security Archive - TransSwipe - Merchant Services and Credit Card Processing


Archive for the ‘security’ Category

5 Tips For Protecting Customers (And Yourself) From Identity Theft

This is a guest post from Odysseas Papadimitriou, CEO of the personal finance website WalletHub, which offers free credit scores, full credit reports, 24/7 credit monitoring and customized money-saving advice.

Identity theft and the various forms of fraud that come with it pose a lurking problem for both merchants and consumers in our increasingly digitized economy. And while no one is completely safe in this “brave new retail world”, there are some simple steps that you can take to not only protect yourself, but also to do right by your customers.

We’ll highlight a handful of options below. The overarching theme, as you’ll see, is that strategic outsourcing to specialists can save you significant amounts of time, money and market share in the long run.

  • Find a Payments-as-a-Service (PaaS) Solution: Sometimes the smartest strategy is to stick to what you know best, which probably isn’t the inner workings of the payments infrastructure. So why not pay someone (like Dwolla) to help you handle all the red tape of payments APIs, so you can focus on the product?

    Assuming the price is right, this is an investment that could pay huge dividends in terms of your own personal peace of mind and, perhaps most importantly, customer satisfaction. After all, customers aren’t always familiar with how your site is being protected. What matters most to them is the safety of their personal information.
  • Outsource Email Management: Email might seem like a trivial task to pay someone else to do, but doing so can actually save you and your customers in the long run. After all, one of the most common forms of fraud is phishing. Roughly 10% of email phishing leads to a data breach, and CEO email phishing in particular has cost businesses more than $2 billion since 2013, according to the Internet Crime Complaint Center.

    A well-implemented email management system can reduce the likelihood of someone falling victim, while ineffective email practices have the potential to destroy both your deliverability and reputation.
  • Invest In Server Security: Little is more important to an online business’s success than security. “If experience in other countries is a predictor of the effects in the U.S., merchants should anticipate an increase in online fraud,” according to the Norton Rose Fulbright Data Protection Report. And to think you are prepared to face this expected onslaught alone would be the height of hubris.

    So, to continue the theme of this advice, find a reputable security service that can handle your web-server protection. Countless companies, from boutiques to conglomerates, operate in this space, so you should be able to find something that meets your exact needs and price point. For example, I would recommend checking out CloudFlare, which has a solid reputation and a variety of inexpensive service options.
  • Formalize Employee Policies & Contingency Plans: Teamwork and clear communication are essential to identity-theft avoidance, so make sure to establish and share with all employees any company policies and expectations that you foresee being necessary. This should include policies regarding the use and upkeep of electronic devices (e.g., antivirus software, password conventions, the acceptability of external drives, etc.); the company’s data retention, storage and disposal procedures; and rules regarding customer confidentiality. Furthermore, you should have a clear plan for what each member of the team will do if one of your customers’ identities is stolen, including how to handle the affected individual and patch up any related vulnerabilities. Should the unfortunate happen, you’ll be glad to have a simple checklist to fall back on.
  • Get Stress-Tested By a Third Party: Once every year or so, it would be wise to have an independent security consultant “come in” to review all of your company policies and practices – everything from the manner in which employees share information to the external security settings of your marketplace. You have a plethora of qualified consultants to choose from, many of which can do their work remotely, so if you can afford it, there’s little reason not to engage in this sort of preventative care.

At the end of the day, it’s worth noting that strong security features and a blemish-free reputation are strong signals of quality for consumers. So emphasize your data protection policies and other security practices on your website, including any related certifications you may have received. Even something as simple as an “https” address or a “captcha” on payment pages can help you win the perception game.

We are never done

Posted in Blog, CFPB, compliance, infosec, security on February 29th, 2016

When we first started in Iowa, we were a young company trailblazing new technologies, possibilities, and concepts in payments. Our biggest challenge was describing to customers the innovation and value we were creating for them.

One item we were specifically proud of was the way we were rethinking payments and developing a system that did not disclose sensitive financial information at the time of transaction, such as credit card numbers on file with merchants, and bank account numbers printed on checks.

Dwolla was incorporating new ideas because we wanted to build a safer product, but at the time we may not have chosen the best language and comparisons to describe some of our capabilities. It has never been the company’s intent to mislead anyone on critical issues like data security. For any confusion we may have caused, we sincerely apologize.

Since its launch over 5 years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event. We’ve continuously matured our data security practices since that snapshot in time and have never been more proud of our information security policies, procedures, and technologies.

Below are just a small handful of the meaningful protections we’ve implemented up, down, and across the company.

Data Protection and Encryption

The Dwolla platform is equipped to protect sensitive data by encrypting it when it moves, when it is stored, and replacing it with tokens in transactions.

In transit

Data in transit is information as it moves across networks, like the Internet. For example, when a user submits their credentials and logs into Dwolla.com, the data moves from their computer to Dwolla’s systems. During this ride, the data needs protection. To do this, Dwolla and other companies, like Google and Wells Fargo, use Transport Layer Security (TLS) to encrypt the information and prevent it from being captured or seen by bad actors. Other protection measures, like TLS downgrade attack prevention and HTTP Strict Transport Security (HSTS), also help provide data integrity between you and Dwolla.

At rest

After the data moves across networks, it is received and may be stored. This is called “data at rest”, and the Dwolla platform is equipped to protect sensitive data from exposure. To enable this, we use a trusted and specialized encryption service for storage based on the Advanced Encryption Standard (AES) algorithm, with strong 256-bit keys that can be rotated automatically, operated in Galois/Counter Mode (GCM) to provide authenticated encryption. In addition to encryption, Dwolla also protects sensitive data (like passwords or tokens) using strong, iterated password-based hashing.

Tokenization

Sensitive information, like social security, bank account, and routing numbers, is valuable to bad actors because of the privileges it represents. That’s why for nearly five years, Dwolla has been using tokenization. This process replaces “high-value” information with specialized low-value digital cryptographic tokens. So instead of sharing your bank account and routing numbers each and every time you’d like to send or receive money with another party, Dwolla generates and exchanges unique tokens to facilitate authorization and transactions. Tokens can only be used between two specific parties, expire after a short period of time, and can be revoked at any time.

Layered Approach

Like customer data, Dwolla’s software platform needs protection too. That’s why we’ve built layers of technology and processes that complement each other and provide a holistic security model. The layers used include strong border protection, an industry-leading hosting provider with security and compliance capabilities (e.g. ISO and SOC), network firewalls, intrusion prevention and segmentation, access control, continuous security monitoring (24x7x365), and strong authentication. Dwolla offers two-factor authentication, an optional feature that helps safeguard your account and data at login. In addition, Dwolla employees use two-factor authentication for remote access and administration of the Dwolla platform.

Security by design (including culture)

But how do you innovate new products and services and still maintain security? At Dwolla, we’re placing security in the software platform’s DNA. That means that we manage and develop using consistent automation, test-driven development and security testing during the build process. As new products and features are integrated, Dwolla aligns with established protocols and frameworks (e.g. OAuth) and uses Threat Modeling to deliver secure solutions. Our platform is routinely scanned for vulnerabilities, is subjected to bi-annual penetration tests and follows a responsible disclosure process to support and manage concerns reported by the community.

Dwolla employees participate in mandatory information security awareness training with additional technical developer training based on the Open Web Application Security Project (OWASP) top 10 risks. The company performs social engineering, pre-texting and phishing exercises and reinforces these topics through both routine internal messaging and externally shared best-practices such as Tips for Information Security.

Security is never done

Dwolla recognizes that security is never done, rather, it is a process. We are proud of our information security program and our continual focus on providing a platform to safely move money. Please reach out to security@dwolla.com with questions and comments.

Introducing Two-Factor Authentication for Dwolla

Security is always top of mind at Dwolla, and it’s something we’ll never stop improving and iterating upon. While Dwolla has always required multiple elements for user sessions, such as email address, password and PIN, we’ve continued to work toward empowering our users with additional security measures.

Today, we’ve released the ability for full Dwolla account holders to enable two-factor authentication (2FA) on their accounts. By enabling 2FA, Dwolla members equip themselves with an additional layer of security in account protection.

How do I enable two-factor authentication?

Visit your account settings page within the Dwolla dashboard. You can navigate to this page by clicking on your avatar in the top right hand corner of your dashboard. From your account settings page, choose Security from the menu on the left.

[Screenshot: account settings page]

You’ll notice the option to enable 2FA on your account security page. Choose to enable and re-enter your password.

[Screenshot: password prompt on the Security page]

When enabling 2FA, you will need to download and open an authenticator app, such as: Google Authenticator (iOS, Android), Duo Mobile (iOS, Android), Amazon Virtual MFA (Android), or Authenticator (Windows Phone).

Open your authenticator app of choice, and manually enter the key code or scan the QR code you’ll see on your Dwolla dashboard to generate a six-digit security code within the app.

[Screenshot: authenticator app on an iPhone showing the six-digit code]

Enter this six-digit code in step three to enable two-factor authentication on your Dwolla account.

[Screenshot: two-factor authentication enabled]

Next time you login to your Dwolla account from any device, you will be prompted to supply a six-digit security code from your authenticator app after you enter your email and password. You can choose to supply this code every time you log in from that device or every 30 days.

[Screenshot: security code prompt at login]

Why is two-factor authentication important?

Two-factor authentication helps protect your Dwolla account from the loss of credentials (e.g., your password being stolen). With 2FA enabled, a valid session requires something you know (your userID/Password) and something you have (your 2FA Time-based One Time Password). In short, it helps prevent online identity theft as a victim’s password is not enough for a fraudster to compromise an account.

Why use an authenticator app?

Dwolla chose Time-based One Time Password (TOTP) as our method of two-factor authentication given customer feedback and the high security level provided by the TOTP protocol. TOTP is also extremely strong because the passcode is generated on your device rather than delivered to it, as opposed to SMS (text) codes which, although unlikely, may be intercepted in transit.
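
To show concretely what “generated on your device” means, here is an added example (not Dwolla’s code) that implements the TOTP algorithm from RFC 6238 on top of HOTP (RFC 4226) using only the Python standard library: the app and the server each derive the same six-digit code from a shared secret and the current 30-second time step, and the server verifies a submitted code locally with a small tolerance for clock drift. The step size, digit count and drift window are assumptions matching common authenticator apps; the shared secret in the test is the RFC 6238 reference value.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # time step used by the authenticator apps named above (assumed)
DIGITS = 6         # six-digit codes, as in the Dwolla login flow


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP whose counter is the number of steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step)


def current_code(secret):
    """What the app on your phone displays right now; no network is involved."""
    return totp(secret, time.time())


def verify_totp(secret, submitted, at_time, window=1):
    """Server-side check at login. The server recomputes the code from its own copy of
    the secret and its own clock, accepts `window` steps either side to absorb clock
    drift, and compares in constant time so timing does not reveal how many digits matched."""
    if not (isinstance(submitted, str) and submitted.isdigit() and len(submitted) == DIGITS):
        return False
    counter = int(at_time) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + delta), submitted)
               for delta in range(-window, window + 1))


def decode_base32_key(key):
    """The 'key code' shown beside the QR code is base32 (RFC 4648); apps accept it with
    spaces and in either case, so normalise and re-pad it before decoding."""
    key = key.replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))
```

A code is accepted for at most three consecutive 30-second windows, which is why a stolen code is useless to a fraudster minutes later, and why the shared secret, not the code, is the thing to keep private.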

Have questions or feedback on this release? Please respond in the comments below, or on the Dwolla discussion board.

Developer Spotlight: Vaibhav Srikaran

At Dwolla, we’re proud of the technology we build and we’re equally proud of the men and women busy building it. With that, this post comes as part of a series, Dwolla Developer Spotlights, where you’ll get to know various members of our diverse team of developers. This is our fifth feature in the series, where we’ve given one of our talented interns the floor.

Vaibhav Srikaran

Name:   Vaibhav Srikaran
Twitter: @vaibhav430
Role: Builder Intern

Random Facts and things you love:

  • I love basketball. Lots of basketball. I am a Miami Heat fan (pre-2006), and I can talk pretty competently about any team since the 90’s. I play occasionally at the gym, but I watch a lot more.
  • I don’t know how to technically pronounce my name. I have just been winging it for 19 years.
  • I love Iowa. I didn’t fully appreciate it until I moved out to California, but there is a lot to be happy about in Iowa. The people are the nicest and it’s just homier. The weather might be unpredictable, but it keeps you on your toes—unlike the Bay.

What have you primarily focused on during your Dwolla Internship?

I am working with the team to set up Two Factor Authentication for the Dwolla website. I really like being able to work on everything from backend to front-end and discover where my interests lie.

As an intern at Dwolla, what have you found particularly interesting?

I never realized people were so opinionated about programming languages. I always thought my professors at school just said that people care a lot so they could indoctrinate me to code in the “right” way, but then I realized everyone is super passionate.


I feel ashamed that I haven’t developed my own little niche to be picky about, but that will come in time. I also didn’t realize that industry code has such meticulous processes for validation.

If you had to marry a programming language, which would you choose? Why?

Java was my first love and was wonderful for all of high school, but that love turned sour with time.

Once I got to college, my eyes shifted to Python—short, sweet and to the point. Its characteristics were super appealing for a while, but then I realized that there were some serious limitations.

I had a short fling with Scheme, but those parenthetical curves were a little too much for me to handle, and I got annoyed quickly.

I think I found one that might work, even though we haven’t had much time together. Scala has it all, some Pythonesque slickness with the depth of Java. I want to give Dwolla a shoutout for setting me up on a decent first date with Scala.

I think I will stick to dating different languages for the time being because marriage seems like too much commitment for me right now.

When and how do you get your best coding done?

Sleepless nights while rolling around in bed usually do the trick. Put on some headphones to jam out to Kanye West or Childish Gambino. Sometimes coffee shops are a good space, but the warmth and comfort of my bed and blanket are too tempting to pass up.

What can we find you doing outside of work?

I am usually at my apartment hanging out with friends or playing video games. All my roommates are avid Super Smash Bros players, so there are a lot of competitive disagreements on a nightly basis.

And, if I feel like being adventurous, I’ll try out one of the hundreds of places to eat in Berkeley.

Are there any side projects you’ve worked on?

Most of my side projects are hackathon projects I do with my friends. We have dabbled with various webapps, one of which was an anonymous question answer app. I have a few ideas for iOS I want to get into, and I really hope to learn more about crypto-currencies.

What advice would you give your fellow interns out there?

I feel like I should be taking in advice before doling it out to other developers…

I guess starting to become a developer took a super persistent effort. From getting an interview to setting up my machine, everything starts off as a struggle, but eventually once you break through, the grass is a lot greener on the other side.

Tokenization 101

In this post Ben Schmitt, Dwolla’s Information Security Risk Manager, explains the guiding principles and practices behind tokenization. This post is a breakdown of something very technical for our every-day user—basically, our goal is to improve your understanding of information security.


What is tokenization?

Tokenization is the concept of replacing high-value data with a reference or low-value representation of that data in a transaction. In the physical world, examples abound: think of tokens at a carwash or an arcade. These physical tokens have no value in the real world—you can’t buy anything with them—but they can be redeemed to obtain access to a specific resource with a specific entity, like the Skee Ball game at Chuck E. Cheese.

This concept of giving value to an otherwise value-less item has real application in the digital world, especially as it relates to security. Basically through tokenization, we’re making your sensitive, personal information less useful to a fraudster, thus improving security surrounding the data.

Guiding principles for protection

  • With tokenization, sensitive payment information is removed from transactions
  • Since information isn’t shared, it remains in your control
  • Tokens are not long-lived, but have a definite expiration date
  • Tokens can be revoked when necessary

Tokenization is a key element in securing data

A classic security approach is to classify and secure data based on value—the higher the value, the stronger the security. It makes sense, right? If something is worth more, you put it in a bigger safe with a more robust lock.

Many companies use this “ranking” strategy for sensitive data—think platform code, user information or a special engineering design. Such data is classified as Personally Identifiable Information (PII) or as critical strategic information.


The value of these data elements is much higher and protection schemes must be significant and proportional to the risk of data exposure. It’s like putting on a big winter coat during a snowstorm as compared to a light rain jacket on a spring day; the risk of exposure is greater, so you need better protection.

However, an overall security strategy should do more than protect just high-value data; it must also make data less valuable to an attacker where possible. This is where tokenization comes in: replacing high-value data in a financial transaction with a time-based, tokenized message.

Your sensitive information becomes represented by a token. In turn, this token is worth far less than the personal information you’ve shared, and after a short period of time, this token ceases to exist altogether.

Tokenization and Data Protection

Tokenization protects data via reference, scope, timing and cryptography—each of these elements contributes to the Dwolla security strategy. Breaking these four pieces down further, we can better understand the real value of tokenization as a protective measure.

Reference: Dwolla does not share high-value data such as a Bank Account or Routing Number for transactions with the other party.

Network Level: The Dwolla Platform uses a reference number to replace your sensitive financial data. This is referred to as an OAuth Access token, and it represents you, the user. This token acts based on the permissions you’ve given; it serves as both a reference and a guide for the actions you’ve allowed within your Dwolla Account.

Bank Level: Bank account information for users is not shared on the bank’s end. Rather, another token is created from the bank representing the bank user.

Timing: Dwolla requires that tokens have a one-hour-long expiration time frame. If a token expires, this access token must be refreshed. These time-based tokens are used to complete transactions in seconds without moving high-value data. Once the message is received, it cannot be sent again. Basically, a token has a lifespan for use. Once that lifespan is exhausted you have to ask for permission to revive it.

Scope: Tokens have a collection of authorized actions in the form of a scope. The scope contains the range of actions that can be taken. In Dwolla’s case the scope is limited to the authorizations such as Transaction Details, Balance, Send Money, Receive Money. Establishing a scope is incredibly important as it strictly limits the use of the token so it’s not used incorrectly. Going back to our Chuck E. Cheese example, basically the scope limits what the token can do. You can only buy a game at Chuck E. Cheese, but you won’t be allowed to pay for the family meal with the token—you can only do what is permitted within the scope and nothing more.

Cryptography: Tokenization goes hand-in-hand with cryptography—it’s like peanut-butter and jelly. Tokenization enlists cryptography to secure the information in transit, and uses randomization to ensure each token is unique. In Dwolla’s case strict, standards-based cryptography is in place.
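
The four properties above (reference, timing, scope and randomness), together with the earlier points that a token is bound to two specific parties and can be revoked, can be captured in a small token service. The following is an added illustration, not Dwolla’s platform code: an in-memory issuer with a hypothetical scope list and a one-hour lifetime, where the token stands in for the account rather than carrying account data, and where a transaction message is accepted only once.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # the one-hour lifetime described above
# Hypothetical scope names standing in for Transaction Details, Balance, Send Money, Receive Money
KNOWN_SCOPES = {"TransactionDetails", "Balance", "SendMoney", "ReceiveMoney"}


class TokenService:
    """Hypothetical in-memory issuer showing reference, scope, timing, audience and revocation."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so the expiry rule can be exercised deterministically
        self._records = {}    # sha256(token) -> record; the raw token is never stored server-side

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, owner, audience, scopes):
        """Mint a token that represents `owner` and may only be presented by `audience`."""
        unknown = set(scopes) - KNOWN_SCOPES
        if unknown:
            raise ValueError("unknown scope(s): %s" % ", ".join(sorted(unknown)))
        token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG: unique, unguessable
        self._records[self._key(token)] = {
            "owner": owner, "audience": audience, "scopes": frozenset(scopes),
            "issued_at": self._clock(), "revoked": False, "seen_messages": set(),
        }
        return token

    def authorize(self, token, presented_by, action, message_id):
        """Return (True, owner) if the token may perform `action` for this message,
        otherwise (False, reason). `message_id` uniquely identifies the transaction
        message; presenting the same one twice is treated as a replay."""
        rec = self._records.get(self._key(token))
        if rec is None:
            return False, "unknown token"
        if rec["revoked"]:
            return False, "revoked"
        if self._clock() - rec["issued_at"] > TOKEN_TTL_SECONDS:
            return False, "expired: the owner must refresh it"
        if rec["audience"] != presented_by:
            return False, "token not valid for this party"
        if action not in rec["scopes"]:
            return False, "action outside the granted scope"
        if message_id in rec["seen_messages"]:
            return False, "message already received"
        rec["seen_messages"].add(message_id)
        return True, rec["owner"]

    def revoke(self, token):
        """Revocation takes effect immediately, regardless of remaining lifetime."""
        rec = self._records.get(self._key(token))
        if rec is None:
            return False
        rec["revoked"] = True
        return True
```

Note that nothing in the record identifies a bank account or routing number; a leaked token reveals only an opaque reference that stops working within the hour.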

At Dwolla, protecting our users and ensuring the best security possible is of the highest importance. To learn more about Dwolla’s secure solutions, reach out.

Get educated: Phishing

Written by Dwolla’s lead security and risk builder, the “Get educated” series hopes to highlight the best practices, precautions, and trends that will help keep you safe in today’s high-tech world. Want to join the Risk and Fraud Prevention team? We’re hiring!

Like any online service, Dwolla and our community must stay vigilant against even the most common and rudimentary threats, like phishing.

What is Phishing?

Phishing attempts are fake interactions that appear to come from legitimate sources. These can take any form, but often appear as emails, pop-ups, fake landing pages, even tweets. Their tactics can range from the ridiculously obvious Nigerian email scam to the even more audacious and sophisticated fake federal subpoenas. They all hope to do the same thing: get your login and/or security credentials.

While there are many SIMPLE things that you can do to prevent becoming a victim of a phishing attempt (which are explained below), we thought it might be helpful to walk through a real-life example of something we caught early:

[Screenshot: the phishing email]

What’s wrong with this picture?

  1. Grammar mistake: has a subject line that reads, “Unlock Your Dwolla Accountt.” (with two Ts)
  2. Unsolicited email: Did you recently try to log in or have an issue with Dwolla? If not, chances are that any email engaging you or asking you for verification is bunk. If Dwolla does request verification, we will instruct you to log in to the website separately from any link and follow the instructions inside our website or mobile app.
  3. Sent “via” a third-party server. Note: it’s pretty easy to mimic the name or email address of a sender, but it’s nearly impossible to mimic the server from which an email is sent. How can you tell? Find the “Received: from” section by looking at the original email (how email actually looks without a client, like Outlook or gmail.com). Dwolla emails will come from dwolla.com or google.com mail servers – not kundenserver.de, for example.
  4. This treads on #3, but if you are ever in doubt, copy and paste or type out the link into your browser’s URL bar. If it is fake, clicking on the link will send you to a separate hyperlink outside of Dwolla.com’s domain name. Oftentimes, this alternative link is cleverly disguised inside what may look like a Dwolla address (i.e. “https://dwolla.com…..”). It’s like rickrolling, but with malicious intent.
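
Points 3 and 4 can be automated on the receiving side. The following is an added example, not part of the original post or of Dwolla’s tooling: it parses a raw message with Python’s standard email module, walks the “Received: from” chain past the recipient’s own relays to find the server that actually handed the message over, checks that server and every link in the body against an allowlist, and flags the generic salutation. The two sample messages, the recipient domain example-inbox.test and the allowlists are constructed for the example; only dwolla.com, google.com and kundenserver.de come from the post.

```python
import re
from email import message_from_string, policy

TRUSTED_SENDER_DOMAINS = ("dwolla.com", "google.com")  # where the post says real mail comes from
OWN_MAIL_DOMAINS = ("example-inbox.test",)            # the recipient's own relays (assumed)
LEGIT_LINK_DOMAINS = ("dwolla.com",)

# Constructed sample built from the warning signs in the post; not a real message.
PHISHING_SAMPLE = """\
Received: from mx.example-inbox.test (mx.example-inbox.test [203.0.113.10])
        by inbox.example-inbox.test with ESMTP id abc123; Mon, 1 Feb 2016 10:00:01 +0000
Received: from kundenserver.de (kundenserver.de [198.51.100.7])
        by mx.example-inbox.test with ESMTP id def456; Mon, 1 Feb 2016 10:00:00 +0000
From: "Dwolla Support" <support@dwolla.com>
To: customer@example-inbox.test
Subject: Unlock Your Dwolla Accountt.

Dear valued customer, unlock your account now: http://dwalluh.example/unlock
"""

# Constructed sample of headers a legitimate message could carry, for contrast.
LEGIT_SAMPLE = """\
Received: from mx.example-inbox.test (mx.example-inbox.test [203.0.113.10])
        by inbox.example-inbox.test with ESMTP id ghi789; Mon, 1 Feb 2016 10:00:01 +0000
Received: from mail-relay.google.com (mail-relay.google.com [192.0.2.25])
        by mx.example-inbox.test with ESMTPS id jkl012; Mon, 1 Feb 2016 10:00:00 +0000
From: "Dwolla" <no-reply@dwolla.com>
To: customer@example-inbox.test
Subject: Your monthly statement is ready

Hi Pat, your statement is ready at https://www.dwolla.com/ (log in from the site, not a link).
"""

_FROM_HOST = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def host_in_domains(host, domains):
    """True if host equals one of the domains or is a subdomain of it (no substring matching)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def received_from_hosts(msg):
    """The 'from' host of each Received header, newest first (the topmost was written by us)."""
    hosts = []
    for value in msg.get_all("Received", []):
        match = _FROM_HOST.search(" ".join(str(value).split()))
        if match:
            hosts.append(match.group(1))
    return hosts


def handoff_host(msg):
    """First hop that is not one of our own relays: the server that handed the message to us.
    Only Received lines written by our own servers can be trusted, because a sender can
    prepend forged ones of its own beneath them."""
    for host in received_from_hosts(msg):
        if not host_in_domains(host, OWN_MAIL_DOMAINS):
            return host
    return None


def check_message(raw):
    """Apply the post's checks: handoff server, link targets and a generic salutation."""
    msg = message_from_string(raw, policy=policy.default)
    origin = handoff_host(msg)
    addresses = msg["From"].addresses if msg["From"] else ()
    from_domain = addresses[0].domain.lower() if addresses else ""
    body = str(msg.get_payload())
    link_hosts = _URL_HOST.findall(body)
    bad_links = [h for h in link_hosts if not host_in_domains(h, LEGIT_LINK_DOMAINS)]
    findings = []
    if origin is None or not host_in_domains(origin, TRUSTED_SENDER_DOMAINS):
        findings.append("handed off by an untrusted server: %s" % origin)
    if bad_links:
        findings.append("links lead outside dwolla.com: %s" % ", ".join(bad_links))
    if "dear valued customer" in body.lower():
        findings.append("generic salutation instead of your name")
    return {"handoff_host": origin, "from_domain": from_domain,
            "link_hosts": link_hosts, "findings": findings, "suspicious": bool(findings)}
```

The From address says dwolla.com in both samples; only the handoff server and the link targets separate the two, which is the post’s point.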

If you have any suspicions, STOP, and alert our customer support team by emailing support@dwolla.com or call 1-888-289-8744. Do not click links inside emails that you believe may be suspicious. Instead, inform our support team and we will match up the existence of any email.

However, for the sake of educating you all, if you did click the link, the following website shows more warning signs:

[Screenshot: the phishing landing page]

What’s wrong with this picture?

  1. It does not show a valid SSL certificate (usually represented by a green “lock” in the URL bar or bottom right hand corner, depending on your browser).
  2. It redirects you to a website, like Acme.net or Dwalluh.com, instead of Dwolla.com.
  3. It asks its readers to unlock their account by providing their PIN.

REMEMBER: Dwolla will NEVER ask you to submit your Personal Identification Number (PIN) for account verification purposes.

Let’s recap:

Before providing your credentials to any website, be sure:

  • That the intended destination matches the appropriate domain name (e.g. Dwolla goes to Dwolla.com or DwollaLabs.com, not Dwolla12.net or ACME.com).
  • When dealing with sensitive information, look for a valid Secure Sockets Layer (SSL) certificate in your browser window (often shown in the URL bar).

Beware of emails that:

  • Urge you to act quickly because your account may be suspended or closed.
  • Don’t address you by name, but use more generic language like “Dear valued customer.”
  • Ask for account numbers, passwords or other personal information.
  • Are poorly formatted and use terrible grammar.

Learn more about Phishing in our help section, How to identify and prevent phishing.

Again, should you have suspicions about any email, please email us at support@dwolla.com or call 1-888-289-8744. At Dwolla, we work diligently to identify all possible risks, but when it comes to phishing, awareness and education are still the best form of prevention. Luckily, it’s also the lowest tech.

We thank you for your vigilance and cooperation!

©2017 TransSwipe
