This review was performed on January 16, 2014 and is part of a series of comparisons of financial management sites.
Mint.com is run by Intuit, well known makers of Quicken and QuickBooks.
mint.com uses a EV certificate with a 2048 bit RSA key.
mint.com receives an A- on the Qualys SSL Test run on February 11, 2014.
Security Claims
- Home Page
- McAfee Secure Seal
- VeriSign Security Seal
- Safe and Secure
- Bank-level security
- “128-bit encryption”
- Security Audits – VeriSign
- Read-only
- Safe and Secure “Watch security video”
- Bank-level security
- Security Audits – HackerSafe, VeriSign
- Read-only
- Security FAQ
- “…bank login credentials are stored securely in a separate database using multi-layered hardware and software encryption.”
- “Your bank account and credit card numbers are stored securely.”
- read-only – “Your online banking user names and passwords are never displayed”
- Security Technology and Practices
- “Your bank login credentials are encrypted”
- “Our servers are housed in a secure facility protected by biometric palm scanners and 24/7 security guards.”
- “We apply bank-level data security standards. This includes encryption, auditing, logging, backups, and safe-guarding data.”
- “We hack our own site. Intuit runs thousands of tests on its own software to ensure security. We scan our ports, test for SQL injection, and protect against cross-site scripting. We also employ Hackersafe to test our site daily.”
- “Mint.com has received the VeriSign security seal.”
- Privacy and Security Policy #12
- “…use a combination of firewall barriers, encryption techniques and authentication procedures, among others…”
- “…servers are in a secure facility. Access requires multiple levels of authentication, including biometrics recognition procedures.”
- “…databases are protected from general employee access both physically and logically.”
- “…encrypt your Service password so that your password cannot be recovered, even by us. All backup drives and tapes also are encrypted.”
- “No employee may put any sensitive content on any insecure machine.”
- “Intuit has been verified by Verisign for its use of SSL encryption technologies and audited by TRUSTe for its privacy practices. In addition, Intuit tests the Site daily for any failure points that would allow hacking.”
Analysis of claims
- McAfee Secure Seal
- VeriSign Security Seal
- Bank-level security
- “128-bit encryption”
- Security Audits – VeriSign
- Read-only
- Bank-level security
- Security Audits – HackerSafe, VeriSign
- Read-only
- “…bank login credentials are stored securely in a separate database using multi-layered hardware and software encryption.”
- “Your bank account and credit card numbers are stored securely.”
- read-only – “Your online banking user names and passwords are never displayed”
- “Your bank login credentials are encrypted”
- “Our servers are housed in a secure facility protected by biometric palm scanners and 24/7 security guards.”
- “We apply bank-level data security standards. This includes encryption, auditing, logging, backups, and safe-guarding data.”
- “We hack our own site. Intuit runs thousands of tests on its own software to ensure security. We scan our ports, test for SQL injection, and protect against cross-site scripting. We also employ Hackersafe to test our site daily.”
- “Mint.com has received the VeriSign security seal.”
- “…use a combination of firewall barriers, encryption techniques and authentication procedures, among others…”
- “…servers are in a secure facility. Access requires multiple levels of authentication, including biometrics recognition procedures.”
- “…databases are protected from general employee access both physically and logically.”
- “…encrypt your Service password so that your password cannot be recovered, even by us. All backup drives and tapes also are encrypted.”
- “No employee may put any sensitive content on any insecure machine.”
- “Intuit has been verified by Verisign for its use of SSL encryption technologies and audited by TRUSTe for its privacy practices. In addition, Intuit tests the Site daily for any failure points that would allow hacking.”
Overall, Mint.com says the right things. “Bank level security” is more of a marketing term that a real security claim, but 128 bit encryption is good enough for most uses. Looking at the SSL Labs scan, 128 bit AES or RC4 is the smalles key size mint supports.
In case an attacker can obtain your password, it is good that the standard user interface is read-only and does not display account numbers, usernames, or passwords.
It’s good that their site is tested by themselves, McAfee, VeriSign, and HackerSafe; because this is the most likely way an attacker could potentially access the database which contains bank credentials. Fortunately bank credentials are encrypted; however, the security practices do not discuss how the encryption key for bank credentials is protected. Firewalls are good, but a properly secured web-server shouldn’t really need a firewall. It would be nice if they also had an Intrusion Detection System (IDS) since an IDS has some chance to detect zero day exploits.
Physical site security of mint’s data centers and personelle policies are impossible to say much about how determined an attacker might be. Even with policies against copying customer data onto an unsecured laptops, humans always seem to be the weak link (e.g. Edward Snowden).
Everything Mint.com says about their security sounds good, except for the lack of an IDS. I give their security claims a B.
Inconsistencies
The only inconsistency in Mint.com’s security claims are the 3rd party tests and certifications performed. Mint.com consistently claims they have the VeriSign Security seal, but it is unclear whether the site is tested by McAfee or Hackersafe.