Web 2.0 and Personal Finance: Why I’m Not Using Yodlee, Mint, or Wesabe – Yet

I get contacted quite regularly by groups who are creating Web 2.0 personal finance applications, and I’ve taken test drives of a lot of them. I’ve even been asked to advise on a few that are in the pipeline. If you’d like to sample a few, I’ve linked to a few of the best ones at the bottom.

What are they? These tools are basically online versions of Quicken. They allow you to aggregate all of your personal finance data in one place so you can get a clear picture of how you’re doing. Most of them have very slick user interfaces, too. Even better, they allow you to share some aspects of the data so you can compare goals with other users.

Yet, even though the features of many of them are amazing and I can easily see the usefulness of them, I haven’t yet reviewed any of them in detail, nor do I plan to.

Why not? All of these systems have one key issue that concerns me: personal security. I’m not talking about whether your data is safe from hackers. What concerns me is trusting my key personal finance information to a Silicon Valley startup company. Almost all of these products come from relatively small, non-public startups that are currently running on venture capital money.

To me, this is a giant red flag waving around in the sky. I watched an awful lot of dot-coms blow up in 2001 and their data went away to … who knows where. Where will the data go if these companies go under? Will the owners dispose of that data ethically? Will they sell it? Most of them have privacy disclaimers, but a legal document doesn’t really help if your bank login information and your credit card data is floating around on a laptop in Armenia.

The one key piece that these organizations forget is that your personal information and logins are extremely valuable. Your logins provide access to your money and your personal data, and if these logins fall into the wrong hands, bad things can potentially happen – lost funds, identity theft, and so on.

The best solution to this is to minimize the number of places that have your key personal data. I trust my banks and my credit card holders – and that’s pretty much it. The fewer places that my personal data resides, the better.

This sounds like an indictment of these tools, but it’s not – they have a lot of potential. But that potential lies with integration with the banks themselves, like ING or HSBC. Make it so that the access to your accounts lie with the bank itself, the entity that already has your information, and the risk to personal data issues is reduced. These tools shouldn’t be a separate entity from these institutions, but integrated into their online interface.

In other words, Mint et. al. should evolve to be the front end for online banking services. I like the ING Direct interface (after all, it’s my primary bank), but if that site had the interface of Mint, with all of the interesting tools and such and was already within the secure environment of a bank that already had my data, I’d feel far more secure about trying out such a tool.

In the future, I hope to jump into such a tool head first – my enthusiasm would know no limits. But the security issues keep me from signing up with this first generation of Web 2.0 personal finance tools.

Want to see what I’m talking about? Here are three of the best Web 2.0 online personal finance tools. I recommend looking at them, but I don’t recommend giving them any personal information.

Mint is the “hot” one at the moment, having recently won the TechCrunch 40 “contest.” I also think their user interface has the most potential if used in the ways I describe above.
Wesabe is probably the most personable of the lot – the CEO will directly answer your questions. I also think their security model is the best of those out there right now, but it still makes me nervous.
Yodlee is the most established of the group, but the interface isn’t nearly as slick.

If you enjoyed reading this, sign up for free updates!

Loading Disqus Comments ...
Loading Facebook Comments ...
  1. Eric Falcao says:

    I believe mint stores all their data on yodlee (they license from yodlee). Yodlee’s technology is actually licensed by large and reputable financial institutions.

    I guess my overall opinion is that yodlee is “safe” (given their history and business relationships). By extension, that makes mint “safe” (i’m pretty sure they only aggregate yodlee data to try and provide insight).

    I have been using yodlee for years and I love it. It keeps getting better and better. I think mint is way too over-the-top, over designed, web 2.0.

  2. Zook says:

    I use Bank of America’s ‘My Portfolio’ which I believe uses Yodlee’s software.

    I THINK this covers my tush about security. Would you feel safetr knowing BOA is running the software?

    It is really amazing to have all of your transactions filtered into neat graphs and to have ALL brokerage accounts at one place. It’s actually addictive checking to see the ups and downs on a daily basis. I try to refrain from it, but its just so darn easy.

    It’s almost like having a financial advisor do up a cash flow and net worth statement at any time.

