Banking Via Twitter?
In the latest example of how just because you can do something doesn't mean you should, one credit union has decided to offer a new feature, dubbed "tweetMyMoney," that allows members to interact with their accounts via Twitter. Can't wait for the next version, "tweetSomeoneElsesMoney." "tweetMyMoney, available exclusively to Vantage members! With tweetMyMoney, you can monitor your account balance, deposits, withdrawals, holds and cleared checks with simple commands. And, you can even transfer funds within your account. It's all available on Twitter, 24/7!"
I've got two words for this: "Bad idea." Seriously, I wonder what genius thought this up.
Epic FAIL!
Check out my sci-fi/humor trilogy at PatriotsBooks.
1. Target needs to be authenticated to the user. This should require some positive action, as opposed to relying on certificates which are mostly ignored and whose provenance is not as strongly assured as was initially advertised.
2. Customer needs to authenticate to the target. Passwords are not enough since humans can remember approximately 1 password only, and only if they use it constantly. The authentication should change and replays should be rejected.
3. Customer must affirm details of the transaction before it is committed. This too must use some method that is changeable and disallows playback.
Ideally a transaction will have all these elements in one idempotent package, the way for example a check might if the signature were a better biometric than it is and if the signature were checked always. That is however technically awkward on a net, so the 3 elements listed may need to be separately done. Omitting any of the elements allows different classes of attacks. If all the elements are present and tied together, attacks become very hard. Also, note, step 3 makes it largely irrelevant whether the customer is declared not-present afterwards or not. It serves also to terminate the transaction. Whether another transaction is begun or not is for the most part immaterial. (A method I have advocated to accomplish these would allow several transactions to be tied together if desired, in one session, but there would always be a "signature" or "affirmation" step for each, even if the initial authentication steps were recent enough to continue to use them.)
This needs hardware. However it can be done very cheaply; the hardware needed can in quantity be had for perhaps $3 a copy, possibly less, even as electronics. Paper approximations could be far cheaper still.
This seems like a GREAT way to lose all your money quickly.
I guess after it happens, you'll at least have something to really tweet about (as opposed to the fact you bought the new Brittney Spears album - no one cares!).
How about the very idea of banking by twitter? What twit thought THAT one up??
I don't need Twitter for that -- I just call the bank and talk to a human.
Now we see why the banking industry is so screwed; it's run by morons.
Free Martian Whores!
Tweet: you're broke. :) Thank you for choosing stupidity banking.
You want to interact with your bank with a richer GUI than just text messages.
120 characters isn't big enough for my account balance.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
"This Twitter thing, yeah, it's all, like, Web Two Point Oh, and customer synergy interaction right, and then people can, like, interact with their data and it'll be all like, in the Cloud! Yeah!"
I can guarantee something very much like the above took place in their marketing department shortly before this was built. I've spent 10 years listening to this from marketing geeks - nothing more dangerous than a new technology half-understood.
sig:- (wit >= sarcasm)
Is that at least a better reason than because I *can* do something, I *should* ?
As long as I'm throwing caution to the wind, I'd like to hear some embedded MIDI while I bank.
0 = 1 + e^(Alt something)
RE: Foreign Exchange From U.S. Dollars To Euro
Please initiate paperwork for our new oil account from
cheapo U.S. dollars to resilient and persistent Euro .
Yours In Commerce,
M. Ahmedinejad
P.S.: Your lame attempt to start a revolution in Iran was
entertaining although seditious.
Dear Vantage customer, our free joke service will send you a tweet every day with a new hilarious joke. Please tweet "#tran $1000 f1 t123456" to @myvcu to start!
Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
Lots of OMGWTF!!! responses here, but having looked over the information they're providing (balances, holds, cleared checks, etc) and noting that there's no transmission of account numbers, PINs or other identifying information, I'm not seeing a major problem.
Just because you can have a knee-jerk reaction doesn't mean you should.
Slightly disreputable, albeit gregarious
I mean, twitter is for twits, and some twat thought this up, but nowhere, NOWHERE, does it say anything about actually moving money BETWEEN accounts. Only MONITORING and transferring WITHIN your account.
Banking via twitter = mainframe terminal for customer on pc/mobile phone.
cmd: deposit $xx.xx to acct:1234567
I cannot wait to see how many twitter IP addresses start originating from Nigeria.
Twanking
I will be Twishing your details
After (literally) one minute of reflection, I've come up with the following *major* issues related to doing this:
1) I can see a list of people that (very likely) use VCU online banking. It's their "Followers" list. Phish much?
2) Twitter does not seem to use secure connections. I hope the bank does, but even if they do, that's not going to help when someone grabs a twitter user's login while monitoring a network.
3) Since it doesn't seem like they thought this through very well, there could be lots of holes in the commands. Can I spoof someone else's account info with a series of @ commands on twitter?
4) There was a fourth, but my mind is completely blown and I cannot continue.
the only command I will tweet would be ...
Tweet: SELECT All Money FROM All_Accounts TO My_Account NOW!
Is there a list of banks that support this? Just so, you know, the intelligent people can move their cash OUT of these banks?
I don't see the point of the service, but then I don't use Twitter.
I also don't see the point of all the critics. Everyone alludes to how easily someone can steal your money with this. Ok... how?
I see a bunch of functionality where you can monitor your account status. The only thing I see that mentions affecting your account status is transferring money within your account. I guess that's enough that you could mess with someone, but where's the profit motive? You're going to commit wire fraud just to piss someone off?
Harper's had the foresight to publish an anthropomorphized metaphorical tale of the interactions between Twitter and banks, some years ago:
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Site: https://twitpay.me/
Basically you attach your twitter account to your paypal account, then you can send money to any other twitter user with a simple message to that effect.
Of course, the catch is that the money never actually gets transferred until you "settle" the account. It just keeps a running tally for everybody, then you settle and pay the whole shebang at once.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
So when I receive a twit from my bank about someone else's account will a judge order my account disabled?
This sounds to me like "another hole in the wall".
I get it.. it's SO enormous.. and since it's not April 1st, I can only conclude the web site was hacked and some witty nerd pranked them..
Ah ah.. tweet banking.. uh uh.. funny..
--Ivan
It's as if they made people forget about this little thing called the Internet. Pretty soon they will tell me that I can look at lol cats and porn via twitter and expect me to be super excited.
I herd u liek twitter and online banking, so we put ur bank in ur twitter so you can bank while u tweet.
When I first read this description, I thought it was about people using twitter to be open and public about their money.
In most other parts of the world the Internet is driving companies and products to "out-open" each other. More transparency wins, more obvious pricing models win, easier services win. People who are more open and more public about their lives are more successful generally (though it's not clear which are the causes and which are the effects).
This drive toward open has not reached financial matters (yet). People and companies are still extremely private about how much money they have and what they do with that money, for good reason.
Eventually I see the intersection of "open" culture drivers - and the privacy of personal and organizational finance hitting a crossroad. It may not be pretty. I think that once the norm is forced to be more open in order to compete, then eventually there will be a drive to be open about money and transactions - how much people and orgs have, and exactly how they use it. Financial information may be protected for some time legally, but with ever increasing information available about everything, it will get out, be shared, and used to make decisions. I think we'll see on 10+ year timelines some organizations and people and orgs being "open" about their money voluntarily and it will be a very good thing. Totally open finance.
Consumers will have data never before imagined: consider at point of sale knowing exactly what the producers of a product paid in capital and marginal costs to produce a product you might buy, the breakdown of costs and profits to which organizations, and which people are benefiting from that potential purchase? I think we'll see this faster than you might imagine.
I can not believe they actually thought of this crap! What's next, post your banking information on Facebook or Myspace huh?
This idea is truly for the birds!
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Since the launch of our new MyVantage online account management system in April, many members have asked for a mobile banking solution. We'r
And this is what you've come up with? Not ... I don't know, secure email, hell even text messages... no, we'll use twitter for submitting private banking info? And oh, just happen to share it with the twitter corp as well? Genius, pure genius.
Do any of you use services like Mint, Quicken Online or Wasabi? They would be even more dangerous as they actually store your login credentials for pulling your banking info. This service from this credit union just uses direct messages. This is similar to SMS banking that other institutions offer. I don't see a problem. This would be great for the twitter kids.
I herd u like security holes, so we put Twitter in yo online banking software so you can have security holes in your security holes!
This has got to be the dumbest idea from a financial institution since that guy from the anti-identity theft company gave out his social security number and then had funds withdrawn from his account and credit cards opened in his name...
Ave Molech Setting
What really surprises me about the idea of 'banking via twitter' is how the originating bank got this concept past their internal compliance officer/team/department. I just came off of a 6-month stint at an up-and-coming regional bank. While there, I learned a couple of really interesting lessons about banking in general: 1. Absolutely every breath they take and every move they make (rock on, Police) is filtered through federal and state regulatory compliance. 2. To my surprise, most non-national banks think nothing of throwing money at software solutions with outside vendors and these banks rarely require direct interconnectivity with what is referred to as their 'core' system. This, as it happens, is often an expression of point #1. So, I say #1 to point out that *someone* familiar with regulatory compliance must have signed off on the Twitter-banking idea. Many here have noted that the communication with a user's accounts is pushed into a private realm at Twitter, but that doesn't sound like an adequate separation to me. 'Private' tweeting or not, it seems to me that most compliance auditors would reel at the mere suggestion of tossing any account information into that electronic pool. They would also likely need to get some kind of compliance statement from Twitter itself to make the bank tweeting product available. I say point #2 just to say that I'm convinced there's a lot of untapped opportunity in banking for hosted applications. ;-)
I do know of a popular CMS that has some Twitter integration code, where for a proof of a really-bad-concept, a developer modified the module before a live audience to evaluate anything between php tags in a tweet within the global scope.
That's probably much more dangerous ;)
Dear Twitter, I'm broke... follow me?
Here let me invest that for you..and it's gone.
That's *my* credit union!
Nothing for 6-digit uids?
I suspect that people who try this probably don't have any money to begin with. If they do, then they shouldn't and using this will take care of their problem. I see nothing wrong here.
"Hey Bob, can I borrow $20?" "I'm kinda tapped out right now..." Uh, no you're not! You twanked over $300 this morning!"
The same marketing people I can hear saying the above in my head did, honestly, suggest we "should be getting into Second Life" some years ago, but they were reluctantly dissuaded. A narrow escape for my development team, I think.
sig:- (wit >= sarcasm)
Does anyone else worry about sending sensitive information over a service like Twitter, which has had security issues in the past? And, assuming this works over DMs, what if a user instead accidentally uses a reply or just a straight Twitter post? What sort of information have they just inadvertently exposed?
I have mod points for this comment but I can't find the "+1, Recursive" option?
So you can interact with your bank 24/7 = 3,428571 times a day? I suppose that's the number of things you can do over twitter before your bank account gets emptied... or the average uptime of Twitter?
Sorry, I could not resist the joke.
Not only does it seem a bad idea, but a pain in the a$$ too... http://www.vcu.com/page/tweetmymoney-videos
On the other hand, an ideal banking service should make it impossible to perform a real transfer or payment (when your account is debited) without letting the customer know and receiving a positive confirmation that the customer (and not someone else) has been notified and approved the transaction.
From that perspective, if someone manages to break into my banking account but can only view the information, it is a significantly lower risk than doing the same with the ability to send money out. So having this information on twitter may actually increase the security (e.g. I will know immediately that someone used my credit or debit card number).
Of course, once it comes down to the implementation, another external service will just open another attack vector. But twitter here is no more or less secure than another account consolidation service or electronic bank statements.
Is there any means which has ever been used to communicate sensitive information -- including contracted couriers, the USPS, telephones, and in-person oral conversations -- that has not "had security issues in the past"?
Maybe banks should figure out a way to send me these kinds of updates by email before trying to Twitter them to me!
There are only 100X more email users out there than Twitter users...
(Yeah, I know there are security issues w/email - the same ones with Twitter)
In many countries customers have been able to set up SMS notification for years now. They would receive an SMS every time a transaction is taking place.
Without exaggerating the rag is like 80-90% advertisements. If their tag line were truthful it would say Maximum BS, Minimum PC.
Hold on to your panties guys, this isn't any different from how financial institutions handle SMS. Bank or credit union needs or wants to communicate through some insecure medium (email, SMS, Twitter, Facebook). The customer logs into online banking through MFA (multi-factor authentication) which is now mandated by the FFIEC for all financial institutions. User then links their account, cell phone, Twitter name, or Facebook profile to their online account. Once linked, only that account can access any information. If their Twitter account is hacked, then the hacker could potentially use the published commands to get account balances or transfer money within the customer's account. Same exact thing would happen if their email password was compromised or they lost their cell phone. Twitter has an open API. OFX has an open API which is exactly what they are using as it is the backbone of nearly all online banking applications. It is also what Quicken uses. If you're worried about this, then don't use text banking, Quicken, Mint, or any other app that uses OFX.
TwitDrugs: Monitor your morphine drip via Twitter as well as adjust it!
TwitChild: Keep track of your child on Twitter! Real-time coordinates are tweeted so the Twitiverse can help you keep an eye on your kid.
Honestly, what is so wrong with this idea? According to the website, "Q. How is mobile banking using Twitter secure? A. As always, your account security is our utmost priority. When you use tweetMyMoney to access your account information, keep in mind that the information provided DOES NOT include account numbers, passwords, PINs or any other secure information. Also, tweetMyMoney uses the application's direct message feature so no one else sees the account information you request." It seems like Vantage Credit Union has really thought it out and mobility is obviously the way of the future, they're just taking it somewhere no one else has yet.
i believe you can do this with Buxfer on any account if you are into opening security holes..
Create strong passwords
Connecting a paypal account to twitter will make it easier to send money to friends or people, however, it will just cause more problems in the future. Twitter should stay as it is, the way people like it right now. Many people don't like change (such as changes in facebook) so Twitter should just stay the same as it is right now.
The Secure Remote Password protocol (SRP) solves all 3 of these requirements by proving that the server and client both agree that the other one is in possession of a shared secret without ever revealing that secret.
Support in SSL/TLS was standardized as part of RFC 5054.
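To make the SRP claim concrete, here is a toy SRP-6a run (an added example, not code from the thread or from any library) showing how it meets the three requirements from the earlier comment: the server proves it holds the verifier, the client proves it knows the password without sending it, and fresh ephemeral values mean a captured transcript cannot be replayed. The 1019/2 group, the simplified hash-to-integer encoding and the names enroll/srp_exchange are assumptions for illustration; real deployments use the RFC 5054 groups and encoding.

```python
import hashlib
import secrets

N = 1019  # constructed toy safe prime (2*509+1); NOT for production use
g = 2     # primitive root mod 1019; the checks below confirm it generates the group
assert pow(g, (N - 1) // 2, N) != 1 and pow(g, 2, N) != 1

def H(*parts):
    """Hash ints/bytes/str into an integer (simplified padding, assumed for demo)."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier parameter

def enroll(username, password, salt=None):
    """Enrollment: the server stores only (salt, verifier), never the password."""
    salt = salt or secrets.token_bytes(16)
    x = H(salt, H(f"{username}:{password}"))
    return salt, pow(g, x, N)

def srp_exchange(username, password, salt, verifier, a=None, b=None):
    """One SRP-6a session; returns (client_ok, server_ok). a/b may be fixed for tests."""
    a = a or secrets.randbelow(N - 2) + 1      # client ephemeral (fresh per run)
    b = b or secrets.randbelow(N - 2) + 1      # server ephemeral (fresh per run)
    A = pow(g, a, N)                           # client -> server
    if A % N == 0:
        raise ValueError("server rejects A == 0 mod N")
    B = (k * verifier + pow(g, b, N)) % N      # server -> client
    if B % N == 0:
        raise ValueError("client rejects B == 0 mod N")
    u = H(A, B)                                # scrambling parameter binds both halves
    # Client side: derives x from the password it knows.
    x = H(salt, H(f"{username}:{password}"))
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: uses the stored verifier only, never learns the password.
    S_s = pow(A * pow(verifier, u, N), b, N)
    K_c, K_s = H(S_c), H(S_s)
    M1 = H(A, B, K_c)                          # client proof sent to server
    server_ok = M1 == H(A, B, K_s)
    if not server_ok:
        return False, False                    # server aborts; no M2 is released
    M2 = H(A, M1, K_s)                         # server proof sent to client
    client_ok = M2 == H(A, M1, K_c)
    return client_ok, server_ok
```

Because a wrong password yields a different S on the client, M1 fails to verify and the server never releases M2, so the client learns nothing usable from a failed run either.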
It should be more like "Tweet My Lawsuit" :-) GRIN
Are you fucking kidding me?!!?!?!
Ha. Bad Idea is the perfect way to describe this.