Tag Archives: banking

Yodlee Security

This review was performed on February 5, 2014 and is part of a series of comparisons of financial management sites.

Yodlee Labs has been around for a while. While it doesn’t have the slickest interface, it seems to be compatible with the largest number of financial institutions.

moneycenter.yodlee.com uses an EV certificate with a 2048-bit RSA key.

moneycenter.yodlee.com receives an A- on the Qualys SSL Test run on February 11, 2014. They support TLS v1.2, but they still allow SSL v3.0 and prefer RC4 cipher suites (RC4 keystream biases were already known to be exploitable against TLS at the time of this test). They also allow two-key 3DES, which SSL Labs rates at 112 bits, to be negotiated.

Security Claims

  • Yodlee Labs – Security Policy
    • “Data and Password Encryption”
    • “Network Intrusion Detection Systems”
    • “Physical Security Measures”
    • “Rigorous Audits and Inspections”
    • “No Yodlee employees have access to your password.”
    • “The transmission of data is protected using industry recognized encryption standards, such as 128-bit.”
    • “Users’ passwords are transmitted and stored in encrypted format at all times.”
    • “Access to servers requires multiple levels of authentication, including biometric (hand print scan) procedures.”
    • “multiple layers of firewalls are used to guard against unauthorized access to the network.”

Analysis of claims

Yodlee makes all of the right security claims. They discuss solid site security and even electronic shielding. The shielding is probably more than is necessary, but it’s nice as long as there is no trade-off to gain it. They discuss firewalls and IDSs to provide logical network security. The claims of encryption of data in transit and encryption of bank passwords are good. That no Yodlee employees have access to your [Yodlee] password implies that they hash your Yodlee password instead of encrypting it. A hashed password cannot be decrypted by someone who compromises the password database; it can only be guessed offline, which is why a salted, deliberately slow hash matters. They also discuss frequent security audits of their infrastructure.

The two things Yodlee does not mention are how the encryption key for your bank passwords is protected and whether the Yodlee website itself is scanned for potential vulnerabilities.
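The paragraph above infers “hashed, not encrypted” from “no employee has access to your password”. As an added example (not code from Yodlee or from the original post), the stdlib snippet below shows what that property looks like in practice and the caveat that goes with it: a password stored with salted PBKDF2-HMAC-SHA256 (an assumed algorithm; the page says nothing about which one Yodlee uses) can be verified but not decrypted, yet a stolen record can still be guessed offline, so weak passwords remain at risk even when the storage is done right.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Work factor for PBKDF2-HMAC-SHA256. 100k iterations is a modest floor;
# production systems should tune this (or use scrypt/argon2) so that a
# single guess costs tens of milliseconds on the defender's hardware.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    The salt is random per user, so two users with the same password get
    different records and a precomputed table cannot be reused across them.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # A plain == would leak, via timing, how long a matching prefix is.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def offline_guess(record: str, wordlist: List[str]) -> Optional[str]:
    """What an attacker holding a stolen record can still do.

    There is no key to steal and nothing to decrypt; the only attack is to
    run candidate passwords through the same function.  The work factor
    decides how many guesses per second that costs.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    # Constructed mini wordlist standing in for a real cracking dictionary.
    print("guessed:", offline_guess(record, ["password", "123456", "letmein"]))
```

The record format carries its own iteration count, so the work factor can be raised later and old records re-hashed at the user’s next login without a migration.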

Inconsistencies

I was able to identify one minor inconsistency.

  1. They claim 128-bit encryption; however, they support a cipher suite (two-key 3DES) with a 112-bit key.

Conclusion

Since the “how” for encrypting passwords is more of a nice-to-have, and vulnerability scanning might be included in the security audits, I give Yodlee an A- for their security policy.

Credit Karma Security

This review was performed on January 19, 2014 and is part of a series of comparisons of financial management sites.

Credit Karma is primarily a site that allows you to receive free weekly credit reports from TransUnion, but it also has financial management features.

creditkarma.com uses an EV certificate with a 2048-bit RSA key.

creditkarma.com receives an A- on the Qualys SSL Test run on February 11, 2014. They support TLS v1.1 and v1.2 and have disabled SSL v3.0.

Security Claims

  • Our Security Practices
    • Secure Connection using 128 bit encryption
    • Secure Connection using a DigiCert EV certificate
    • “Our data center is monitored around the clock by security personnel.”
    • “We enlist independent, third-party experts in the field of application security to assess our site for vulnerabilities.”
    • “Read-only Access”
    • “Firewalls and Other Security Precautions”
  • FAQ
    • “industry-leading security precautions”
    • “security is independently assessed by third parties.”
    • “128-bit encryption”
    • “servers are physically protected”
    • “We only use your SSN for this first score retrieval, and we do not store it in our database.”

Analysis of claims

Credit Karma says most of the right things, although more details would make me feel better about what they do say. Their claims about connections to their web server are consistent with the SSL Test. They mention the physical security of their data center and firewalls. The third-party assessment and testing of their site security is where I would like a little more detail: what are the qualifications of the third-party testers, and what types of vulnerabilities are they looking for? The Credit Karma web interface is also designed to be read-only and does not provide a method to transfer money. It is comforting that Credit Karma does not store Social Security Numbers; they must establish some sort of authenticated token with TransUnion when retrieving a credit score for the first time.

The two things that Credit Karma does not discuss are protection of bank passwords and an Intrusion Detection System (IDS).

Inconsistencies

I did not identify any inconsistency between Credit Karma’s security claims and the observable security of the site:

  1. None.

Conclusion

Without protecting bank passwords or using an IDS, I can only give Credit Karma a C for their security policy.

Personal Capital Security

This review was performed on January 17, 2014 and is part of a series of comparisons of financial management sites.

Personal Capital is a relatively new service with the following goal: “to build a better money management experience for consumers. That’s why we’re blending cutting edge technology with objective financial advice.”

personalcapital.com uses an EV certificate with a 2048-bit RSA key.

personalcapital.com receives a B on the Qualys SSL Test run on February 11, 2014. They do not support TLS v1.1 or v1.2. Overall this is not a major concern, but it is an area where they could easily increase the security of the connection to the site.

Security Claims

I wasn’t able to find much about Personal Capital’s security.

Analysis of claims

Personal Capital’s description of their security is concerning. There is only one very high-level description of their security. Their privacy policy claims they describe their security and answer common questions; however, none of those links work. Personal Capital does not describe any protection for the usernames and passwords stored in their database. The positives are that they have multi-factor authentication and constantly watch for suspicious activity.

Inconsistencies

With the very limited security claims, I was still able to identify three inconsistencies:

  1. “best technology” – Personal Capital does not use the “best technology.” They do not support TLS v1.1 or v1.2. Both of these provide better security than TLS v1.0 or SSL v3.0.
  2. “military-grade encrypted algorithms” – Personal Capital supports triple DES, which is only allowed if required by legacy (US) military technology.
  3. Linking to non-existent pages that claim to describe security.

Conclusion

I find the number of problems in Personal Capital’s almost non-existent description of security very alarming. I give their claims an F.

Mint.com Security

This review was performed on January 16, 2014 and is part of a series of comparisons of financial management sites.

Mint.com is run by Intuit, well known makers of Quicken and QuickBooks.

mint.com uses an EV certificate with a 2048-bit RSA key.

mint.com receives an A- on the Qualys SSL Test run on February 11, 2014.

Security Claims

  • Home Page
    • McAfee Secure Seal
    • VeriSign Security Seal
  • Safe and Secure
    • Bank-level security
    • “128-bit encryption”
    • Security Audits – VeriSign
    • Read-only
  • Safe and Secure “Watch security video”
    • Bank-level security
    • Security Audits – HackerSafe, VeriSign
    • Read-only
  • Security FAQ
    • “…bank login credentials are stored securely in a separate database using multi-layered hardware and software encryption.”
    • “Your bank account and credit card numbers are stored securely.”
    • read-only – “Your online banking user names and passwords are never displayed”
  • Security Technology and Practices
    • “Your bank login credentials are encrypted”
    • “Our servers are housed in a secure facility protected by biometric palm scanners and 24/7 security guards.”
    • “We apply bank-level data security standards. This includes encryption, auditing, logging, backups, and safe-guarding data.”
    • “We hack our own site. Intuit runs thousands of tests on its own software to ensure security. We scan our ports, test for SQL injection, and protect against cross-site scripting. We also employ Hackersafe to test our site daily.”
    • “Mint.com has received the VeriSign security seal.”
  • Privacy and Security Policy #12
    • “…use a combination of firewall barriers, encryption techniques and authentication procedures, among others…”
    • “…servers are in a secure facility. Access requires multiple levels of authentication, including biometrics recognition procedures.”
    • “…databases are protected from general employee access both physically and logically.”
    • “…encrypt your Service password so that your password cannot be recovered, even by us. All backup drives and tapes also are encrypted.”
    • “No employee may put any sensitive content on any insecure machine.”
    • “Intuit has been verified by Verisign for its use of SSL encryption technologies and audited by TRUSTe for its privacy practices. In addition, Intuit tests the Site daily for any failure points that would allow hacking.”

Analysis of claims

Overall, Mint.com says the right things. “Bank-level security” is more of a marketing term than a real security claim, but 128-bit encryption is good enough for most uses. Looking at the SSL Labs scan, 128-bit AES or RC4 is the smallest key size Mint supports, though RC4 is weak regardless of its key length.
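The observations made across these reviews (SSL 3.0 still enabled and RC4 preferred at Yodlee, no TLS 1.2 and 3DES at Personal Capital, a 128-bit claim against a 112-bit suite, the smallest key size Mint accepts) are the same handful of checks applied to each scan by hand. As an added illustration that is not part of the original reviews, the Python checker below runs those checks over a report reduced to an SSL Labs-style protocol list and server-preference-ordered cipher suite list. The two sample reports are constructed to match the observations in the text, not copied from a real scan, and the finding codes are my own naming.

```python
from typing import Dict, List, Optional, Tuple

# (cipher suite name, key bits as SSL Labs reports them; 3DES is shown as 112)
Suite = Tuple[str, int]

# Constructed report modelled on the Yodlee observations above.
YODLEE_LIKE = {
    "protocols": ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"],
    "suites": [
        ("TLS_RSA_WITH_RC4_128_SHA", 128),            # server's first preference
        ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 128),
        ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 112),
    ],
    "claimed_bits": 128,                              # "such as 128-bit"
}

# Constructed report modelled on the Personal Capital observations above;
# the site makes no numeric claim, so claimed_bits is None.
PERSONAL_CAPITAL_LIKE = {
    "protocols": ["TLS 1.0"],
    "suites": [
        ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
        ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 112),
    ],
    "claimed_bits": None,
}


def audit_tls(protocols: List[str], suites: List[Suite],
              claimed_bits: Optional[int] = None) -> Dict[str, str]:
    """Compare an observed TLS configuration with the site's stated claim.

    `suites` must be in server preference order.  Returns finding-code ->
    message; an empty dict means none of the checks fired.
    """
    findings: Dict[str, str] = {}

    legacy = [p for p in protocols if p.startswith("SSL")]
    if legacy:
        findings["legacy-ssl"] = f"{', '.join(legacy)} still negotiable"

    if "TLS 1.2" not in protocols:
        findings["no-tls12"] = "TLS 1.2 not offered (no AEAD suites, SHA-1 based PRF)"

    rc4 = [name for name, _ in suites if "RC4" in name]
    if rc4:
        if "RC4" in suites[0][0]:
            findings["rc4-preferred"] = f"server prefers {suites[0][0]}"
        else:
            findings["rc4-offered"] = f"RC4 suites accepted: {', '.join(rc4)}"

    tdes = [name for name, _ in suites if "3DES" in name]
    if tdes:
        findings["3des"] = f"3DES accepted (112-bit): {', '.join(tdes)}"

    # The "128-bit" claim is only as strong as the weakest suite the server
    # will still negotiate, not the strongest one it advertises.
    if claimed_bits is not None and suites:
        name, bits = min(suites, key=lambda s: s[1])
        if bits < claimed_bits:
            findings["claim-mismatch"] = (
                f"claims {claimed_bits}-bit encryption but will negotiate "
                f"{name} at {bits} bits")

    return findings


if __name__ == "__main__":
    for label, report in (("Yodlee-like", YODLEE_LIKE),
                          ("Personal Capital-like", PERSONAL_CAPITAL_LIKE)):
        print(label)
        for code, msg in audit_tls(**report).items():
            print(f"  [{code}] {msg}")
```

Feeding it the real SSL Labs output is a matter of mapping the scanner’s protocol and suite tables onto the two lists; the point of the claim check is that a published key size is a floor on what the server will accept, so it has to be tested against the weakest suite rather than the headline one.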

If an attacker obtains your password, it is good that the standard user interface is read-only and does not display account numbers, usernames, or passwords.

It’s good that their site is tested by themselves, McAfee, VeriSign, and HackerSafe, because a web application vulnerability is the most likely way an attacker could reach the database that holds bank credentials. Fortunately bank credentials are encrypted; however, the security practices do not discuss how the encryption key for bank credentials is protected, and an attacker who obtains the database together with its key gets the plaintext. Firewalls are good, but a properly secured web server shouldn’t really need a firewall. It would be nice if they also had an Intrusion Detection System (IDS), since an IDS has some chance of detecting zero-day exploits.

It is impossible to say much about the physical security of Mint’s data centers or its personnel policies without knowing how determined an attacker might be. Even with policies against copying customer data onto unsecured laptops, humans always seem to be the weak link (e.g. Edward Snowden).

Everything Mint.com says about their security sounds good, except for the lack of an IDS. I give their security claims a B.

Inconsistencies

The only inconsistency in Mint.com’s security claims is in the third-party tests and certifications they list. Mint.com consistently claims the VeriSign security seal, but it is unclear whether the site is tested by McAfee or by HackerSafe (HackerSafe was acquired by McAfee in 2008 and rebranded as McAfee Secure, which may account for the two names appearing on different pages).