Tag Archives: creditkarma

Credit Karma Security

This review was performed on January 19, 2014 and is part of a series of comparisons of financial management sites.

Credit Karma is primarily a site that allows you to receive free weekly credit reports from TransUnion, but it also has financial management features.

creditkarma.com uses a EV certificate with a 2048 bit RSA key.

creditkarma.com receives an A- on the Qualys SSL Test run on February 11, 2014. They support TLS v1.1 or v1.2 and have also disabled SSL v3.0.

Security Claims

  • Our Security Practices
    • Secure Connection using 128 bit encryption/li>
    • Secure Connection using a DigiCert EV certificate
    • “Our data center is monitored around the clock by security personnel.”
    • “We enlist independent, third-party experts in the field of application security to assess our site for vulnerabilities.”
    • “Read-only Access”
    • “Firewalls and Other Security Precautions”
  • FAQ
    • “industry-leading security precautions”
    • “security is independently assessed by third parties.”
    • “128-bit encryption”
    • “servers are physically protected”
    • “We only use your SSN for this first score retrieval, and we do not store it in our database.”

Analysis of claims

Credit Karma says most of the right things, although more details would make me feel better about what they do say. Their claims about connections to their web server are consistent with the SSL Test. They mention the physical security of their data center and firewalls. The 3rd party assessment and testing of their site security is where I would like to have a little more detail. What are the qualifications of the 3rd party testers and what types of vulnerabilities are they looking for. The Credit Karma web interface is also designed so it is read only and does not provide a method to transfer money. It is comforting that Credit Karma does not store Social Security Numbers. They must establish some sort of authenticated token with TransUnion when retrieving a credit score for the first time.

The two things that Credit Karma does not discuss are protection of bank passwords and an Intrusion Detection System (IDS).

Inconsistencies

I only identified one relatively minor inconsistency between Credit Karma’s security claims and the observable security of the site:

  1. None.

Conclusion

Without protecting bank passwords or using an IDS, I can only give Credit Karma a C for their security policy.

Comparison of Financial Management Sites

This compares the observable security and the security claims of popular financial management sites. The security policy reviews were spread over a period of time; however, all Qualys SSL Labs tests were re-run on February 11, 2014 to ensure consistent grading.

The following aspects of each site were considered:

Summary

Service / Site EV Qualys
Grade		 Security
Policy		 Inconsistencies Date Checked
mint.com Yes A- B 1 January 16, 2014
PersonalCapital Yes B F 3 January 17, 2014
Yodlee MoneyCenter Yes A- 1 A- February 5, 2014
LearnVest Yes B C 1 February 1, 2014
CreditKarma Yes A- C 0 January 19, 2014

If you have other sites you would like added, please add them to the comments.

Methodology

EV – Extended Validation

Extended Validation (EV) is important, because it provides additional assurance that you are communicating with the site you believe you are. A corporate-proxy, cannot (with the exception of InternetExplorer) impersonate an EV certificate. This is a simple yes/no whether the site uses an EV certificate to identify itself.

Qualys SSL Server Test

The Qualys SSL Server Test provides a good snapshot of the Certificate, Key Exchange, cipher suites, and protocol version supported by the servers to secure the connection between the web server and your browser. This is the Qualys SSL Server Test letter grade (A–F).

Security Policy Review

The connection between your browser and the web server is only one aspect of site security. The design of the website and its supporting database contribute to security. Without being able to sit down with a developer and analyze the the internals of the website, the posted security policy and practices are the best the general public can review. This is my letter grade of whether the security policy includes feasible protections and adequately addresses security threats.

Inconsistencies

To try to determine whether the security policies can be taken at face value, I’ve compared the security polices agains security aspects of the site that can be observed and verified by the general public. This provides a feeling of how accurate, and therefore trustworthy, the security policies are. Granted, some of the inaccuracies might be to make the security policies understandable by the average person. This is the number of inconstancies identified between different areas of the security policy and/or the actual website.