Security problems with mint
sandytate
10-07-2007, 02:52 AM
Why does mint send out emails with bank account balance information and transaction information in plain text, by default? I also got this information from my mint.com account.
How does mint.com respond to the questions raised in this review:
http://techlahore.wordpress.com/2007/10/03/the-fools-at-mintcom-or-mintcom-sucks/
I am really upset that on the one hand you guys are claiming all this great security, and on the other hand even your default settings seem to indicate that not enough thought has been given to a fully secure experience.
Sandy
Damon
10-07-2007, 05:26 PM
The alerts will be changing soon. I've already raised this issue with Product & we will be making some changes.
Damon
10-07-2007, 05:30 PM
Quick note: It is also quite possible to disable alerts.
deekayen
10-25-2007, 11:00 AM
I hope the plaintext email balances will remain an option. My credit union refuses to offer balance emails as an option (even though I pointed out Wachovia does), so that was one of the big attractions for signing up with mint.
dschinkel
11-01-2007, 07:54 PM
testie testie
dschinkel
11-01-2007, 07:55 PM
>>>I hope the plaintext email balances will remain an option
dschinkel
11-01-2007, 07:57 PM
check one two, check
Damon
11-02-2007, 02:03 AM
I would politely ask that you watch your language on the forums.
"buddy, why not request an export option to your local hard disk rather than allow you and your family to be compromised by allowing them to send confidential information like this through email!"
While I understand the very valid concerns, there actually isn't anything in the email that could actually lead to anything like ID theft (important information, like account numbers, addresses & names, are obviously not sent in any email).
Note: We're still in beta & making changes based on customer feedback. If something upsets our customers, we will most certainly look into changing it.
mlebarron
11-02-2007, 06:18 AM
I'm not totally sure I want to step into this, but I do feel the need to point something out.
Damon is right that there is not nearly enough information in the email to lead to any sort of identity theft. I realize that some people might not like that it sends all your balances in plain text, but to those people (for now, until there is an option to encrypt, if there will be), just turn off the emails.
It is not a major security issue, and if there was actually a large risk (and risk of being sued, not sure why that's being thrown around) then companies like Bank of America would certainly take notice.
Point with Bank of America being... When I get an ebill, or when they schedule an electronic payment, they send an email notification (in plain text) containing the amount of the bill/payment, the company I paid, the confirmation number, and the last 4 of my account numbers (with the company, and at Bank of America)
Even further, most online stores send email receipts in plain text, containing the items you ordered, how much you paid, your name and home address, the last 4 of the card you used, and some even more information.
If anyone would like to complain about secure/insecure email and what information is contained in the email, the last place to look would be Mint. There is far more information passed around in other emails than most people probably realize. If you have some super high balance accounts that you don't want people to know about, don't add them to Mint (or just don't get notified).
Beyond that, this is the internet age, information will be passed around a lot, and if someone is that concerned about privacy I suggest... well I don't know what, cause I'm not sure where there is privacy anymore.
shindekokoro
11-02-2007, 06:59 AM
How is it a privacy concern? So someone sees what I spent last week? Sees how much debt I have, how much money I have? It seems like nit picking to me. The blog makes the statement that his bank uses his last few transactions as security questions; the email lists 5 transactions from all accounts, at least from what I see. I don't see a concern at all, maybe I'm just stupid :D. HAHA!
lordscarlet
11-02-2007, 08:23 AM
I agree with the others. This is not in any way a security concern. It is maybe a privacy concern in that someone could find out what you're buying, but, as someone stated, you receive emails confirming online orders as well. This is simply not a big deal.
mintlover
11-02-2007, 12:11 PM
Mint has addressed the security issues with the notifications and I'm satisfied with their response.
mlebarron
11-02-2007, 12:25 PM
>>>I guess you guys really don't have much professional experience---and that's ok---you're a startup. If you have been staying on top of security trends and issues you would be aware that criminals are getting taps into networks and they are sniffing emails en masse. Moreover, these companies are becoming more sophisticated and they are filtering and targeting email and then categorizing it and selling the lists. Mint is very much a target because it neatly bundles up information that WOULD be useful to someone compiling these lists. And they ARE more revealing than typical email. Think about it. I can sense your "OH, darn it, it's like these are cool features and don't rain on our mint parade," but you're being grossly irresponsible to put out these features so you Aaron can sit there and say nice things about mint's feature set.
>>>Just because you are screwing your community and they can't notice it right now doesn't mean you guys are off the hook.
First I'd like to say something about your post. The first couple sentences are dangerously close to "personal attack" language, which is not welcome here. Constructive criticism is one thing, attacks are another.
To continue...
Nobody said it wasn't being taken seriously. Right now the only option is plain text. All that I have pointed out is that there is far more revealing information in plain text email all the time, most of which I would be more wary of giving out than my bank account balances. Just to throw out a few (very common) uses:
order confirmation
travel information (including boarding passes, exact flight times, etc)
password reset urls
passwords themselves
In other words, this has been blown WAY out of proportion. The point is, what can you actually DO with knowing someone's account balances... essentially nothing. Yes, you will know a little bit more about that person, but that's it.
Of course Mint should be held to a high standard, that's what has been presented, but it has to be a reasonable standard as well.
mintlover
11-02-2007, 03:26 PM
I see your point. But it seems like your top guys like flames...
http://e5media.com/2007/11/02/mintcom-needs-a-hug/
mlebarron
11-03-2007, 06:29 AM
I'm just a regular user that became a moderator on the forums. I don't actually work for Mint.
My views and opinions are my own and don't reflect any sort of official Mint position.
Damon
11-04-2007, 07:33 PM
If your sole intent is to disrupt the forums, I will state that it could lead to a restriction on your ability to post. Constructive criticism is always welcome, but it seems like your general posting reason is "Mint sucks because of...". You also seemed to completely ignore the fact that I mentioned we will be making changes to these alerts - so the issue has been addressed here & within the company.
The blog post issue you pointed to has been addressed internally. However, I don't see why you think it would be ok for the company to disclose what could be considered private information about its users in the blog post (the name, that they had an account with said company & the application, etc.)
Note: We're in the process of distributing community guidelines for all employees that post in a public forum (applies to on the Mint site and off).
snowdogg
12-13-2007, 04:32 PM
I've been looking at the posts by dschinkel in this and other threads and have come to the conclusion he simply has a personal axe to grind.
I don't quite understand the motivations behind his hysterical rantings, but they seem to indicate he is also the person who has the blog mentioned at the beginning of this thread. At least, the person who created the blog claims to have done the same tests and had an uncanny resemblance in his reactions and choice of wording as dschinkel.
There is certainly nothing wrong with pointing out what one feels are inadequacies in software. It's just that dschinkel comes across as some self-appointed IT engineer extraordinaire who alone can solve the world's IT issues. He also tends to start calling people stupid and architecture incompetent, and then predicts the imminent downfall of the software company he's attacking - all in the largest font he can find.
So, my point in all of this is to advise others to take what dschinkel says with a grain of salt. I'm not saying he doesn't have a point to make - just that he seems adamant about making it (beating a dead horse) when the most someone could obtain from this site is a possible view of unidentified transactions or balances. That's not going to help a crook too much. :cool:
fin_free_soon
12-24-2007, 09:24 AM
>>>I've been looking at the posts by dschinkel in this and other threads and have come to the conclusion he simply has a personal axe to grind.
>>>I don't quite understand the motivations behind his hysterical rantings, but they seem to indicate he is also the person who has the blog mentioned at the beginning of this thread. At least, the person who created the blog claims to have done the same tests and had an uncanny resemblance in his reactions and choice of wording as dschinkel.
>>>There is certainly nothing wrong with pointing out what one feels are inadequacies in software. It's just that dschinkel comes across as some self-appointed IT engineer extraordinaire who alone can solve the world's IT issues. He also tends to start calling people stupid and architecture incompetent, and then predicts the imminent downfall of the software company he's attacking - all in the largest font he can find.
>>>So, my point in all of this is to advise others to take what dschinkel says with a grain of salt. I'm not saying he doesn't have a point to make - just that he seems adamant about making it (beating a dead horse) when the most someone could obtain from this site is a possible view of unidentified transactions or balances. That's not going to help a crook too much. :cool:
I agree with snowdogg; I too have been following the linked-to blog posts and commentary on various other blogs because I was also concerned with my security at mint.com, but after doing pretty extensive reading and critical thinking I believe that mint.com is doing everything they can (and in some cases more than some banks do) to keep my information secure and will continue to do so. The usefulness of this site for me is too great to let some unfounded fears of mine prevent me from using it. I would also like to reiterate what has already been said about criticism: If you only have an axe to grind, take it somewhere else (I'm talking to you, dschinkel); if you would like to contribute constructively, by all means stick around... that would be most beneficial for all of us users on this forum. Otherwise, don't waste any more of your time or our time, really.
dschinkel
12-24-2007, 04:27 PM
>>>I would politely ask that you watch your language on the forums.
ok, and you too
dschinkel
12-24-2007, 04:31 PM
>>I've been looking at the posts by dschinkel in this and other threads and have come to the conclusion he simply has a personal axe to grind.
another good one. No, I was just able to create an account with the password of "password". Now THAT'S a problem
dschinkel
12-24-2007, 04:32 PM
>>>There is certainly nothing wrong with pointing out what one feels are inadequacies in software. It's just that dschinkel comes across as some self-appointed IT engineer extraordinaire who alone can solve the worlds IT issues
I love this. No, just pointing out the weakness of mint. I don't think that mint should be going around bloating such security when you can create passwords like this
dschinkel
12-24-2007, 04:35 PM
>>If your sole intent is to disrupt the forums
not at all, again, just pointing out and I'm pretty annoyed that mint.com would gloat such security without strong password policies. To me, you're saying hey, your money is safe with us however we don't really cover all security holes...false advertising to me. For me, that's a problem. Anyway, feel free to delete the thread. I don't really care.
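The kind of password-policy check this post is asking for, written here as an added example and not Mint's own code: it rejects the "password" case from earlier in the thread along with near-variants. The 12-character minimum and the small denylist are assumptions; a real deployment would check against a large breached-password corpus.

```python
import re

# Constructed denylist for this example only; production systems should load a
# large breached-password list rather than a handful of entries.
COMMON_PASSWORDS = {"password", "password1", "123456", "12345678", "qwerty",
                    "letmein", "feedback", "welcome", "abc123"}

MIN_LENGTH = 12  # assumed policy value

# Undo common leet substitutions so "P@ssw0rd" still hits the denylist.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                       "$": "s", "5": "s", "!": "i"})


def _normalize(pw):
    """Lower-case and de-leet a candidate password for denylist comparison."""
    return pw.lower().translate(_LEET)


def check_password(password, username="", site="mint"):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    norm = _normalize(password)
    # Strip trailing digits/punctuation first so "password2007!" matches "password".
    stem = _normalize(re.sub(r"[\d\W_]+$", "", password.lower()))
    if norm in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")

    # Reject passwords built from the account name or the service name.
    for token in (username, site):
        token = token.lower()
        if len(token) >= 3 and (token in norm or (len(norm) >= 4 and norm in token)):
            problems.append(f"contains the username or site name '{token}'")

    if len(set(password)) <= 3:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate, user in [("password", ""), ("feedback", "mintfeedback"),
                            ("P@ssw0rd2007!", ""), ("correct horse battery staple", "")]:
        print(repr(candidate), "->", check_password(candidate, user) or "accepted")
```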
dschinkel
12-24-2007, 04:37 PM
>>>First I'd like to say something about your post. The first couple sentences are dangerously close to "personal attack" language
give me a break
dschinkel
12-24-2007, 04:38 PM
I think you're just better off deleting this thread and kicking me out then.
dschinkel
12-24-2007, 04:41 PM
Looks like you already deleted my initial posts in this thread. Why not just delete the entire thread? How many posts did you delete, 'cause I'm not even seeing the initial point I made here.
Damon
12-26-2007, 05:21 PM
I haven't deleted a single thread. The only threads I've deleted during my time here have been spam threads.
mintfeedback
12-26-2007, 11:30 PM
>>I've been looking at the posts by dschinkel in this and other threads and have come to the conclusion he simply has a personal axe to grind.
>>another good one. No, I was just able to create an account with the password of "password". Now THAT'S a problem
My password is "feedback".