Should you use Twitter for Online Banking?

Today, Vantage Credit Union in St. Louis, MO announced tweetMyMoney, a service that lets members do online banking through Twitter.  According to the FAQ on the credit union’s website, banking credentials, PINs and account information are never sent in the direct messages to the @myvcu Twitter account; the DMs carry only short commands to request an account balance, recent transactions and so on.

However, this kind of service raises a few security concerns.  VCU appears to have built it with good intentions, but most of the concerns come down to one fact: you are sending requests for account information, and even moving money between accounts, through Twitter, a third-party service that the bank neither owns nor operates.

  • Plain and simple, Twitter is a third-party service.  When you send a direct message (DM) to another Twitter user, that message is stored on Twitter’s servers, not the bank’s; the bank merely retrieves it.  You should have no expectation of privacy for DMs *at all*.  Sure, they are “private” in the sense that only you and the recipient see them, but think about who on Twitter’s end can read them.  And Twitter’s own security track record in recent months gives little reassurance.
  • What about a local man-in-the-middle attack, where someone sniffing your network traffic reads or modifies your banking requests?  If the Twitter session is not protected end to end, an attack this simple can also hand over the user’s Twitter login.  Guess what, people like to reuse user IDs and passwords…we all know where that leads.  I don’t know whether VCU uses any form of two-factor authentication for its online banking application, so a login ID and password alone may be enough to get into a compromised online banking account.  Again, I’m not sure that is the case with VCU, but yes, some banks still use single-factor authentication!
  • How secure is the @myvcu Twitter account that receives your direct messages?  Attackers *will* target this account; it’s only a matter of time.  You are trusting that the folks at VCU secure it properly and that no vulnerability on the Twitter site can be used to take it over.  The same account also appears to be used for communicating with customers, so its credentials could be phished or compromised through several avenues of attack.
  • I question the correspondence authentication codes they have put in place.  Relying on the user to rotate these multiple codes is an interesting choice, and I could see them being spoofed quite easily.
  • Lastly, users of this system could be targeted if one of them accidentally tweets a command such as “#l5d 7” to their followers instead of sending it by DM (known as a #dmfail).  Attackers can easily script a bot that searches the public timeline for these patterns and singles out those users.
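As an added example (mine, not code from this post or from VCU), here is what that bot looks like from either side of the fence: the scan an attacker would run against the public timeline is the same one the credit union could run to spot members who have leaked a command and warn them.  The command grammar is an assumption extrapolated from the single “#l5d 7” example above, the hashtag ignore-list is a guess, and the sample timeline is constructed.

```python
"""Added example, not code from the original post or from VCU: a scanner for
tweetMyMoney-style commands posted publicly instead of by DM (#dmfail).

Assumptions, none of which come from the page:
- The command grammar is modelled on the one example in the post, "#l5d 7":
  a hash, a short code starting with a letter, and an optional numeric argument.
- Tweets are plain dicts; a real bot (or the credit union's own monitoring)
  would pull them from Twitter's search API instead.
- SAMPLE_TWEETS is a constructed timeline for the demo.
"""
import re
from collections import defaultdict

# Hypothetical command shape derived only from "#l5d 7". The look-arounds stop
# it matching inside words or run-together text.
COMMAND_RE = re.compile(r"(?<!\w)#([a-z][a-z0-9]{1,5})(?:\s+(\d{1,4}))?(?!\w)")

# Common hashtags that fit the shape but are obviously not banking commands.
IGNORE_TAGS = {"ff", "fb", "fail", "dmfail", "tcot", "job", "jobs", "news"}

# URL fragments ("...#l5d") would otherwise look like commands; strip them first.
URL_RE = re.compile(r"https?://\S+")

# Constructed sample timeline: who posted, whether it was a DM, and the text.
SAMPLE_TWEETS = [
    {"user": "alice", "dm": True,  "text": "#l5d 7"},                        # correct: sent as a DM
    {"user": "bob",   "dm": False, "text": "#l5d 7"},                        # leaked: public tweet
    {"user": "carol", "dm": False, "text": "great lunch today #ff @dave"},   # ordinary hashtag
    {"user": "bob",   "dm": False, "text": "oops #dmfail"},                  # the apology, not a command
    {"user": "erin",  "dm": False, "text": "trying the new thing #b2 12"},   # leaked
    {"user": "frank", "dm": False, "text": "call 555-0100 re: #1234"},       # digit-led tag, not a command
    {"user": "grace", "dm": False, "text": "see http://example.com/#l5d"},   # fragment inside a URL
]


def find_leaked_commands(tweets):
    """Map each user to the (code, argument) pairs found in their PUBLIC tweets.

    DMs are skipped because that is the intended channel; the point is to find
    the commands that escaped into the public timeline. Returns a plain dict so
    callers cannot accidentally grow it by lookup.
    """
    leaks = defaultdict(list)
    for tweet in tweets:
        if tweet["dm"]:
            continue
        text = URL_RE.sub(" ", tweet["text"].lower())
        for match in COMMAND_RE.finditer(text):
            code, arg = match.group(1), match.group(2)
            if code in IGNORE_TAGS:
                continue
            leaks[tweet["user"]].append((code, arg))
    return dict(leaks)


if __name__ == "__main__":
    for user, commands in find_leaked_commands(SAMPLE_TWEETS).items():
        # An attacker's bot would queue these handles for phishing or account
        # takeover; the credit union could use the same list to warn the member
        # and rotate their correspondence codes.
        print(f"{user}: {commands}")
```

Run against the constructed timeline it flags bob and erin only: alice used a DM, carol and bob’s “#dmfail” hit the ignore-list, frank’s tag starts with a digit, and grace’s “#l5d” is a URL fragment.  Whoever runs this first wins, which is the point of the bullet above.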

I don’t want to knock the folks at VCU; they seem to be a very “progressive” credit union that wants to push the envelope with new technology.  My opinion is simply that this system has too many points of security “fail”.  Potential failures in the Twitter service, in the @myvcu account and among the Twitter users of the VCU system, on top of the third-party privacy concerns, add up to something you shouldn’t be trusting your online banking to.  Social networks are not for online banking in any form…srsly.

Thanks to @rogueclown and @nickhacks for the tweets and comments about this new service.



  1. Thanks for the well written post and mentions. We are always looking to differentiate our services in new and innovative ways. With banks and credit unions failing at the rate of 10-20 a month, we have to. That said, we are serious about security and work hard to keep our members educated on the risks and potential issues they face online. You mention transferring money as a potential concern. This is a legitimate risk, but low because your Twitter account can only be associated with one account number. The transfers are only allowed inside the associated account and between suffixes. (Share to Share, Share to Loan, etc…). So, at worst someone could make a loan payment or move money from savings to checking. This is something we can easily track and correct.

    Finally, I would argue your point about social media not being a channel that can be used for banking information. In fact there are several businesses doing just that: twitpay.me, Wesabe.com, Mint.com, Geezeo.com, Billeo.com to name a few. The same concerns and red flags were raised a couple years back when these businesses first appeared, but they have continued to grow. In fact Intuit just purchased Mint.com for $170 Million (wish I had thought that one up). So, there is definitely a place for social media and we believe it would be foolish to NOT have a strategy. TweetMyMoney was the first in a list of new features we are adding to our mobile banking strategy. It’s possible some of our endeavors will fail, but we believe it’s worth the shot.

    Thanks,
    -Matt

  2. d4ncingd4n left a comment on September 29, 2009 at 5:20 pm

    I applaud the innovation but, there are a few more issues that concern me.

    1) Denial of service attacks: If all of the money in your draft account is transferred to your share account in $10 increments through forged tweets, will you incur account overdrafts? Can your staff assist 300 members with the same issue at the same time?
    2) Multi-factor failure: If your smart-phone receives your e-mail, has a twitter client, and is the phone number of record for the account, a lost/stolen phone could become a security disaster. In actual practice, few people use passwords on their cellphones.
    3) Immature platform security: Mobile device security is in its infancy. Few people appreciate the need to properly secure bluetooth access, firmware upgrades are carrier specific and could potentially be trojaned, and few (if any) antivirus programs exist for mobile platforms.
    4) Application specific malware: A twitter worm that keylogs and retweets the correspondence authentication codes would cause massive ‘fail.’

    I would be interested to see how these issues are addressed.
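Two of the points made so far about what a hijacked or forged DM can actually do, Matt’s (comment 1) that a Twitter handle is bound to exactly one member account and transfers only move between that account’s suffixes, and d4ncingd4n’s (point 1) that a flood of forged $10 transfers is still a nuisance, come down to an authorization gate in front of the transfer command.  What follows is an added example of such a gate, not VCU’s implementation; the “#xfer” command form, the handle-to-member table, the suffix names, the limits and the demo members are all assumed.

```python
"""Added example, not VCU's code: an authorization gate for a DM-driven
transfer command. It enforces the control described in Matt's comment (one
Twitter handle bound to one member account; transfers only between that
account's suffixes) and adds a daily velocity cap as one answer to the forged
$10-transfer denial of service raised by d4ncingd4n.

Everything concrete here is assumed for illustration: the "#xfer" command
form, the handle-to-member table, the suffix names, the limits, and the use of
a plain epoch timestamp for "now".
"""
import re
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed command form: "#xfer <from-suffix> <to-suffix> <amount>", e.g. "#xfer share draft 25.00".
XFER_RE = re.compile(
    r"^#xfer\s+(?P<src>[a-z0-9]+)\s+(?P<dst>[a-z0-9]+)\s+(?P<amt>\d+(?:\.\d{1,2})?)$"
)
ONE_DAY = 86400.0


class TransferDenied(Exception):
    """Raised with a member-facing reason; nothing about other accounts leaks."""


@dataclass
class Member:
    number: str
    suffixes: dict            # suffix name -> Decimal balance (e.g. share, draft, loan)


@dataclass
class TransferGate:
    members: dict             # twitter handle -> Member (the one-to-one binding)
    max_transfers_per_day: int = 5
    max_amount: Decimal = Decimal("500.00")
    accepted: list = field(default_factory=list)   # (handle, epoch seconds) of accepted transfers

    def authorize(self, sender_handle, text, now):
        """Validate and apply one transfer command; raise TransferDenied otherwise."""
        member = self.members.get(sender_handle)
        if member is None:
            raise TransferDenied("handle is not enrolled")
        match = XFER_RE.match(text.strip().lower())
        if match is None:
            raise TransferDenied("unrecognised command")
        src, dst, amt = match["src"], match["dst"], Decimal(match["amt"])

        # (a) Both ends must be suffixes of the single account bound to this
        # handle. The command has no way to name another member's account, so a
        # hijacked Twitter login can at worst shuffle money within one account.
        if src not in member.suffixes or dst not in member.suffixes or src == dst:
            raise TransferDenied("transfers must move between suffixes of your own account")
        if amt <= 0 or amt > self.max_amount:
            raise TransferDenied("amount outside the allowed range")
        if member.suffixes[src] < amt:
            raise TransferDenied("insufficient funds; this channel never overdraws")

        # (b) Velocity cap: a flood of forged DMs cannot churn the account all day.
        since = now - ONE_DAY
        recent = sum(1 for handle, ts in self.accepted if handle == sender_handle and ts > since)
        if recent >= self.max_transfers_per_day:
            raise TransferDenied("daily transfer limit reached; please contact the credit union")

        member.suffixes[src] -= amt
        member.suffixes[dst] += amt
        self.accepted.append((sender_handle, now))
        return member.number, src, dst, amt


def demo_gate():
    """Constructed demo data: two members, each bound to one Twitter handle."""
    return TransferGate(members={
        "alice":   Member("1001", {"share": Decimal("1000"), "draft": Decimal("200"), "loan": Decimal("0")}),
        "mallory": Member("2002", {"share": Decimal("50"), "draft": Decimal("10")}),
    })


if __name__ == "__main__":
    gate = demo_gate()
    t0 = 1254225600.0  # constructed epoch timestamp
    print(gate.authorize("alice", "#xfer share draft 100", t0))
    for bad in ("#xfer share 2002 10", "#xfer share draft 5000", "#xfer draft share 0.00"):
        try:
            gate.authorize("alice", bad, t0 + 60)
        except TransferDenied as err:
            print(f"denied {bad!r}: {err}")
```

The shape of the command is what does most of the work: because it can only name suffixes, an attacker who steals alice’s Twitter login cannot point money at mallory’s account number at all, and the overdraft and daily-count checks turn d4ncingd4n’s “300 members at once” scenario into a capped annoyance rather than a cascade of fees.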

  3. So, the only banking transactions that can occur are within one person’s account, or within nearly similar accounts that all reside in your bank anyway? Do or will people actually use this at all? I’m a bit skeptical if it is more hype than use (so far). 🙂 Nonetheless, actually restricting use like that is a great first step as it truly limits risk…something all this hype and media coverage fail to mention. And the marketing received certainly offsets the cost so far!

    Of note, just because others are doing it does not prove its security value. Lots of people do stup…insecure things all the time. That argument might work for execs… 🙂

    In addition, Twitter is not meant to be a majorly trusted or secure service, if you ask me. It’s like having a simple padlock on a storage unit. Then using it to store gold. Then wondering why the storage unit isn’t more secure. The reason being is the use (gold storage) is forcing more security requirements than was inherent in the first place. A sort of usage mismatch.

    I’m also pretty sure Twitter is not going to guarantee anything in regards to security (or even uptime), which means you couldn’t guarantee much either. And I doubt you’ll troubleshoot user PCs in case they received a trojan which harvested their cached credentials including their Twitter account.

    Nonetheless, it’s an interesting development, and I certainly don’t knock anyone for trying it out and testing boundaries. I just don’t think it’s an entirely appropriate authentication/usage for banking. I mean, is this any different than using IM or hotmail emails to do banking? That’s a somewhat small, but important step beyond hosting logins on your own site (where you control logs, monitoring, access, identity…) for such purposes. Maybe doing this in conjunction with Paypal is better? I don’t know, but I see this as a sort of poor man’s outsourcing of a bank web portal, only more limited right now.

  4. Matt, thanks for the comment and starting some good conversation on this topic.

    I’m all for having a social media strategy no matter what business you are in. If you are not thinking about social media in your overall business strategy you are probably behind at this point. 🙂 However, what you are offering customers, in my opinion, is a “product offering”. Most companies focus a social media strategy on communication, marketing, customer service and PR. If conducting online transactions (things to interact with other products you offer) with Twitter and other social media applications is a strategy then it would seem to me that this falls under the products and services you are offering. Sure, there is some overlap since you seem to use social media to communicate with your customers but it’s a product you offer to your customers, especially since it’s tied to your online banking application.

    To counter your point about banking and social media. Mint.com and the other sites you mention really fall under “financial applications and tools” not social media. There just aren’t enough social functions in them except probably Twitpay (tweet to paypal) and Wesabe (user forums). Twitter on the other hand is a “micro-blogging” social network where you communicate and network with other users via messages. I think a micro-blogging service like Twitter needs to stay that way. Tying in a social network (used to network with others) to an online banking application goes beyond what the system was intended for and has too many points of failure, mainly because you are trusting a third-party service that has been proven to be insecure.

    Having said all that, it should be interesting to see the feedback from your customers since that will be your determining factor of success. Your bank seems to want to accept more risk than other banks by putting in a service like this (not a bad thing) but I hope your bank is also prepared for security problems that might happen with using Twitter for these types of things and be prepared to explain this to your customer base.

  5. Matt left a comment on September 30, 2009 at 12:17 pm

    Thanks for the comments all. Financial institutions are in a constant struggle between providing convenient access to information/funds while at the same time keeping the information secure. You’d be amazed at how upset people were when we first introduced multi-factor authentication a few years back. In fact many members were so upset, they closed their accounts. Which, to be honest, was probably a good thing for us… I’ll admit we have been a little surprised at how much attention and how quickly the news has spread on this. Another example of the power of Twitter. Anyway, we appreciate the discussions and concerns you have raised. Some of these concerns were thought through and prepared for, but not all and it’s good to hear them from the experts. This helps give us ideas on how to tweak and monitor the system.

    Tom, you make some excellent points about cell phones not being secure in a few ways and the possibility of bots or keyloggers trying to collect authentication codes. As laptops and SmartPhones continue to converge (e.g. netbooks, tablets?), I would expect to start seeing security issues bubble up more and hope that the general public starts learning more about protecting themselves. Hopefully the products will start to mature faster than they have been in recent years as they become more prevalent, but only time will tell. Unfortunately, demand is high for mobile offerings and we believe it’s important to experiment in this space and find some offerings that our members/potential members will appreciate. We are providing as much information as we can, both in our branches and through online channels.

    Finally, our membership does have the ultimate say. If they adopt the new products we are introducing, then we’ll continue to work on making them as secure as we can and explain the risks. If they don’t like a product, then we’ll drop it and move on to something else. Time will tell.

  6. Tracey left a comment on September 30, 2009 at 5:15 pm

    Matt –

    I can appreciate your credit union’s creativity, but I’m reading this to be a pet project of someone on staff who didn’t consider what the members really want. Your press release stated that it was only targeted to 4,000 of your members which equates to just under 4% of your total membership. To me, that seems to be a lot of time and salary spent to please so few. I left your CU for that very reason many months ago and have gone to a CU who focuses on what they are supposed to – providing competitive rates that grow my balances while keeping my information secure.

    Regarding the security of this service, I beg to differ that account balances and transaction information are commonly given by other institutions as some of your staff have stated. I’d say it is the exact opposite and add that I certainly don’t want that information floating out there in clear text (I don’t see any mention of encrypting the transmission / man in the middle reference by Tom) regardless of how identifiable it may be. And why open up another hole into your banking platform to a known, insecure, third party like Twitter? And then go the next step and say Facebook is next? You’d be better off, and save the development time and expense, by just laying your members’ money in the middle of Olive with a sign saying first come first serve. You can’t put the onus on your membership to protect themselves as you say above – they don’t view it as their job, they assume their institution is doing that for them.

    The press releases and counter arguments just leave out too many details that describe just how secure (or insecure) this service really is. Who is the highly reputable firm, with years of experience analyzing these sorts of things, that was mentioned in one of the releases? I suppose if a recognizable name was given, members may feel a little more comfort but it was conveniently left out. Who worked with the Twitter folks to determine how secure their system is?

    I’ll hand it to the CU for getting its name in the press and trying something new, but bad press is 10x worse than good press and this may have backfired. When the first breach occurs (email me in a year and tell me there haven’t been any breaches and I’ll say I was wrong), that bad press will multiply. I got phished constantly, and still do for that matter, when my account was at your CU. But since switching to First Community – nothing. Where once my money was a target for fraud, I now feel safe. You can’t let something go live and let online experts find all of the flaws for you as you mention above, that should have been done already.

    Good luck proving the masses wrong.

  7. Cam left a comment on October 1, 2009 at 4:14 am

    My name is Cam, I am the EVP of Technology @ Vantage. First, let me add that this is my first and last post on any outside blog regarding TweetMyMoney. So, take that for what it’s worth. I’m only posting to this site because the conversations that are taking place here have been cordial and respectful. I sense, at least, you’re trying to understand us.

    I have been in the financial service industry for over 20 years. Aside from normal table stakes such as providing great customer service, competitive rates, privacy, security, and putting an ATM and/or branch on every corner, a financial institution is governed by one basic thing which is risk management. In order to offer competitive rates and low fees, a series of complex risk management practices and controls are engaged that makes the heads of those of us who work in this industry spin at times. For every risk you take you must put forth a set of controls followed by a set of policies and procedures that provides the necessary cover. In fact, not only are we governed by it but we’re also regulated by it. Perhaps, more than any other industry. Not just on the financial side but on the I.T. side as well. Especially on I.T. security. Most financial institutions like Vantage add additional layers of risk management and controls because we view the regulated standards as the floor and not the ceiling. Again, not just on the financial side but on the I.T. side as well.

    Why does this matter?

    Obviously, TweetMyMoney has caused quite a stir in the security ranks. Certainly, we knew that several would have a field day with it. I fully understand this concept is the mother of all disruption. Also, the vulnerabilities that Twitter is known for were also known to us. I can assure you that this was not someone’s “pet” project. I can also tell you that we did meet with security experts and the very concerns you raised here were discussed. However, as I mentioned we live and breathe risk every single day. So, we don’t arbitrarily have one sided conversations like the ones taking place here and on other sites. In determining whether or not we accept a risk we determine if we can put the proper controls in place to mitigate. There are controls that are in place of which I will not discuss here. Of course, we’ll tweak accordingly if the risk changes. If the risk changes then we’ll make the necessary decisions. @Tracey, you are incorrect about….”I beg to differ that account balances and transaction information are commonly given by other institutions as some of your staff have stated”. Several institutions have systems similar to ours that provide some level of account information such as balances via channels like email. What you don’t put in those communications is information like account numbers, addresses, etc. Regardless, it’s up to the member to decide whether or not they want this; fully understanding what the risks are. I can tell you and I’m sure that I speak for many financial institutions out there that these channels are utilized and are successful.

    I would also disagree that members should have no onus in protecting themselves. There has to be a partnership between the member/customer and the financial institution. We spend a great deal of time and money in educating our members on how they need and should protect themselves. The vast majority of fraud that occurs is not because someone hacked into a financial system and got to the pot of gold. Some of it happens when the consumer is not protecting themselves. When this happens with one of our members, we view this as an opportunity to not only help them through this difficult time but also to educate them on how they can protect themselves in the future.

    @Tracey you mentioned that awhile back Vantage was targeted with some phishing attacks and obviously you were a victim of those attacks. I can tell you that during that time and to a lesser extent today, Vantage was not the only credit union nor financial institution impacted. There were several institutions as well as other businesses affected. At the peak was when the government rebate checks were going out. That being said; that doesn’t really matter. What matters is what you feel and you obviously made a choice that was right for you. Which brings me to my last and final point. In the end, it does not matter what you, I or anyone at Vantage thinks of TweetMyMoney. What matters is what our members think. While I agree that for most members they do want competitive rates while keeping their information safe. However, they also want a branch on every corner, they want 7×24 member service, they want to make their deposits online, they want an ATM outside their door as well they want products and services that will save them time and money. You can’t do that just by providing competitive rates. The table stakes are changing at a faster rate for financial institutions than I’ve seen in my 20+ years. I’m sure your credit union is feeling the pressure to innovate at higher levels as well. TweetMyMoney is not going to do that for us. To be honest, our expectations are low and I assure you that we’re not betting on it.

    Finally, here is what has been an interesting development. On day one, we were ridiculed, chastised, and called just about every dirty name in the book by all the security folk as well as those who don’t get twitter. You’re right about that. We did get some bad press. However, on day two+, I was getting calls from other organizations across the country thanking us for being the first out because they too have discussed similar strategies but did not want to be the first mover. Whether or not we’re successful with this remains to be seen. As we’ve said on numerous occasions, TweetMyMoney will either be really smart or really stupid. In the end, it is about managing risk.

    Regards,
    Cam

  8. Cam,

    Thank you for your detailed and well written response. You make very valid points and I respect your opinions. You’re right, it all comes down to risk management with any product offering you put out there. Any business (especially banks right now) has to make tough decisions about risk and it seems your bank is on top of the risk you are willing to accept. Again, I appreciate you taking the time to respond.
