Tag Archives: learnvest

LearnVest Security

This review was performed on February 1, 2014 and is part of a series of comparisons of financial management sites.

LearnVest mixes financial services, free advice, and account aggregation.

www.learnvest.com uses a EV certificate with a 2048 bit RSA key.

www.learnvest.com receives an B on the Qualys SSL Test run on February 11, 2014. They do not support TLS v1.2, but they allow SSL v3.0 and prioritize RC4 cipher suites.

Security Claims

  • Safe & Secure
    • “128-bit secure socket layer technology (SSL) and SHA-256 encryption”
    • “secured by VeriSign, scanned daily by McAfee SECURE”
    • “LearnVest’s data is guarded 24/7”
    • “We use biometric checkpoints, multiple keylock entry and constant video surveillance.”
    • “Your money can’t go anywhere.”
    • “LearnVest will never sell your username, password or any identifiable information about you to anyone.”
    • “LearnVest’s privacy policy has been vetted and approved by TRUSTe”
  • Security & Legal
    • None.

Analysis of claims

LearnVest’s security claims are pretty good. Their site physical security sounds great. The SSL/TLS claims sound good as does being VeriSign secured and scanned by McAfee. While secondary to security, their privacy policy sounds good and is vetted by TRUSTe. LearnVest also mentions that its user interface does now allow users to transfer money.

The three things that LearnVest does not discuss are protection of bank passwords, an Intrusion Detection System (IDS), and scanning/analysis for Site exploits (e.g. SQL injection).

Inconsistencies

With the very limited security claims, I was still able to identify

  1. “SHA-256 encryption” – None of the cipher suites supported by LearnVest include SHA-256 and some enabled cipher suites use MD5.

Conclusion

Without protecting bank passwords, using an IDS, or testing for security vulnerabilities; I can only give LearnVest a C for their security policy.

Comparison of Financial Management Sites

This compares the observable security and the security claims of popular financial management sites. The security policy reviews were spread over a period of time; however, all Qualys SSL Labs tests were re-run on February 11, 2014 to ensure consistent grading.

The following aspects of each site were considered:

Summary

Service / Site EV Qualys
Grade		 Security
Policy		 Inconsistencies Date Checked
mint.com Yes A- B 1 January 16, 2014
PersonalCapital Yes B F 3 January 17, 2014
Yodlee MoneyCenter Yes A- 1 A- February 5, 2014
LearnVest Yes B C 1 February 1, 2014
CreditKarma Yes A- C 0 January 19, 2014

If you have other sites you would like added, please add them to the comments.

Methodology

EV – Extended Validation

Extended Validation (EV) is important, because it provides additional assurance that you are communicating with the site you believe you are. A corporate-proxy, cannot (with the exception of InternetExplorer) impersonate an EV certificate. This is a simple yes/no whether the site uses an EV certificate to identify itself.

Qualys SSL Server Test

The Qualys SSL Server Test provides a good snapshot of the Certificate, Key Exchange, cipher suites, and protocol version supported by the servers to secure the connection between the web server and your browser. This is the Qualys SSL Server Test letter grade (A–F).

Security Policy Review

The connection between your browser and the web server is only one aspect of site security. The design of the website and its supporting database contribute to security. Without being able to sit down with a developer and analyze the the internals of the website, the posted security policy and practices are the best the general public can review. This is my letter grade of whether the security policy includes feasible protections and adequately addresses security threats.

Inconsistencies

To try to determine whether the security policies can be taken at face value, I’ve compared the security polices agains security aspects of the site that can be observed and verified by the general public. This provides a feeling of how accurate, and therefore trustworthy, the security policies are. Granted, some of the inaccuracies might be to make the security policies understandable by the average person. This is the number of inconstancies identified between different areas of the security policy and/or the actual website.