How Secure Is Your Information On Yodlee?

by golbguru on October 4, 2006

When I tell people how great Yodlee’s MoneyCenter is, the first concern they express is “Did you say it saves all your passwords? Doesn’t that sound risky?”. I then try to alleviate their fears by saying a word about Yodlee’s security measures. Mentioning Yodlee’s customer base has also helped in the past. This post summarizes some of Yodlee’s security measures. I am hoping this will encourage more people to get their financial management in order through Yodlee. This is NOT pay-per-post, just in case it sounds like an advertisement.

Here, I will quote a Yodlee employee’s response to a query on its security (with minor typographical edits). This and more useful information can be obtained from the Yodlee Forum.

  1. We encrypt everything between your browser and our servers using industry standard 128-bit SSL encryption.
  2. After it gets to our side, it is protected by multiple layers of firewalls - the number of which I cannot tell you for security reasons, nor the vendors, but we use many and many vendors.
  3. All sensitive field data is encrypted and stored in our databases encrypted internal to the tables with multiple rotating keys.
  4. All databases are protected from employee access both physically and logically.
  5. All databases are encrypted physically, and all drives and tapes are encrypted with different keys.
  6. No employee can put any content on any unsecure machine (i.e., nothing can be taken from the database and put on a laptop).
  7. All servers are customized and utilize an ultra locked-down version of Linux.
  8. Multiple layers of intrusion detection systems both software and people running 24×7.
  9. Automated software auditing of our source code to check for problems in the code.

From a process point of view we’re constantly audited by all of our customers to ensure that we have the utmost security policies and practices, including:

  1. Background checks for all employees.
  2. Auditing of all servers.
  3. Continuous security training.
  4. Dedicated security office with the authority to shutdown any system to investigate a breach.
  5. Systematic engagement of ethical hackers to attempt to break into our systems.

In another response from Niall Browne, Yodlee’s Director of Information Security:

Yodlee goes through in depth audits and examinations on an ongoing basis from:

  • Our clients as per the list above.
  • Leading security consultants including KPMG, Deloitte, Verisign Consultants, amongst others.
  • Federal Examiners including the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC) as well as the Federal Reserve.

The client list that he mentions above can be found here.

Information about Yodlee security on their website can be found here.


{ 17 comments… read them below or add one }

1 Anonymous 10.04.06 at 10:20 pm

I feel incredibly more secure with Yodlee. With Yodlee I get to log in once a day and see all transactions across all my bank accounts, investment account and credit cards.
So if any one of my accounts gets directly compromised, I should notice it within one day. If Yodlee gets compromised, well, then I have a lot of banks to call and get fixed, but I’ll live.

2 GolbGuru 10.05.06 at 12:36 am

Anon: If Yodlee gets compromised, you can be sure that most large banks will get compromised along with it as well :)….maybe I am too optimistic, but my guess is that’s never going to happen.

3 Jonathan 11.12.06 at 10:49 pm

Good stuff to know. Now if only they’d add Tradeking and E-Loan :)

4 GolbGuru 11.13.06 at 12:04 am

jonathan: the last time I logged in to the Yodlee Forum, I remember seeing some discussion about E-loan. It has gained weight in recent times because of its high-interest savings account. I am pretty sure they are working on E-loan right now.

I am not so sure about Tradeking though. But you can go ahead and put in your request.

5 boborojo 03.19.07 at 4:35 pm

I find the Yodlee service interesting, but falling short of state of the art in security and accountability. My stock broker, a major “full service” firm, offers (for free) to integrate or consolidate my account(s) into Yodlee. So I carefully read three disclosures provided on my broker’s web site (Terms and Conditions, Privacy, and Security), then *declined* to sign up for the service.

Terms and Conditions creates a limited power of attorney for “the service” (albeit for the “limited purpose” of “retrieving information”) while at the same time they reject any notion of liability in the event they mis-use that power of attorney.

Although you highlight some of the Yodlee security measures, there is no binding commitment by Yodlee to notify all users if there is any breach, or discovery of a vulnerability, and to do so within X days. For example, notification could be required in the event of loss or theft of company data (user names even in encrypted files, backup tapes, etc.), or discovery of a vulnerability in the company’s scripts (Java applications are mentioned in their Terms & Conditions).

I am asked to accept a promise that they are “state of the art”, which seems to be loosely alluded to by the Security terms, where a few technologies and products are listed. But a “list of technologies” is nothing if the execution and corporate accountability are found lacking.

