Since launching and at our TechCrunch40 conference three weeks ago, personal-finance startup has been on a roll. On Friday, Mint was named at the 2007 Financial Innovations conference (along with peer-to-peer lender and mortgage-finder ).
CEO Aaron Patzer reports to us that in just the past three weeks, Mint has already helped organize more than $2 billion worth of people’s personal financial accounts and identified more than $40 million in potential savings for those members. (Mint helps you find better interest rates on bank accounts, credit cards and other financial products.) Interest in the site spiked right after TC40. At one point, Mint was signing up a new member every five seconds. Not bad for a service from a previously-unknown startup that asks for access to all of your private financial data, including your bank and credit-card accounts.
Apparently, getting consumers to give up that level of privacy has not been an issue so far. (The old axiom is true: people really will do anything to save a buck.) Now comes the hard part: getting all those people to keep coming back past the initial stage of curiosity.
Update: I asked Mint CEO Patzer for some more details on how many people are using Mint, and he responded with the following data. Keep in mind this is only 18 days’ worth of data and thus should be treated as extremely preliminary (these are early adopters, so they may be more likely to embrace such a service and use it more often than a mainstream user):
— That $2 billion is spread across 50,000 registered users.
— About 70 percent (or 35,000) have come back more than once.
— Those who have been in the system at least a week (including beta testers) visit Mint.com 2-3 times a week.
— About 10 percent (or 5,000) come to the site every day.
— And 10 percent have signed up for mobile alerts.
As I had shared a lot of information, I decided it would be better to delete my account rather than let it linger. I spent about ten minutes looking all over their site and I found that it is not possible to delete one’s account.
I emailed their customer service department 5 times and after about a week they deleted my account (or so they say…). Apparently the process took so long because they had to do it “manually”.
For a service that requires such sensitive information, it is pretty damn irresponsible, even sleazy, to make it so difficult to delete one’s account. I definitely wouldn’t recommend them after this experience.
Except for the privacy concerns, the business idea actually is quite awesome. A service aggregating and analysing one’s financial transactions is a real killer. However, the privacy concerns outweigh those benefits by far. Even if you are gullible enough to entrust your most personal information to that company, how can you be sure some evil-minded crackers don’t steal your data? Mint claims to have as high a security level as your favourite online banking service. Sure, a startup claiming to have established security standards equalling those of corporate-size banks, who spend millions per year in order to secure their servers and even then don’t always succeed… Apart from that, has anyone ever thought about that if Mint comes to aggregate a critical amount of data, intelligence services (or Inland Revenue, respectively IRS, for that matter) will show some interest in this service as well?
Quite frankly, my info got hacked on eTrade, so no one is exempt. But Mint sends me an email once a week telling me what I’ve spent and when my bills are due. I have three bank accounts and four credit cards, so I find this useful. Would be more useful if I could dump my brokerage data into it too. Before it, I used Quicken or Quickbooks — both are hackable too.
To all those who are concerned over Mint.com security, a few points: 1) You’re anonymous on Mint.com 2) Our security is independently verified 3) Email & text-message alerts help identify fraud immediately…and being proactive is the best measure.
I’ll make a bold statement: You’re safer on Mint than with online banking. On Mint, you’re completely anonymous. We never ask for a name, address or SSN - just an email. We know about your finances…but not about you. We’re also independently verified by Verisign, TrustE and several outside agencies.
We also have serious physical security. Our servers are in a secure, unmarked facility. To get in, you need to pass 3 biometric scanners, 4 locked doors and several guards. We have our own cage, so we’re physically separated from all other companies. Cameras monitor our servers and power supplies 24/7. The servers themselves have additional locks. The hard drives are encrypted. It’s like Mission Impossible (except without the electrified floors…maybe one day).
Perhaps more interestingly, 90% of all fraud actually occurs offline, not online (e.g. someone swipes your card at a restaurant or from your mail). Because Mint sends proactive alerts for low-balance or unusually high spending, you’ll know right away. It’s better than logging into 4-5 different banks every day or waiting 30 days for a paper statement before finding that something went wrong.
