
1) How did CFPB come to investigate Dwolla? Does it originate its own audits or was it tipped off?

2) Was the offending behavior just the marketing misrepresentation? Or does the CFPB actually require certain data security standards to be met (regardless of any marketing messages)?

Well, I still see it as an accepted method of payment by the Treasury Department. https://www.pay.gov/public/form/start/4624405

The Order is interesting. http://files.consumerfinance.gov/f/201603_cfpb_consent-order... (As well as being one of, if not the, smallest monetary orders the CFPB has ever made.) It is not based on Dwolla being breached in any way, or particularly insecure security practices (IMHO). Nor is it based on any particular legal requirement Dwolla has to follow. It's based on Dwolla advertising how secure they are, and the CFPB decided that, in their opinion, they were not that impressive. Hence they felt Dwolla misrepresented itself.

Specifically (on their main complaint), encrypting data at rest (as opposed to encrypting data in transit, as well as tokenizing data, which they do, and is very important) is the least important part of securing data...because the only way that stored data is used is by decrypting it...and anyone who gets far enough to access that encrypted data at rest would also be able to access the private security key that is decrypting it at the same time. Encryption for at rest data is more important for backups.

It's also interesting that it appears (maybe) Dwolla got on the CFPB's radar by writing them a letter two years ago, in part discussing how secure they are... http://blog.dwolla.com/net-neutrality/

And from the "Isn't that Ironic" section... http://www.gao.gov/assets/670/666000.pdf The CFPB failed its own audit by the GAO, for its security practices for personal financial data it holds.
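The comment above argues that at-rest encryption protects a backup but not a live host that holds the key, and that tokenization is the part that matters. The following is an added, constructed illustration of that threat model and is not code from the thread, from Dwolla, or from the CFPB order. It models three storage designs as plain dictionaries (the "disk image" someone who can read a host's storage would obtain) and asks what each image yields on its own. The HMAC-SHA256 counter-mode keystream is a stand-in for a real cipher so the example runs on the standard library only; the account IDs and card numbers are standard test values, not real data.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode as a keystream, XORed onto
    the data. It stands in for AES so the example runs offline on the standard
    library; it is illustrative only, not a production cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block_input = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    # zip() truncates the keystream to the length of the data.
    return bytes(a ^ b for a, b in zip(data, stream))


class AtRestEncryptedStore:
    """Design 1: ciphertext rows and the decryption key live on the same host."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.rows: dict[str, tuple[bytes, bytes]] = {}

    def put(self, account_id: str, pan: str) -> None:
        nonce = secrets.token_bytes(16)
        self.rows[account_id] = (nonce, keystream_xor(self.key, nonce, pan.encode()))

    def live_host_image(self) -> dict:
        # Everything a reader of this host's storage obtains: key and data together.
        return {"key": self.key, "rows": dict(self.rows)}

    def backup_image(self) -> dict:
        # A backup of the data rows only; the key is assumed to live elsewhere
        # (key store / HSM) and is not part of the backup set.
        return {"rows": dict(self.rows)}


class TokenizedStore:
    """Design 2: the application host keeps only opaque tokens; the real values
    live in a separate vault service (assumed to be a different host)."""

    def __init__(self) -> None:
        self.app_rows: dict[str, str] = {}      # account_id -> token
        self.vault: dict[str, str] = {}         # token -> pan, on the vault host

    def put(self, account_id: str, pan: str) -> None:
        token = "tok_" + secrets.token_hex(8)   # random, carries no information
        self.vault[token] = pan
        self.app_rows[account_id] = token

    def app_host_image(self) -> dict:
        return {"rows": dict(self.app_rows)}


def recover_pans(image: dict) -> dict[str, str]:
    """What someone holding only this image can reconstruct, working offline.
    Ciphertext is only usable if the key is in the same image; tokens are
    random values with no offline inverse."""
    found: dict[str, str] = {}
    key = image.get("key")
    for account_id, value in image["rows"].items():
        if isinstance(value, tuple) and key is not None:
            nonce, ciphertext = value
            found[account_id] = keystream_xor(key, nonce, ciphertext).decode()
    return found


def run_demo() -> dict[str, dict[str, str]]:
    # Constructed sample data: standard card-network test numbers, not real PANs.
    sample = {"acct-1": "4111111111111111", "acct-2": "5555555555554444"}

    encrypted = AtRestEncryptedStore()
    tokenized = TokenizedStore()
    for account_id, pan in sample.items():
        encrypted.put(account_id, pan)
        tokenized.put(account_id, pan)

    return {
        "live_host_encrypted": recover_pans(encrypted.live_host_image()),
        "backup_encrypted": recover_pans(encrypted.backup_image()),
        "tokenized_app_host": recover_pans(tokenized.app_host_image()),
    }


if __name__ == "__main__":
    for design, recovered in run_demo().items():
        print(f"{design}: {len(recovered)} account(s) recoverable")
```

Running it shows the comment's point directly: the live encrypted host gives up every value because the key sits beside the data, the key-less backup gives up nothing, and the tokenized application host gives up nothing without the vault. The design question that remains is where the key (or the vault) lives relative to the data, which is what the at-rest control actually hinges on.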

Yeah, the whole thing seems odd to me. And the whole "Labs" story sounded fishy, too. I wonder if when that letter was written that they were already under investigation considering the grievances date back to 2102 and before?

Yeah, compare to say, http://www.cutimes.com/2016/02/26/coast-central-credit-union... Most credit unions have really poor technology. And too much of the order is yammering about policies, procedures, and training. Like that is a magical panacea, vs. a good tokenized architecture. I can see sending Dwolla a notice (perhaps as an example to others), but a fine is way overreaching, in my opinion.
