The real reason "Wesabe lost" (to Mint) (davidglarson.com)
47 points by QuantumGood on Oct 3, 2010 | 41 comments



After following this debate of wesabe vs. mint (and thinking it was about delicious things like wasabi and mint when I first heard about it) I wanted to try out Mint.

It wanted my online banking username/password ... who the hell gives the username and password of their bank to a website? In light of unimportant social networks like twitter and facebook making damn sure you aren't sharing the username/password combination around ... people give their ... I'm confused.

How do these sites stay in business? Do people really care that little about security?


Have you MET the rest of humanity? :-) Of course they really care that little. Their primary password is their pet's name or "password1".

Seriously, though-- I know plenty of really smart geeks who used mint. AFAIK, they signed up MILLIONS of users and had exactly zero confirmed (or suspected?) security breaches.

People care a lot more about their immediate needs and desires than potential risks. How many people eat well and exercise? If you ask "how do these sites stay in business?", I assume you're also confused as to why most people are dangerously fat? And why people ride motorcycles when the fatality rate for doing so is about 3x that of cars?


I'm not sure if you don't realize it but the entire purpose and key feature of Mint (and perhaps Wesabe as well, I've never tried it) is to aggregate all of your banking information in one place. Of course to do so they need the credentials to your various accounts, as the banks don't offer any sort of open APIs or OpenID or anything like that.

If you're not comfortable with this then of course the product is not for you. You can read more about Mint's claims of security and privacy at http://www.mint.com/privacy/


Yeah I honestly don't feel safe sharing that kind of info. I would much rather use my bank's "export data" feature once a week or so and upload it there.

Also, maybe my bank is weird, but how can Mint have access with just the user/pass combination? I can't do anything online without an RSA certificate ...


I don't think it is public info how they accomplish it but it seems that they are simply scraping the site, for a good number of my personal accounts at least. Mint has me answer a number of the individual bank's "security questions" to be able to fully set up the bank account in Mint. If the bank changes the login procedure in any way, then I have to re-edit the info about the bank that Mint has.


Mint uses Yodlee [1] for website scraping. Wesabe built their own and apparently inferior scraper, and this could be one of the reasons why they lost to Mint.[2]

[1] http://www.yodlee.com/

[2] http://blog.precipice.org/why-wesabe-lost-to-mint


Apparently after being acquired by Intuit, Mint started using the Intuit aggregation framework. They seem to have made the transition fairly transparent as I had no idea it had switched.


That's intriguing - I thought one of their privacy promises was that they don't hold on to the login information for your various accounts, that it lived with Yodlee.

Seems like to do a transition they'd have to break that promise.


Interesting. I thought my bank's security was lacking, but at least it is impossible to scrape my data off it even if I give you the password. You have to go through the browser's main security certificate thingy to "decode" the RSA key that is then sent to the bank. It's impossible to log in without it or get to any sort of data (afaik)


There are solid laws and remedies in place for when someone steals money from your bank account. This happens all the time at banks and they just replace your money without even telling you. Mint and Intuit have every incentive in the world to protect your money.

Giving out your twitter/facebook/gmail password is much more dangerous because there are no easily enforceable laws in place for when someone spams all your contacts, damages your reputation, or locks you out of your web accounts.


What laws are in place? FDIC doesn't cover theft/fraud.


I think theft and fraud both count as laws that are in place.

The FDIC has an entirely different purpose. The banks themselves usually cover customer losses themselves due to hacking. Identity theft can be more difficult to recover from, of course, but if Intuit/Mint/Yodlee had a major security breach, it would need to be cleaned up very quickly.

It is relatively commonplace to prosecute monetary theft compared to prosecuting "gmail theft" or "twitter spamming."


As an aside AFAIK many financial advisors have used aggregation services (CashEdge, ByAllAccounts, uMonitor), which require their clients to log in and provide essentially the same access to their financial institutions, for quite some time. I believe Yodlee was one of the first to make their aggregation services available to a consumer based business vs. an advisor.

In addition the onus of primary security (username/password) rests with the service provider (Yodlee), if I understand things correctly Mint would only store a unique identifier to access a user's information via a Yodlee API call. So after transaction data has been scrubbed it would be extremely difficult for a hacker to access a user's bank account information from Mint.