For an additional security measure, we’re working with banks to pass through the custom pictures sometimes associated with two-factor authentication. That should be available sometime next year.
You’ve rattled off a lot of physical security measures, which are the least likely to be compromised. The most obvious attacks take place over the network and application.
What’s your password complexity? How many invalid attempts can a user have in a certain period? What’s your application coding like? Is there a secure application lifecycle? Do you have IDS/IDP’s or Application Firewalls (Cisco ACS) stopping bogus queries? What’s your Denial-of-Service Mitigation like? If the service takes off, the bad guys will DOS you. What’s your application logging like? What’s your server access like? 2 factor auth for local access?
Also, of course you want the big companies to tell you you’re secure; the less they rock the boat, the happier you are. There’s a fairly big trend for the large guys to find nothing, but those in the know, the boutique companies like Security-Assessment.com, to find 50+ holes where “the big guys” find nothing.
For that matter, neither do your bank user names and passwords. Mint.com uses Yodlee for account aggregation. Yodlee is the back-end piping that connects all the banks, credit cards and brokerages together. They’ve been around for about a decade and are used by Bank of America, Fidelity, Microsoft Money and Mint.com to provide the raw transactions and balances. They’ve never had a major security breach, and with clients like BofA, Fidelity, Charles Schwab and HSBC, they’re audited all the time.
So are we. Not just by Verisign and TrustE. Mint.com works with Cryptography Research (www.cryptography.com) for security and network architecture…CRI’s Paul Kocher invented SSL 3.0 btw. We’ve also hired a number of “white knight” hackers to attempt system penetration. They have been unable to access user data. We also check the system routinely for SQL injection, cross-site scripting and open-port attacks.
Also keep in mind our VP of Engineering, David Michaels, ran PGP’s secure email product for 5 years, Java server security at Sun and financial services at ShockMarket. We designed Mint.com for security from the ground up.
How many of the banks and other financial institutions have you spoken with regarding security? What I mean is this: when your system is hacked and I go to xyz bank and tell them that $xx has been stolen, they will ask me for the details. When I explain that I am using a 3rd party system which I gave my userid/pwd to, will they still help me with my claim, or will they insist that I deal with you since I provided my details to you?
The number one thing to realize about Mint is that their business model is disingenuous and flawed. It’s a company built for the advertisers, not the users. To that end, they have provided some nifty pie charts (quite possibly the worst of all types of charts) and some annoying auto-categorization, all in the name of getting you to give them access to your financial transactions. All of this is built on top of a privacy policy and terms of service that are about as ironclad as a bowl of jello. Moreover, the whole idea that they go to Yodlee, who fetches 2 or more day old financial data, is ridiculous and will be over in about 12 months. That’s when banks will basically change the ridiculous model of Yodlee-like companies that scrape data to what consumers really want: You go to your online bank account, tell them you want your OFX data sent to this URL every 12 hours or whenever there is activity. You give them a url and a login for the receiving url and voilà–your data is sent where you want, safely, without giving out your online banking password. This will make all kinds of companies that can create better software than mint (oh, it IS awful, this mint) and the consumer will have the power to determine where it goes. So what if you pay $1.00 a month for the privilege—it’s a great model for the consumer and the banks (or any company that wants to deliver statements) and then say goodbye to mint! Plus the Mint killer is coming in November…. I’ve seen it and it’s amazing! It’s WAY more powerful and WAY cooler…
As a TC reader (thanks mike), I get the chance to research Mint again, only this time the Mint blog responses are seemingly a back and forth session between Mint and the TC audience over layers of security within Mint.com.
One of the first things you don’t do with your market is get defensive about your product. Whether you’re choosing to argue or not, it seems that way to me, and because of this, now I think Mint really isn’t SECURE.
Make a “statement” about the level of your security (and here is where you make the “BOLD” statement) and then get your butt going on how to show your customers that Mint’s SECURITY is bar none.
