MOHELA Security Information
MOHELA takes security and privacy very seriously. We realize that your data is valuable and we take appropriate steps to protect that
data. To protect our borrowers, we have invested in the latest technology; including Web Application and Next Generation Firewalls as
well as an industry leading Security Information Event Management Dashboard. We promise to continue to invest in technology and staff
to keep your information secure.
Extended Validation Certification
When you login to www.mohela.com make sure your address bar has green text which shows “Higher Education Loan Authority of
the State of Missouri.” We invest in an extended validation certificate to ensure our customers know they are going to the
secure MOHELA website.
Learn more about Extended Validation Certification.
You will notice that if you try to login to your account from a computer not previously authorized, you will be presented
with a challenge question (e.g. “What is the name of your first pet?”). We do this to make your account more secure so if
a person obtains your password they will also have to know the answer to your security question to get into your online
account. This is a standard practice for financial websites.
DNS is an essential tool for browsing the internet that is transparent to most people. However, under its normal
implementation, DNS is not sufficiently secure. To mitigate this risk, MOHELA has deployed an enhanced version of DNS, known
as DNSSEC, to protect our site from third party web spoofing and to give users assurance that they will always connect to the
real www.mohela.com website.
Learn more about DNSSEC.
MOHELA monitors systems internally and externally (when applicable) from an availability as well as a security perspective. We use
multiple systems to ensure that systems are performing as expected and their integrity is maintained.
Audits / SSAE16
During the course of a year, MOHELA goes through multiple private and government audits which include our physical presence and
information systems. This includes ongoing SSAE-16 assessments which show we have appropriate physical, logical, and process
controls in place which were audited by a third party.
TLS Required Security
In response to security vulnerabilities identified in 2014, MOHELA has disabled the use of the older Secure Sockets Layer v3
protocol and requires the use of Transport Layer Security (TLS) for end user connections. This primarily impacts old browser
versions, such as Internet Explorer 6 from Microsoft.