
Thoughts on Ironvest?

Sveeno

Hey folks!

 

I wanted to gather the community's thoughts on Ironvest. Ironvest is a cyber-security company that offers a password manager, masked email address, masked credit cards, virtual phone numbers, and a lot more. They recently reached out to us inquiring about sponsoring our channels, but having insight from the community is always much appreciated.

 

Thanks as always,


I like the sound of it, but my two cents:
 

* Is it normal to keep biometric data for 3 years after your last interaction? That seems excessive to me? I recognise it's their vendor storing this, but equally what stops them from imposing a shorter period of time?

 

* The usual spiel about "bank grade security" - this is a very common term that could mean anything but is usually standard SSL/TLS that anyone can get. It just feels a bit disingenuous, I'm sure they can find something better as a marketing point.

 

* I'm not sure I'm a fan of the following excerpt from their ToS, it seems very broad.

Quote

Don't sue us because of our products. You will indemnify and hold harmless IronVest Inc., its parents, subsidiaries, customers, vendors, officers, and employees from any liability, damage or cost from any claim or demand associated with your use of our Site or Services.

 


On 11/8/2023 at 9:45 AM, Sveeno said:

Hey folks!

I wanted to gather the community's thoughts on Ironvest. Ironvest is a cyber-security company that offers a password manager, masked email address, masked credit cards, virtual phone numbers, and a lot more. They recently reached out to us inquiring about sponsoring our channels, but having insight from the community is always much appreciated.

Thanks as always,

On 11/9/2023 at 11:12 AM, ImNiightt said:

I like the sound of it, but my two cents:
* Is it normal to keep biometric data for 3 years after your last interaction? That seems excessive to me? I recognise it's their vendor storing this, but equally what stops them from imposing a shorter period of time?

* The usual spiel about "bank grade security" - this is a very common term that could mean anything but is usually standard SSL/TLS that anyone can get. It just feels a bit disingenuous, I'm sure they can find something better as a marketing point.

* I'm not sure I'm a fan of the following excerpt from their ToS, it seems very broad.

I'ma expand on your bullet points a little bit. Buckle up. 😄 

 

Data Retention Policies

I consider this abnormal - especially the part that implies they're happy to retain the data for longer if the law permits them to do so.

  • My expectation of ANY security / privacy company is to nuke ALL personal information IMMEDIATELY upon account closure, or at my request.
  • My data is mine. Period. Fail to uphold ANY request regarding my data, and you'll hear about it through legal. Don't mess with my data. Ever.

Quote

"IronVest will request that its Vendor permanently destroy your biometric data three (3) years after your last interaction with IronVest products and solutions unless a longer period is permitted under applicable law or regulation."

 

Security Claims

I cannot find ANY technical documentation, white papers, or open-sourced code that PROVES their service is more or less secure than any of the other 50 billion password managers on the internet.

  • To be clear, nothing is 100% secure, but if you're operating a security company, I expect full transparency.
  • I perused these links, and attempted to poke around their site for anything else that supports their claims:
  • I perused the rest of their site but could not find anything that actually explains their security processes.

 

Terms of Service

No comment. There are several things in the Terms of Service that may or may not even be legal in certain jurisdictions.

  • Changing the ToS without notice to the end user? HARD NO.
    • The way the ToS are written means I cannot view the ToS without visiting their site ...
    • ... and viewing the site to read the ToS is "using the site" which constitutes acceptance of the ToS ...
    • ... so how do I view the ToS to determine whether I accept their changes without actually accepting them?
  • EXPECT companies to PROACTIVELY communicate ALL legal changes impacting me via a contact method I provide. (Usually Email.)

Quote

Things could change. We may amend or terminate any terms of this Agreement at any time and such amendment or termination will be effective at the time we post the revised terms on the site. We'll strive to make these terms understandable. You can tell when we last revised this Agreement by looking at the “last revised” date at the top of this Agreement. Your continued use of the site or services after we've posted revised terms signifies your acceptance of the revised terms.

  • "You're legally bound by these terms, but haha lol we're not. If something goes wrong, we don't have to do anything for you."
    • Uh, what? Not a chance. If end users / customers are legally bound by your ToS, so is the company.
    • Otherwise, this Canadian Citizen will pull the Unconscionability card if / when something goes wrong.

Quote

If something crazy happens, it's not our fault. You acknowledge that IronVest will not be liable for any failure to comply with these Terms to the extent that such failure arises from factors outside IronVest's reasonable control, like natural disasters.

  • I'm not going to get into the Masked Cards portion of the ToS. The dispute resolution process is NOT in favor of the consumer, among many other questionable issues one would not have if they instead carried on using their bank-issued Credit Cards normally.

 

Privacy Policy

Similar to the Terms of Service, got a few issues that need addressing below.

  • What exactly prevents "companies we've hired to do work for us" from being "able to share it with anyone else" ?
    • Does IronVest have vultures tracking my data through ALL systems, nuking it from orbit the moment someone merely thinks about misusing it?
    • Shouldn't make claims they can't back up, otherwise users will have grounds to take action should their data ever be shared or misused.

Quote

We never sell or share your data with anyone or any company without your express consent. Period. By using our Services or our products and services, you consent to us to share your data but only with companies we've hired to do work for us and only to carry out the services you want. They'll never own it or be able to share it with anyone else.

  • Gonna need to see source code and an independent 3rd party audit of their entire network stack to support this claim.
  • When it comes to security, I'ma worry unless you can prove that my data is encrypted in a way that only I can access it.

Quote

Your IronVest password (optional)

Only you know it. IronVest never knows your Master Password and even when we synchronize your data across "the cloud" it's all encrypted in a way we can't decrypt.

Your logins and account information (including passwords and where you have online accounts)

This is encrypted locally on your device. If you enable Backup & Sync, we will store your encrypted data. Don't worry, IronVest can *not* read your encrypted data.

...

All of your personal Masked Email, Masked Phone, and Masked Card data is encrypted using industry-standard 256-bit AES encryption. The information is accessed by the particular IronVest product in real-time when the information is needed. All of your accounts, passwords, and other browsing activity are stored locally in an encrypted database that we do not have the ability to decrypt. It's encrypted using industry-standard 256-bit AES encryption. 

 

Other Issues

It's quite concerning that...

  • ... I cannot locate a "Contact Us" form, email address, or mailing address easily in the footer of the site
  • ... the "Support" and "FAQ" links point to the same https://ironvest.com/faq/ page. (Where is customer support?)

It's EXTREMELY concerning the End User Support link found on the https://ironvest.com/biometric-data-policy/ page is broken...


  • Attempting to visit the link text https://help.ironvest.com/s/contactsupport results in a "This site can't be reached" error.
    • Does IronVest actually have support for their customers? If so, why can't a potential customer see them before purchasing?


 

 

Conclusion

If ALL of the above can be addressed in a way that I deem satisfactory, I may consider IronVest a worthy sponsor. Anything less than this is unacceptable within the security and privacy industry, and would reflect poorly upon any business taking IronVest on as a sponsor.

 

Seems their parent company Abine, Inc. and sister business DeleteMe exhibit similar problems with their legal policies, too.
