When I tell people about how great Yodlee’s MoneyCenter is, the first concern they express is “Did you say it saves all your passwords? Doesn’t that sound risky?”. I then try to alleviate their fears by saying a word about Yodlee’s security measures. Mentioning Yodlee’s customer base has also helped in the past. This post summarizes some of Yodlee’s security measures. I am hoping this will encourage more people to get their financial management in order through Yodlee. This is NOT pay-per-post, just in case it sounds like an advertisement.
Here, I will quote a Yodlee employee’s response to a query on its security (with minor typographical edits). This and more useful information can be obtained from the Yodlee Forum.
- We encrypt everything between your browser and our servers using industry-standard 128-bit SSL encryption.
- After it gets to our side, it is protected by multiple layers of firewalls - the number of which I cannot tell you for security reasons, nor the vendors, but we use many and many vendors.
- All sensitive field data is encrypted and stored in our databases, encrypted internal to the tables, with multiple rotating keys.
- All databases are protected from employee access both physically and logically.
- All databases are encrypted physically, and all drives and tapes are encrypted with different keys.
- No employee can put any content on any unsecure machine (i.e., nothing can be taken from the database and put on a
- All servers are customized and utilize an ultra locked-down version of Linux.
- Multiple layers of intrusion detection systems, both software and people, running 24×7.
- Automated software auditing of our source code to check for problems in the code.
From a process point of view, we’re constantly audited by all of our customers to ensure that we have the utmost security policies and practices, including:
- Background checks for all employees.
- Auditing of all servers.
- Continuous security training.
- Dedicated security office with the authority to shut down any system to investigate a breach.
- Systematic engagement of ethical hackers to attempt to break into our systems.
In another response from Niall Browne, Yodlee’s Director of Information Security:
Yodlee goes through in-depth audits and examinations on an ongoing basis from:
- Our clients as per the list above.
- Leading security consultants including KPMG, Deloitte, Verisign Consultants, amongst others.
- Federal Examiners including the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC) as well as the Federal Reserve.
The client list that he mentions above can be found here.
Information about Yodlee security on their website can be found here.