
🏦 Dwolla Bank and ACH payments - New Plugin from Zeroqode


#1


Enable ACH/Bank payments and transfers in your application with the Dwolla API. (Works only for US users)


For demos and other details please visit: https://zeroqode.com/plugin/dwolla-achbank-payments-plugin-1568285782768x592616517541273900

Please support us with a retweet

Levon Terteryan

Founder @ Zeroqode



#2

I’m going through the application process with Dwolla right now. Can you please help answer these questions? Not sure if there are standard answers for a Bubble site for these?

  • How is sensitive data (such as social security numbers, bank account numbers, or other personally identifiable information and not including passwords) encrypted at rest? Please include the algorithm and cipher mode, as well as information regarding how encryption keys are stored and rotated.

  • How are passwords hashed at rest? Please include the hashing algorithm, how they are salted, and parameters such as work factor, rounds, parallelism, etc.

  • How is sensitive data (such as transaction details, passwords, social security numbers, bank account numbers, or other personally identifiable information) encrypted in-transit? Please specify the minimum allowed version of TLS and the issuing certificate authority.

  • Please describe where the Dwolla API key/secret are stored, how they are protected, and how they are used by your application.

  • What kind of rate limiting do you have in place for your login form?

  • What tools do you use to scan your servers and applications (including applications you write) for known or unknown security vulnerabilities?

  • Do you receive notifications from vendors or other third parties about security advisories related to your software components? If so, please list some of the sources of these notifications.

  • What is your process for identifying vulnerabilities (such as the OWASP Top 10) in applications you have developed, or have had developed for you?

  • Do you make use of a web application firewall to protect your web application or API? This is different from a network firewall and inspects traffic at the application level for potential abuse.


#3

Hello @cole,

Thank you for reaching out.

Regarding your questions, it is important to mention that we are using the Bubble infrastructure to develop our applications and store data. From what we are aware, Bubble uses best-practice tools for the security of the data link1 link2. In order to provide a detailed answer to your questions, we will send a request for information related to security to check with Bubble. Another important mention is that, to simplify the process of adding a bank funding source, the Dwolla plugin is designed to work with the Plaid plugin created by Copilot. Plaid is used to collect the user’s account details and then the process continues with Dwolla. We will do our best to provide as many details as possible regarding the security of the data on our side; meanwhile, to find out more about the security procedures on the Dwolla and Plaid side, please consult the following sources:

Dwolla:
https://www.dwolla.com/platform/security-and-privacy-matter/

Plaid:

I will come back with an answer once all the required information has been confirmed.

Best Regards,
Alex


#4

Hello Cole,

We reached Bubble and they provided the following answers. Please consider that this information is valid as of the 1st of Jan 2020 and may change in the future as the Bubble team continues improving security settings.

  • We use Amazon RDS’s AES-256 encryption
  • We use Amazon Web Service’s KMS to manage encryption keys.
  • We use sha256 with a randomly-generated salt that is prepended to the password
  • Bubble has documented key management procedures that govern where keys are stored, who owns them, how the keys are used, and the lifecycle of the keys. We use Amazon Web Service’s KMS to manage encryption keys.
  • We prevent parallel login attempts, and apply a linearly-increasing time penalty for subsequent failed password attempts
  • All production code changes pass through a code review process prior to release. This code review includes evaluating the changes for potential security defects.
  • Bubble uses automatic vulnerability detection software, both internally and hosted by a third party service, to detect application and network vulnerabilities.
  • Yes, GitHub + NPM
  • Bubble’s software development lifecycle incorporates industry best practices at all stages. We have a number of controls including code review, automated code testing tools, automated and manual vulnerability testing including OWASP top ten testing, and continuous monitoring.
  • Bubble uses code analysis tools to detect security and vulnerability defects. These tools are integrated with our continuous deployment workflow, and code that does not pass is prevented from being deployed.
  • All production code changes pass through a code review process prior to release. This code review includes evaluating the changes for potential security defects.
  • We do an annual internal audit that includes identifying and prioritizing security, privacy, legal, and business continuity risks, as well as a review of our business processes and governance.
  • Bubble currently protects its networks via intrusion prevention systems including firewalls and authentication layers. Bubble logs application-level events to detect and respond to security incidents. Evaluating IDS systems or web application firewalls for possible implementation is on our security roadmap.

I hope this information does clarify all of your queries.
Best Regards,
Alex
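Post #4 describes two login-form controls: no parallel login attempts for an account, and a linearly increasing time penalty after each failed password. The Python below is an added illustration of how such a control can be structured; it is not Bubble's implementation (whose base penalty and bookkeeping are not stated in the thread). The 2-second base penalty is a constructed value, and `FakeClock` exists only so the behaviour can be exercised without sleeping.

```python
import threading
import time
from typing import Callable, Dict, List, Set, Tuple

# Constructed value for this example: wait after the first failure, doubled after the
# second, tripled after the third, and so on (a linear penalty, not exponential).
BASE_PENALTY_SECONDS = 2.0


class FakeClock:
    """Deterministic stand-in for time.monotonic so the throttle can be driven in tests."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginThrottle:
    """Per-account throttle with the two properties described in the thread: a second
    attempt for an account while one is in flight is refused, and every failed attempt
    pushes the next permitted attempt out by base_penalty * consecutive_failures."""

    def __init__(self, base_penalty: float = BASE_PENALTY_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._base = base_penalty
        self._clock = clock
        self._failures: Dict[str, int] = {}      # consecutive failures per account
        self._not_before: Dict[str, float] = {}  # earliest permitted next attempt
        self._in_flight: Set[str] = set()        # accounts with an attempt in progress
        self._lock = threading.Lock()            # state is shared across request threads

    def begin(self, account: str) -> Tuple[bool, float]:
        """Ask to start a login attempt. Returns (allowed, seconds_to_wait)."""
        with self._lock:
            if account in self._in_flight:
                return False, 0.0  # parallel attempt for the same account: refused
            wait = self._not_before.get(account, 0.0) - self._clock()
            if wait > 0:
                return False, wait  # still inside the penalty window
            self._in_flight.add(account)
            return True, 0.0

    def end(self, account: str, success: bool) -> None:
        """Record the outcome of an attempt started with begin()."""
        with self._lock:
            self._in_flight.discard(account)
            if success:
                self._failures.pop(account, None)
                self._not_before.pop(account, None)
                return
            failures = self._failures.get(account, 0) + 1
            self._failures[account] = failures
            self._not_before[account] = self._clock() + self._base * failures

    def penalty_for(self, account: str) -> float:
        """Penalty imposed by the most recent failure (0.0 once a login succeeds)."""
        with self._lock:
            return self._base * self._failures.get(account, 0)


def demo() -> Tuple[List[Tuple[bool, float]], float]:
    """Three failed attempts, then a success, on a fake clock. Returns every begin()
    decision and the final penalty so the sequence can be checked."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    decisions = []
    for attempt in range(3):
        decisions.append(throttle.begin("alice"))   # allowed
        decisions.append(throttle.begin("alice"))   # refused: attempt already in flight
        throttle.end("alice", success=False)
        decisions.append(throttle.begin("alice"))   # refused: wait (attempt + 1) * 2 s
        clock.advance(BASE_PENALTY_SECONDS * (attempt + 1))
    decisions.append(throttle.begin("alice"))       # penalty served: allowed again
    throttle.end("alice", success=True)
    return decisions, throttle.penalty_for("alice")


if __name__ == "__main__":
    steps, final_penalty = demo()
    for allowed, wait in steps:
        print("allowed" if allowed else f"refused, wait {wait:.0f}s")
    print("penalty after successful login:", final_penalty)
```

The refusal for a parallel attempt deliberately reports a zero wait rather than the penalty window, so that a caller cannot learn from the response whether a different session is currently trying the same account.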


#5

Thanks, Alex! I’ll let you know if Dwolla needs further clarification.


#6

Hi Alex, Dwolla came back with one more question.

Where is the Dwolla API key/secret stored? Is it encrypted in a database on the backend, stored in an environment variable, etc?

Thanks,
Cole


#7

Hello @cole,

Let me check this out. We will do our best to provide an answer ASAP.

Best Regards,
Alex


#8

Hello Again,

We double-checked with Bubble and as far as we know: Bubble has documented key management procedures that govern where keys are stored, who owns them, how the keys are used, and the lifecycle of the keys. Bubble uses Amazon Web Service’s KMS to manage encryption keys.

Hope that helps!

For more details, you can reach their support at [email protected]

Best Regards,
Alex


#9

Thanks, @alex.grimacovschi. Here is what I heard back from Dwolla.

After reviewing your use-case and the previous client who has utilized Bubble, we were unfortunately unable to find any evidence or cause to lower or accept the risk based upon their password hashing procedures. However, we also weren’t able to confirm via Bubble’s official documentation that the SHA256 scheme you provided in the questionnaire is Bubble’s current practice.

They have had one other client try and connect using Bubble but were unsuccessful. For alternatives, this is what they responded with.

The other options largely center around offloading your authentication flow outside of bubble. That would likely require a small tech lift and/or further plugin purchases on your end. We can certainly talk about this more if desired but as these options have the highest added tech debt I recommend we proceed by reaching out to bubble for confirmation of their practices first.

We are going back to confirm if Auth0 would meet your standards. I just thought I would keep you and @levon updated so you can update the plugin docs once we find out more.

Best,
Cole
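Dwolla's objection above concerns the password hashing scheme from post #4 (a random salt prepended to the password, one SHA-256 pass), and the questionnaire item in post #2 asks specifically for a work factor, rounds and parallelism, which a single SHA-256 pass does not have. The Python below is an added illustration and is not code from Bubble, Zeroqode or Dwolla: it implements the scheme as described next to PBKDF2-HMAC-SHA256 from the standard library, where the round count is the tunable work factor, and `describe()` returns the facts such a questionnaire asks for. The salt size and round count are constructed example values.

```python
import hashlib
import hmac
import os
import time

# Constructed example parameters (not values used by Bubble or Dwolla).
SALT_BYTES = 16
PBKDF2_ROUNDS = 200_000


def hash_salted_sha256(password: str, salt: bytes = None) -> str:
    """The scheme described in the thread: random salt prepended, one SHA-256 pass.
    Stored as sha256$<salt hex>$<digest hex>. No work factor: one guess costs one hash."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return "$".join(["sha256", salt.hex(), digest])


def hash_pbkdf2_sha256(password: str, salt: bytes = None, rounds: int = PBKDF2_ROUNDS) -> str:
    """Same primitive, iterated: the round count is the work factor the questionnaire
    asks for. Stored as pbkdf2_sha256$<rounds>$<salt hex>$<derived key hex>, so the
    parameters travel with the record and can be raised later without a flag day."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$".join(["pbkdf2_sha256", str(rounds), salt.hex(), dk.hex()])


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    fields = stored.split("$")
    if fields[0] == "sha256" and len(fields) == 3:
        candidate = hash_salted_sha256(password, bytes.fromhex(fields[1]))
    elif fields[0] == "pbkdf2_sha256" and len(fields) == 4:
        candidate = hash_pbkdf2_sha256(password, bytes.fromhex(fields[2]), int(fields[1]))
    else:
        raise ValueError("unrecognised stored hash format")
    return hmac.compare_digest(candidate, stored)


def describe(stored: str) -> dict:
    """The facts a security questionnaire asks about a stored hash: algorithm,
    salt length, and work factor (rounds)."""
    fields = stored.split("$")
    if fields[0] == "sha256":
        return {"algorithm": "SHA-256", "salt_bytes": len(fields[1]) // 2, "rounds": 1}
    if fields[0] == "pbkdf2_sha256":
        return {"algorithm": "PBKDF2-HMAC-SHA256",
                "salt_bytes": len(fields[2]) // 2, "rounds": int(fields[1])}
    raise ValueError("unrecognised stored hash format")


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core guess rate someone holding a leaked hash table would get
    against this scheme on this machine (pure Python; the first call always runs,
    so the result is defined even when one hash takes longer than the budget)."""
    salt = os.urandom(SALT_BYTES)
    count, start = 0, time.perf_counter()
    while True:
        hash_fn("guess%d" % count, salt)
        count += 1
        elapsed = time.perf_counter() - start
        if elapsed >= seconds:
            return count / elapsed


if __name__ == "__main__":
    for fn in (hash_salted_sha256, hash_pbkdf2_sha256):
        record = fn("correct horse battery staple")
        print(describe(record), "verify:", verify("correct horse battery staple", record))
        print("  approx. guesses/second on this machine: %.0f" % guesses_per_second(fn))
```

Running the script shows the practical difference the questionnaire is probing for: both schemes are salted, so precomputed tables do not apply to either, but only the iterated scheme lets the operator set (and later raise) the per-guess cost that limits offline guessing after a database leak.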


#10

Hello @cole,

Thank you for updating us! We will keep track of the concerns mentioned by Dwolla and will make sure the plugin docs are updated accordingly.

By any chance are you referring to connecting Dwolla services through Auth0? In this case, I assume you will connect the Dwolla services directly through Auth0 without using our plugin. Otherwise, could you please let me know how you envision the connection will be made?

Best Regards,
Alex


#11

Hi @alex.grimacovschi,

My developer and I haven’t gotten the workflow put together yet and tested with Dwolla. But we sent them the Auth0 plugin link and they said it would meet their security standards.

I’ll keep you updated once we have everything put together and approved by Dwolla.

Best,
Cole