  3. Mike says:

    Eric is right. Mint uses the Yodlee backend to access and store the data. Most banks that have their own online finance managers (such as Bank of America’s “My Portfolio”) are also using the same Yodlee technology.

    The biggest difference between all these services that use the Yodlee technology is really just how they secure your data. For example, a quick read of Mint’s website states that all the data on their servers is highly encrypted, and those servers are physically protected in locations that require biometric data to access.

    I haven’t used Mint or Yodlee’s own website yet, but given the fact they are using a combination of the highest levels of digital and real security to protect customer data, I would not have too many qualms about it.

  4. I agree with Trent. I just can’t take the plunge to use one of these sites. Just using my own online bank accounts is enough risk, I don’t need to put more personal info out there in more and more places.

    What happens to your data when Mint (or any of them) gets purchased by a large corporation???

  5. As a couple of people have already mentioned–Yodlee powers Bank of America’s My Portfolio feature, which is absolutely brilliant. If I switch away from B of A, I’ll probably join Yodlee–that’s how important that feature has become to my money management.

  6. Samir says:

    I have settled on Yodlee, as its been used by most of the banks. Though i’m also worried (paranoid) about the security concerns, i’m currently using yodlee for aggregating all the credit card and categorizing them to get a spending snapshot. So at the end of month i can get clear picture of my expenses from one website rather jumping around few credit card websites.

  7. Trent Hamm Trent says:

    Bank of America has strict laws governing what they can do with your personal information, as do other banks. On the other hand, most of these startups exist in what amounts to the Wild West. I’d be willing to use BoA’s “My Portfolio” (I think) because it’s through BoA and thus subject to banking industry regulations.

  8. Mary says:

    I had some initial concerns too. I use Mint but only for credit card accounts not bank accounts with real money in it.

    Also, Fidelity has a “Full View” feature which is also run by Yodlee and I love it. I can see all of my transactions for all of my accounts at the same time. Mint uses the same “Yodlee” technology as well.

    Having all of the accounts in the same place makes it easier to login and change my password as well if I get too concerned about anything.

    Having the account # means nothing since it is printed at the bottom of a check.

  9. Debty Betty says:

    I have tried all of the above applications that you mention, plus more (Budget Pulse, etc.). I came to two realizations after trying so many.

    1) No application will ever be as flexible and fit my needs as much as a good ‘ole, self-designed, spreadsheet.

    2) After I designed my own spreadsheets to track my finances, I went back and tried to delete my accounts with many of those applications. No easy task! Mint has no “delete my account” selection, and neither do many others.

    So now I am very nervous as well that my account information is just floating around out there somewhere.

  10. girlrobot says:

    good point, i’ve actually signed up for mint and wesabe (i prefer mint so far) but i had qualms about the security as well but i really wanted a way to manage my money that’s easy and these online services seemed the best. still debating if it’s worth it…i guess we’ll see!

  11. guinness416 says:

    I couldn’t agree more with Trent, but I’m a cynic like that. Further I’m not convinced that us ordinary Janes with just retirement accounts, mortgages and bank/investment accounts need multi-coloured graphs and multiple reports and other bells and whistles to manage our finances. The last thing I personally want is to become more OCD about account balances!

  12. When TWiT did a podcast episode that talked about this I blogged about their concerns and looked at Mint.com & Wesabe.com. I like Wesabe’s security model because it doesn’t directly access your account. The CEO of Mint.com left a comment on my post and assured me that they were more secure than bank sites. This is definitely an area for people to keep their eyes peeled as its a great concept, but security is, as you say, critical!

  13. Jon says:

    For the last 2 months, I’ve made every single purchase on a credit card with a cash-back reward. I love seeing pie charts and bar graphs on Mint showing how much I spent in each category. It’s sure easier than sitting down with a printout of the account activity and manually calculating it (which I did last month).

  14. Jim says:

    I also do not use any of these services. The security thing is one issue. The other issue I have is if these places go out of business, all my historical data is gone. I like the data it sitting on my computer (and offsite backup location), where I know I can get to it.

