Just because Twitter is ubiquitous doesn't mean that it should be applied to everything.
Case in point? Vantage Credit Union has introduced a new feature called tweetMyMoney. It is exactly what it sounds like: people can now send bank account management commands--and receive bank account information--through Twitter. People can check balances, transfer funds between accounts, check recent transactions, and check recent holds.
The first question on the tweetMyMoney FAQ supposedly touches on why the feature is secure. It reads:
Q. How is mobile banking using Twitter secure?
A. As always, your account security is our utmost priority. When you use tweetMyMoney to access your account information, keep in mind that the information provided DOES NOT include account numbers, passwords, PINs or any other secure information. Also, tweetMyMoney uses the application’s direct message feature so no one else sees the account information you request.
Really?
Sensitive information should simply not be transmitted via Twitter. There's always the risk of a DM fail: if you accidentally tweet @myvcu publicly instead of sending a direct message, you announce to the entire internet that you use tweetMyMoney, and that whoever controls your Twitter account has at least some control over your bank account. Furthermore, Twitter direct messages are not encrypted in transit, so someone watching the network can pick up your username, your login credentials, and the fact that you use this service, even when you did send a direct message. They can also read what the credit union sends back to you, including your account balances and the code that supposedly authenticates the message as coming from Vantage rather than from someone else. If that code reaches you unencrypted, you have no assurance that it hasn't already been captured and reused.
I'm sure I'm just scratching the surface here, and that there are even more security flaws in this that I have yet to think of. I hope other banks don't follow suit on this, and I hope Vantage jettisons this feature soon. Otherwise, there could be some serious issues on the horizon.
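To make the DM-fail risk concrete, here is an added example (not code from the original post, and nothing to do with Vantage's own system) of the sweep a stranger could run over the public timeline. The bank handle @myvcu comes from the post; the command vocabulary (balance, transfer, transactions, holds) is an assumption drawn from the feature list, since the real tweetMyMoney syntax is not documented here, and the sample timeline is constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumptions (not from the original post): the credit union's handle is the one
# the post names, @myvcu, and the command vocabulary is guessed from the feature
# list (balances, transfers, transactions, holds). The real tweetMyMoney command
# syntax is not documented on this page, so treat COMMAND_WORDS as illustrative.
BANK_HANDLE = "myvcu"
COMMAND_WORDS = ("balance", "transfer", "transactions", "holds")

# A mention of the bank's handle that is not part of a longer word or e-mail address.
MENTION_RE = re.compile(r"(?<!\w)@" + re.escape(BANK_HANDLE) + r"\b", re.IGNORECASE)
COMMAND_RE = re.compile(r"\b(" + "|".join(COMMAND_WORDS) + r")\b", re.IGNORECASE)


@dataclass(frozen=True)
class Tweet:
    user: str
    text: str
    public: bool  # True for an ordinary tweet, False for a direct message


@dataclass(frozen=True)
class Leak:
    user: str
    kind: str               # "command": a banking command posted publicly
                            # "mention": public evidence that the user uses the service
    command: Optional[str]  # the leaked command word, lower-cased, if any


def classify(tweet: Tweet) -> Optional[Leak]:
    """Return a Leak if this tweet publicly exposes tweetMyMoney use, else None."""
    if not tweet.public:
        return None  # a real direct message never reaches the public timeline
    if not MENTION_RE.search(tweet.text):
        return None
    hit = COMMAND_RE.search(tweet.text)
    if hit:
        return Leak(tweet.user, "command", hit.group(1).lower())
    return Leak(tweet.user, "mention", None)


def harvest(tweets: Iterable[Tweet]) -> List[Leak]:
    """Sweep a timeline and keep every DM fail, in timeline order."""
    return [leak for leak in map(classify, tweets) if leak is not None]


def exposed_users(tweets: Iterable[Tweet]) -> List[str]:
    """Distinct users a stranger could now tie to a tweetMyMoney enrollment."""
    seen: List[str] = []
    for leak in harvest(tweets):
        if leak.user not in seen:
            seen.append(leak.user)
    return seen


# Constructed sample timeline, not real tweets.
SAMPLE_FEED = [
    Tweet("alice", "@myvcu balance", public=True),                       # @ instead of d: DM fail
    Tweet("bob", "balance", public=False),                               # correctly sent as a DM
    Tweet("carol", "Just enrolled in tweetMyMoney, thanks @MyVCU!", public=True),
    Tweet("dave", "@myvcu transfer 200 savings checking", public=True),  # DM fail with amounts
    Tweet("erin", "Kanye and Britney again, sigh.", public=True),        # ordinary noise
]

if __name__ == "__main__":
    for leak in harvest(SAMPLE_FEED):
        print(f"{leak.user:6} {leak.kind:8} {leak.command or ''}")
    print("exposed users:", exposed_users(SAMPLE_FEED))
```

The same filter is what a defender would run on the bank's side: watching the public timeline for the bank's own handle plus a command word, and alerting the member whose Twitter name matches an enrollment. That only limits the damage, though; the underlying problem is a channel where a one-character typo changes the audience from the bank to everyone.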
(hat tip to @nickhacks for telling me about tweetMyMoney.)

Comments
I wanted to correct a couple
Submitted by anonymous on Mon, 09/28/2009 - 19:02
I wanted to correct a couple of points in your post. One, you assume we store or ask for your Twitter credentials; we do not. We are only associating a Twitter username with an account. Second, the authentication codes are controlled by the member; they can change them anytime they want. At the core, tweetMyMoney is really no different than some of the alerting features of Mint.com or several popular online banking solutions. Those solutions email account information out based on certain logic. The main difference is that tweetMyMoney is real-time.
That said, we understand some people are not comfortable using tweetMyMoney and they can choose not to use it. I agree there are some DM fails that could occur, but most Twitter users would probably see those as just garbage in between their posts about Kanye and Britney and move on. Keep in mind this feature is just one of several new services we are building as part of our mobile banking strategy. Some may take off and some may crash and burn. We are prepared to accept that, but I think the risks will be worth the rewards in the end.
BTW, do you remember when online banking products first started rolling out and how well those were received?
Thanks,
-Matt
Matt, Thank you for your
Submitted by anonymous on Tue, 09/29/2009 - 20:43
Matt,
Thank you for your feedback.
You are correct, you only ask for the username, not for the password to the Twitter account. I misread the enrollment instructions sheet when I was writing it. I'm sorry, and I have removed the part that referred to Vantage requesting Twitter passwords.
I do remember when online banking was rolled out. The main difference, in my perception, between online banking and tweetMyMoney is that online banking does not require anything to be posted publicly, and does not use a patently unencrypted channel for communication. There are still security concerns in online banking, such as the bank's computers or the user's computers being broken into, or the use of weak or repeated passwords. But there are fewer flagrant possibilities for leaking out credentials. Online banking communications are generally encrypted using SSL; Twitter direct messages are not, and are therefore a lot easier to sniff. Online banking communications do not present the possibility of making a post to a public site; if someone types an @ symbol instead of a d before their message to tweetMyMoney, they will post their account information request to the rest of the internet, and allow people to use that information to compromise the account. You're right that most Twitter users will probably chalk the DM fail up as junk and move on, but it would take a malicious person just a few minutes to write a program that sought out and captured all of the DM fails to tweetMyMoney, and could use that as a starting point for identity theft. That's worrisome, since it only takes one person.
Again, thank you for your input.
nicolle