This review was performed on February 5, 2014 and is part of a series of comparisons of financial management sites.
Yodlee Labs has been around for a while. While it doesn’t have the slickest interface, it seems to be compatible with the most financial institutions.
moneycenter.yodlee.com uses a EV certificate with a 2048 bit RSA key.
moneycenter.yodlee.com receives an A- on the Qualys SSL Test run on February 11, 2014. They support TLS v1.2, but they allow SSL v3.0 and prioritize RC4 cipher suites. They also allow 2 key TDES to be negotiated.
Security Claims
- Yodlee Labs – Security Policy
- “Data and Password Encryption”
- “Network Intrusion Detection Systems”
- “Physical Security Measures”
- “Rigorous Audits and Inspections”
- “No Yodlee employees have access to your password.”
- “The transmission of data is protected using industry recognized encryption standards, such as 128-bit.”
- “Users’ passwords are transmitted and stored in encrypted format at all times.”
- “Access to servers requires multiple levels of authentication, including biometric (hand print scan) procedures.”
- “multiple layers of firewalls are used to guard against unauthorized access to the network.”
Analysis of claims
- “Data and Password Encryption”
- “Network Intrusion Detection Systems”
- “Physical Security Measures”
- “Rigorous Audits and Inspections”
- “No Yodlee employees have access to your password.”
- “The transmission of data is protected using industry recognized encryption standards, such as 128-bit.”
- “Users’ passwords are transmitted and stored in encrypted format at all times.”
- “Access to servers requires multiple levels of authentication, including biometric (hand print scan) procedures.”
- “multiple layers of firewalls are used to guard against unauthorized access to the network.”
Yodlee has all of the right security claims. They discuss solid site security and even electronic shielding. The shielding is probably more than is necessary, but it’s nice as long as there’s not a trade off to gain the shielding. They discuss firewalls and IDSs to provide logical network security. The encryption claims of data in transit and encryption of bank passwords is good. That no Yodlee employees have access to your [Yodlee] password, implies that they are hashing your Yodlee password instead of encrypting it. This ensures that someone who manages to compromise the password database cannot decrypt your Yodlee password. They also discuss frequent security audits of their infrastructure.
The two things Yodlee does not mention are how the encryption key for your bank passwords is protected and scanning of the Yodlee website for potential vulnerabilities.
Inconsistencies
I was able to identify 1 minor inconstancy.
- They claim 128-bit encryption; however, they support a cipher suite with a 112-bit key.
Conclusion
Since the the “how” for encrypting passwords is more of a nice to have, and vulnerability scanning might be included in the security audits, I give Yodlee an A- for their security policy.