Social Networks Are Not Secure!
24 April 2009
I just returned from the RSA Conference in San Francisco. The turnout was quite strong and it's encouraging to see the emphasis being placed on security and anti-fraud measures. I attended an interesting session on the security risks presented by social networking sites (e.g. Facebook, Twitter, etc.). Although the presentation was quite basic, it got me thinking about the risks that banks (and their customers) face when they start dabbling with social networking: fake sites and social engineering.
Many banks have decided that they would like to have a presence on Facebook or Twitter. What they often don't realize is that there may be a few fraudsters out there (or money-hungry brand squatters) who will register usernames that contain Bank XYZ's brand. They may actually call themselves Bank XYZ or they may select a derivative such as BankXYZ_Page. They then have the ability to do one of two things:
1. Pretend they are Bank XYZ in order to steal customer information and credentials. I can see this happening on Twitter, where a fraudster could set up a fake customer service page, or a phishing site that looks just like Twitter or Facebook. When a customer makes contact, the fraudster could attempt to ask for usernames/passwords, social insurance numbers, birthdays, addresses - you get the picture. Twitter can be a great tool for banks (see my post on What Banks Can Do With Twitter), but it can also present great danger to unsuspecting customers. This is where customer education comes in. It needs to extend to the risks posed by social networking sites.
2. Sell the handle back to the bank. A squatter may just want Bank XYZ to buy back the username they grabbed. This is not a new practice - we saw this occur in the early days of the web when domain names were being squatted. It is now moving on to social networking sites. Banks should reserve their brands on Twitter and Facebook (even if they don't want to use them) and keep on the lookout for fake pages.
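"Keep on the lookout for fake pages" is easier to act on if the brand team runs a simple screen over the handles it sees. The script below is an added example, not code from the original post: given a brand name, an allowlist of the bank's own registered handles, and a list of handles pulled from a social network, it sorts each handle into official, derivative (brand embedded in the handle, such as BankXYZ_Page or Bank_XYZ), lookalike (one typo away from the brand) or unrelated. The brand "bankxyz", the allowlist and the sample handles are all constructed for illustration.

```python
import re

# Added example (not from the original post): flag social-network handles that
# squat on or imitate a bank's brand. The brand name, allowlist and sample
# handles below are constructed for illustration.

BRAND = "bankxyz"
OFFICIAL_HANDLES = frozenset({"bankxyz"})  # handles the bank itself registered

# Substitutions squatters use to slip past an exact-match check on the brand.
LOOKALIKE_CHARS = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
}


def normalize(handle: str) -> str:
    """Lower-case, drop the leading '@', fold look-alike characters, strip separators."""
    h = handle.strip().lower().lstrip("@")
    h = "".join(LOOKALIKE_CHARS.get(c, c) for c in h)
    return re.sub(r"[^a-z0-9]", "", h)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small for handles that differ from the brand by a typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(handle: str, brand: str = BRAND,
             official=OFFICIAL_HANDLES, max_distance: int = 1) -> str:
    raw = handle.strip().lower().lstrip("@")
    if raw in official:
        return "official"
    norm = normalize(handle)
    target = normalize(brand)
    if target in norm:
        return "derivative"      # e.g. BankXYZ_Page, Bank_XYZ, B4nkXYZ
    if levenshtein(norm, target) <= max_distance:
        return "lookalike"       # e.g. BankXY, BnkXYZ
    return "unrelated"


def scan(handles, **kwargs):
    """Return {handle: category} for every handle, so a reviewer can triage the list."""
    return {h: classify(h, **kwargs) for h in handles}


def needs_review(handles, **kwargs):
    """Handles worth a takedown or trademark report: derivatives and lookalikes only."""
    return [h for h, cat in scan(handles, **kwargs).items()
            if cat in ("derivative", "lookalike")]


# Constructed sample of handles seen on a social network (not real accounts).
SAMPLE_HANDLES = [
    "@BankXYZ", "@BankXYZ_Page", "@Bank_XYZ", "@B4nkXYZ",
    "@BankXYZ_Support", "@BankXY", "@BankABC", "@xyzbank",
]

if __name__ == "__main__":
    for handle, category in scan(SAMPLE_HANDLES).items():
        print(f"{handle:18} {category}")
```

The allowlist is what makes this usable: once the bank has reserved its own handles (as the post recommends), anything else carrying the brand is by definition not the bank's. Note the limitation visible in the sample: a reordered handle such as xyzbank is reported as unrelated, so a reviewer should add such token variants to the brand list rather than rely on the edit-distance check alone.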
I wonder how many bank compliance departments are actually aware that their institution has a Twitter page. How is the bank logging interactions on Twitter (they probably aren't)? What can banks disclose on Twitter, and what issues can they address with customers without veering from bank policies? These are all issues that need to be explored. My recommendation is to redirect questions that come up on Twitter and reply to them through other channels such as email or phone. Banks are entering uncharted waters when it comes to social networking. It's important to get out there; just make sure to proceed with caution and keep educating customers about the risks presented online.