About Ken Tumin

Ken Tumin founded the Bank Deals Blog in 2005 and has been passionately covering the best deposit deals ever since. He is frequently referenced by The New York Times, The Wall Street Journal, and other publications as a top expert, but he is first and foremost a fellow deal seeker and member of the wonderful community of savers that frequents DepositAccounts.

Popular Posts

ING Direct’s Personal Finance Access Code Solves Main Issue with Account Aggregators


Account Aggregators like Yodlee can be very useful for rate chasers who have many bank accounts. They can make it easy to monitor your bank accounts by automatically logging into them and displaying data for all of your bank accounts in one secure place. Last year I described my experience using Mint.com to track my bank accounts. The fundamental issue with using these account aggregators is that you’re disclosing all of your bank login info to one service. Even though these services keep your bank login info secure, nothing is 100% safe.

ING Direct has a good solution to this security concern. It’s called the Personal Finance Access Code. When you’re logged into your ING Direct account, you can create this Access Code, and this Access Code can be provided to Yodlee or other personal finance tools for read-only access to your ING Direct account. If someone hacks into the personal finance tool and steals your Access Code, they won’t have any ability to move money out of your account. If you think your Access Code has been stolen, you can log into your ING Direct account and create a new one.

It appears ING Direct has offered this Access Code for several months. I noticed the Access Code was being discussed at the Mint.com forum late last year. Many people reported problems in getting Mint.com to work with this Access Code. I guess ING Direct expects Mint.com and other services to have worked through these problems. So now ING Direct requires these services to use an Access Code. The reader shraz provided in the comments the following ING Direct email:

Starting May 25, 2011, you'll need an Access Code from us (along with your Customer Number or Saver ID) to pull your ING DIRECT info into any personal financial management tools (like Mint.com, Yodlee, etc.) that'll allow "read-only" access.

Here's how to create an Access Code:

1. Sign in to ingdirect.com with your Customer Number/Saver ID and PIN

2. Select the 'My Info' tab

3. In the 'Personal Finance Access Code' section, click on the 'Create Code' link

4. Click the 'Create Access Code' button

More details are listed at ING Direct’s Access Code FAQs.

In addition to eliminating the security risk, the read-only access code should make it easier for users to set up their bank accounts inside these personal finance tools. When I was setting up my bank accounts at Mint.com, the security questions and answers that most all banks require complicated the connect setup process. This read-only access code method should eliminate this issue.

With ING Direct, the largest US internet bank, now providing this read-only access code, hopefully, this will become the standard for all banks. I expect more banks will follow with their own read-only access code method. And hopefully, it won’t take too long. I would assume some other banks or credit unions already have this, but I’m not aware of any. If you know of any other banks with their own read-only access code, please leave a comment.

Related Pages: savings account, checking account

Related Posts

  |     |   Comment #1
Lets say the mint.com is hacked and someone has all the info to read your balances, account numbers, transaction and so on.

That is all a gangster needs, the pin is useless since all the info can be read and all passwords on earth can not save you, no matter how secure and complicated they are.

Only thing a bad person has to do is link his account to yours by sending and then reading the small deposits showing up in Mint.com display, sent from his/her bank via ACH and when the link is ready He/She will clean you up, since all the info of balances and transactions is open book. Reading discloses everything a gangster need and you will never notice anything until all of your money is gone. Good luck disputing the transactions, the bad guy accounts will of cause be fraudulently opened with someone’s stollen IDs.

Your other accounts at different banks are at risk too if there are transfers in or out of the other banks showing the account numbers at INGDIRECT or the other accounts you have provided passwords and user ID to congregate at Mint.com

I will never use any gathering account services for the reasons stated above.
  |     |   Comment #2
Why would I want to share my bank account info with a 3rd party? It's positively mind-boggling that anyone in their right mind would use this 'service.'
  |     |   Comment #3
I just read the Mint.com disclosure of the account, it basically says:

......We are not responsible for anything that can go wrong if your account is illegally accessed and no obligation of any kind can be imposed on Mint.com.......

It means they are of the hook and you are aware of the danger and they can not be held liable whats so ever for anything that now or ever will go wrong and no guaranty or right to dispute anything with them.....and so on....

Go read it for yourself and your hair will stand straight up.
  |     |   Comment #4
I agree...why would you share your login info with anyone? Especially a company whose business model is to aggregate everyone's login info on their servers...think they might possibly be a target of hackers?

  |     |   Comment #5
Sooner or later all financial institutions and places like Mint and Yodlee are prime targets for the criminals to attack.
Ken said it right, no one is 100% save and why play with fire and with gathering accounts in one place. Why advertise your finances to the wolves.
  |     |   Comment #6
Use the App 'Balance'.    Although you have to manually input your transactions, it takes just seconds and you can keep track of all your accounts!.
  |     |   Comment #8
Can anyone explain to me, what the pin at Ing will do to protect you at mint?
If your mint account is hacked and someone knows your mint log in info, your pin is already entered at mint for the access at Ing.
  |     |   Comment #9
If mint.com is hacked, ING Direct Access Code is useless.

