Tag Archives: security

Increasing Schwab Security

There are two things I did to increase the security of my Charles Schwab account despite the 6–8 character password restrictions:

  1. Changed my username for secrecy
  2. Added an Authenticator Token

With the 8 character password limit, I set a 20 character random username. While many security researchers recommend a random username, I generally rely solely on strong passwords. In this case, going form 8 to 28 characters an attacker needs to guess is a very good improvement.

If you call Schwab, you can also request a physical authenticator token. It is a physical Symantec VIP token, so its an extra device to carry. It was easy enough to setup and Schwab allows you to sign in two different ways with it. You can concatenate <password><authenticator code> in the password field, or you follow the standard flow of entering your username and password before being prompted for the authenticator code. The concatenated option is nice because it enables the authenticator to work with financial management software that only supports username and password fields.

I verified that the authenticator works with the Schwab website, Schwab iOS app, and Mint.com.

Edit: May 14, 2014

If you have any programs or services that periodically updated, you should disable them when adding the authenticator. I think failed login attempts from one of these programs caused Schwab to lock my account.

Yodlee Security

This review was performed on February 5, 2014 and is part of a series of comparisons of financial management sites.

Yodlee Labs has been around for a while. While it doesn’t have the slickest interface, it seems to be compatible with the most financial institutions.

moneycenter.yodlee.com uses a EV certificate with a 2048 bit RSA key.

moneycenter.yodlee.com receives an A- on the Qualys SSL Test run on February 11, 2014. They support TLS v1.2, but they allow SSL v3.0 and prioritize RC4 cipher suites. They also allow 2 key TDES to be negotiated.

Security Claims

  • Yodlee Labs – Security Policy
    • “Data and Password Encryption”
    • “Network Intrusion Detection Systems”
    • “Physical Security Measures”
    • “Rigorous Audits and Inspections”
    • “No Yodlee employees have access to your password.”
    • “The transmission of data is protected using industry recognized encryption standards, such as 128-bit.”
    • “Users’ passwords are transmitted and stored in encrypted format at all times.”
    • “Access to servers requires multiple levels of authentication, including biometric (hand print scan) procedures.”
    • “multiple layers of firewalls are used to guard against unauthorized access to the network.”

Analysis of claims

Yodlee has all of the right security claims. They discuss solid site security and even electronic shielding. The shielding is probably more than is necessary, but it’s nice as long as there’s not a trade off to gain the shielding. They discuss firewalls and IDSs to provide logical network security. The encryption claims of data in transit and encryption of bank passwords is good. That no Yodlee employees have access to your [Yodlee] password, implies that they are hashing your Yodlee password instead of encrypting it. This ensures that someone who manages to compromise the password database cannot decrypt your Yodlee password. They also discuss frequent security audits of their infrastructure.

The two things Yodlee does not mention are how the encryption key for your bank passwords is protected and scanning of the Yodlee website for potential vulnerabilities.

Inconsistencies

I was able to identify 1 minor inconstancy.

  1. They claim 128-bit encryption; however, they support a cipher suite with a 112-bit key.

Conclusion

Since the the “how” for encrypting passwords is more of a nice to have, and vulnerability scanning might be included in the security audits, I give Yodlee an A- for their security policy.

LearnVest Security

This review was performed on February 1, 2014 and is part of a series of comparisons of financial management sites.

LearnVest mixes financial services, free advice, and account aggregation.

www.learnvest.com uses a EV certificate with a 2048 bit RSA key.

www.learnvest.com receives an B on the Qualys SSL Test run on February 11, 2014. They do not support TLS v1.2, but they allow SSL v3.0 and prioritize RC4 cipher suites.

Security Claims

  • Safe & Secure
    • “128-bit secure socket layer technology (SSL) and SHA-256 encryption”
    • “secured by VeriSign, scanned daily by McAfee SECURE”
    • “LearnVest’s data is guarded 24/7”
    • “We use biometric checkpoints, multiple keylock entry and constant video surveillance.”
    • “Your money can’t go anywhere.”
    • “LearnVest will never sell your username, password or any identifiable information about you to anyone.”
    • “LearnVest’s privacy policy has been vetted and approved by TRUSTe”
  • Security & Legal
    • None.