  15. kman says:

    I had used MVelopes for the past 2-3 months. It was pretty cool as far as financial software goes. I found it wasn’t worth the time I had to put into it.
    My budgeting system is fairly simple and we have built in wiggle room, mvelopes would be good for someone with a tighter budgeting need.

  16. Anthony says:

    Thank you! Finally someone else is concerned about their personal data. I don’t care who uses what as a backend. My worry is how are they going to make money? Most of these services are going to need to make a profit someday to stay alive. I’m guessing that most of these companies are going to turn to data mining to sell advertising to actually make money.

  17. Aaron Patzer says:

    Trent,

    As it says on out “How Mint Keeps You Safe” page (http://www.mint.com/safe.html), “your data is yours”. If you’re worried Mint may one day go under, you can purge your account from our system at anytime. This is done upon request now, and we will be adding a way to purge your account online in a few weeks.

    Considering startups being in the unregulated “Wild West” you are limited by law to $0 liability on a credit card, and $50 liability on a bank account. You retain that protection when using Mint.com.

    Also, remember that Mint.com never asks for your name, address, or SSN. We know about your finances, but not about who you are.

    As I’ve said before on other forums, you are _safer_ using Mint.com than not using it. 90% of all fraud actually occurs offline, not online (e.g. someone swipes your card at a restaurant or from your mail). Because Mint sends proactive alerts for low-balance or unusually high spending, you’ll know right away. It’s better than logging into 4-5 different banks every day, or waiting 30 days for a paper statement before finding that something went wrong.

    Aaron Patzer
    Founder & CEO, Mint.com

  18. mcallen says:

    is it possible to create a straightforward mashup of an interface similiar to Mint etc.?

  19. lorax says:

    Aside from the security concerns, mint is rather buggy at the moment: http://kurt.karmalab.org/articles/2007/10/08/programmers-need-to-learn-how-to-do-math

  20. Mariette says:

    It always struck me as a great idea, but I never thought about the security question. I also haven’t actually used any of them either – I feel more comfortable with my excel spreadsheets at home or Quicken, so perhaps I was concerned about the security thing on a subconscious level.

  21. Matt G. says:

    Great post Trent. I’ve looked into these and decided against it and decided to stick with excel. I asked a little while ago if you might be willing to share what you do in excel to track your finances, but never got a response. Would you be willing to share your template? I would love to see it. Thanks!

  22. Jeremy says:

    A good discussion but people should do their research before posting about or commenting about a product. Yodlee, as a company, isn’t even in the same category as the others mentioned: it’s not a web startup. Their main product is sold to big banks (thus the monetization that some commentors think is non-existent), but they also allow individual access to their product for testing and marketing purposes. If you’re “afraid” of using Yodlee technology then you should also be afraid to login to your own bank’s website/aggregator, by extension (since Yodlee is running it).

  23. @DebtBetty
    I would be greatly concerned about a delete option as well. It’s so difficult to cancel most services online I have a hard time believing I could really break from one of these services if I wanted to. Just seems like a road not worth traveling to me.

  24. Jordan says:

    Security is always the number one concern at Yodlee. Yodlee goes through constant audits by government and security oganizations:
    “Yodlee’s security is tested on a continuous basis by industry leading security firms, the FFIEC, and leading financial institutions. Yodlee’s security meets industry standards such as SAS 70 Type II, ISO 17799 Compliance, and Visa CISP Level One Compliance.”

    http://corporate.yodlee.com/technology/security_overview.htm

    I’m a generally believer that people people are safing storing all of their credentials in a trusted 3rd party provider. It allows them to use strong and unique credentials everywhere. It allows them to check all of their accounts every day. It allows them to get fraud-alerts on all their accounts, even at institutions that don’t directly support it.

    ..Jordan, Yodlee Inc.

  25. I share the same concerns as you do. I worked at a dotcom that went up in smoke. We didn’t handle any customer information but when we all got laid off, nobody really knew what happened to the company and client data we collected. I also personally doubt I’d put any of my financial information into an online application. Do these startups have the same compliance rules as big banks and institutions? These regulations are *very* strictly followed by financial institutions and I wonder if the smaller startups have the proper procedures in place to ensure our data’s security.