The bad guys will already have all the info they need to clean your bank accounts.

All other passwords and pins are rendered not needed.
  |     |   Comment #10
If you don't think mint is safe to use, then you even don't want to do online banking with any of your bank online.  The following is copied from mint: Security Technology Your trust is a privilege and a responsibility that is our first priority, every day. Here are some of the technologies and practices we’ve put in place to protect your identity and your financial information:

  • Mint.com always transmits personal and financial information securely.This prevents potential hackers from "tapping" a data conversation.
  • Your bank login credentials are encrypted.
  • Our servers are housed in a secure facility protected by biometric palm scanners and 24/7 security guards.
  • We apply bank-level data security standards. This includes encryption, auditing, logging, backups, and safe-guarding data.
  • We hack our own site. Intuit runs thousands of tests on its own software to ensure security. We scan our ports, test for SQL injection, and protect against cross-site scripting. We also employ Hackersafe to test our site daily.
  • Mint.com has received the VeriSign security seal.
  • We subscribe to an anti-phishing service to discover and take-down malicious sites intended to fool our customers
  |     |   Comment #11
Anonymous - #10, (mint.com)

You just admitted that your security is paramount, but you still do daily tests about security britches,  by which indirectly, you are admitting  that you are not 100% sure that someone still might hack the site.

Furthermore, if your site and procedures are bullet proof, why you have hand scanners, it imply that a rogue employee may get to the secure data  at the servers, which indicate that the servers can be accessed by the employees.

Nowhere on your site says that you guaranty 100% hacker proof nor I saw indemnity disclaimer about damages to your customers, which indicates you still have to keep one step ahead of the hackers. It only takes one hack to put your egos down the drain.

If you can guaranty hack proof site, make it in writing and buy lots of insurance , because sooner or later your security will be britched  and you will have to compensate your clients.

P.S. A security guard can be neutralized easy, either by distracting him, pay him off to look the other way or he may fall asleep or he has to go to the bathroom or he may be the part of the hackers. A security guard  indirectly shows the thieves where is the location of the servers.
  |     |   Comment #12
To #10,

You said:
“ Mint.com has received the VeriSign security seal.”
So are millions of web sites issued the same seal, does it mean the site is hacker proof, NO, does it mean the hackers will avoid your site, NO, does it mean your are 100%  secure NO,
do you have to fight on daily bases a hack, YES.

As you can see, nobody can claim 100% hacker proof site and you should indicate to your clients, that one day you may get hacked or someone from inside of your company may sell clients info to the bad guys and that you do not intend to compensate your clients for the loses. Is that to difficult to do?
  |     |   Comment #13
Wow. Disregarding the conspiracy theorists, I wanted to note that Sharebuilder, as a subsidiary of ING, has also switched to this method of account verification. I had to activate that code in my profile at Sharebuilder and then copy it into Mint for Mint to again be able to access my account.

I'm thinking some people here don't understand how internet security works. Verisign isn't their only protection, for Pete's sake. Mint attempts to hack their own accounts *daily* specifically to find and close any loopholes. That's probably more than your bank does. And bank-level encryption is pretty tough to hack in the first place.

Nobody can claim 100% "something"-proof anything. If you put money under your mattress someone might break into your house. Someone might rob your bank. Does that stop you from using a bank? The level of risk is reasonable. The level of paranoia here is not.
  |     |   Comment #14
Wow.  I am amazed that someone would criticize Mint for ongoing efforts to test their own security.  By the logic above, our military should not do continuing training and doctors shouldn't need to attend continuing education because if the training and education was adequate in the first place, there should never be a need to continue that training and education.  If there is, the original training is flawed.  

  |     |   Comment #15

Great post there. I think ING Direct is doing a great job and more banks should follow the read-only access code method.
  |     |   Comment #16
Note that the "ING Direct" subsidiary of "ING.US" was bought out and is now capitalone360.com.  They still support the laudable "access code" read-only access, though as noted in comment #1, since crooks can get withdrawal access using read-only access, that still leaves mint customers with a risk.  At least it is a smaller risk, since it takes longer and evidence is provided along the way.  Banks still have a ways to go to improve security, to say the least.

The financial institution, product, and APY (Annual Percentage Yield) data displayed on this website is gathered from various sources and may not reflect all of the offers available in your region. Although we strive to provide the most accurate data possible, we cannot guarantee its accuracy. The content displayed is for general information purposes only; always verify account details and availability with the financial institution before opening an account. Contact [email protected] to report inaccurate info or to request offers be included in this website. We are not affiliated with the financial institutions included in this website.