LearnVest Security

This review was performed on February 1, 2014 and is part of a series of comparisons of financial management sites.

LearnVest mixes financial services, free advice, and account aggregation.

www.learnvest.com uses an EV certificate with a 2048-bit RSA key.

www.learnvest.com receives a B on the Qualys SSL Test run on February 11, 2014. They do not support TLS v1.2, they allow SSL v3.0, and they prioritize RC4 cipher suites.

Security Claims

  • Safe & Secure
    • “128-bit secure socket layer technology (SSL) and SHA-256 encryption”
    • “secured by VeriSign, scanned daily by McAfee SECURE”
    • “LearnVest’s data is guarded 24/7”
    • “We use biometric checkpoints, multiple keylock entry and constant video surveillance.”
    • “Your money can’t go anywhere.”
    • “LearnVest will never sell your username, password or any identifiable information about you to anyone.”
    • “LearnVest’s privacy policy has been vetted and approved by TRUSTe”
  • Security & Legal
    • None.

Analysis of claims

LearnVest’s security claims are pretty good. Their physical site security sounds great. The SSL/TLS claims sound good, as does being VeriSign secured and scanned by McAfee. While secondary to security, their privacy policy sounds good and is vetted by TRUSTe. LearnVest also mentions that its user interface does not allow users to transfer money.

The three things that LearnVest does not discuss are protection of bank passwords, an Intrusion Detection System (IDS), and scanning/analysis for site exploits (e.g. SQL injection).

Inconsistencies

With the very limited security claims, I was still able to identify the following:

  1. “SHA-256 encryption” – None of the cipher suites supported by LearnVest include SHA-256 and some enabled cipher suites use MD5.
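The inconsistency above comes from reading the cipher suite list on the SSL Labs report against the marketing claim. The following script, added here as an example and not part of the original review, does that comparison mechanically: it parses IANA cipher suite names into key exchange, bulk cipher and MAC/PRF hash, then flags SSL 3.0, missing TLS 1.2, RC4 preference, MD5 suites, and the absence of any SHA-256 suite. The protocol list and suite names are constructed to resemble a 2014-era report and are not LearnVest's actual results.

```python
"""Audit a TLS deployment summary against a site's security claims.

Added example, not from the original review. The PROTOCOLS and
CIPHER_SUITES values are constructed sample data in the style of an
SSL Labs report, not the real LearnVest configuration.
"""
import re

# Constructed sample: protocols offered and suites in server preference order.
PROTOCOLS = ["SSL 3.0", "TLS 1.0", "TLS 1.1"]
CIPHER_SUITES = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# IANA naming: <proto>_<key exchange>_WITH_<bulk cipher>_<hash>
# The trailing hash is the HMAC in TLS <= 1.1 and the PRF/HMAC hash in TLS 1.2.
SUITE_RE = re.compile(
    r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>MD5|SHA256|SHA384|SHA)$"
)


def parse_suite(name):
    """Split a cipher suite name into its key exchange, cipher and hash parts."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    return m.groupdict()


def audit(protocols, suites):
    """Return the findings a reviewer would raise against this configuration."""
    findings = []
    parsed = [parse_suite(s) for s in suites]
    if "SSL 3.0" in protocols:
        findings.append("SSL 3.0 is still enabled")
    if "TLS 1.2" not in protocols:
        findings.append("TLS 1.2 is not supported")
    # Server preference order: the first suite is what most clients will get.
    if parsed and "RC4" in parsed[0]["cipher"]:
        findings.append("RC4 is the server's preferred cipher")
    if any(p["mac"] == "MD5" for p in parsed):
        findings.append("some enabled suites use MD5")
    if not any(p["mac"] in ("SHA256", "SHA384") for p in parsed):
        findings.append("no enabled suite uses SHA-256, contradicting the claim")
    return findings


if __name__ == "__main__":
    for finding in audit(PROTOCOLS, CIPHER_SUITES):
        print("-", finding)
```

Run against the constructed data it reports all five findings; a modern configuration offering only TLS 1.2 with SHA-256 AEAD suites produces none.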

Conclusion

Without protecting bank passwords, using an IDS, or testing for security vulnerabilities, I can only give LearnVest a C for their security policy.