Dwolla dwamned for destroywing defwences: $100k fine for insecurity

Payment upstart encouraged people to send passport scans, SSNs in plain email

Updated US payment processor Dwolla has been slapped with a US$100,000 fine for wrongly claiming it was super secure.

In fact, its staff were left with so little training that in an IT penetration test in 2012, nearly half of them opened a phishing email, 62 per cent of those opened the link it contained, and 25 per cent of employees tried to give their credentials to the hired attacker.

The US Consumer Financial Protection Board (CFPB) fined the Iowa-based biz on March 2, saying the punishment is for “deceiving consumers about its data security practices and the safety of its online payment system.”

The fine seems almost lenient: among a litany of infosec failures the CFPB lists is in-the-clear transmission and/or storage of customer information including their PINs and the identifying personal information they provided when opening their accounts.

In its full report [PDF] the CFPB says between 2011 and 2014, Dwolla told people transactions on its platform were safer than credit cards, and “less of a liability for both consumers and merchants,” that everything was encrypted, and that it was PCI-compliant.

“In fact, [Dwolla] failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorised access”, the watchdog states. The company lacked data security policies, procedures, or a data security plan to “govern the collection, maintenance, or storage of consumers’ personal information.”

To make registration easier, the company “encouraged consumers” to use clear-text email to submit sensitive personal information including social security numbers and scans of driver licenses, utility bills and passports.

Its side-operation, Dwollalabs, wrote similarly insecure apps and handed them out to folks.

As well as the fine, the order requires Dwolla to fix its security practices, stop misrepresenting its services to consumers, appoint “a qualified person to coordinate and be accountable for the data-security program,” and conduct twice-yearly risk assessments.

It's also ordered to patch its systems, including mobile apps, and undergo an annual security audit.

The Register notes that the CFPB's document would serve as a handy checklist for anyone else hoping to launch a payment-processing system without making fools of themselves. ®

Updated to add

Dwolla has pinged The Register to direct our attention to an apology on its website.

In an email, the biz added:

"Dwolla understands the bureau's concerns regarding the protection of consumer data and representations about data security standards, and Dwolla's current data security practices meet industry standards.

"Since its launch over 5 years ago, Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event. During this time, Dwolla had many other layers of data security practices and technologies in place that were not found to be deficient, which we believe helped to prevent harm to consumers." ®

Sponsored: Minds Mastering Machines - Call for papers now open

Biting the hand that feeds IT © 1998–2018