The One Thing Banks Should Never Do on Facebook and Twitter

On the surface, Facebook and Twitter are a bank marketer's dream.

Access to millions of people through a single social login process (whereby users don't need separate passwords and usernames for their Internet bank accounts). All of your customers right on the platform. And aid in registering and creating new online accounts.

But after both social networks admitted this month that they have been the targets of malicious attempts to hack their systems, bankers could soon adopt a new mantra: Don't use Facebook's or Twitter's sign-on services, no matter how appealing either seems.

The problem is that any breach of security that a user encounters on social networks could potentially spread to that person's online bank account — if that user's bank is completely reliant on those companies for its online banking authentication.

Most banks in the U.S., though, are just using Twitter and Facebook for marketing and customer service messaging rather than as a portal to online banking, says Nicole Sturgill, a research director in the cards and retail banking practice at CEB Towergroup.

"However, banks outside the U.S. are starting to allow direct access to [online banking] through Facebook and that's where there should be a concern about Facebook hacking," Sturgill says. "For those banks, Facebook should be used as a gateway to [online banking] but there should be an extra layer of security. No one should be able to log in to [online banking] with nothing but their Facebook ID and password."

Facebook, Twitter, Apple (AAPL) and at least 40 other companies were the victims of a band of high-tech criminals from Eastern Europe, according to Bloomberg. Twitter said in early February that 250,000 of its users' passwords may have been compromised.

In addition, high-profile hacks of the branded Twitter accounts of Burger King and Jeep show just how vulnerable social media identities are. In the Burger King case, hackers changed the logo on the company's Twitter page to the McDonald's logo and spread false information that the fast food chain had been sold to McDonald's.

Just last week, Facebook of Menlo Park, Calif. said it was targeted by thieves that loaded malicious software onto employees' computers directly through a compromised developer website.

Although Facebook was emphatic that no user data was stolen, the attack highlights the danger of doing business directly with the social network.

Indeed, Facebook is a prime target for hackers for much of the same reason that bankers might find it attractive — it's everywhere.

That, compounded by the fact that many unsophisticated users wouldn't think twice about clicking on a malicious link, for example, makes it particularly enticing for criminals.

"That's the very, very, very risky thing about social networks," says Dr. Ken Baylor, a research vice president at information security research and advisory company NSS Labs. "The idea of using them as an authentication platform really has its drawbacks. I really think it's a bad idea."

He says that social networking as an authentication factor is definitely not a smart move.

"It's just proven to be highly susceptible to malware, multiple times," Baylor adds.

LinkedIn isn't much safer. It has endured attacks in recent memory that have compromised millions of users' passwords.

That doesn't mean there are no banks willing to take on the risk.

Moven, the brainchild of fintech entrepreneur Brett King, is one of only a few domestic financial services startups even toying with the idea. In addition to Facebook, the early stage company is also planning to allow people to tie their bank accounts directly to Twitter. (Keep in mind that Moven has yet to launch, and has only just begun to beta test its technology in a limited release.)

"The benefits, for us, outweigh the potential risk," says King. "The fact is that Facebook's login platform is still magnitudes more robust than most Internet banks."

Still, Moven is employing those extra layers of security that Sturgill says are so important.

King says Moven plans to hedge against cybercrime by requiring multi-factor authentication any time someone wants to move cash. That includes an additional PIN and a one-time password.
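The control Sturgill and King describe, a social sign-in that on its own can only reach a low-assurance session, with a PIN plus one-time password required before any money moves, can be sketched as a step-up authentication policy. The following is an added illustration written for this article, not Moven's code or any social network's API. It assumes the social identity provider's assertion has already been verified elsewhere and that the one-time password is an RFC 6238 TOTP code as produced by a phone authenticator app; the account names, PINs and balances are constructed sample data.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Session assurance levels. A social login on its own never reaches TRANSFER,
# so a stolen Facebook or Twitter credential cannot move funds by itself.
LOGIN, TRANSFER = 1, 2
MAX_PIN_FAILURES = 5      # lock the second factor after repeated bad PINs
STEP_UP_TTL = 120         # seconds a successful step-up stays valid


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme most authenticator apps implement."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store PINs as salted PBKDF2 hashes, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


@dataclass
class Account:
    social_id: str        # identifier returned by the social identity provider
    pin_salt: bytes
    pin_hash: bytes
    totp_secret: bytes    # shared secret enrolled in the customer's authenticator
    balance: int
    failed_pins: int = 0


@dataclass
class Session:
    social_id: str
    level: int = LOGIN    # what this session has proven so far
    stepped_up_at: float = 0.0


class Bank:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def enroll(self, social_id: str, pin: str, balance: int) -> Account:
        salt = secrets.token_bytes(16)
        acct = Account(social_id, salt, hash_pin(pin, salt), secrets.token_bytes(20), balance)
        self.accounts[social_id] = acct
        return acct

    def social_login(self, social_id: str) -> Session:
        """The social assertion is assumed verified; it yields only a LOGIN-level session."""
        if social_id not in self.accounts:
            raise PermissionError("unknown account")
        return Session(social_id)

    def step_up(self, session: Session, pin: str, otp: str, now: Optional[float] = None) -> bool:
        """Bank-held second factor: PIN plus one-time code, checked before money moves."""
        now = time.time() if now is None else now
        acct = self.accounts[session.social_id]
        if acct.failed_pins >= MAX_PIN_FAILURES:
            raise PermissionError("second factor locked after too many failures")
        pin_ok = hmac.compare_digest(acct.pin_hash, hash_pin(pin, acct.pin_salt))
        # Accept the current 30-second window and the previous one to absorb clock skew.
        otp_ok = any(hmac.compare_digest(otp, totp(acct.totp_secret, int(now) - drift))
                     for drift in (0, 30))
        if not (pin_ok and otp_ok):
            acct.failed_pins += 1
            return False
        acct.failed_pins = 0
        session.level = TRANSFER
        session.stepped_up_at = now
        return True

    def transfer(self, session: Session, to_id: str, amount: int, now: Optional[float] = None) -> int:
        """Move funds only from a session that has stepped up recently; returns the new balance."""
        now = time.time() if now is None else now
        if session.level < TRANSFER or now - session.stepped_up_at > STEP_UP_TTL:
            session.level = LOGIN          # stale step-up drops back to the social-login level
            raise PermissionError("step-up authentication required to move funds")
        src, dst = self.accounts[session.social_id], self.accounts[to_id]
        if amount <= 0 or amount > src.balance:
            raise ValueError("invalid amount")
        src.balance -= amount
        dst.balance += amount
        return src.balance


if __name__ == "__main__":
    bank = Bank()
    alice = bank.enroll("fb:alice", "4821", 500)   # constructed sample accounts
    bank.enroll("fb:bob", "9090", 0)
    s = bank.social_login("fb:alice")
    code = totp(alice.totp_secret, int(time.time()))
    print("step-up ok:", bank.step_up(s, "4821", code))
    print("balance after transfer:", bank.transfer(s, "fb:bob", 100))
```

The design point is that the social identity only ever establishes who is asking; the bank keeps its own second factor (the PIN hash and the TOTP secret) and re-checks it, with a short validity window and a lockout, before any transfer. A social-network breach then exposes the login, not the money.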

"The use of a social sign-in is twofold," King says. "One, it expedites the process of sign-in because it's a common platform. Secondly, we can use the Facebook identity to expedite [Know Your Customer protocol] because we can draw information out of the profile, also we actually use it as part of the identity check."

He highlights Gartner research that says in two years roughly half of new retail customer identities will be based on their social network identities, up from about 5 percent today.

There may be some truth to that, says Bradley Leimer, who leads digital channel strategy for Northern California-based Mechanics Bank, in an email to American Banker.

"The more I look at Facebook's authorization and reliance on open standards for encryption, and then compare to some existing bank credential code, I am fairly convinced that large fintech providers aren't necessarily doing any better job in physically coding and securing authorization than many of the social sites," he says. "Which means it is only a matter of time before we see larger scale breaches — all of it's testing our networks," he says. "I'm actually amazed we don't have more breaches that involve account data."

Regardless, bankers need to make those risk decisions for themselves, says Jim Marous, a senior vice president of corporate development at digital direct marketing agency New Control, and author of the Bank Marketing Strategy blog.

"I think this is all uncharted territory. It's one thing to have a small or a midsize bank overseas use Facebook sign-on or Twitter sign-on," he says. "But I think you move the needle exponentially when you talk about a large bank [in the U.S.] doing this where there is more risk."

An inquiry sent to Facebook's press office seeking comment was not immediately answered. A tweet sent to Twitter was not answered, either. An email sent to LinkedIn also received no response.
