An article relating to this blog post on Finextra:

Facebook users want Web 2.0 banking

New research has found that around half of Facebook users would use Web 2.0 applications for online banking, while a quarter would even consider switching banks to obtain Web 2.0 services.


Web 2.0 Banking Authentication

Web 2.0 and banking seem like an interesting mix.  This article (http://www.finextra.com/fullstory.asp?id=18544) mentions three loosely coupled items related to this:
  • Providing online banking services through widgets in web 2.0 sites such as Facebook, MySpace and others.
  • Integrating web 2.0 functionalities such as wikis and blogs into the bank's core online banking website.
  • Offering 'social lending', which is basically a community lending scheme in which banks don't really play, as consumers lend to each other.

Out of the three, the first item strikes me as particularly interesting from an online security perspective. 

Facebook isn't a launching pad from which you click a link and land on another web site – say, an online banking website. To fit into Facebook's application platform, you need to use its shared infrastructure. In principle, the same infrastructure that is used to build a "find out who else likes the movies you like" application will be the platform for online banking. 

And sharing the infrastructure means sharing the authentication: the banking widget would trust whatever login Facebook has already performed. 

Oops. 

Facebook, which authenticates users with a username and password, is already heavily phished, and appears in the 'top 10 non-financial websites to steal credentials from' on every online fraudster's to-do list.

This can only mean one thing for banks wishing to integrate into Facebook's open platform. 

Trouble. 

Now, there are several ways to overcome this hurdle. One way is to convince Facebook that applications which require access to sensitive personal data should be offered other authentication options.

Perhaps Facebook will realize that certain applications must rely on external authentication, and develop APIs that allow an application to authenticate the user against the bank's own systems. I'm not sure Facebook users will appreciate it, though. All they care about is lightning-quick service. Security? Bah!

The bank can also decide to disable some high-risk functions in the widget, such as money transfers to new destination accounts. But that's not a long-term strategy.

Another idea is to use invisible device authentication, a technology already deployed by many financial and non-financial organizations, and run robust transaction monitoring behind the scenes to make sure the activity conducted through the Facebook widget isn't suspicious. Because the fraudster can't see which device and transaction signals are being checked, a stolen username and password alone won't be enough; the invisible nature of the defense mechanism will confuse fraudsters and stop most fraud. 
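The last two ideas, restricting high-risk functions in the widget and pairing invisible device authentication with transaction monitoring, combine naturally into a single risk decision. The Python below is an added example, not code from the original post or from any vendor: it hashes a few client attributes into a device identifier, scores a transfer by whether the device, the destination account and the amount are familiar, and then allows it, demands an out-of-band step-up, or blocks it in the widget. The attribute names, weights, thresholds and the sample user data are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

# Thresholds for the three outcomes (assumed values for illustration).
STEP_UP_AT = 30   # ask for an out-of-band confirmation (e.g. a code sent by SMS)
BLOCK_AT = 70     # refuse inside the widget; send the user to the bank's own site


def device_fingerprint(attrs: dict) -> str:
    """Reduce client attributes that a widget could collect without any
    user interaction (user agent, screen size, timezone, languages) to an
    opaque identifier.  The key names are assumptions; real products use
    many more signals and tolerate small changes between sessions."""
    keys = ("user_agent", "screen", "timezone", "languages")
    material = "|".join(f"{k}={attrs.get(k, '')}" for k in keys)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


@dataclass
class UserProfile:
    known_devices: set        # fingerprints seen on past legitimate sessions
    known_payees: set         # destination accounts this user has paid before
    typical_amount: float     # e.g. rolling average of previous transfers


@dataclass
class Decision:
    score: int
    action: str               # "allow", "step_up" or "block"
    reasons: list


def score_transfer(profile: UserProfile, device_attrs: dict,
                   payee: str, amount: float) -> Decision:
    """Combine device recognition with transaction monitoring.  The widget
    user has already passed Facebook's password login, so the question is
    how much that proves: a stolen password used from an unfamiliar device
    to pay an unfamiliar account should not be enough on its own."""
    score, reasons = 0, []
    if device_fingerprint(device_attrs) not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    if payee not in profile.known_payees:
        score += 30
        reasons.append("new destination account")
    if amount > 3 * profile.typical_amount:
        score += 30
        reasons.append("amount far above typical")

    if score >= BLOCK_AT:
        action = "block"
    elif score >= STEP_UP_AT:
        action = "step_up"
    else:
        action = "allow"
    return Decision(score, action, reasons)


def enroll_device(profile: UserProfile, device_attrs: dict) -> None:
    """After a step-up succeeds, remember the device so that later sessions
    from it are invisible to the user again."""
    profile.known_devices.add(device_fingerprint(device_attrs))


# Constructed sample data: a customer's usual PC and an unfamiliar one.
HOME_PC = {"user_agent": "Mozilla/5.0 (Windows NT 6.0) Firefox/3.0",
           "screen": "1280x800", "timezone": "-120", "languages": "en-US,en"}
CAFE_PC = {"user_agent": "Mozilla/5.0 (Windows NT 5.1) MSIE 7.0",
           "screen": "1024x768", "timezone": "+0", "languages": "en-GB"}

alice = UserProfile(known_devices={device_fingerprint(HOME_PC)},
                    known_payees={"electric-company"},
                    typical_amount=200.0)

if __name__ == "__main__":
    cases = [
        ("usual bill from home", HOME_PC, "electric-company", 150.0),
        ("new payee from home", HOME_PC, "mule-account", 180.0),
        ("phisher's cash-out", CAFE_PC, "mule-account", 900.0),
    ]
    for label, dev, payee, amt in cases:
        d = score_transfer(alice, dev, payee, amt)
        print(f"{label:22s} score={d.score:3d} {d.action:8s} {d.reasons}")
```

The point of the enrollment step is that the friction is paid once per device rather than on every login, which is what keeps the control "invisible" for the legitimate user while a fraudster replaying phished Facebook credentials from a fresh machine still hits the step-up or the block.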

I'm interested to hear whether you have other ideas or thoughts.


Uri Rivner

Chief Cyber Officer

BioCatch


This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.
