Is Credit Karma Safe? Need to Know Before Creating Your Account

[harlan4096]

 Credit Karma Cybersecurity Concerns. How to Keep Your Credit Karma Account Safe.

“Neither a lender nor a borrower,” says an old-world catchphrase. Still, there are times, trying ones at that, when one must disregard these mannerisms and do what must be done to keep the business afloat. Welcome to the world of credits, where one thumbs-up is worth its weight in gold. In today’s article, I’ll be discussing one of the most reviewed personal finances services on the market – Credit Karma.

The name probably sounds all too familiar – for our readers residing outside of the European Union, Credit Karma commercials are common appearances on TV and YouTube. In a nutshell, Credit Karma is a go-to and free-of-charge credit score improvement solution.

Not a money-lending app per se; rather a financial tool that coaches the user on how to increase their likelihood of getting a loan. Among the questions, I will be answering today are: “what exactly is Credit Karma?”, “is Credit Karma safe?”, “should you use Credit Karma?” and more. Enjoy!

What is Credit Karma?

Keeping a good credit score is a must-have in non-EU countries. Some publications, Investopedia among them, say that everything that falls below “good” can be problematic for the applicant. The problem becomes even more complicated as we learn that there’s more than one way to compute an applicant’s credit score – 50 of them to be precise.

I won’t even bother discussing how these credit scores are computed, but I’ll tell you this: if your personal finance officer says that an action you undertake, say postpone your medical bill payment, will affect your credit score you would be wise to remediate this as fast as possible.

The explanation’s rather simple – credit score computing models are roughly the same, but not identical. As a result, you may have a credit score with one company, but a not-so-great one with another company. Yes, this type of bookkeeping helps companies keep tabs on a client’s ‘creditworthiness’, regardless of which personal finance ‘coach’ the applicant prefers. Anyway, enough about credit scores. Let’s talk about Credit Karma.

Two major players dictate what credit scoring should encompass – FICO and VantageScore. As one would imagine, a polarized market doesn’t tell us much in terms of variety. This is exactly the reason why Credit Karma popped up on the market – as a free and highly ‘personalizable’ alternative to FICO and VantageScore. Think of Credit Karma as your personal and, sometimes, highly informal financial advisor.

Of course, as any respectable credit scoring company, Credit Karma will compute your creditworthiness based on information retrieved from credit bureaus such as Equifax and TransUnion. Your VantageScore creditworthiness is also factored in your Credit Karma score. The result is the likeliness of you getting a loan at any credit bureau in the United States.

Seen as the proverbial breath of fresh air, the company has more than 100 million customers in the US, UK, and Canada. The product became even more popular as the company offers more than credit scoring services.

One look at Credit Karma’s page reveals a bounty of features – credit monitoring, scoring simulations, financial aid (e.g., Credit Karma can help you file your taxes for free), and much more. You can review Credit Karma’s full features in your dashboard or on the official website.

What’s wrong with Credit Karma?

Let me rephrase that – is something wrong with Credit Karma? I would venture to say “no”.  The application, which is available on multiple platforms, has some great reviews. Credit Karma rounded up 4.8 stars on G Play and a whopping 4.0 stars on PC Magazine.

What I meant to say is that CK is held in very high regard considering the very nature of the app (i.e., personal finance caretaker). If you want to learn more about why these financial apps are viewed in this (sometimes ill) manner, you should check out my articles on PayPal and Venmo. Anyway, advertising a free-of-charge service that caters to the same needs as a pay-per-use one is bound to draw some (unwanted) attention.

More specifically, people were starting to wonder if this product is real McCoy or some sort of scam. In order to avoid a torch-and-pitchfork scenario, Credit Karma itself wrote an article debating and reaffirming its legitimacy. Let’s get this out of the way – how Credit Karma keeps its lights on. According to the article in question, the company does not monetize its financial consultation services.

In other words, Credit Karma does not charge its customers credit score-related services. If we are to take the company’s ‘About Us’ page for granted, the bulk of CK’s income comes from banks and/or (legitimate) lenders via recommendations. So, each time CK convinces a customer to purchase a financial service from a bank or lender, the company will receive a commission.

With that out of the way, let us now take a look at Credit Karma from a cybersecurity standpoint. Is Credit Karma Safe? Should the user take additional precautions when creating\using the Credit Karma account? Stick around and find out.

Credit Karma Cybersecurity Concerns

In order to answer the question “is Credit Karma safe?” we first need to take a look at the company’s cybersecurity practices.  To learn more about security, we once again turn to Credit Karma’s website.

In “Identity-Aware Encryption”, a CK engineering blog article authored by Danny Zion, Credit Karma uses what’s called application-level encryption with crypto anchoring. I’ll get to that in a moment. Taking a look at the bigger picture, CK’s IAM brick working is very user-centric. As a concept, Identity-aware encryption means that for data-at-rest decryption to occur, the user must provide his\her credentials.

The need for identity-aware encryption grows even direr, as practice shows that legacy encryption methods (e.g., disk- or database-level encryption) have outlasted their usefulness and can, potentially, become liabilities. Credit Karma’s identity-aware encryption relies on key management externalization. In other words, CK and many other companies go for app-level encryption using keys stored KMSs (Key Management System Platforms).

Google’s KMS and Amazon’s HSM are probably the most popular, but there are many other key-management platforms. Anyway, storing keys on an external platform means that if something should happen with the app, the data-at-rest cannot be decrypted. Thus, we arrive at the very heart of CK’s security which is called crypto anchoring.

This safeguards data against specialized cryptography aggressions such as low-latency attacks. Bear in mind that identity-aware encryption and crypto-anchoring are not two distinct components. Think of identity-aware encryption as being crypto-anchoring’s safety net. In tandem, the two ensure not only the connection’s security but also data integrity.  

So, is Credit Karma safe? I would wager to say “yes”.  One more thing before we sashay to the security recommendations section – envelope encryption. CK, like many others, uses this cryptographical technique in order to scale the ops, regardless of the handled data. This helps, a) keep the encryption key to a predetermined size and b) limit the service’s interaction with client data.
...

Continue Reading