The good news is: Facebook has 400 million active users, 4Square.com is averaging around 100,000 new users a month, and Twitter is sharing around 1.2 billion tweets a month. The bad news is: Facebook has 400 million active users, 4Square.com is averaging around 100,000 new users a month, and Twitter is sharing around 1.2 billion tweets a month.
This explosion of social media and networking presents both a boon and a bane for online banking. On one hand, it promises dynamic relationships and deeper connections between customers and financial institutions. On the other hand, it poses a new sort of security and fraud risk. What goes around on social media sites can also come around to harm the institution.
Social media and networking sites are designed to express individuality on a massive scale. For fraudsters, that means access to individual data on a massive scale. The amount of personal data shared publicly on social media and networking sites such as Facebook, MySpace and LinkedIn – including full names, employers, education, age and date of birth – constitutes a form of “one-stop shopping” for fraudsters and helps them commit their crimes as if they had dug through someone’s trash for personal information. Modern-day dumpster diving may be less smelly but can be equally damaging.
While social media is here to stay and evolving dramatically, the risks must be understood and reasonably mitigated. Social media helps bankers to “know your customer” but also assists fraudsters to “know your victim.” Are the financial risks greater than the benefits? It’s more than an academic question.
Search for Identity
Like other popular Websites, social networks are exposed to security attacks. Facebook took a pummeling from Zeus, the Trojan horse malware that steals banking information by keystroke logging. Fake messages claiming that Facebook was deploying a new login system to offer more features and security were sent to millions of users who were encouraged to click on a link, purportedly taking them to a site where they could update their account. Users who did so were then prompted to install an “update tool” which, in reality, was the Zeus Trojan. It was estimated that fraudsters delivered about 1.65 million of these emails at a rate of 1,000 messages per minute per domain.
Not surprisingly, large banks and financial institutions are taking a cautious approach to engaging their customers in digital conversations. Rather than opting to establish Twitter channels or Facebook pages to push out news and promotions, many are instead setting up Twitter channels to monitor customers’ “tweeting” about concerns and issues in order to address these problems in the early stages. Take for example BofA’s social media initiative via Twitter, which goes to great lengths to reassure potential users of its authenticity and to remind customers not to share personal data.
Likewise, many banks are using Facebook for purely promotional and social responsibility initiatives. This cautious and highly managed approach is critical considering the potential for fraud. For example, go to Twitter and seek out the top 20 financial institutions in the U.S. and you’ll find several Twitter profiles for each one. Which profiles are legitimate and which are scams and channels for pushing out content to attract unsuspecting victims? For the consumer, the answer is not easily apparent.
In fact, the very nature of Twitter and its 140-character microblog drives the urgency for small and quick responses. So, an innocuous “Look at this pic I found of you!!” message will be opened without a second thought, which is all the time needed to install malware on the user’s PC.
On Facebook, you can find promotions of high-profile consumer brands. Which profiles are legitimate and which ones are scams? Again, the answer is not readily obvious. Of course, if something sounds too good to be true, it probably isn’t. But consider the success of the recent Facebook phishing scam promoting “Free $500 Whole Foods gift cards to the first 12,000 fans.” This scam quickly gained traction as Facebook users added it to their fan pages and attracted more victims through their own Facebook networks. Once hooked, victims were asked to fill out a credit assessment form comprising personal data critical to the fraudster’s success.
The fast growth in social media and networking has also been a major cause behind the significant increase in man-in-the-browser attacks. According to the Anti-Phishing Working Group (APWG), some 50% of corporate and personal PCs in 100 countries have been infected by malware.
For financial institutions, the rewards of increased brand relationships and loyalty that social media and networking can bring are immense. But for this reward to have sustainable and substantive value, banks and financial institutions need to be planning ahead and deploying advanced solutions that anticipate and intercept fraud originating through these channels.
Mitigating the Risk
Clearly, it’s important for banks to proactively limit exposure. Once a social media attack creates a point of compromise, the customer’s entire banking portfolio, including deposit, savings and credit cards, becomes vulnerable to financial fraud. Fraudulent new accounts and transactions may result.
While social media and networking fraud relies on the innocent sharing of seemingly unimportant data by customers, the power of prevention and mitigation of risk lies with the financial institutions. A strategic path many financial institutions are investigating is the enhancement of user authentication technology with advanced, 360-degree, event monitoring.
Multifactor authentication – such as tokens, one-time passwords, keystroke identification or IP profiling – reduces the risk of man-in-the-browser attacks. It also limits attacks generated from password compromise via information collected by fraudsters from social media sites. Advanced multi-factor authentication systems track customer patterns and behaviors such as time, frequency, amounts and destinations. When customer activities show variances or anomalies, such a system is able to issue an alert to shut out fraud before it happens, whether from bad IP addresses, false destination accounts or other blacklisted locations.
While real-time protection from fraud with systems such as multifactor authentication is important for credit card transactions, it is beyond critical for debit and ATM card transactions, where consumers’ bank accounts are debited immediately. With real-time protection, systems can identify payment events that demonstrate a high probability of fraud, thus avoiding any loss to the bank or consumer.
Real-time protection is only one piece of the puzzle. The other piece is to approach fraud detection and protection as a customer relations strategy – one which improves the account holder’s security throughout their banking relationship. When financial institutions manage their customers’ products and services in silos – i.e. separate units for debit cards, credit cards, checking accounts, etc. – fraud can be shut down in one silo but still remain a point of vulnerability in another. However, when financial institutions build enterprise platforms which give a cross-channel, 360-degree view of a customer’s banking portfolio, they are able to identify suspicious activity that would have appeared normal if viewed through a single lens.
For example, if a fraudster collects data from a variety of social media sites that enables them to access basic checking information, they can use that to begin to access credit account information or move funds into dummy accounts. By being able to track across channels and the entire customer relationship, anomalies are more quickly detected and the fraud activity shut down.
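To make the silo-versus-cross-channel point concrete, here is a toy risk engine added as an example for this page (it is not ACI Worldwide code and nothing in the article describes an implementation). It scores each event against a constructed customer baseline using the signals the article lists (time, IP reputation, destination, amount) and, when allowed to look across product silos, also correlates the same unfamiliar IP touching several products in a short window. All customer, IP and account values are constructed placeholders.

```python
from datetime import datetime
# Constructed example data: the article names these signals but gives no values.
BLACKLISTED_IPS = {"198.51.100.77"}
BASELINE = {  # per-customer behavioural profile (constructed)
    "cust-001": {"usual_hours": range(7, 22), "known_ips": {"203.0.113.10"},
                 "known_destinations": {"acct-savings-001"}, "typical_max_amount": 500.0},
}
EVENTS = [  # one customer's day across three product silos, in time order (constructed)
    {"ts": "2010-06-01T10:00:00", "customer": "cust-001", "channel": "checking",
     "type": "password_reset", "ip": "198.51.100.5", "amount": 0.0, "dest": None},
    {"ts": "2010-06-01T10:05:00", "customer": "cust-001", "channel": "credit",
     "type": "address_change", "ip": "198.51.100.5", "amount": 0.0, "dest": None},
    {"ts": "2010-06-01T10:20:00", "customer": "cust-001", "channel": "debit",
     "type": "transfer", "ip": "198.51.100.5", "amount": 450.0, "dest": "acct-new-999"},
    {"ts": "2010-06-01T14:00:00", "customer": "cust-001", "channel": "checking",
     "type": "transfer", "ip": "203.0.113.10", "amount": 120.0, "dest": "acct-savings-001"},
]
ALERT_THRESHOLD = 3     # independent risk signals needed before an alert is raised
WINDOW_SECONDS = 3600   # how far back cross-channel correlation looks
def risk_signals(event, history, cross_channel):
    """List risk signals for one event; with cross_channel=False it is judged in its own silo."""
    profile = BASELINE[event["customer"]]
    ts = datetime.fromisoformat(event["ts"])
    signals = []
    if ts.hour not in profile["usual_hours"]:
        signals.append("unusual_hour")
    if event["ip"] in BLACKLISTED_IPS:
        signals.append("blacklisted_ip")
    elif event["ip"] not in profile["known_ips"]:
        signals.append("new_ip")
    if event["dest"] and event["dest"] not in profile["known_destinations"]:
        signals.append("new_destination")
    if event["amount"] > profile["typical_max_amount"]:
        signals.append("amount_above_typical")
    # The signal a silo cannot see: the same unfamiliar IP touched another product recently.
    if cross_channel and event["ip"] not in profile["known_ips"]:
        linked = [h for h in history if h["channel"] != event["channel"] and h["ip"] == event["ip"]
                  and 0 <= (ts - datetime.fromisoformat(h["ts"])).total_seconds() <= WINDOW_SECONDS]
        if linked:
            signals.append("cross_channel_sequence")
    return signals
def evaluate(events, cross_channel=True):
    """Return alerts as (timestamp, channel, signals) for events reaching the threshold."""
    alerts, history = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        signals = risk_signals(ev, history, cross_channel)
        if len(signals) >= ALERT_THRESHOLD:
            alerts.append((ev["ts"], ev["channel"], signals))
        history.append(ev)
    return alerts
```

Run in silo mode, `evaluate(EVENTS, cross_channel=False)` raises no alert, because each event carries at most two signals on its own; with the cross-channel view the debit transfer gathers three (new IP, new destination, and the preceding password reset and address change from the same IP) and is flagged.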
People are not going to stop sharing personal data any time soon; in fact, the trend is going to grow exponentially. Imagine, then, if a fraudster trawls your social media sites and now knows your birthday, your pet’s name, the school you went to and name of your employer. Imagine the number of points of vulnerability this creates in your financial dealings.
Now, imagine you post a note on your Farmville game that you need someone to help feed your animals while you’re on holiday. Your absence creates a perfect opportunity for a fraudster to begin attacking your financial positions while you’re not paying attention. The speed and cunning of social media-based fraud demands a real-time, 360-degree response. By deploying a broader consumer protection strategy, banks are able to mitigate the risk of fraud and deploy a strategy that aligns with the new cultural and technical paradigm of social media.
Mr. Nussenbaum is vice president, global risk solutions, with New York City-based ACI Worldwide Inc., a global provider of electronic payments solutions. He can be reached at David.Nussenbaum@aciworldwide.com.