In order to properly mitigate a micro-deposit salami attack, it would be beneficial to know the fingerprint of a bank ahead of initiating micro-deposits. (This assumes that once a micro-deposit is initiated, there isn't a way to cancel it.)
This is my plan for the prevention:
The user initiates a micro-deposit → Our server requests micro-deposit initiation from Dwolla → Our server gets a callback with the result (succeeded or failed) → Check whether the fingerprint from the callback is a duplicate → If it is a duplicate, cancel the micro-deposit immediately.
The questions are:
- As soon as micro-deposit is initiated (meaning the client uses Dwolla’s API to request micro-deposit initiation), is it immediately executed? Or is it queued?
- If queued, can the client check the fingerprint and cancel the micro-deposit if a duplicate is detected?
- Would removing a funding source cancel the micro-deposits?
- If the funding source is removed immediately after checking the fingerprint, would micro-deposit fees still be incurred?
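The callback-side duplicate check from the plan above, as an added illustration that is not part of the original post and not Dwolla's code: a ledger records which funding sources have reported each bank fingerprint and decides, per result callback, whether the micro-deposit should be kept or cancelled. The callback field names, the `succeeded`/`failed` status values, and the one-source-per-fingerprint limit are assumptions; whether Dwolla actually allows the cancellation is the open question the post asks.

```python
from collections import defaultdict

class FingerprintLedger:
    """Remembers which funding-source ids have reported each bank fingerprint.

    Constructed example; the callback keys (fingerprint, fundingSourceId,
    status) are assumed names, not Dwolla's actual webhook schema.
    """

    def __init__(self, max_sources_per_fingerprint=1):
        # Assumed policy: how many distinct funding sources may share one bank.
        self.max_sources = max_sources_per_fingerprint
        self.sources_by_fingerprint = defaultdict(set)

    def handle_callback(self, event):
        """Decide what to do with one micro-deposit result callback.

        Returns "keep" for the first funding source seen for a fingerprint
        (or a replayed callback for a source already accepted), "cancel" when
        the fingerprint is already tied to another source (the many-accounts,
        one-bank pattern of a salami attack), and "ignore" for failed
        initiations, which never deposited anything.
        """
        if event["status"] != "succeeded":
            return "ignore"
        fingerprint = event["fingerprint"]
        source = event["fundingSourceId"]
        owners = self.sources_by_fingerprint[fingerprint]
        if source in owners:
            return "keep"  # duplicate delivery of a callback we already accepted
        if len(owners) >= self.max_sources:
            return "cancel"  # another funding source already used this bank
        owners.add(source)
        return "keep"

# Constructed sample callbacks: fs-1 and fs-3 point at the same bank (fp-A),
# fs-2 failed, and the last event is a replayed callback for fs-1.
SAMPLE_EVENTS = [
    {"fundingSourceId": "fs-1", "fingerprint": "fp-A", "status": "succeeded"},
    {"fundingSourceId": "fs-2", "fingerprint": "fp-B", "status": "failed"},
    {"fundingSourceId": "fs-3", "fingerprint": "fp-A", "status": "succeeded"},
    {"fundingSourceId": "fs-1", "fingerprint": "fp-A", "status": "succeeded"},
]

def run(events=SAMPLE_EVENTS):
    """Feed the sample callbacks through one ledger; returns (source, action) pairs."""
    ledger = FingerprintLedger()
    return [(e["fundingSourceId"], ledger.handle_callback(e)) for e in events]

if __name__ == "__main__":
    for source, action in run():
        print(source, action)
```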