Credit Karma Security

This review was performed on January 19, 2014 and is part of a series of comparisons of financial management sites.

Credit Karma is primarily a site that allows you to receive free weekly credit reports from TransUnion, but it also has financial management features.

creditkarma.com uses an EV certificate with a 2048-bit RSA key.

creditkarma.com receives an A- on the Qualys SSL Test run on February 11, 2014. The server supports TLS v1.1 and v1.2 and has SSL v3.0 disabled.
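The protocol-version part of that SSL Test grade comes down to server configuration: which versions the server is willing to negotiate. The following is an added example, not code from Credit Karma or from the Qualys test, showing how the same check looks when applied to a Python `ssl.SSLContext`. It assumes the standard-library `ssl` module only; the hardened context uses a floor of TLS 1.2 (my choice, stricter than the TLS 1.1 the site allowed in 2014, since TLS 1.0 and 1.1 were later deprecated by RFC 8996), and `versions_allowed_by_config` reports what the configuration permits, not what the linked OpenSSL build can actually negotiate.

```python
import ssl

# Every protocol version the ssl module can name, oldest first.
ALL_VERSIONS = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def hardened_server_context():
    """Server context with SSLv3 and the deprecated TLS 1.0/1.1 refused by configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # floor chosen for this example
    # A real server would also call ctx.load_cert_chain(certfile, keyfile) here.
    return ctx


def permissive_server_context():
    """Contrast case: the configuration itself imposes no version floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def versions_allowed_by_config(ctx):
    """Return the names of the protocol versions the context's min/max settings permit.

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels meaning "whatever the
    library supports"; they are mapped to the oldest and newest named versions so
    the report shows the full range the configuration fails to rule out.
    """
    low = ctx.minimum_version
    high = ctx.maximum_version
    if low == ssl.TLSVersion.MINIMUM_SUPPORTED:
        low = ssl.TLSVersion.SSLv3
    if high == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        high = ssl.TLSVersion.TLSv1_3
    return [v.name for v in ALL_VERSIONS if low <= v <= high]


def review_versions(ctx):
    """Apply the checklist a reviewer would use: no SSLv3, no deprecated TLS."""
    allowed = versions_allowed_by_config(ctx)
    findings = []
    if "SSLv3" in allowed:
        findings.append("SSLv3 permitted by configuration")
    if "TLSv1" in allowed or "TLSv1_1" in allowed:
        findings.append("deprecated TLS 1.0/1.1 permitted by configuration (RFC 8996)")
    if "TLSv1_2" not in allowed and "TLSv1_3" not in allowed:
        findings.append("no modern TLS version permitted")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("permissive", permissive_server_context())):
        print(label, versions_allowed_by_config(ctx), review_versions(ctx) or "OK")
```

Running the module prints the permitted versions and findings for both contexts; the hardened one produces no findings, while the permissive one is flagged for both SSLv3 and the deprecated TLS versions. On a live server the equivalent evidence is what the Qualys SSL Test reports under "Protocols".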

Security Claims

  • Our Security Practices
    • Secure Connection using 128 bit encryption
    • Secure Connection using a DigiCert EV certificate
    • “Our data center is monitored around the clock by security personnel.”
    • “We enlist independent, third-party experts in the field of application security to assess our site for vulnerabilities.”
    • “Read-only Access”
    • “Firewalls and Other Security Precautions”
  • FAQ
    • “industry-leading security precautions”
    • “security is independently assessed by third parties.”
    • “128-bit encryption”
    • “servers are physically protected”
    • “We only use your SSN for this first score retrieval, and we do not store it in our database.”

Analysis of claims

Credit Karma says most of the right things, although more detail would make me more comfortable with what they do say. Their claims about connections to their web server are consistent with the SSL Test results. They mention the physical security of their data center and the use of firewalls. The third-party assessment and testing of their site security is where I would like more detail: what are the qualifications of the third-party testers, and what types of vulnerabilities are they looking for? The Credit Karma web interface is also designed to be read-only and provides no way to transfer money. It is comforting that Credit Karma does not store Social Security Numbers; they must establish some sort of authenticated token with TransUnion when retrieving a credit score for the first time.

The two things that Credit Karma does not discuss are protection of bank passwords and an Intrusion Detection System (IDS).

Inconsistencies

I only identified one relatively minor inconsistency between Credit Karma’s security claims and the observable security of the site:

  1. None.

Conclusion

Without protecting bank passwords or using an IDS, I can only give Credit Karma a C for their security policy.