15 / 2014

Notice Regarding Yahoo Email Addresses

Due to a recent change at Yahoo, any invoices, reminders or receipts sent through Wave have likely not been delivered.

What happened

On Friday April 4th, Yahoo made a change to its systems that had an unintended consequence: Emails from @Yahoo addresses, sent via a third-party service like Wave, were being flagged by Yahoo in a way that prevented them from getting to their destination.


The Wave team is currently investigating this, and we hope to have a solution in place in the near future. As we investigate, we're using emails and in-app notifications to contact all customers who may be impacted by this. While we investigate this, we recommend you change your primary email address from a Yahoo email to an alternate email, and re-send any invoices, reminders or receipt of payments you sent since April 4th.

Changing your email address in Wave

To update your primary email address, log in to your Wave account, and select Account, then Your profile in the top right corner. From here, select Credentials from the options on the left. Then, scroll down and select Add an email address. You'll then receive an email to verify that this new email address is yours. Once the email address has been verified, go back to the credentials page and select the star that will appear next to the new email address. This will set your new email address as your primary email. Once this is complete, re-send any invoices, receipts or reminders that you had sent to your customers since April 4.

We apologize sincerely for the inconvenience caused by this.

Continue Reading


15 / 2014

Payroll Design Series: Part three

You may have noticed that Payroll by Wave looks a bit nicer today, and that’s because we’ve made some further (good looking) improvements to the application. Our most recent changes were made as a result of some great customer feedback. 

Pay stubs

We get a lot of questions from employers about pay stubs, and specifically how to generate individual PDFs for their employees. Until last week, we had an employee portal option, but no way for employers to generate individual PDFs for their own use. You can now export PDFs individually, making the process of tracking employee pay even easier! To generate single pay stub PDFs simply select the download button on the right side of the pay stub that you’d like to export to PDF.

Exporting data

The second change we made sounds less exciting, but I promise, it’s awesome. 

Accountants have been asking us to make our data exports more detailed, so we did just that. Our .CSV payroll reports now contain more information on your payroll, so you (or your accountant) can get the right data, faster.

We'll continue to keep you updated with all of the exciting improvements coming for Payroll. If you have any feedback about these changes, please feel free to reach out to Sarah at sstockdale@waveapps.com! 

Continue Reading


14 / 2014

Heartbleed update

This is an update to an earlier blog post about the Heartbleed bug.

tl;dr – Wave was not compromised by Heartbleed and neither were our critical technology partners.

As promised, here's an update on the Heartbleed bug and what we've been up to in response to it.

As soon as the Heartbleed bug was announced, we knew and reported immediately that Wave's systems were not directly vulnerable. More specifically, the version of OpenSSL used by Wave was not a version that was subject to the Heartbleed bug.

Next step: Confirm with our critical partners whether they had been impacted — in other words, find out if Wave was indirectly vulnerable. Happily, we can report that our hosting provider was not vulnerable to the bug, and our bank data partners report no problems as well. 

After that, out of an overabundance of caution, we compiled a massive list of every service we use, and made sure that all of them were safe to use again. And we changed all our passwords, across our entire organization. 

For any company that couldn't provide the right assurances that they were safe to use, we have suspended their use pending their further actions. Fret not, this has no impact on Wave customers: The only companies in this bucket are tools for administrative use, like meeting planning or screen sharing.

What should YOU do?

You're reading this blog post about Heartbleed, so we're off to a good start. In my last post I suggested you follow an action plan similar to what we did:

  1. Think of all the services you use online (the size of this list may surprise you by the time you're finished).
  2. Systematically go through each one and verify if they were affected or not. 
  3. If they were affected, verify that they've fixed the vulnerability and then change your passwords. 

Most sites that were impacted by Heartbleed are reaching out to their users to tell them to change their passwords. If you haven't received something from a company, don't be afraid of reaching out proactively. The person best suited to protecting you is you. (Also, I hear you're pretty good at preventing forest fires.)

Are you done, then? No! I strongly recommend that you be extra diligent over the coming months. Watch out for phishing emails saying things like, “Hey Jim, I forgot to pay you back for that thing I bought — send me your bank credentials so that I can wire you some money.” If you get messages that ask for or talk about your money and you're not sure about the source, treat it with caution. For example, your bank wouldn't actually send you to a site like TD.passwordreset.12312312343.cn.com to change your credentials. If you're resetting a password, make sure you see the https in front of a URL you recognize. If you're following links from one page to another, verify that you actually ended up where you were headed, not a page that just looks like it.

