Dwolla clients build on a solid foundation. With an extensive Information Security program and a platform built with security and reliability in mind, we like to say “Security is in our DNA.” On top of this foundation, each client has the freedom to build amazing product experiences for their own customers and we get no bigger thrill than seeing our clients grow and succeed.
Protecting users from cyber attacks is a partnership between Dwolla and our clients, in the same way Dwolla’s platform is built on top of world-class providers like Amazon AWS and Cloudflare.
Every Dwolla client goes through an application review as part of onboarding, in some ways similar to publishing an app in the App Store or Google Play. If you’re an existing client, you’ve been through this, but some additional information on cyber security best practices is still worthwhile. If you’re already working with Dwolla, you should have been given access to our Customer Integration Guide, which is the best and most comprehensive resource for everything you are required to do to clear onboarding.
Reports of cyber crime are on the rise. The FBI Internet Crime Complaint Center’s (IC3) most recent report showed an increase in reported incidents of credit card fraud, denial of service, identity theft, non-payment/non-delivery, phishing, ransomware and a number of other types of crime between 2019 and 2020. The 2021 Verizon Data Breach Incident Report—derived from a broad community of vendors, responders and analysts—showed incident impacts can reach seven-figure dollar costs and that financially-motivated breaches have increased in six of the past eight years. The DBIR also showed that bank account and card information are some of the most discussed terms on criminal forums.
And must we even discuss the prevalence of Ransomware, seemingly in the news daily for resulting in massive disruptions to businesses and eventually requiring the White House to step in with an executive order and a $10 million reward for information leading to the arrest of ransomware perpetrators?
Below are some important points for protecting your users from a cyber attack. Additional technical details and cyber security best practices can be found in the related blog posts.
Strong Authentication: Make Sure You Know Who You’re Dealing With
Most of us wouldn’t let a random stranger into our house to sleep on our sofa (let alone rifle through our personal belongings or start doing renovations). Failing to put strong authentication into place in your application is no different. Unfortunately, there are many ways for someone to fake their identity online. You’ll want to ensure that you know who is signing up for your application (and that they’re not doing so maliciously). Have processes in place to verify that anyone moving money or accessing sensitive information is who they say they are, which is both the digital equivalent of ensuring you remember to lock the front door to your home and a cyber security best practice.
Strong passwords, multi-factor authentication and email validation are some of the best ways to prevent this type of abuse.
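As an added illustration of the multi-factor piece (this is example code written for this post, not part of Dwolla’s platform or API), the block below implements time-based one-time passwords (TOTP, RFC 6238) on top of HOTP (RFC 4226) using only the Python standard library. It shows the two things a verifier has to get right beyond computing the code: compare in constant time, and refuse to accept a time step that has already been used, so a code captured once cannot be replayed within its validity window. The secret, time values and window size are constructed inputs; the secret happens to be the RFC test-vector key so the results are checkable.

```python
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 4226/6238 test-vector key, shared between
# the user's authenticator app and the server (never sent over the wire again).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time / step."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, code: str, at_time: float, last_used_counter: int = -1,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Return the time-step counter the code matched, or None.

    - skew allows +/- one step of clock drift between client and server.
    - any counter <= last_used_counter is rejected, which blocks replay of a code
      that was already accepted; the caller persists the returned counter.
    - hmac.compare_digest avoids leaking which digits matched via timing.
    """
    counter = int(at_time // step)
    for delta in range(-skew, skew + 1):
        candidate = counter + delta
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    now = 59  # constructed timestamp (seconds since epoch) for the demo
    code = totp(DEMO_SECRET, now)
    first = verify_totp(DEMO_SECRET, code, now)
    replay = verify_totp(DEMO_SECRET, code, now + 5, last_used_counter=first)
    print("code:", code, "accepted at counter:", first, "replay accepted:", replay is not None)
```

In a real login flow the server stores `last_used_counter` per user alongside the secret, and a successful TOTP check only ever happens after the password check has passed, so each factor is independently required.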
Vulnerability Management: Make Sure You’re Keeping Systems Up to Date
Maintaining a software system or application is a bit like tending a garden. You carefully plan the layout, maybe put up a fence, select your favorite plants, tenderly plant them when the weather’s right, and make sure they stay watered until it’s harvest time. But what about weeds? Sure a weed here or there is no big deal, but without constant vigilance you soon have a towering forest of deeply rooted monsters that totally choke out what you were trying to grow and kind of ruin the whole experience.
Software is like this. Preventing vulnerabilities in your own code and keeping dependencies up to date is a day-in, day-out, never-ending responsibility. Exploiting known vulnerabilities in unpatched software is one of the most common ways attackers get into systems. Plus, the longer you put this off, the harder it’s going to be to get caught up when you finally do put on the gardening gloves, er, package manager?
Using guidance such as the OWASP Top 10 can help in keeping your own code secure and protect against cyber threats; ensuring you are regularly updating dependencies will ensure you’re at least not susceptible to vulnerabilities that could have been easily prevented.
Encryption & Hashing: Make Sure You’re Protecting Sensitive Data (Wherever It Is)
If you walked into a bank intending to open a bank account and found that there were piles of cash lying all over the place, safe deposit boxes hanging open, loan applications sitting on the counter, a teller with a bag of checks getting onto their bicycle—how confident would you be signing that account request form?
When we store sensitive information like social security numbers, bank account numbers, dates of birth, addresses, phone numbers or anything else that can identify an individual or grant access to their money or identity, we need to think about it in this way. Sure, the bank might have never had a single instance of employee theft, it might be a small town where nothing exciting ever happens—but it only takes one incident to have a devastating impact.
This is why we ensure sensitive information is encrypted (converted into a secret form that can only be converted back with a secret key) or hashed (converted into a secret form that cannot be converted back but is fast to compare) before we store it or transmit it. Passwords should never be stored in a reversible form, so they are hashed rather than encrypted. Encryption is typically used otherwise, but specific cases might call for different techniques and other cyber security best practices.
Logging & Monitoring: Make Sure You’re Paying Attention to What’s Actually Going On
If I walk into my local electronics megamart with an empty backpack and then twenty minutes later I climb over the security gates on my way out struggling to drag my bulging backpack behind me, I would expect to be challenged. Even if no one catches me at the time, when someone notices a stock discrepancy they’d go to the surveillance cameras and I’d have a problem.
Many cyber breaches are the digital equivalent of just this type of scenario. Are you ensuring someone trying to guess passwords or usernames triggers a lockout and alert? If someone suddenly downloads 100GB of data out of your system, would you know?
Ensure you have reasonable limits on activity in place, and that you alert on and investigate potentially anomalous activity. Then, keep sufficient logs to retroactively investigate an incident, so you can minimize the damage of a breach if you can’t stop it before it happens.
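The two questions above (repeated password guesses, and a sudden bulk download) are exactly the kind of thing a small piece of detection logic over your authentication and access logs can answer. The block below is an added example, not code from Dwolla; the log format, thresholds and sample lines are all constructed for the illustration. It keeps a sliding window of failed logins per user and of bytes transferred per user, raises a lockout alert when the failure threshold is hit, flags a successful login that lands during a lockout, and raises a bulk-download alert when the transferred volume in the window crosses the limit.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds chosen for this example; pick values that fit your own traffic.
FAIL_THRESHOLD = 5                        # failed logins per user ...
FAIL_WINDOW = timedelta(minutes=10)       # ... within this window => lockout alert
BYTES_THRESHOLD = 100 * 1024 * 1024       # bytes per user ...
BYTES_WINDOW = timedelta(hours=1)         # ... within this window => bulk-download alert

# Constructed sample log lines (not real traffic): timestamp event user ip bytes
SAMPLE_LOG = """\
2021-09-01T10:00:01Z LOGIN_FAIL user=alice ip=203.0.113.7 bytes=0
2021-09-01T10:00:03Z LOGIN_FAIL user=alice ip=203.0.113.7 bytes=0
2021-09-01T10:00:04Z LOGIN_FAIL user=alice ip=203.0.113.7 bytes=0
2021-09-01T10:00:06Z LOGIN_FAIL user=alice ip=203.0.113.7 bytes=0
2021-09-01T10:00:07Z LOGIN_FAIL user=alice ip=203.0.113.7 bytes=0
2021-09-01T10:00:09Z LOGIN_OK   user=alice ip=203.0.113.7 bytes=0
2021-09-01T10:05:00Z DOWNLOAD   user=bob   ip=198.51.100.4 bytes=52428800
2021-09-01T10:06:00Z DOWNLOAD   user=bob   ip=198.51.100.4 bytes=52428800
2021-09-01T11:30:00Z LOGIN_FAIL user=carol ip=192.0.2.9 bytes=0
2021-09-01T11:45:00Z LOGIN_FAIL user=carol ip=192.0.2.9 bytes=0
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+user=(\S+)\s+ip=(\S+)\s+bytes=(\d+)$")


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
        "event": m.group(2),
        "user": m.group(3),
        "ip": m.group(4),
        "bytes": int(m.group(5)),
    }


def detect(lines):
    """Return a list of (timestamp, alert_type, user, detail) tuples for the given log lines."""
    alerts = []
    fails = defaultdict(deque)    # user -> timestamps of recent failed logins
    volume = defaultdict(deque)   # user -> (timestamp, bytes) of recent transfers
    locked = set()

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user = ev["ts"], ev["user"]

        if ev["event"] == "LOGIN_FAIL":
            q = fails[user]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and user not in locked:
                locked.add(user)
                alerts.append((ts, "LOCKOUT", user, f"{len(q)} failed logins within {FAIL_WINDOW}"))

        elif ev["event"] == "LOGIN_OK":
            if user in locked:   # the app should have refused this; worth a human look
                alerts.append((ts, "LOGIN_WHILE_LOCKED", user, "successful login during lockout"))
            fails[user].clear()

        elif ev["event"] == "DOWNLOAD":
            q = volume[user]
            q.append((ts, ev["bytes"]))
            while q and ts - q[0][0] > BYTES_WINDOW:
                q.popleft()
            total = sum(b for _, b in q)
            if total >= BYTES_THRESHOLD:
                alerts.append((ts, "BULK_DOWNLOAD", user, f"{total} bytes within {BYTES_WINDOW}"))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

Running it over the sample lines produces a lockout for alice on her fifth failure, a follow-up alert because a successful login for alice arrives while she is locked out, and a bulk-download alert for bob once his two transfers reach the limit; carol’s two failures fifteen minutes apart stay below the threshold and produce nothing. The same structure works as a streaming consumer of a real log pipeline, with the alerts feeding whatever paging or ticketing you already use.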
Backups: Make Sure You Keep Secure & Reliable Copies of Critical Data (Not Just Replicas)
We’ve perhaps all experienced the white-knuckled adrenaline rush of realizing we just overwrote or deleted a document we spent the last four hours writing. Live and learn, right?
But when we take that scenario to enterprise-scale, the impacts can be truly disastrous for your company and customers. This has, unfortunately, become even more critical given the current ransomware epidemic where criminals might delete or encrypt your data and demand exorbitant amounts of money or cryptocurrency to maybe give it back.
Ensuring you have a true backup of critical data can literally be the difference between your business surviving or shuttering. One common mistake is relying on replication and thinking you have a backup. Replication is a process that automatically keeps your data in sync across multiple locations (think Google Drive or Box Sync, for example). The problem with this is that if the primary copy is corrupted, encrypted, or deleted, your “backup” will be as well!
Having what we call a “non-addressable” or “offline” backup that attackers can’t impact is critical to ensuring (if all else fails) you can restore to some recent point in time. By the way, if you haven’t tested your backup restoration process recently, you don’t have backups!
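Here is an added example (written for this post, not Dwolla’s tooling) that plays out the replica-versus-backup distinction and the “test your restore” rule on disk. Everything is constructed: it creates a throwaway primary directory with a small ledger file, mirrors it to a replica, takes a point-in-time backup with a checksum manifest, then overwrites the primary the way ransomware would. Re-syncing dutifully pushes the damage into the replica, while restoring from the backup and checking every file against the manifest recovers the original. The restore check is the part to keep: a backup whose restore has never been verified is only a hope.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of_tree(root: str) -> dict:
    """Map relative path -> SHA-256 for every file under root; this is the restore manifest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def replicate(primary: str, replica: str) -> None:
    """Mirror primary to replica. Whatever happens to primary, good or bad, happens here next."""
    if os.path.exists(replica):
        shutil.rmtree(replica)
    shutil.copytree(primary, replica)


def take_backup(primary: str, backup_root: str, label: str):
    """Point-in-time copy under its own label plus a manifest; the primary never writes here again."""
    dest = os.path.join(backup_root, label)
    shutil.copytree(primary, dest)
    return dest, sha256_of_tree(dest)


def restore_and_verify(backup_dir: str, manifest: dict, target: str) -> bool:
    """Restore the backup into target and confirm every file matches the manifest taken at backup time."""
    if os.path.exists(target):
        shutil.rmtree(target)
    shutil.copytree(backup_dir, target)
    return sha256_of_tree(target) == manifest


def demo() -> dict:
    """Run the scenario in a temp directory and report what survived. Data is constructed."""
    work = tempfile.mkdtemp()
    try:
        primary = os.path.join(work, "primary")
        os.makedirs(primary)
        with open(os.path.join(primary, "ledger.csv"), "w") as f:
            f.write("id,amount\n1,10.00\n2,25.50\n")
        known_good = sha256_of_tree(primary)

        replica = os.path.join(work, "replica")
        replicate(primary, replica)
        backup_dir, manifest = take_backup(primary, os.path.join(work, "backups"), "2021-09-01")

        # Simulate the live data being encrypted by ransomware ...
        with open(os.path.join(primary, "ledger.csv"), "w") as f:
            f.write("YOUR FILES ARE ENCRYPTED\n")
        # ... and replication faithfully propagating the damage.
        replicate(primary, replica)

        return {
            "replica_intact": sha256_of_tree(replica) == known_good,
            "restore_verified": restore_and_verify(backup_dir, manifest, primary),
            "primary_recovered": sha256_of_tree(primary) == known_good,
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

In production the backup destination is somewhere the primary’s credentials cannot write or delete (a separate account, immutable object storage, or offline media), and a scheduled job restores a recent backup into a scratch environment and runs the manifest check, so that “we have backups” is something you observe regularly rather than assume.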
While cyber security is a constantly evolving challenge and this isn’t a comprehensive list of what’s necessary, doing these things well will give you a big advantage against many attackers.
Learn more about utilizing the Dwolla API.