (quicken owners) and thus it’s probably backed by pretty large pockets now.

I really don't care how "Big" the the company is, they are asking for accounts and passwords, the more people who know this information, the greater the risk someone will clean your accounts out. I only takes one dishonest employee or lax security policies for a hacker to obtain the information.

At least if the bank has dishonest employees or get hacked they are liable to make you whole again, it's even backed by the FDIC. But lets just say "Mint" get hacked and someone steals all your money. It's not the banks problem, after all you gave out your password info, tough luck. You would have to go to "Mint" for your money and even though it's owned by a larger corporation, Mint is most likely a Limited Liability Corporation which means that Intuit is protected if Mint implodes from lawsuits and liability claims.

I deem it an unnecessary risk, that should be easy enough to mitigate by just allowing users to enter there own information manually if they so choose.

TechGromit says

I really don’t care how “Big” the the company is, they are asking for accounts and passwords, the more people who know this information, the greater the risk someone will clean your accounts out. I only takes one dishonest employee or lax security policies for a hacker to obtain the information.

Yep, which is why you should be careful what you give them.

For instance, I only give them access to my accounts that can't actually perform actions. They can't make trades on my stock accounts (they don't have my trading PIN). They can't make bank transfers because I have disabled that from being done on the bank websites.

Also, if they really screw up, they'll be liable, or the bank will be. The law is generally on your side, and there's ample precedent on this issue.

If you're still paranoid, don't use it, or stick with local accounting software like quick books.

You *can* enter information manually, by the way, it's just not as convenient. I make dozens of transactions a week, and putting each one in would get tedious.

Previously I had worked at a company that sold security software to banks, the banks didn't really care either way though. The more complex it was for someone to get on, the more customers they would lose to other simpler banks.

In the end they basically looked at the ROI and it was better to allow theft, and simply reimburse people who complained, even if it was completely their fault.

I do like the way you have a few things setup though kevin. I might actually look at doing something like that for my accounts. I wanted something simple for my wife to see overview account information. This seemed like the simplest way to do it.

pkennedy says

The more complex it was for someone to get on, the more customers they would lose to other simpler banks.

It is interesting that they even noticed that customers didn't like complex login security procedures. I'm almost impressed, I thought they were completely clueless.

If they would only do simple things like making sure AND publicizing that passwords are always stored in salted-hashed-encrypted form on THEIR side, I would be much happier. It has occurred, although not recently, that call center people can see my password in plaintext. Now THAT is a security risk.

Overall, banks are notorious for having crappy web sites. One of my pet peeves is to have to click-clack through four pages of crap for each monthly statement I need to download. Some of them still can't just have a download (NOT view) link for each statement.

Or even better, just give me a zip file full of pdf for the whole year. The file naming is also atrocious, names like Statement.pdf, rather than the obvious FULLDATE_ACCOUNTNUMBER_Statement.pdf. It is beyond lame. All the manual renaming is a PITA.

I don't think I've dealt with any banks that don't encrypt passwords. It would difficult to create a system like that in the first place, because most software has built in password functionality, creating your own would be extra work. Perhaps for the minor passwords, like the "three questions" type of deal. However those are just extra security, and it's possibly you're spelling things wrong and/or saying them wrong, while a human could identify what you typed and what you're saying is actually correct.

Regardless, encrypting passwords is only necessary for a technical reason. If the bank is hacked, then this slows down the hackers. They need to decrypt each password, the idea is that by the time they can decrypt your password you've changed it. Hence why there are "change your password" rules out there. In the even they were hacked, and didn't know about it, by forcing you to change your password you're nullifying all the work the hackers have done. Of course most people then choose way too simple of passwords or write the down, which makes it even worse.

pkennedy says

like the “three questions” type of deal.

Hey, thanks for humoring me. But the "three questions" type deal is horribly insecure. I can't tell you how many institutions across the country know the name of my first pet and high-school mascot. And these *definitely* are stored in plaintext, because I have had customer service verify the answers on the phone.

Asking people to change passwords often: Another terrible idea. It makes people write them down instead of remembering them. C'mon, there must be perfectly reasonable encryption schemes for safeguarding passwords. None of this is really necessary.

Sorry for venting, but this stuff is so much trouble and so completely avoidable with some judicious application of technology.

Yeah the company I worked for a perfectly good system, that didn't require much of this, and kept passwords safe even from hackers. But banks didn't really want to bother with it!

The three questions thing is a decent system, of course it's become less useful as time goes by. The questions have to be useful and selective, for example the school you went to could be phished pretty easily or figured out based on where you live. Your favorite color is probably blue, like 65% of the population, etc. It's useful at blocking some people and using 3rd person answers.

However, there is nothing to say you should use REAL answers for those questions. Your first pet, could be some ugly girl you dated. Whatever you can correlate and remember for later.

pkennedy says

However, there is nothing to say you should use REAL answers for those questions.

You guessed it, I never give them the real answers. But the problem is to recall which set of fake answers I used.

justme says

You guessed it, I never give them the real answers. But the problem is to recall which set of fake answers I used.

Yeah, that's one of the problem. Another problem is... when they asked me my pin number, I was like "wow, did I ever create a pin number?" I maybe did, but it was long time ago, so it was like "you tell me which is my pin number, is it XXXX or YYYY?". Then they asked me what's the name of my pet, and I was like "wth, I don't have a pet" LOL. The thing was, there's no such question required at the time I opened the account, then the questions are into play later and they never asked me do that.

I had that happen to me the other day, perhaps it to prevent you from guessing. Saying wt might be what they're looking for.

They answer phones all day long as well, so just getting you to "talk" is probably enough for them to determine if you're legit or not. Much like any other job, it gets so redundant, that when someone comes in answering questions oddly, you notice it right away.

It's probably not too important to get involved in making multiple sets of fake answers, it's more important that someone phishing your account can't figure it out online. If every bank has the same pet name, which you used your ex-gf's name for, you're pretty much set.

Just had another one of these security lapses:

Got an email from friendster (yeah,I know) and decided to login and change some settings so I would get less junk mail . Of course I forgot the PW. And what do these idiots do? THEY EMAIL IT TO ME IN PLAIN TEXT! They store my password in plain text on their server! And they even email them out. It is so lame I don't have words for it. It is like we have little irresponsible children running big dot.com sites. Wait, I knew that already ....

It could be encrypted through a password on their system. If done well, it can be decently secure. Of course it probably isn't. Although emailing passwords is never that safe either... plain text there too..

Ebay used to have 60M accounts with the password "password". So security really isn't a big deal for a lot of companies and people.

I have friends that worked in Banking Software. If you had any notion of how slipshod things were in financial back offices you'd keep your money under the mattress or buried in jars.

Security in commerce in general takes a back seat to convenience.