  26. mapgirl says:

    While I agree with the Mint CEO that most identity fraud takes place offline, say from stealing someone’s mail and opening a credit card without their knowledge, I still don’t trust a site that aggregates a lot of data in one spot to be lifted. It creeps me out. I am just paranoid about security that way. I know a few professional white hat hackers and the fact of the matter is, if they were really determined to break-in, they’ll find a way. They get paid to hack and find the holes.

    If these sites aren’t targets now, they will be. It’s just a matter of time.

  27. Tyler says:

    There is already something out there that gives you a daily picture of what you spent your money on, what your balances are, etc. It’s called MS Money and/or Quicken. Why someone would want to know the balances at all times of the day is beyond me. If you do your finances correctly, reviewing your Money or Quicken once or twice a week is all you need.

    Security is not really an issue with the softwares because it resides on your PC. It’s up to you to protect it.

    Forget these 2.0 machines out there. Trust only yourself and you’ll get more sleep.

  28. azphx1972 says:

    Good post. I am reluctant to trust third party sites with my private logon data because of the liability issues.

    For example, it’s one thing if Bank of America gets hacked and my username or password is stolen, and I’m sure they would reimburse me for any damages. However, if I voluntarily provide my logon info to a third party site and they become compromised, I highly doubt B of A would be so generous.

    I work in IT, and I know there’s no such thing as a 100% secure software solution. I am not willing to take the gamble (no matter how small) that my information will be safe from thieves, external or internal. One of the most important rules of safe computing is to never share your password with others.

  29. cms says:

    The concern about security is exactly the same as the early days of all the electronic innovations with our money. How many people waited years before using an ATM? (How many still don’t use them?) And then, how many waited even more years before they would make a deposit to an ATM? I even remember people not wanting direct deposit of paychecks when they were first offered by large companies. That one really blew my mind.

    People resist change, and when it comes to their money, if it’s different than they’ve done it in the past, they don’t trust it. It’s understandable to some degree, but just because you don’t trust it, doesn’t mean it is not trustworthy.

  30. dong says:

    I’m generally not that paranoid so I use Yodlee and Mint and feel comfortable with it. I’m not all that worried about it because 1) I check my account regularly so I think I’d be tipped off if there were a problem 2) even if someone hacked into my account, I’m not sure how much damage they could do with my online account. In general my credit card numbers and checking numbers do not appear as a part of the online account. I guess they could schedule a payment. Obviously if they could hack into the bank systems and get my account information they could do damage. However as it is right now if they hack into Yodlee they can only get my logon information and not my account information for most accounts. It’s the hack into the bank system that is the larger issue.

  31. chris says:

    the way i look at it is if mint were hacked and thousands of private logins became available, how long would it take for this data to become public? and in that time what are the odds that the hackers have cleaned out my account before I change my password?

    I played around with mint yesterday after reading this post, I enjoy it more than wesabe because it’s a bit cleaner to categorize my spending. I like the tags on wesabe more than on mint, but mint still wins so far.

    I only wish i could get my data for the entire year to date on there. I’m just too lazy to spreadsheet it all

  32. Swamproot says:

    I would say that if you already use anything online, you should be far more concerned about your own computer’s security than an online third party. I think the cause of a lot of the “fast and loose concerns” of the Dot.com era have diminished as a lot of those companies were Information Superhighway Roadkill when the bubble burst.

    The ones that remain will probably have their stuff together, especially if they anything to do with banking, more so than the average computer user will keep their own computer system secure.

    While I am aware of some recent well publicized hacks of some major sites, my biggest concern is something (a worm, email virus) beating the virus protection (possibly before THEY are able to put out an update it) on my personal computer, installing a key-logger and stealing my passwords that way. Since I do not have dedicated professionals charged with the security of my personal computer, I feel this is a weaker link than most of the threats to third party providers.

    The only financial institution that I use that has addressed this possibility is ING Direct (with their little picture keypad thing where you either use your mouse to punch in, or you type an ever changing combination of letters representing those numbers).

