
Dwolla fined $100,000 for misrepresenting its data-security practices - pbreit
http://techcrunch.com/2016/03/02/dwolla-fined-100000-for-misrepresenting-its-data-security-practices/
======
pbreit
1) How did CFPB come to investigate Dwolla? Does it originate its own audits
or was it tipped off?

2) Was the offending behavior just the marketing misrepresentation? Or does
the CFPB actually require certain data security standards to be met
(regardless of any marketing messages)?

~~~
phonon
Well, I still see it as an accepted method of payment by the Treasury
Department.
[https://www.pay.gov/public/form/start/4624405](https://www.pay.gov/public/form/start/4624405)

The Order is interesting.
[http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf](http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf)
(As well as being one of, if not the, smallest monetary orders the
CFPB has ever made.) It is not based on Dwolla being breached in any way, or
particularly insecure security practices (IMHO). Nor is it based on any
particular legal requirement Dwolla has to follow. It's based on Dwolla
advertising how secure they are, and the CFPB decided that, in their opinion,
they were not that impressive. Hence they felt Dwolla misrepresented itself.

Specifically (on their main complaint), encrypting data at rest (as opposed to
encrypting data in transit, as well as tokenizing data, which they do, and is
very important) is the least important part of securing data...because the
only way that stored data is used is by decrypting it...and anyone who gets
far enough to access that encrypted data at rest would also be able to
access the private security key that is decrypting it at the same time.
Encryption for at-rest data is more important for backups.

It's also interesting that it appears (maybe) Dwolla got on the CFPB's radar
by writing them a letter two years ago, in part discussing how secure they
are... [http://blog.dwolla.com/net-neutrality/](http://blog.dwolla.com/net-neutrality/)

And from the "Isn't that Ironic" section...
[http://www.gao.gov/assets/670/666000.pdf](http://www.gao.gov/assets/670/666000.pdf)
The CFPB failed its own audit by the GAO, for its security practices for
personal financial data it holds.
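The "tokenized architecture" phonon refers to above is easier to reason about with a concrete sketch. The following is an added illustration written for this thread, not Dwolla's code or design and not described in the consent order: a minimal token vault in which the application database only ever holds random, opaque tokens plus a masked display form, while the real account numbers live solely in the vault. The class and function names, the `tok_` token format and the HMAC blind index used to recognise repeat values are all constructed for the example.

```python
import hmac
import hashlib
import secrets


class TokenVault:
    """Constructed illustration of a token vault (not Dwolla's design).

    The vault is the only component that ever holds real bank account
    numbers. Everything else in the system stores and passes around
    opaque tokens; because the tokens are random rather than derived from
    the account number, a token leaked from the application database
    cannot be reversed without access to the vault itself.
    """

    def __init__(self, index_key=None):
        # Hypothetical per-vault secret used only to build a blind index, so
        # the same account number maps to the same token on repeat calls
        # without keeping the plaintext as a dictionary key.
        self._index_key = index_key or secrets.token_bytes(32)
        self._token_to_value = {}   # token -> real account number
        self._index_to_token = {}   # HMAC(account number) -> token

    def _blind_index(self, value):
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).digest()

    def tokenize(self, account_number):
        """Return an opaque token for the account number, minting one if needed."""
        idx = self._blind_index(account_number)
        token = self._index_to_token.get(idx)
        if token is None:
            # Pure randomness: nothing about the account number is derivable
            # from the token, unlike a hash or a reversible encryption.
            token = "tok_" + secrets.token_hex(16)
            self._index_to_token[idx] = token
            self._token_to_value[token] = account_number
        return token

    def detokenize(self, token):
        """Resolve a token back to the real value; only the vault can do this."""
        return self._token_to_value[token]


def mask(account_number):
    """Display form an application may keep alongside the token (last 4 only)."""
    return "*" * (len(account_number) - 4) + account_number[-4:]


def store_customer(vault, app_db, customer_id, account_number):
    """Write a customer record into the constructed application database,
    which never sees the real account number."""
    record = {
        "customer_id": customer_id,
        "account_token": vault.tokenize(account_number),
        "account_masked": mask(account_number),
    }
    app_db[customer_id] = record
    return record


def app_db_contains_plaintext(app_db, account_number):
    """Check: does any stored application field reveal the real account number?"""
    return any(account_number in str(v)
               for rec in app_db.values() for v in rec.values())


if __name__ == "__main__":
    vault = TokenVault()
    app_db = {}
    # Constructed sample account number, not a real one.
    rec = store_customer(vault, app_db, "cust-1", "123456789012")
    print(rec)
    print("plaintext in app db:", app_db_contains_plaintext(app_db, "123456789012"))
    print("vault resolves:", vault.detokenize(rec["account_token"]))
```

The point the sketch makes is the one the thread circles around: with this layout, compromising the application database yields tokens and masked values, and the question of which keys or components an intruder can also reach (here, the vault and its index key) is what actually decides whether account numbers are exposed.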

~~~
pbreit
Yeah, the whole thing seems odd to me. And the whole "Labs" story sounded
fishy, too. I wonder if, when that letter was written, they were already
under investigation, considering the grievances date back to 2012 and before?

~~~
phonon
Yeah, compare to, say, [http://www.cutimes.com/2016/02/26/coast-central-credit-union-website-hacked](http://www.cutimes.com/2016/02/26/coast-central-credit-union-website-hacked)
Most credit unions have really poor technology. And too much
of the order is yammering about policies, procedures, and training. Like that
is a magical panacea, vs. a good tokenized architecture. I can see sending
Dwolla a notice (perhaps as an example to others), but a fine is way
overreaching, in my opinion.

