Monarch Money and ad networks

In late 2023, Intuit announced that Mint was going to be shutting down and migrating everybody to Credit Karma. I could try out Credit Karma, but maybe it’s time to explore alternatives. Since that announcement came out, I launched a massive time sink to try and find a new option I liked.


Different people have different goals for a finance tracking app. My requirements are not so much about following a strict budget, but more focused on transaction tracking, tracking stocks and other assets, and future planning. I looked around and found a few.

The first one I tried is Monarch Money.

Monarch Money was interesting. It was $99/yr, but with a MINT50 discount it was only $50/yr. I don’t mind paying for services. Especially ones that add value. I tried it out. It had a mechanism to import data from Mint.

Importing from Mint

This is broken down into the transactions and the balance history. This was tedious, but largely worked. I first discovered that Mint truncated the transaction.csv history to 10,000 records and lost data.

Alt text

To fix this, export each section independently until you have under 10k in each export and join them together into a single CSV.

Alt text

The next problem is that Monarch Money requires all accounts to be created before importing which meant I couldn’t import accounts that were closed. This is not a huge deal, but I had 70+ accounts at one point or another.

This was fine, took effort to work. I had to create all the accounts first, the import transactions. It also struggled with CDs which got opened and closed.

Ad networks?

But then I noticed something interesting in NoScript. It loaded tons of assets from other domains. Why is a financial institution that has access to all my financial data loading data from!

A screenshot of the NoScript browser extension showing what domain names Monarch Money is trying to load content such as JavaScript, fonts, etc. from. It shows a variety of domains including Spotify, Tiktok, and Reddit. More analysis below.

<script src="/analytics.js"></script>
<script src="/reddit.js"></script>
<script src="/spotify.js"></script>
<script src="/tiktok.js"></script>
<script src="/clarity.js"></script>
<script src="/userleap.js" userleap_id="jhOvgs1si6">

<script type="text/javascript" async="" src="">

I looked at /reddit.js, and at the time it showed this:

!(function (w, d) {
  if (!w.rdt) {
    var p = (w.rdt = function () {
      p.sendEvent ? p.sendEvent.apply(p, arguments) : p.callQueue.push(arguments);
    p.callQueue = [];
    var t = d.createElement('script');
    (t.src = ''), (t.async = !0);
    var s = d.getElementsByTagName('script')[0];
    s.parentNode.insertBefore(t, s);
})(window, document);
rdt('init', 't2_5u6sm01h');
rdt('track', 'PageVisit');

Now this looks like a tracking pixel which is used to ad conversion tracking. It’s intended to track if a user were to click on an ad, then sign-up, it would count towards marketing as a success. This means it does not appear to be sending any net worth information to Reddit to build up a profile (at least in this code), it is trying to see how many people are clicking ads on Reddit, Spotify, TikTok and signing-up. However, since it is loaded as a script tag, nothing stops those companies from injecting code in your browser.

They even call this out on their help page here. However, there’s no reason that click attribution scripts should be loaded while signed-in to my account. At the very least they should only be loaded on user sign-up pages prior to creating an account. Even better is not to load it at all, but that’s always a battle with the marketing departments.

To me, it shows poor security practices. Not a great look when dealing with critical financial software. I’m still signed up for the demo, but I’ll continue to update my opinion as I use it.

Copyright - All Rights Reserved


Comments are currently unavailable while I move to this new blog platform. To give feedback, send an email to adam [at] this website url.