Vendors
日本語

Social Networks Are Not Secure!

Create a vendor selection project & run comparison reports
Click to express your interest in this report
Indication of coverage against your requirements
A subscription is required to activate this feature. Contact us for more info.
Celent have reviewed this profile and believe it to be accurate.
24 April 2009
Jacob Jegher
I just returned from the RSA Conference in San Francisco. The turnout was quite strong and its encouraging to see the emphasis being placed on security and anti-fraud measures. I attended an interesting session on the security risks presented by social networking sites (e.g. Facebook, Twitter, etc.). Although the presentation was quite basic, it got me thinking about the risks that banks (and their customers) face when they start dabbling with social networking: Fake Sites and Social Engineering. Many banks have decided that they would like to have a presence on Facebook or Twitter. What they often don't realize is that there may be a few fraudsters out there (or money hungry brand squatters) who will register usernames that contain Bank XYZ's brand. They may actually call themselves Bank XYZ or they may select a derivative such as BankXYZ_Page. They then have the ability to do one of 2 things:
  • Pretend they are Bank XYZ in order to steal customer information and credentials. I can see this happening on Twitter where a fraudster could setup a fake customer service page. Or a phishing site that looks just like Twitter or Facebook. When a customer makes contact the fraudster could attempt to ask for username/passwords, social insurance numbers, birthdays, addresses - you get the picture. Twitter can be a great tool for banks (see my post on What Banks Can Do With Twitter), but it can also present great danger to unsuspecting customers. This is where customer education comes in. It needs to extend to the risks posed by social networking sites.
  • Sell the handle back to the bank. A squatter may just want Bank XYZ to buy the username they grabbed from them. This is not a new practice - we saw this occur in the early days of the web when domain names were being squatted. This is now moving on to social networking sites. Banks should reserve their brands on Twitter and Facebook (even if they don't want to use them) and keep on the lookout for fake pages.
Compliance Issues. I wonder how many bank compliance departments are actually aware that their institution has a Twitter page. How is the bank logging interactions on Twitter (they probably aren't)? What can banks disclose on Twitter and what issues can they address with customers without veering from bank policies? These are all issues that need to be explored. My recommendation is to redirect and reply to questions that come up on Twitter via other mediums such as email or phone. Banks are entering uncharted waters when it comes to social networking. It's important to get out there, just make sure to proceed with caution and keep educating customers about the risks presented online.

Comments

  • Undoubtedly, the simple bank to FB integration is not the way to go, but Social Networks are extremely important for banks and their future, specially with the fast pace of change for Gen Y and beyond. Including also payment solutions over social networks, banks need to consider this area as they considered the risky card payments business when it emerged 30 years ago and then to adopt the best solution possible to make it right. But avoidance is not an option.

  • [...] Banks need to monitor for new anti-bank Twitter Users. More anti-bank users will pop up and their follower base will grow. It is important for banks to manage their brand and make sure their company name is being used appropriately. Banks also need to watch for username squatters who will try to social engineer credentials from unsuspecting customers (see my post, Social Networks Are Not Secure!) [...]

  • Jacob, you might be interested to learn that BofA is working with a third-party vendor to create a client program that tracks Twitter "service tickets." There's no announcement as of yet. I figured this out with some sleuthing yesterday.

  • [...] while back I blogged about the security risks associated with social networks (see http://bankingblog.celent.com/?p=430). One of the risks of social sites like Twitter is the ability for a fraudster to pretend they are [...]

Insight details

Insight Format
Blogs
Geographic Focus
Asia-Pacific, EMEA, LATAM, North America