You're still very much correct if Yodlee has a security slip, but their business depends on securing that information.


This is one reason why Mint would never work in the UK. We have real security on our banking websites - hardware security (You get sent a hardware device to generate codes, or to put your card into etc).

(As an aside, our banks are simply crazy fast now. I logged into HSBC the other day, issued a bank transfer to a Barclays account. Logged out, logged into Barclays less than a minute later, and the money was there. Impressed I was).

Any banking website that simply accepts a username and password would scare the hell out of me.

I still don't quite understand what the value-add of Mint is though. I'm guessing that banking websites in the US aren't very useful, or that some users value being able to collect all their financial data into one place (How many bank accounts from different banks do people need?)


> Any banking website that simply accepts a username and password would scare the hell out of me.

That's still most of them, I think. Halifax used to be username+pw+one security question. Now it's username+pw+3 letters out of a second pw (called "memorable information"). And to attempt to stop keylogging (or at least I presume this is why), the select boxes for the 3 letters don't let me hit the letter, I have to use arrow keys or the mouse. Which, frankly, makes me want to club somebody to death with a baby seal, even if it -is- theoretically more secure.


I don't know the technicalities, but I always considered Halifax a 'building society' rather than a grown up bank. That is worrying. And ++ for the irritation of arrow keys+mouse etc I've seen that before on others.


> I still don't quite understand what the value-add of mint is though.

For me personally it meant I could throw out MS Money but still track where my money is going w/ much less effort. Mint is pretty good about correctly categorizing transactions, so I have to spend very little effort manually categorizing transactions.


Wesabe actually used a Firefox plugin that was a macro recorder, you just enter the form and go to the export data part of your bank's website, and then Wesabe would replay those actions once a week to get new data. Of course it still could have read your password and sent it off, but it was a little bit more control than Mint.


I wish that content aggregators could use something like Kerberos tickets to delegate authentication. That way Mint could have a read-only ticket to access my bank that didn't require my password.

I still use Mint though. I asked them about their security measures in this thread: http://satisfaction.mint.com/mint/topics/can_i_trust_the_sec... . Their response was that you're not liable for fraud if you report it to your bank promptly, and Mint's reporting features make it more likely that you catch the fraud early enough to report it. It seems like a good security tradeoff to me.


US banks are so far in the past security-wise that it'll take aeons for them to adopt something like OAuth; most of them haven't even managed things like using email or telephone calls responsibly.


The thing that kept me from ever using Mint is that they said they then give your username and password to someone else without ever specifying who that is. Now I know that it's Yodlee, but there was no way I'm giving my password to someone when I don't even know who I'm giving it to.


Perhaps people have faith in the disaster recovery routes their credit card / banks provide, whether it's well grounded or not.

What I want to know is why can't these financial institutions provide a read only username/password for users?


As someone who tried using Wesabe seriously for several months, I will tell you why they went out of business: their product was not very useful.

I spent quite a while entering receipts and tagging things and all I ever got was a few charts that showed me how much money I had spent. There was no tool for budget estimation, there was nothing to help do mortgage calculations, cripes, there was hardly a point to using the website at all with the sole exception that they had some pretty good discussion forums.

The only reason I preferred Wesabe to Mint was because Mint wanted to reach into the guts of all your accounts and that felt kinda creepy.


I also used Wesabe for several months. When mint.com launched I was tempted but I was initially turned off by the online-ness of it. I liked that Wesabe was a desktop based product and I had ownership of my data. Now that idea seems a bit quaint. I think people (including myself) have gotten a lot more comfortable with their financial data being online.

I am not using Mint (for my US-based accounts) and I like it a lot. The reason I stopped using Wesabe was because 1.) I was on Mac OS X and the desktop client they had was buggy. and b) I kept hitting bugs with the banks I used. I don't think they were able to keep up the pace. It was frustrating. I'm sure it was not lack of effort on their part. Perhaps they should have been willing to compromise more. It's really hard to say.

I really appreciated Marc dumping his thoughts on the matter.


I wonder if becoming a Q&A site for personal finance would have been a good pivot for Wesabe.


I found the receipt-entering and thing-tagging useful in and of itself. The auto-labeling was awesome for watching my accounts - you generally only had to label/tag a business once.