In closing:

You'll hear this from time to time: Here at Wave we take security very seriously. That's not a canned response. We mean it. Part of our commitment is being open and honest, even when the news isn't great. For many of you, your business is your life. We understand that, we respect it, and we'll continue to treat events like these as life-threatening.

Finishing where I started, though: I'll reiterate that Wave and our critical technology partners were not affected by the Heartbleed bug.

So you can...

keep calm

(a little accounting humor to lighten up a dry subject)

Continue Reading


10 / 2014

Why accept credit cards?

Many business owners are finding themselves asking, "Should I accept credit cards?"  Whether your business is new and you're planning to accept credit cards when you're a little more established, or you've been in business for years and can't see why you'd go changing things now, sticking to traditional forms of payment is tempting for many. But there are three great reasons why you should consider accepting credit cards today.

Your customers will appreciate it

While your customers may be willing to pay by cash, check, or other traditional forms of payments, polls are increasingly showing that they want to pay by credit card. 

And why wouldn't they? As fewer and fewer people find themselves carrying cash, credit becomes an increasingly convenient way to pay. It provides your customers with security, reliability, and a monthly record of their transactions.

In a recent infographic published by Community Merchants USA, it was found that 28.7% of consumers said ease of use was the most important payment characteristic. Of customers 18-24, 69% said they'd only shop at a business that takes multiple forms of payment. Of customers 35-44, it was 58% - numbers that only seem to grow year over year.

Your business will grow

A recent article in Entrepreneur.com spells out the number one reason you should accept credit cards - it increases the probability, speed, and size of customer purchases. Accepting credit cards can also lower your risks, and increase the likelihood of impulse purchases being made. In fact, Forbes wrote that when people are given more payment options, they're more likely to not only make impulse purchases, but also join loyalty programs and spend more per purchase. 

It's easy!

With Payments by Wave, we've made it easier than ever to accept credit cards. There are never surprise fees or hidden fees, so you'll pay the same fee no matter what credit card you're processing. In fact, there are no setup fees or card storage fees, so not only is setup fast, but it's free! Your customers will be able to pay directly in the invoices you send, or you can accept payments on your mobile device with our iOS appLearn more, or sign up now!

Continue Reading


8 / 2014

Wave not directly impacted by OpenSSL vulnerability

OpenSSL is a tool used to encrypt traffic on the Internet — it’s the reason you use https not http for secure browsing. Yesterday a vulnerability was discovered in OpenSSL (the industry is referring to it as the Heartbleed bug). This is not specific to Wave; it’s a widespread vulnerability and has affected a large majority of the Internet’s secured sites using certain versions of OpenSSL. More details are available here: heartbleed.com

We have confirmed that the Wave tools have not been directly impacted -- in other words, the version of OpenSSL Wave uses did not include the Heartbleed vulnerability. However, we will continue to investigate whether any third-party service providers may have been impacted, and what the resulting impact on Wave customers might be.

We will provide updates as more news becomes available.

We recommend strong caution in using secure sites for the next couple of days while companies update their systems to fix their own OpenSSL vulnerabilities.

More details about this vulnerability

This vulnerability is being referred to in the industry as Heartbleed. In its theoretical worst form:

  • it could permit bad actors to impersonate a site you’re trying to access, while still showing you that green https lock in your browser

  • the bad actors would leave no trace that they had exploited the vulnerability

This vulnerability has existed in certain versions of OpenSSL for a couple of years, but wasn’t discovered / disclosed to the general public until yesterday (April 7).

What is Wave doing?

As mentioned above, Wave was not using a vulnerable version of OpenSSL, and therefore Wave was not directly affected.

We will continue to investigate the matter thoroughly until its full impact is known, and will work with partners like our hosting provider to proactively update security measures.

As we do so, your sessions in Wave may be interrupted for brief moments and you may be forced to log back in. I trust you will agree that this inconvenience is for the sake of maintaining optimal security, and that the hassle is well worth the peace of mind.

What should you do?

We will update you on any further actions that you may need to take regarding your use of Wave. At this time, there are no actions needed.

As for your use of other Internet sites and services, watch for messaging similar to this from those organizations. Once you’re confident that they’ve handled the problem, change your password credentials and clear your cookies. It’s important to do this after they have given you the all-clear. Changing your passwords beforehand will mean they may again be exposed before the all-clear is given.

Continue Reading