Lt. Weinberg: “I strenuously object?” Is that how it works? Hm? “Objection.” “Overruled.” “Oh no no no. No. I STRENUOUSLY object.” “Oh. Well if you strenuously object then I should take some time to reconsider.” (courtesy of )
“Mint uses Yodlee to connect to your financial institutions. This is the same back-end aggregation system used by Bank of America, Fidelity and Microsoft Money. Yodlee’s security practices have been audited by the NSA, Visa, Mastercard and numerous major banks.”
I’ll guess my bank knows about “Yodlee” and hopefully doesn’t allow it to skim too much info. But this tells me the banks need to offer multiple access levels of online banking as web tools become more popular/useful/powerful.
@Aaron (17) This is a progressive idea, but ultimately your service will be a predecessor to similar services that are offered by the country’s banking institutions. IMHO, Mint is targeting the middle/upper middle class market, who have shown interest in products such as theirs by using online banks such as ING. While it is refreshing that the CEO of an unknown web startup can come onto an open web forum to talk about security, the problem of being an “unknown brand” will linger in the head of the consumer.
“I’ll make a bold statement: You’re safer on Mint than with online banking. On Mint, you’re completely anonymous. We never ask for a name, address or SSN - just an email. We know about your finances…but not about you. We’re also independently verified by Verisign, TrustE and several outside agencies.” Aaron Patzer, Founder & CEO, Mint.com
The success of Mint and Wesabe in the tech community demonstrates a need for consolidation of personal finances, but your target market is afraid of you. They have no idea who you are and why they should trust you. In Mint’s case, we are “anonymous”, but they have sensitive data that is being shared with outside companies. It is difficult for us to trust a company whose revenue generation model is to disclose that data to advertisers.
@techcrunch Instead of using Mint, I am going to use Virtual Private Bank (http://virtualprivatebank.com), which is a free service offered by Commerce Bank (http://commerceonline.com). -- To be transparent, I am an employee of the Bank. -- Virtual Private Bank (VPB) is the finished product in a market that Mint has just entered and includes the following features:
* A comprehensive view of all financial information in one place, no matter where that financial information is held.
* Access to your complete financial information 24/7 from anywhere with an Internet connection.
* Access to numerous reports and calculators to enable you to get a better understanding of your financial picture.
* The Vault, which acts like an online safe deposit box, gives you one safe place to scan and store personal and private information.
* Tracking of frequent flyer miles and rewards points in one place, plus set alerts to receive a notification when redemption levels are reached.
VPB is a non-transactionable system; no money moves in or out of VPB. VPB has numerous security features to ensure your data is secure, including:
* Firewalls
* Watchfire’s AppScan Technology
* Certified Hackersafe
* 128 bit encryption
* 24/7 monitoring

When you log on for the first time, you will be asked a Security Question. The security response is used to validate your identity in the event of a forgotten password.
All data is stored at SunGard Data Systems, the most secure facility available in the industry and the home to data from the 500 largest companies in the country.
With Mint’s market covered by regulated financial institutions, there are three other “markets” available: high net worth, subprime and consumer. The first two markets are outliers, the former because they have professionals managing their money and the latter because financial tracking is not a primary concern. That leaves the consumer market as a prime target because they are not skeptical of new technology and tend to “embrace the chaos”.
What surprises me is that with all the talk of personal financial aggregation, Geezeo and their iWant Facebook application have slid under the radar. Geezeo started as a simple concept: check your account balances through SMS, 24/7. Their service takes advantage of a simple technology available to most people in their target market (non-skeptical consumers), and they employ college students (a significant portion of their market) to help build brand recognition. For Security, Geezeo uses CashEdge, who provides services to large financial institutions including Bank of America, Citibank, HSBC, Wachovia and Royal Bank of Canada.
