Comments on: Protecting Your Financial Data: Mint’s Approach to Security http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/ The blog of the free, simple personal finance solution. Track all your spending automatically, find the best deals, save more money. And save the world. Fri, 20 Nov 2009 20:48:42 -0800 http://wordpress.org/?v=2.8.4 hourly 1 By: Lestat http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/comment-page-1/#comment-32808 Lestat Sat, 11 Jul 2009 10:30:48 +0000 http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/#comment-32808 I guess it is a great thing that something can now secure our financial information. It somehow lessened our worries of having our accounts or even identity hacked by some skilled hacker. I guess it is a great thing that something can now secure our financial information. It somehow lessened our worries of having our accounts or even identity hacked by some skilled hacker. ]]> By: Darren http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/comment-page-1/#comment-13850 Darren Thu, 03 Jan 2008 00:16:42 +0000 http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/#comment-13850 Hi Aaron, Have you seen this? http://www.davidairey.co.uk/google-gmail-security-hijack/ That's an interesting hack: basically any website that you might be logged into that anyone else can sign up for as well, could possibly become a target. A user just has to mimic a form post. Your site's security seems to handle this by nature: there would be no account number, password etc that a person could steal. But I thought it would be worth mentioning, since the solution seems simple enough: submit and validate the current session ID for every request. A hacker couldn't duplicate that without cross-site scripting or something. Looks like a great product, I'm seriously thinking about it! Cheers! ~Darren Hi Aaron,
Have you seen this?
http://www.davidairey.co.uk/google-gmail-security-hijack/
That’s an interesting hack: basically any website that you might be logged into that anyone else can sign up for as well, could possibly become a target. A user just has to mimic a form post. Your site’s security seems to handle this by nature: there would be no account number, password etc that a person could steal. But I thought it would be worth mentioning, since the solution seems simple enough: submit and validate the current session ID for every request. A hacker couldn’t duplicate that without cross-site scripting or something.

Looks like a great product, I’m seriously thinking about it!
Cheers!
~Darren

]]> By: Aaron Patzer http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/comment-page-1/#comment-13835 Aaron Patzer Wed, 02 Jan 2008 19:20:38 +0000 http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/#comment-13835 John, Specifically what I mean is that no data vulnerabilities have been found in our end production code shipped to users. A long while ago (early 2007, before launch), we had a PHP error in one dynamic banner ad page that could have allowed cross-site scripting. However, this was not on the product domain (https://wwws.mint.com), nor could any data have been exposed even if the product had been launched. John,

Specifically what I mean is that no data vulnerabilities have been found in our end production code shipped to users.

A long while ago (early 2007, before launch), we had a PHP error in one dynamic banner ad page that could have allowed cross-site scripting. However, this was not on the product domain (https://wwws.mint.com), nor could any data have been exposed even if the product had been launched.

]]> By: Wendy Leece http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/comment-page-1/#comment-13771 Wendy Leece Wed, 02 Jan 2008 06:10:47 +0000 http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/#comment-13771 I signed on today. But now that I am signed on, I am a little dubious that all that personal info is in someone else's hands and they have access to it. How do I know I am protected? I signed on today. But now that I am signed on, I am a little dubious that all that personal info is in someone else’s hands and they have access to it. How do I know I am protected? ]]> By: john andrews http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/comment-page-1/#comment-13418 john andrews Sat, 29 Dec 2007 00:13:06 +0000 http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/#comment-13418 Wow. I applaud your transparency (the comment here, for example). But I am put off by "to date, no one has found any data vulnerabilities". That seems so unnatural, it suggests trouble. Either your employees are inhuman, or your audits are limited, or reporting is not comprehensive, or something. There are always msitakes, and the more you catch the safer you are, right? But you're not catching any (?) I appreciate the secure colo bit, but again... I've been in datacenters with "biometric security" that was turned off pending a visit from the repairman, "locked" cages where the key was kept in the lock for convenience, etc. Rather than describe how "pick proof" your locks are, what's happens when someone notices scratches on the lock? Or won't they notice? I want to trust you guys... I really do ;-) Wow. I applaud your transparency (the comment here, for example). But I am put off by “to date, no one has found any data vulnerabilities”. That seems so unnatural, it suggests trouble. Either your employees are inhuman, or your audits are limited, or reporting is not comprehensive, or something. There are always msitakes, and the more you catch the safer you are, right? But you’re not catching any (?)

I appreciate the secure colo bit, but again… I’ve been in datacenters with “biometric security” that was turned off pending a visit from the repairman, “locked” cages where the key was kept in the lock for convenience, etc. Rather than describe how “pick proof” your locks are, what’s happens when someone notices scratches on the lock? Or won’t they notice?

I want to trust you guys… I really do ;-)

]]> By: Aaron Patzer http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/comment-page-1/#comment-12921 Aaron Patzer Sat, 22 Dec 2007 05:35:38 +0000 http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/#comment-12921 David, Yes, we do have internal security audits, network architecture audits, and physical infrastructure audits as well. We work with two outside agencies for security consulting and penetration testing...to date, no one has found any data vulnerabilities. I didn't mention in the main post, but we also have serious physical security. Our servers are in an unmarked colocation facility which requires a biometric scanner to unlock. After guards, the "man-trap" hallway, several more biometric scanners, and cameras monitoring both the servers and power supplies 24/7, we have our own locked cage (not shared with any other companies), locked server racks, and encrypted hard-drives beyond that. In total, there are 7-layers of physical security...we take this stuff seriously. Aaron David,

Yes, we do have internal security audits, network architecture audits, and physical infrastructure audits as well. We work with two outside agencies for security consulting and penetration testing…to date, no one has found any data vulnerabilities.

I didn’t mention in the main post, but we also have serious physical security. Our servers are in an unmarked colocation facility which requires a biometric scanner to unlock. After guards, the “man-trap” hallway, several more biometric scanners, and cameras monitoring both the servers and power supplies 24/7, we have our own locked cage (not shared with any other companies), locked server racks, and encrypted hard-drives beyond that. In total, there are 7-layers of physical security…we take this stuff seriously.

Aaron

]]> By: David Mackey http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/comment-page-1/#comment-12911 David Mackey Sat, 22 Dec 2007 02:39:33 +0000 http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/#comment-12911 I like a lot of what you guys have to say about security. Do you have internal security audits besides HackerSafe? HackerSafe, in its default scans, does not scan any pages that are behind an authentication page. Thus while the outside pages might be secure, this doesn't say anything about vulnerabilities once a user has logged in. I like a lot of what you guys have to say about security. Do you have internal security audits besides HackerSafe? HackerSafe, in its default scans, does not scan any pages that are behind an authentication page. Thus while the outside pages might be secure, this doesn’t say anything about vulnerabilities once a user has logged in. ]]> By: Aaron Patzer http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/comment-page-1/#comment-12875 Aaron Patzer Fri, 21 Dec 2007 16:06:07 +0000 http://www.mint.com/blog/updates/protecting-your-financial-data-mint%e2%80%99s-approach-to-security/#comment-12875 If you have any questions on Mint.com security, I'm happy to answer them. Aaron Patzer Founder & CEO, Mint.com If you have any questions on Mint.com security, I’m happy to answer them.

Aaron Patzer
Founder & CEO, Mint.com

]]>