I vastly, vastly prefer Wesabe's auto-labeling system to Mint's POS labeling. On Mint, any transaction from Chili Ave (a major road) gets autolabeled as Chili's, the restaurant - and so on. It makes Mint worse than useless for me. I get better info logging onto my bank's 90s era site.


I stopped logging into Mint for exactly this reason — the auto-labeling it does is abysmal, and the UI for correcting it is even worse.

I have no idea what people are talking about when they fawn over Mint's user experience.


They're talking about the signup process basically. Mint is a terrible product with a fantastic signup process. All those posts about how great it is are from people who signed up, looked around for 5 minutes, then never used it again.


Plus almost all of the users that do stick around go for the high-end financial referrals that Mint pitches them based on their data. Cost Per Action fees for rewards cards and mortgages are through the roof for complete signups of high-value people.

Their conversion rates are terrific even when you include the vast majority of people like us that sign up and never use it again. They were making quite a lot of money when they were acquired.


Yeah, it wasn't overly useful, but it was the best that I could get, being an Australian (thus, my bank was unsupported on Mint). The Firefox plugin uploader of Wesabe meant that any bank could be supported, I'm interested as to why Mint couldn't offer a similar thing?


(This is Marc from Wesabe.)

I definitely, and intentionally, left out a lot of the detail about why we decided to turn the site off. My post was already huge and that final decision wasn't what I was writing about; I was writing about the competition between the companies and how people perceived it. Also, some parts of that decision are personal and I didn't want to write about them. Of course, though, we didn't just try one thing and then give up. We tried everything we could think of to keep it going.

That said, I addressed some of the reasons for the decision to shut down in the post announcing our closure:

http://blog.wesabe.com/2010/06/30/wesabe-is-discontinuing-it...


This is the single question I had in mind reading the other article. Why did Mint's success have to mean death for Wesabe? He even identifies a yet unsolved problem that the service is not accurate or helpful enough. Were the costs too prohibitive? I think you can cut the costs, downscale, and continue until finding the right spot and rise again. Also I expect the market to be very big and particularly accommodating for several startups in this area.


I highly doubt they just gave up. I am more inclined to believe that they were facing declining revenue with no money in the bank.


Yes, I am very uncomfortable with the logic that since Wesabe didn't lay out their every effort to save the company, they must therefore not have put any thought into it. That's an unjustified leap; perhaps they didn't think it made for a very interesting read, if nothing else.


The author claims that businesses often reinvent themselves in order to survive. As I understand it Wesabe _did_ reinvent themselves. I believe they were working closely with banks to have them implement some Wesabe related tools directly for the banks' customers. I didn't work at Wesabe so I may be wrong about this.

Personally, I stopped using Wesabe for the same reasons that DannoHung mentions in his comment. I wasn't getting a good 10,000ft view of what was happening to my money and there were no tools available to help me budget. Shame though because I'm not exactly thrilled about giving Mint/Intuit/Yodlee my personal info.


This is just opinion, not based on any facts or circumstances that the companies might have faced.


"Successful businesses often reinvent themselves for greater success in ways completely unanticipated beforehand."

Thank you, thank you, thank you for not using the "pivot" buzzword.


Reading http://blog.precipice.org/why-wesabe-lost-to-mint made it seem like they "lost" because they gave up.

Successful businesses often reinvent themselves for greater success in ways completely unanticipated beforehand. Most successful businesses in fact face more than one “going out of business” crisis in their lifetime.

The longer your business survives, the more chances there are to find new ways to thrive. Marc mentions they were near to running "indefinitely on revenue," but doesn't address why they didn't go that route. Sure, they were NEARLY failing, but running a business isn’t a sprint, it’s a marathon. You only "lose" when you go out of business.

And yes, Mint was "winning." But still, the fact that Marc chooses not to focus on what they could have done just to survive makes it seem like he doesn't understand that staying in business is crucial, even when you're "losing."


The author was making some sense until he held Tesla up as an example of not giving up. Using the government to raise further capital from others against their will is hardly a good example.


Who's the author? His about page brings up nothing.


Personally, I don't think Marc gets it at all. He says the goal was to get people to change their financial behavior, and this is a noble goal. Maybe, but so is building a weight loss application for people who don't want to lose weight.