‘Required notification’ is a topic gaining momentum in the last few years; some state legislatures have enacted laws requiring certain institutions to disclose to customers the fact that data has been stolen or may have been exposed. I like these laws (especially if there are serious financial penalties for non-compliance) and wish there was an effective federal standard. Also, look to Europe to see how a higher standard of data privacy protection can be enacted.

It’s one thing to have a collection of separate online accounts. It’s another to have a single point of entry that provides access to all online accounts: this constitutes a “rich target.” There is a security maxim: threat follows value. As the number of Yodlee accounts grows, it will inevitably become a target of increasingly sophisticated crooks who will try harder to break the system.

I’d feel a little better if there was a security key (a USB dongle that is unique and time-coded) that I must possess even to access the password-protected Yodlee system (doesn’t American Express offer these?). This is called multi-factor authentication (am I really who I say I am?). Yodlee appears to use only a password to protect all my passwords. If it lacks any added security factor, Yodlee security falls way short of state of the art.

6 Peter Hazlehurst 09.01.07 at 9:25 am

Hi,

Just a quick note that Yodlee will be launching Yodlee SiteVerify in the next few days, which will add multi-factor authentication on Yodlee.com.

With Yodlee SiteVerify (an implementation of RSA’s PassMark) you will be able to pick an image and a security question and we will identify your computer to make sure you are who you say you are.

With Yodlee SiteVerify, Yodlee MoneyCenter will be as safe for authentication as all the financial institutions that implement multi-factor.

Hope this helps!

Regards

Peter Hazlehurst
SVP Products
Yodlee Inc.

7 dotkam 10.10.08 at 1:10 pm

Everything that is made by humans, can be broken by humans.

First, and the most frequent successful gain of access to your account would involve a human error/mistake. From either client or Yodlee’s side.

Secondly, no matter how strong the server (Yodlee’s) side is, the biggest weakness is not the server but the client side. Let’s say a client is browsing a Yodlee account on an unsecured wireless network (many people do that), or, even more commonly, on a WEP-secured network, which is extremely easy to get into for attackers, or just kids from the block who want to play.

The client, “you”, can also leave a PC/laptop unlocked when going to lunch or on a bathroom break, with the Yodlee account open.

The point is Yodlee can be the most secure online business on Earth, but how secure are you on your end? Do you even know how secure you are? Do you even know how to be secure online? If you answered “yes” to all three questions, then Yodlee is for you.

However, if your answer is “no/I don’t know” to at least one of them, think twice before joining in. Yodlee is a “one point of failure” system: that means if somebody gets into your Yodlee account, s/he will get into ALL of your accounts.

Happy Yoodling :)

– dotkam

8 Jordan 10.11.08 at 9:49 am

dotkam,

we think a lot about server security at Yodlee. It drives product features like our MFA to help prevent phishing, our URL tokens to help prevent URL manipulation and cross-site scripting, our re-authentication flows to help protect users that walk away from their machine, along with many other standard and innovative protection schemes.

We also think a lot about how we can protect the user from themselves. While you can argue it both ways (and we do), I believe people who are not secure gain safety and security from using a Yodlee service. Many people have money spread out across a lot of different accounts such as a primary bank, a credit card issuer, an investment account, an IRA, a 401(k) and others. The average person is not taking the time to check all of those accounts on a frequent basis to see if there has been malicious behavior on their account. So if one of those accounts is compromised, it might take them until the bank statement shows up in the mail (up to a month) to even realize they’ve been hacked.

How does Yodlee help?
1) Most people using a Yodlee service are logging in every day or every few days and are able to check all of their accounts balances and recent transactions in a couple minutes. It converts the risky behavior of not reviewing accounts into the strong behavior of consistently reviewing every account. The faster you catch financial fraud, the less you are liable for.
1a) Yodlee services also allow a user to set up alerts across all of their accounts for large transactions, low balances, etc. A user can be pro-actively notified of suspicious or abnormal behavior.
2) Most users have simple often guessable passwords at their financial institutions and re-use their passwords on many places. If you store your passwords safely in a Yodlee service, and know you’ll be able to log into any of your accounts when required, it promotes the behavior of using extremely long and complex passwords. If you only have to remember one password for your Yodlee service, you’re also more likely to make it a longer and more complex password.

That’s my two cents,
..Jordan
Yodlee, Inc.

9 smart paranoid 09.10.09 at 2:21 pm

The “security” of the Yodlee service is a lesser issue. The more important one is the “liability”. If I understand correctly they do not have any “liability”. My bank is liable if something wrong happens with my account or my credit card etc. - that’s the only way to do business. Without this the tech aspects of the “security” are irrelevant.
