Banks using Twitter need to proceed with caution, experts say

Financial institutions are using Twitter and other social networking services to communicate with customers but experts say they need to be aware of the security risks.

Banks are jumping onto the Twitter bandwagon but experts say financial institutions need to consider the fraud risk and other security issues associated with the micro-blogging site and other social networking services.

SearchFinancialSecurity.com:
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Bank of America, Wells Fargo and ING DIRECT are among the many financial institutions using Twitter for marketing, customer service, community outreach, and other activities. According to a recent study by Williams Mills Agency, an Atlanta-based public relations firm serving financial services, financial institutions of all sizes, including community banks and credit unions, are using Twitter to communicate with consumers.

Types of information shared on Twitter by financial institutions include promotions, replies to followers, personal finance tips, links to industry news, community event news, and personal comments on mundane topics like the weather, the study showed. William Mills looked at 1,176 "tweets" posted by 63 financial institutions in March.

Banks on Twitter:
Bank of America BoA_help

Wells Fargo Ask_WellsFargo

ING DIRECT INGDIRECT

First American Bank BankFAB

However, banks moving into social networking should proceed with caution, said Jacob Jegher, senior analyst in the banking group at Celent, a Boston-based financial research and consulting firm. Jegher wrote earlier this spring about social networking risks for banks.

The biggest threat, he said, is fraudsters pretending they are a particular bank on Twitter or Facebook in order to steal online banking credentials. For example, a fraudster posing as a bank on Twitter could respond to a customer's question about an account problem by asking for account passwords, Social Security numbers, and other sensitive information. Unsuspecting customers, thinking they're on a legitimate bank Twitter page, could be duped.

"I see that as a huge risk – the social engineering of information out of people," Jegher said. "All it takes is a couple pieces of information and the fraudster can start piecing things together."

Online squatters also could register bank names on Twitter of Facebook and then try to get the banks to buy them back, he said.

There also are compliance issues with banks using services like Twitter, he said. Even though complex interactions with customers likely will get taken off of Twitter and onto phone or email, banks likely aren't logging interactions with customers on the service -- but they should, he said.

"There's still been an interaction there and it's important to keep track of it and manage it so things are tied together," Jegher said. "It becomes a question of how to deal with multiple channels." Criminals often use more than one channel to commit fraud, he added.

Chenxi Wang, a principal analyst at Forrester Research Inc., said there isn't much risk when banks use social networking sites for advertising purposes, but the phishing threat looms when they use it for customer interaction. She added that there have been attacks on Facebook and MySpace in which criminals have been able to compromise an account, view a person's contacts, and pose as a trusted friend or entity.

Social networking communications often include URLs, noted Fred Felman, chief marketing officer at MarkMonitor, a San Francisco-based brand protection company. If a criminal is pretending to be a trusted entity, the URLs could take unsuspecting recipients to phishing sites or malware-rigged sites, he said.

SearchSecurity radio:

But banks are actively monitoring their names and brands on social networking sites and working with the sites to stop fraudsters, Felman said. Facebook, Twitter, MySpace and others are "very quick to protect their customers," and also are patrolling their sites for fraudulent activity using various solutions, he said. MarkMonitor in April announced that Facebook was expanding its use of the vendor's AntiFraud Solutions.

"We recommend a very tight connection between financial institutions and the social networks," Felman said.

Banks should reserve their brands on Twitter and Facebook even if they don't want to use them, Jegher said.

Customer education also is critical, he said. Banks put a lot of effort into educating their customers about security risks online, and they need to extend that education to social networking, he said.

Some banks appear to be doing that on Twitter. For example, a recent Wells Fargo tweet advised customers, "While we want to be where you are on Twitter, we will never ask you for account info here. Please keep your hard earned money safe."

Twitter can be a great tool for banks; they can use it for building customer relationships, marketing and solving customer service issues, according to Jegher. But he said every financial institution should have a social media strategy with a heavy security component. The security team needs to be brought into the development of the strategy, which must look at how social networking integrates with an institution's online banking activities and all of its channels.

"There is such an importance on enterprise wide fraud management at banks today," Jegher said. "How are banks able to pull this external piece into that fraud management solution they may be running? It's not easy. Part of it is making sure that whatever happens on Twitter is minimal."

Dig deeper on Emerging security threats and attacks

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchSecurity

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

ComputerWeekly

Close