Source: Paul Johns, Complinet
Millions of bank customers are revealing all on Facebook, but are they putting themselves and their banks at risk, or does the new mania for online public living present useful information-gathering opportunities for banking institutions?
By Paul Johns, chief marketing officer, Complinet
Finding out your ‘porn star name’ or your ‘stripper name’ on Facebook may seem like innocent fun – but to identity thieves, it’s a gold mine.
The popular social networking platform, which recently announced it has more than 30 million active members worldwide, has already gained a reputation for turning grownups into teenagers. Professional adults can frequently be found engaging in virtual public food fights, ‘poking’ each other, and drawing graffiti on each other’s ‘wall’.
Another of the myriad ways Facebook users amuse themselves is by using widgets (tiny pieces of software) to calculate their ‘porn star name’, ‘stripper name’ or ‘superhero name’, among many others. But these seemingly innocent games are encouraging Facebook users to reveal information about themselves that is of deep interest to identity thieves.
In one method of calculating their porn star name, users are asked to combine their first pet’s name with the name of the street they grew up on. If they grew up on Acacia Avenue and their first pet was a rabbit called Fluffy, the porn star name would be “Fluffy Acacia”. In other versions of the formula, their porn star name is their first pet’s name plus their mother’s maiden name.
All good fun, and Facebook users have no qualms about announcing their porn star name to the world and inviting other users to reveal theirs.
But to identity thieves, these games are a rich seam of the very information that banks commonly use during security checks, and that people commonly use as passwords.
Facebook profiles already typically provide more than enough personal information to allow fraudsters to steal identities and establish fraudulent bank accounts. People regularly publish their name, address, email address, date of birth, phone number and relationship status here and on other social networking platforms.
When the same people also start helpfully revealing things like their first pet’s name, mother’s maiden name and memorable addresses, even the most amateur identity thief might be tempted to exploit the opportunity.
The first instances of Facebook identity theft are already coming to light. The Daily Mail reported on 27 July that Londoner Victoria Sennitt was the victim of identity fraudsters who used information from her Facebook profile to open a mobile phone contract in her name. With more and more people making more and more personal information public, identity theft of this kind will become commonplace.
It remains to be seen whether banks will address this threat to their customers’ privacy by tightening their security procedures. For the moment, banks are taking a rather contradictory approach to Facebook. On 1 August, Investment News noted that several global investment banks have banned employees from accessing it at work, citing productivity reasons. But at the same time banks are taking advantage of the wealth of personal information provided on Facebook for recruitment and even Anti-Money Laundering (AML) and Know Your Customer (KYC) purposes.
Like other employers, banks are beginning to experiment with Facebook as a tool to assist with the recruitment process. Financial sector recruitment firms are starting to set up shop on Facebook, hoping to attract candidates from among the network’s massive user base of recent graduates and job-changers. In-house recruiters are also finding it a useful way to gain additional insights into candidates they are thinking of hiring, sometimes finding that the information provided on candidates’ profile pages is inconsistent with the information given on their resume or CV or during an interview.
Some institutions may even be going one step further and using Facebook for AML, identity verification and KYC purposes, reasoning that the ‘friends’ lists of suspect or blacklisted individuals can provide insights into those people’s associates. However, banks should be careful not to rely solely on this approach. The information provided on Facebook is not guaranteed to be accurate, many people appear under assumed names, and people listed as ‘friends’ may not actually be known to the owner of the profile in real life. Blacklisting an innocent person for appearing to be someone’s associate on Facebook may have all kinds of unpleasant repercussions – both for the bank and for the person involved. For anti-money laundering purposes, official watch lists remain far more reliable than social networking sites.
Social networking platforms like Facebook are emerging, evolving and diversifying at such speed that individuals and organisations are finding it difficult to keep pace with the change. But one thing is for certain: with millions of people around the world now publishing their most personal details online, banks and their customers can no longer afford to ignore the risks and opportunities that social networking brings.