Geezeo has expanded its service to offer features similar to their competitors, including a blog, discussion groups and categorization of transactions, but was first to take the next step and build a Facebook application. iWant helps users set goals, recruit donations and monitor their banking accounts, setting Geezeo apart because they have created an intuitive application that is easily accessible to 40 million+ consumers.
fyi, the back-end service Mint is using for account aggregation is Yodlee, which is also used by a few well-known financial services & banks such as Ameriprise Financial, AOL, Bank of America, Fidelity, JPMorgan Chase, Merrill Lynch and Microsoft.
i also wonder if all of you folks in the comments are as concerned & as inquisitive about your local banks and medical institutions, which have just as much, if not more, access to sensitive data and probably much more lax security procedures than Yodlee or Mint.
however, all security concerns aside, my alter ego #29 FDM took the words right out of my mouth: security is a feature, but it’s not the only feature, and for many users of Mint who don’t have a lot of money — indeed, who might be a single mom with 2 kids — saving money on bills & having a better handle on how they spend their finances might be a helluva lot more important than biometric security measures & two-factor authentication. she’s probably a lot more concerned with how to save $1000 in the next 6 months that she can spend on new clothes, a bike for the kids, and maybe trying to pay off some credit card bills.
Allen: no disrespect, but the guy who built the first Citibank online credit card processing system isn’t exactly the target user for Mint. we hope you find it useful, but if it doesn’t meet your security requirements, then by all means don’t use it.
meanwhile, there are plenty of busy people out there who could use a better way for them to track their finances, help them save some money, and remind them when they need to pay a bill to avoid late fees.
while those folks are concerned about security too, we’re pretty confident we’ve done our homework to provide them a high level of assurance their information is being handled responsibly.
I’m pretty sure that using a service like Mint, where I hand over my account number and password to a third party, would break the terms of my bank’s online access agreement. As such, my bank would not be responsible for any fraud in my account and I would stand to lose a lot of money. Not something I would want to risk.
And Aaron, what you are missing re: anonymity is that once a hacker has some anonymous account numbers and passwords, they can log into the bank’s site and get the name, address, SSN etc.
* Don’t give out your credit card number(s) online unless the site is a secure and reputable site. Sometimes a tiny icon of a padlock appears to symbolize a higher level of security to transmit data. This icon is not a guarantee of a secure site, but might provide you some assurance.
* Don’t trust a site just because it claims to be secure.
* Before using the site, check out the security/encryption software it uses.
* Make sure you are purchasing merchandise from a reputable source.
* Do your homework on the individual or company to ensure that they are legitimate.
* Try to obtain a physical address rather than merely a post office box and a phone number, call the seller to see if the number is correct and working.
* Send them e-mail to see if they have an active e-mail address and be wary of sellers who use free e-mail services where a credit card wasn’t required to open the account.
* Consider not purchasing from sellers who won’t provide you with this type of information.
* Check with the Better Business Bureau from the seller’s area.
* Check out other web sites regarding this person/company.
* Don’t judge a person/company by their web site.
* Be cautious when responding to special offers (especially through unsolicited e-mail).
* Be cautious when dealing with individuals/companies from outside your own country.
* The safest way to purchase items via the Internet is by credit card because you can often dispute the charges if something is wrong.
* Make sure the transaction is secure when you electronically send your credit card numbers.
* You should also keep a list of all your credit cards and account information along with the card issuer’s contact information. If anything looks suspicious or you lose your credit card(s), you should contact the card issuer immediately.
Nevertheless, like it or not, the internet will house ALL of your financial data and everything else about you SOONER OR LATER…and many financial institutions like Bank of America provide customers with not only increased Fraud Protection and Security features for Online transactions but also Fraud/Identity Theft Resolution where they reimburse stolen funds.
Don’t get stuck on the SSN issue… your SSN is Already Everywhere on the net and most ‘techies’ can tell you how to find anyone’s SSN.
Aaron, it is great to see you on the thread. This is a big improvement from last time. And I always respect Dave’s comments, even though some might argue that he is saying there are more important features at Mint besides security. Obviously, he didn’t mean that, or that a mom with 2 kids wasn’t smart enough to care.
I am wondering, though, why no one from Mint will answer Allen’s question about fraud protection. It was posed over and over after TC 40, here and on other blogs. A straight answer (even if it is “we are working on agreements with banks to cover you in the future”) would go a long way toward building trust. I can understand sidestepping Wade’s points, although I think that these should be answered too on your site, but you can’t keep dodging Allen or the beauty queen.