Banking Via Twitter?

In the latest example of how just because you can do something doesn't mean you should, one credit union has decided to offer a new feature, dubbed "tweetMyMoney," that allows members to interact with their accounts via Twitter. Can't wait for the next version, "tweetSomeoneElsesMoney." "tweetMyMoney, available exclusively to Vantage members! With tweetMyMoney, you can monitor your account balance, deposits, withdrawals, holds and cleared checks with simple commands. And, you can even transfer funds within your account. It's all available on Twitter, 24/7!"

two words

[Dyinobal]

I've got two words for this "Bad idea" seriously I wonder what genius thought of this up.

Transactions need 3 elements to be safe...

1. Target needs to be authenticated to the user. This should require some positive action, as opposed to relying on certificates which are mostly ignored and whose provenance is not as strongly assured as was initially advertised.
2. Customer needs to authenticate to the target. Passwords are not enough since humans can remember approximately 1 password only, and only if they use it constantly. The authentication should change and replays should be rejected.
3. Customer must affirm details of the transaction before it is committed. This too must use some method that is changeable and disallows playback.

Ideally a transaction will have all these elements in one idempotent package, the way for example a check might if the signature were a better biometric than it is and if the signature were checked always. That is however technically awkward on a net, so the 3 elements listed may need to be separately done. Omitting any of the elements allows different classes of attacks. If all the elements are present and tied together, attacks become very hard. Also, note, step 3 makes it largely irrelevant whether the customer is declared not-present afterwards or not. It serves also to terminate the transaction. Whether another transaction is begun or not is for the most part immaterial. (A method I have advocated to accomplish these would allow several transactions to be tied together if desired, in one session, but there would always be a "signature" or "affirmation" step for each, even if the initial authentication steps were recent enough to continue to use them.)

This needs hardware. However it can be done very cheaply; the hardware needed can in quantity be had for perhaps $3 a copy, possibly less, even as electronics. Paper approximations could be far cheaper still.

Better hope that it's secure.

[LitelySalted]

This seems like a GREAT way to lose all your money quickly.

I guess after it happens, you'll at least have something to really tweet about (as opposed to the fact you bought the new Brittney Spears album - no one cares!).

"See anything seriously wrong with this story?"

[mcgrew]

How about the very idea of banking by twitter? What twit thought THAT one up??

With tweetMyMoney, you can monitor your account balance, deposits, withdrawals, holds and cleared checks with simple commands. And, you can even transfer funds within your account. It's all available on Twitter, 24/7! And, the best part is, our tweetMyMoney service is free!

So how is this mobile? If your phone can send and receive text messages and you're on Twitter, you're in! tweetMyMoney uses Twitter's Direct Message feature to return the account information you request.

I don't need Twitter for that -- I just call the bank and talk to a human.

Now we see why the banking industry is so screwed; it's run by morons.

Judge Orders Twitter Acct. Disabled

[retech]

So when I receive a twit from my bank about someone else's account will a judge order my account disabled?

Re:Not seeing the point

[YrWrstNtmr]

I also don't see the point of all the critics. Everyone alludes to how easily someone can steal your money with this. Ok... how?

Why would you purposely introduce another entity between you and the bank? A decidedly non-secure entity.