Banks using Twitter need to proceed with caution, experts say

By Marcia Savage, Features Editor, Information Security magazine
04 Jun 2009 | SearchFinancialSecurity.com

Banks are jumping onto the Twitter bandwagon but experts say financial institutions need to consider the fraud risk and other security issues associated with the micro-blogging site and other social networking services.

Bank of America, Wells Fargo and ING DIRECT are among the many financial institutions using Twitter for marketing, customer service, community outreach, and other activities. According to a recent study by William Mills Agency, an Atlanta-based public relations firm serving financial services, financial institutions of all sizes, including community banks and credit unions, are using Twitter to communicate with consumers.

Types of information shared on Twitter by financial institutions include promotions, replies to followers, personal finance tips, links to industry news, community event news, and personal comments on mundane topics like the weather, the study showed. William Mills looked at 1,176 "tweets" posted by 63 financial institutions in March.

Banks on Twitter:
Bank of America: BoA_help
Wells Fargo: Ask_WellsFargo
ING DIRECT: INGDIRECT
First American Bank: BankFAB

However, banks moving into social networking should proceed with caution, said Jacob Jegher, senior analyst in the banking group at Celent, a Boston-based financial research and consulting firm. Jegher wrote earlier this spring about social networking risks for banks.

The biggest threat, he said, is fraudsters pretending they are a particular bank on Twitter or Facebook in order to steal online banking credentials. For example, a fraudster posing as a bank on Twitter could respond to a customer's question about an account problem by asking for account passwords, Social Security numbers, and other sensitive information. Unsuspecting customers, thinking they're on a legitimate bank Twitter page, could be duped.

"I see that as a huge risk – the social engineering of information out of people," Jegher said. "All it takes is a couple pieces of information and the fraudster can start piecing things together."

Online squatters also could register bank names on Twitter or Facebook and then try to get the banks to buy them back, he said.

There also are compliance issues with banks using services like Twitter, he said. Even though complex interactions with customers likely will get taken off of Twitter and onto phone or email, banks likely aren't logging interactions with customers on the service -- but they should, he said.

"There's still been an interaction there and it's important to keep track of it and manage it so things are tied together," Jegher said. "It becomes a question of how to deal with multiple channels." Criminals often use more than one channel to commit fraud, he added.

Chenxi Wang, a principal analyst at Forrester Research Inc., said there isn't much risk when banks use social networking sites for advertising purposes, but the phishing threat looms when they use it for customer interaction. She added that there have been attacks on Facebook and MySpace in which criminals have been able to compromise an account, view a person's contacts, and pose as a trusted friend or entity.

Social networking communications often include URLs, noted Fred Felman, chief marketing officer at MarkMonitor, a San Francisco-based brand protection company. If a criminal is pretending to be a trusted entity, the URLs could take unsuspecting recipients to phishing sites or malware-rigged sites, he said.

But banks are actively monitoring their names and brands on social networking sites and working with the sites to stop fraudsters, Felman said. Facebook, Twitter, MySpace and others are "very quick to protect their customers," and also are patrolling their sites for fraudulent activity using various solutions, he said. MarkMonitor in April announced that Facebook was expanding its use of the vendor's AntiFraud Solutions.

"We recommend a very tight connection between financial institutions and the social networks," Felman said.

Banks should reserve their brands on Twitter and Facebook even if they don't want to use them, Jegher said.

Customer education also is critical, he said. Banks put a lot of effort into educating their customers about security risks online, and they need to extend that education to social networking, he said.

Some banks appear to be doing that on Twitter. For example, a recent Wells Fargo tweet advised customers, "While we want to be where you are on Twitter, we will never ask you for account info here. Please keep your hard earned money safe."

Twitter can be a great tool for banks; they can use it for building customer relationships, marketing and solving customer service issues, according to Jegher. But he said every financial institution should have a social media strategy with a heavy security component. The security team needs to be brought into the development of the strategy, which must look at how social networking integrates with an institution's online banking activities and all of its channels.

"There is such an importance on enterprise wide fraud management at banks today," Jegher said. "How are banks able to pull this external piece into that fraud management solution they may be running? It's not easy. Part of it is making sure that whatever happens on Twitter is minimal."
