The One Thing Banks Should Never Do on Facebook and Twitter
Sposito, Sean, American Banker
On the surface, Facebook and Twitter are a bank marketer's dream.
Access to millions of people through a single social login process (whereby users don't need separate passwords and usernames for their Internet bank accounts). All of your customers right on the platform. And aid in registering and creating new online accounts.
But after both social networks admitted this month that they have been the targets of malicious attempts to hack their systems, bankers could soon adopt a new mantra: Don't use Facebook's or Twitter's sign-on services, no matter how appealing either seems.
The problem is that any breach of security that a user encounters on social networks could potentially spread to that person's online bank account -- if that user's bank is completely reliant on those companies for its online banking authentication.
Most banks in the U.S., though, are just using Twitter and Facebook for marketing and customer service messaging rather than as a portal to online banking, says Nicole Sturgill, a research director in the cards and retail banking practice at CEB Towergroup.
"However, banks outside the U.S. are starting to allow direct access to [online banking] through Facebook and that's where there should be a concern about Facebook hacking," Sturgill says. "For those banks, Facebook should be used as a gateway to [online banking] but there should be an extra layer of security. No one should be able to log in to [online banking] with nothing but their Facebook ID and password."
Facebook, Twitter, Apple (AAPL) and at least 40 other companies were the victims of the efforts of a band of high-tech criminals from Eastern Europe, according to Bloomberg. Twitter said in early February that 250,000 of its users' passwords may have been compromised.
In addition, high-profile hacks of the branded Twitter accounts of Burger King and Jeep show just how vulnerable social media identities are. In the Burger King case, hackers changed the logo on the company's Twitter page to the McDonald's logo and spread false information that the fast food chain had been sold to McDonald's.
Just last week, Facebook of Menlo Park, Calif., said it was targeted by thieves who loaded malicious software onto employees' computers directly through a compromised developer website.
Although Facebook was emphatic that no user data was stolen, the attack highlights the danger of doing business directly with the social network.
Indeed, Facebook is a prime target for hackers for much the same reason that bankers might find it attractive -- it's everywhere.
That, compounded by the fact that many unsophisticated users wouldn't think twice about clicking on a malicious link, for example, makes it particularly enticing for criminals.
"That's the very, very, very risky thing about social networks," says Dr. Ken Baylor, a research vice president at information security research and advisory company NSS Labs. "The idea of using them as an authentication platform really has its drawbacks. I really think it's a bad idea."
He says that social networking as an authentication factor is definitely not a smart move. …