Analysis of claims

LearnVest’s security claims are pretty good. Their site physical security sounds great. The SSL/TLS claims sound good as does being VeriSign secured and scanned by McAfee. While secondary to security, their privacy policy sounds good and is vetted by TRUSTe. LearnVest also mentions that its user interface does now allow users to transfer money.

The three things that LearnVest does not discuss are protection of bank passwords, an Intrusion Detection System (IDS), and scanning/analysis for Site exploits (e.g. SQL injection).

Inconsistencies

With the very limited security claims, I was still able to identify

  1. “SHA-256 encryption” – None of the cipher suites supported by LearnVest include SHA-256 and some enabled cipher suites use MD5.

Conclusion

Without protecting bank passwords, using an IDS, or testing for security vulnerabilities; I can only give LearnVest a C for their security policy.

Credit Karma Security

This review was performed on January 19, 2014 and is part of a series of comparisons of financial management sites.

Credit Karma is primarily a site that allows you to receive free weekly credit reports from TransUnion, but it also has financial management features.

creditkarma.com uses a EV certificate with a 2048 bit RSA key.

creditkarma.com receives an A- on the Qualys SSL Test run on February 11, 2014. They support TLS v1.1 or v1.2 and have also disabled SSL v3.0.

Security Claims

  • Our Security Practices
    • Secure Connection using 128 bit encryption/li>
    • Secure Connection using a DigiCert EV certificate
    • “Our data center is monitored around the clock by security personnel.”
    • “We enlist independent, third-party experts in the field of application security to assess our site for vulnerabilities.”
    • “Read-only Access”
    • “Firewalls and Other Security Precautions”
  • FAQ
    • “industry-leading security precautions”
    • “security is independently assessed by third parties.”
    • “128-bit encryption”
    • “servers are physically protected”
    • “We only use your SSN for this first score retrieval, and we do not store it in our database.”

Analysis of claims

Credit Karma says most of the right things, although more details would make me feel better about what they do say. Their claims about connections to their web server are consistent with the SSL Test. They mention the physical security of their data center and firewalls. The 3rd party assessment and testing of their site security is where I would like to have a little more detail. What are the qualifications of the 3rd party testers and what types of vulnerabilities are they looking for. The Credit Karma web interface is also designed so it is read only and does not provide a method to transfer money. It is comforting that Credit Karma does not store Social Security Numbers. They must establish some sort of authenticated token with TransUnion when retrieving a credit score for the first time.

The two things that Credit Karma does not discuss are protection of bank passwords and an Intrusion Detection System (IDS).

Inconsistencies

I only identified one relatively minor inconsistency between Credit Karma’s security claims and the observable security of the site:

  1. None.

Conclusion

Without protecting bank passwords or using an IDS, I can only give Credit Karma a C for their security policy.

Personal Capital Security

This review was performed on January 17, 2014 and is part of a series of comparisons of financial management sites.

Personal Capital is a relatively new service with the following goal: “to build a better money management experience for consumers. That’s why we’re blending cutting edge technology with objective financial advice.”

personalcapital.com uses a EV certificate with a 2048 bit RSA key.

personalcapital.com receives an B on the Qualys SSL Test run on February 11, 2014. They do not support TLS v1.1 or v1.2. Overall, not a major concern, but areas where they could easily increase the security of the connection to the site.

Security Claims

I wasn’t able to find much about Personal Capital’s security.

Analysis of claims

Personal Capital’s description of their security is concerning. There is only one very high level descriptions of their security. Their privacy policy claims they describe their security and answer common questions; however, none of those links work. Personal Capital does not describe any protections for protecting usernames and passwords stored in their database. The positives are that they have multi-factor authentication and constantly watch for suspicious activity.

Inconsistencies

With the very limited security claims, I was still able to identify

  1. “best technology” – Personal Capital does not use the “best technology.” They do not support TLS v1.1 or v1.2. Both of these provide better security than TLS v1.0 or SSL v 3.0.
  2. “military-grade encrypted algorithms” – Personal Capital supports triple DES which is only allowed if required by legacy technology of the (US) military.
  3. Linking to non-existent pages that claim to describe security.

Conclusion

I find the number of problems in Personal Capital’s almost non-existent description of security very alarming. I give their claims a F.