Mint.com and saving passwords in plain text

Discussion in 'Networking & Security' started by Restrikted, Jan 22, 2011.

  1. Restrikted

    Restrikted n00bie

    Messages:
    3
    Joined:
    Jan 14, 2011
    I've been doing a bit of researching on storing login data securely and obviously the last thing you want to do is store the data in plain text. As I logged on to mint.com today I realized that in order to connect and download data from other financial institutions they must first give them the user's login data. I'm assuming that since not everybody uses the same method of encryption, they can't just send them their user's hashed password, but plain text or just using two way encryption. My question is how do they securely store this data if they are relying on two way encryption methods and is it possible to cheaply do myself?
     
  2. gimp

    gimp Pound Me Too

    Messages:
    10,179
    Joined:
    Jul 25, 2008
    while I haven't used mint so I don't really know how it works...

    my guess would be SSL. Just like when you log in to your account, you're entering your info into an SSL-secured page.
     
  3. Skud

    Skud Gawd

    Messages:
    589
    Joined:
    Sep 4, 2002
    The data they transmit may be in plain text, but the session is most likely secured via SSL.
     
  4. StarTrek4U

    StarTrek4U Gawd

    Messages:
    1,011
    Joined:
    Jan 8, 2003
  5. InvisiBill

    InvisiBill 2[H]4U

    Messages:
    2,619
    Joined:
    Jan 2, 2003
    And the only part of that which is really applicable to this thread is "Your bank login credentials are encrypted."

    If they simply impersonate you and login to the other financial institutions just like you would, then they have to have the credentials available in plaintext (just like you type them in). They may store them with some form of encryption, but their automated system that connects to your other accounts would have to be able to decrypt it to get the plaintext credentials in order to login. Keeping something in a safe is good, but to be able to use it, you need to have the key to the safe. If the decryption key is kept on the same system as the encrypted data, it's sort of like taping the key to the side of the safe. I'm assuming that Mint wouldn't actually keep the decryption key and the encrypted data on the same system, but if someone can get unauthorized access to the encrypted data, they can probably get to the decryption key too.

    If Mint has special access to those financial institutions, it's possible they could connect securely without needing to store your actual password in a retrievable format. For example, forum software stores a hash of your password rather than the actual password. When you login, it hashes what you typed and checks to see if that matches the hash it has on file. If it matches, then that means you typed the right password. If it doesn't, then you didn't. This way the software can validate logins without having to store an actual copy of the password. Similarly, Mint could have a setup like this with the financial institutions, where it stores a hashed or encrypted copy of your password, and the other end verifies it against the hashed/encrypted version of your password too. This would require them to setup a system to do this, as obviously just typing the hashed/encrypted password into the login fields isn't going to work.
     
  6. compslckr

    compslckr [H]ardForum Junkie

    Messages:
    8,904
    Joined:
    Jun 5, 2002
    Sending it from Mint to your bank is the same as logging in directly through a bank. It is an ssl encrypted connection.

    There are plenty of nasty ways to have your ssl traffic intercepted, stripped and viewed in plain text. (sslstrip for example). Your best bet is to avoid unsecured wireless networks and always make sure that you you are connected to legitimate sites through legitimate means, or use a VPN tunnel to access sensitive information.

    http://en.wikipedia.org/wiki/Secure_Sockets_Layer

    [​IMG]

    [​IMG]

    notice how the "s" is missing from https://chase.com? That means that something happened to its ssl encrypted connection (in that case my laptop was running ssl strip and arp spoofing, letting the "ssl" traffic flow through one interface and spewing it back out another with the encryption stripped off. Basically the laptop was able to view anything the user input in clear text (username "test" password 1234567)

    chase uses some other security measures, so even once you had a username and password you would still need access to their email to get a verification code. Not all that hard to do if you were already able to sniff out their username and password though.

    Not saying that any of this is a good idea, or even legal, but I think Mint's connection to your bank is really the least of your concerns in the scary world of modern computing.
     
  7. Thuleman

    Thuleman [H]ardness Supreme

    Messages:
    5,841
    Joined:
    Apr 13, 2004
    Issues like that is why I don't use mint.com
    I give props to the guy who came up with it, and good on him that he sold it for a billion dollars, but you couldn't pay me to enter all my accounts into mint.com and still sleep at night. That's just asking for trouble imho.
     
  8. compslckr

    compslckr [H]ardForum Junkie

    Messages:
    8,904
    Joined:
    Jun 5, 2002
    Its owned by the same people who do TurboTax. It made it amazingly easy to do my taxes this year since turbo tax can pull everything from Mint, ADP and schwab. I did not need a single piece of paper to do my taxes this year :cool:
     
  9. InvisiBill

    InvisiBill 2[H]4U

    Messages:
    2,619
    Joined:
    Jan 2, 2003
    Except he was specifically asking about storage of the credentials, not transmission.

    The method of transmission (simply impersonating you over SSL with the supplied credentials vs. some other authentication system set up with the financial institution) would obviously determine whether or not Mint actually needs to save your plaintext login credentials in a retrievable form. The FAQ states that they're storing and transmitting your info with encryption.

    However, if they're just impersonating you with your plaintext credentials on the standard login page, that means Mint has some way to decrypt your encrypted credentials (unlike a forum that only stores a hash of your password). If Mint can decrypt that information, so could a successful attacker. If someone were able to gain unauthorized access to Mint's systems, they now have login information for every single one of your financial accounts. They seem to be good about making sure that doesn't happen, but anything is possible. You're potentially giving up security and privacy in order to gain convenience.
     
  10. compslckr

    compslckr [H]ardForum Junkie

    Messages:
    8,904
    Joined:
    Jun 5, 2002
    For me the benefits outweigh the risks. Even if someone compromises my mint.com account they only have read-only access to my financial information. My mint.com password is different from any of my other passwords, so it is not really any additional risk.

    I don't really care is some scumbag can see my financial information (or lack there of).

    The passwords being stored somewhere is of some concern, but I still enjoy the benefits of using mint.

    Having credit card, addresses, and other info stored all over the net has been the norm for years now (amazon 1-click buying etc.)