Finance Sites Collect Bank, Card Passwords - TheStreet

Millions of Americans are giving up bank account and credit card information to financial-management sites.
BOSTON (TheStreet) -- Facebook users have grown concerned about the privacy of their prom pictures, status updates and friend lists. But in the meantime, millions of Americans are willingly giving all of their banking and credit card information to finance-management sites that mine the data.

More than 3 million users have signed up for the free services of (INTU), which makes cost-saving and budgeting recommendations based on its customers' bank statements. To use the service, customers provide passwords to their online savings, checking and credit card accounts so Mint can automatically port bank statements to its customers' accounts. As such, Mint knows how much money its customers have, where they're spending it and what they're buying.

"The kinds of things we could do at Mint with that data are enormous," says Aaron Patzer, head of Mint Software. Recently, for instance, the company published a blog post saying coffee sales are rising among its customers -- except at (SBUX).


The potential privacy implications of specific metrics are scary, but Patzer says Mint renders its data anonymously.

"We would never produce a statistic that says the average spent on this product in this store in this small town," Patzer says. "We make sure that each statistic has at least 100 data points."

That said, the nascent free-finance-management industry is aware of privacy concerns and is working on ways to allay them.

"It's always been a concern for our clients," says Ann-Marie Murphy, director of marketing communications for , a Web site that provides customers with free credit-score estimates without asking for a credit card number. "When we first launched the site, we requested a Social Security number, and there were a lot of people who didn't feel comfortable with that. We figured out a way to do that without requiring a Social Security number."


Wesabe, a personal-finance management Web site that competes with Mint, posts a Data Bill of Rights on its site. (While Mint generates revenue from the companies whose credit cards it recommends, Wesabe makes money by selling white-box versions of its finance-management software to banks.)

"If you're giving data to a Web site, it's reasonable to have a very clear statement of what's going to happen with that data," says Marc Hedlund, CEO of Wesabe. The company also gives customers the option of importing their banking information manually rather than automatically, which is time-consuming but lets customers keep their passwords to themselves.

Most financial-management sites make a point of saying they have "read-only" access to financial information, meaning they wouldn't be able to transfer money from one account to the next, for example. And most of them tout "bank-level security." But that might not be as secure as it sounds.

About 67% of financial-services Web sites, online banking sites, have serious security flaws, according to Jeremiah Grossman, founder of WhiteHat Security, a company that provides risk-management services for corporations that do business online.

"Any level of illicit access to customer data, even read-only, is a cause for concern," Grossman says. "Often enough, one door leads a hacker/cracker to another, and they are persistent."

-- Reported by Carmen Nobel in Boston.

