Today, a credit union in St. Louis, MO called Vantage Credit Union announced that they are offering a service through Twitter called tweetMyMoney to conduct online banking. Banking credentials, PINs and account information are not passed through tweets made via direct message to the @myvcu Twitter account (from the FAQ listed on the bank’s website), only commands to get account balance, recent transactions, etc.
However, there are a few potential security issues/concerns with this type of service. While it seems that VCU has made this system with good intentions, most of these concerns center around the fact that you are putting in requests for account information and even transferring money to other accounts through Twitter, which is a third-party service not owned or managed by the bank.
- Plain and simple, Twitter is a third-party service. When you send a direct message (DM) to another Twitter user, this message is stored on Twitter’s servers, not the bank’s. The bank is simply retrieving these messages. You should never have any expectation of privacy from DMs *at all*. Sure, they are “private” to you and the user you are sending them to, but think about who on Twitter’s end might be able to view these DMs. Remember, security at Twitter is not very important currently as we have seen several times in very recent history.
- What about the scenario of a local “man-in-the-middle” attack where someone could be sniffing your network traffic to modify your banking requests? A simple attack like this could easily compromise the user’s Twitter account. Guess what, people like to reuse user IDs and passwords…we all know where that could lead. I am not sure if they are using any form of two-factor authentication for their online banking application, so you may only need a login ID and password to access a compromised online banking account. Again, not sure this is the case with VCU but yes, some banks are still using single-factor authentication!
- How about the security of the @myvcu Twitter account you send your direct messages to? Attackers *will* target this account; it’s only a matter of time. You are trusting that the folks at VCU are properly securing this account and that there are no vulnerabilities or exploits on the Twitter site that could compromise the account as well. It also looks like this account is used for communicating with customers…it is possible that these credentials could be phished and/or compromised through multiple avenues of attack.
- I question the correspondence authentication codes that they have put in place. Relying on the user to change these multiple codes is an interesting choice. I could see this being spoofed quite easily.
- Lastly, the users of this system could also be targeted if, say, a user accidentally tweeted something like “#l5d 7” to their followers instead of by DM (known as #dmfail). Attackers can easily script a bot to look for these patterns and target these users.
I don’t want to knock the folks at VCU as it seems that they are a very “progressive” bank and it looks like they want to push the envelope of new technology. My opinion is that it just seems that there are too many points of security “fail” in this system. Potential failures in the Twitter service, @myvcu account and Twitter users of the VCU system in addition to the third-party privacy concerns all make for something that you shouldn’t be trusting your online banking to. Social networks are not for online banking in any form…srsly.
Thanks to @rogueclown and @nickhacks for the tweets and comments about this new service.