    I have also used Wesabe, and felt better using the Firefox add-in they provide. If I understand it correctly, it stores your information locally on your computer, and uploads only the financial transaction data within the account, not the actual account data. I liked it when I used to charge everything, but I have since drank the Dave Ramsey Koolaid and have tried to move to using more cash.

    While there are some facilities in Wesabe that take care of that, there is a loss of some of the auto-mojo that you get from the service that detracts from its usefulness when you are more cash based.

    Sorry for the long post.

  33. Lazy Man says:

    Here’s the thing… you’ll never see these applications usefully integrated to an online bank. Pretend that HSBC buys Mint and integrates it’s software securely. Does HSBC get information about my credit cards that I want Mint to keep track of? That’s scary to me. So then I have Mint only monitoring my HSBC account since I don’t want them knowing about my other accounts. Suddenly the Mint functionality isn’t that useful, no one uses it, and it dies.

    These aggregators have to live outside of the financial institutions themselves to be useful.

  34. azphx1972 says:

    “The concern about security is exactly the same as the early days of all the electronic innovations with our money. How many people waited years before using an ATM? (How many still don’t use them?) And then, how many waited even more years before they would make a deposit to an ATM? I even remember people not wanting direct deposit of paychecks when they were first offered by large companies. That one really blew my mind.”

    This is not the same at all. ATMs are backed by banks (or their associated networks), so if someone actually stole your money, you have assurance from your financial institution that you will get your money back. These aggregate sites, on the other hand, is like giving your ATM card and PIN to a friend, and trusting that friend not to lose it. Banks have no obligation to give your money back if your friend gets robbed and the thieves steal funds from your account.

    I have some ideas about how to make these sites more secure, and will post about it on my blog.

  35. Bill says:

    It doesn’t matter if you don’t provide your Social Security number.

    Once you have a relationship with a business, it is legally permitted to pull your credit report and get it anyway.

    When I moved to my current city of residence, I paid hefty deposits to the local utilities rather than provide my SS number for a credit check.

    But they pulled my SS number anyway, and they ask for the last 4 digits before they’ll do anything for you over the phone.

    Most posters missed Trent’s point – if any of these companies run into trouble, there’s no obligation on the part of their purchasers to observe the previous company’s privacy policies.

    Do you really believe you can force a bankruptcy trustee NOT to sell your personal info, if such info is an asset of the business?

  36. Chris says:

    This may be a long post so please bear with me!!

    Paranoia around online security is mostly unfounded. Trust of big financial institutions is also misplaced. I have been an IT security consultant for 12 years and have specialised in the financial sector. I have worked at 3 of the top 5 worldwide Banks and 12 of the top 50. I have a couple of comments to make about both personal security and the perception around big financial institutions expressed here.

    Firstly companies like Yodlee whom I have had some dealings with over the revent years are very, very secure. Their very existence depends on it. Yodlee have somewhere in the region of 10 million end users at present and aggregate $400m every day. Your credentials are stored with 256 bit encryption. This makes it impossible for anyone to physically view any credentials. The encryption key is split and half stored at Yodlee and the other half stored by the Federal Reserve. The physical and logical security of these establishments is for want of a better word inpenetrable. So in simple terms to get access to an account you would need to get the encrypted credentials from Yodlee. Get access to and steal the correct algorythmic encryption key at Yodlee, Get access to and steal the correct corresponding algorythmic encryption key at the Federal Reserve. Bearing in mind Yodlee have 10 million end users and the levels of securty being employed I would say in my opinion that this is more or less impossible.

    Secondly the big financial institutions many of you seem so keen to trust are from my experience of working with them completely untrustworthy. They really dont care a whole lot about your data. I have personally witnessed events around personal data, and internet security which would make you think twice about depositing a dime let alone your life savings. The only saving grace for some of them is that they actually use Yodlee to run their online banking operation for them. A move which makes their web presence infinitely more secure.

    Another point to make is that the very last place you should ever store passwords or sensitive data is on your home PC. DO you think that it is easier to break into the federal reserve or into your house? Any laptop/desktop PC will always be a burglars first priority when ransacking your home for valuables.

    Thanks for reading, and apologies for the rant.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>