Tag Archives: yodlee

Yodlee Security

This review was performed on February 5, 2014 and is part of a series of comparisons of financial management sites.

Yodlee Labs has been around for a while. While it doesn’t have the slickest interface, it seems to be compatible with the most financial institutions.

moneycenter.yodlee.com uses a EV certificate with a 2048 bit RSA key.

moneycenter.yodlee.com receives an A- on the Qualys SSL Test run on February 11, 2014. They support TLS v1.2, but they allow SSL v3.0 and prioritize RC4 cipher suites. They also allow 2 key TDES to be negotiated.

Security Claims

  • Yodlee Labs – Security Policy
    • “Data and Password Encryption”
    • “Network Intrusion Detection Systems”
    • “Physical Security Measures”
    • “Rigorous Audits and Inspections”
    • “No Yodlee employees have access to your password.”
    • “The transmission of data is protected using industry recognized encryption standards, such as 128-bit.”
    • “Users’ passwords are transmitted and stored in encrypted format at all times.”
    • “Access to servers requires multiple levels of authentication, including biometric (hand print scan) procedures.”
    • “multiple layers of firewalls are used to guard against unauthorized access to the network.”

Analysis of claims

Yodlee has all of the right security claims. They discuss solid site security and even electronic shielding. The shielding is probably more than is necessary, but it’s nice as long as there’s not a trade off to gain the shielding. They discuss firewalls and IDSs to provide logical network security. The encryption claims of data in transit and encryption of bank passwords is good. That no Yodlee employees have access to your [Yodlee] password, implies that they are hashing your Yodlee password instead of encrypting it. This ensures that someone who manages to compromise the password database cannot decrypt your Yodlee password. They also discuss frequent security audits of their infrastructure.

The two things Yodlee does not mention are how the encryption key for your bank passwords is protected and scanning of the Yodlee website for potential vulnerabilities.

Inconsistencies

I was able to identify 1 minor inconstancy.

  1. They claim 128-bit encryption; however, they support a cipher suite with a 112-bit key.

Conclusion

Since the the “how” for encrypting passwords is more of a nice to have, and vulnerability scanning might be included in the security audits, I give Yodlee an A- for their security policy.

Comparison of Financial Management Sites

This compares the observable security and the security claims of popular financial management sites. The security policy reviews were spread over a period of time; however, all Qualys SSL Labs tests were re-run on February 11, 2014 to ensure consistent grading.

The following aspects of each site were considered:

Summary

Service / Site EV Qualys
Grade		 Security
Policy		 Inconsistencies Date Checked
mint.com Yes A- B 1 January 16, 2014
PersonalCapital Yes B F 3 January 17, 2014
Yodlee MoneyCenter Yes A- 1 A- February 5, 2014
LearnVest Yes B C 1 February 1, 2014
CreditKarma Yes A- C 0 January 19, 2014

If you have other sites you would like added, please add them to the comments.

Methodology

EV – Extended Validation

Extended Validation (EV) is important, because it provides additional assurance that you are communicating with the site you believe you are. A corporate-proxy, cannot (with the exception of InternetExplorer) impersonate an EV certificate. This is a simple yes/no whether the site uses an EV certificate to identify itself.

Qualys SSL Server Test

The Qualys SSL Server Test provides a good snapshot of the Certificate, Key Exchange, cipher suites, and protocol version supported by the servers to secure the connection between the web server and your browser. This is the Qualys SSL Server Test letter grade (A–F).

Security Policy Review

The connection between your browser and the web server is only one aspect of site security. The design of the website and its supporting database contribute to security. Without being able to sit down with a developer and analyze the the internals of the website, the posted security policy and practices are the best the general public can review. This is my letter grade of whether the security policy includes feasible protections and adequately addresses security threats.

Inconsistencies

To try to determine whether the security policies can be taken at face value, I’ve compared the security polices agains security aspects of the site that can be observed and verified by the general public. This provides a feeling of how accurate, and therefore trustworthy, the security policies are. Granted, some of the inaccuracies might be to make the security policies understandable by the average person. This is the number of inconstancies identified between different areas of the security policy and/or the actual website.