Banking Via Twitter?

In the latest example of how just because you can do something doesn't mean you should, one credit union has decided to offer a new feature, dubbed "tweetMyMoney," that allows members to interact with their accounts via Twitter. Can't wait for the next version, "tweetSomeoneElsesMoney." "tweetMyMoney, available exclusively to Vantage members! With tweetMyMoney, you can monitor your account balance, deposits, withdrawals, holds and cleared checks with simple commands. And, you can even transfer funds within your account. It's all available on Twitter, 24/7!"

two words

[Dyinobal]

I've got two words for this "Bad idea" seriously I wonder what genius thought of this up.

Re:two words

[Captain+Splendid]

I see your two words and trump you with one.

That's right folks, this is indeed the Apocalypse.

Re:Two words

[dgatwood]

Or the LOLCats version

http://bighugelabs.com/output/lolcat6528288a5fbaabe890a88dbfecccb45635d9ef59.jpg

Re:two words

[VisualD]

Even if its secure from the perspective of other users (which it's not - does twitter even have a password policy?), it's ripe for abuse by twitter staff members, and anyone working in their co-lo centres (I'm assuming tweets are stored unencrypted). After all the push for two factor authentication and security management, we get this? Truly a WTF of the highest calibre.

Re:two words

[SEWilco]

"Hey, everybody, Susan has a balance of $347.88."

Re:two words

[maxume]

How disappointing to find out we live in such a pussy-ass universe. I want some fire and brimstone, or at least a few nuclear detonations.

Re:two words

[Runaway1956]

Obligatory post, really:

"But, what could go wrong?"

Re:Two words

Your epic fail is having an epic fail.

Page not found (/.d already?)

Re:two words

[Tanktalus]

"Not anymore!" *snicker*

Re:Two words

[dgatwood]

Yeah, apparently that site deletes the generated images after an hour or so. It showed a cat on a keyboard and said "I'm on ur Twitter" at the top, and at the bottom, "Sendin monee to Switzerland."

Re:Two words

[_Sprocket_]

Twitter meets banking: a whale too large to fail.

Re:two words

I was laughing . . . until I realized it was my bank.

Suddenly the humor in it escapes me.

Two words

[dgatwood]

Epic FAIL!

Transactions need 3 elements to be safe...

1. Target needs to be authenticated to the user. This should require some positive action, as opposed to relying on certificates which are mostly ignored and whose provenance is not as strongly assured as was initially advertised.
2. Customer needs to authenticate to the target. Passwords are not enough since humans can remember approximately 1 password only, and only if they use it constantly. The authentication should change and replays should be rejected.
3. Customer must affirm details of the transaction before it is committed. This too must use some method that is changeable and disallows playback.

Ideally a transaction will have all these elements in one idempotent package, the way for example a check might if the signature were a better biometric than it is and if the signature were checked always. That is however technically awkward on a net, so the 3 elements listed may need to be separately done. Omitting any of the elements allows different classes of attacks. If all the elements are present and tied together, attacks become very hard. Also, note, step 3 makes it largely irrelevant whether the customer is declared not-present afterwards or not. It serves also to terminate the transaction. Whether another transaction is begun or not is for the most part immaterial. (A method I have advocated to accomplish these would allow several transactions to be tied together if desired, in one session, but there would always be a "signature" or "affirmation" step for each, even if the initial authentication steps were recent enough to continue to use them.)

This needs hardware. However it can be done very cheaply; the hardware needed can in quantity be had for perhaps $3 a copy, possibly less, even as electronics. Paper approximations could be far cheaper still.

Better hope that it's secure.

[LitelySalted]

This seems like a GREAT way to lose all your money quickly.

I guess after it happens, you'll at least have something to really tweet about (as opposed to the fact you bought the new Brittney Spears album - no one cares!).

"See anything seriously wrong with this story?"

[mcgrew]

How about the very idea of banking by twitter? What twit thought THAT one up??

With tweetMyMoney, you can monitor your account balance, deposits, withdrawals, holds and cleared checks with simple commands. And, you can even transfer funds within your account. It's all available on Twitter, 24/7! And, the best part is, our tweetMyMoney service is free!

So how is this mobile? If your phone can send and receive text messages and you're on Twitter, you're in! tweetMyMoney uses Twitter's Direct Message feature to return the account information you request.

I don't need Twitter for that -- I just call the bank and talk to a human.

Now we see why the banking industry is so screwed; it's run by morons.

Re:"See anything seriously wrong with this story?"

[xaxa]

"Welcome to [...] telephone banking. Please enter your account number, followed by hash"
beep boop beep biip boop beep beep boop baap
"Please enter the fourth digit of your PIN"
boop
"Please enter the last digit of your post code"
beep
"In the word 'money', 'N' is in position three. In your password, what position is 'F' in?"
boop
"Your balance is £1234.56. Press 1 to..."

I feel more comfortable communicating with a robot.

(Having said that, I've only ever checked my balance. I'm not sure I'd do anything more than that over an unencrypted channel.)

uh oh

[wesslen]

Tweet: you're broke. :) Thank you for choosing stupidity banking.

Re:uh oh

[hoggoth]

> Tweet: you're broke. :) Thank you for choosing stupidity banking.

And, Its gone...

Pffft

[MyLongNickName]

120 characters isn't big enough for my account balance.

Re:Pffft

[PrescriptionWarning]

Yeah I guess that negative symbol would carry your message over to 121 wouldn't it.

Re:Pffft

[eln]

It would be if you didn't insist on displaying your account balance to the 119th decimal place.

Re:Pffft

[megamerican]

He's from Zimbabwe you insensitive clod!

"Hey, I know what'd be great!"

[djkitsch]

"This Twitter thing, yeah, it's all, like, Web Two Point Oh, and customer synergy interaction right, and then people can, like, interact with their data and it'll be all like, in the Cloud! Yeah!"

I can guarantee something very much like the above took place in their marketing department shortly before this was built. I've spent 10 years listening to this from marketing geeks - nothing more dangerous than a new technology half-understood.

Re:"Hey, I know what'd be great!"

[sadness203]

Yeah, so what ? It's perfect, it's genius!
Now I only have to fit the nigerian scam letter in a 120 characters tweet... and they can, in one or two simple click, send me the money!
Can't you see the advancement ?

Re:"Hey, I know what'd be great!"

[masshuu]

U r heir 2 $200k, send bank info 2 this tweet long with $2,000 4 holding and verification.

Re:"Hey, I know what'd be great!"

[netsharc]

Yeah, does the bank also have a branch in Second Life? Come on man, Second Life, it's the future! Even CNN has an office there!

Oh wait, it's not 2007 anymore...

I'd Prefer to Bank via MySpace

[swanzilla]

As long as Iâ(TM)m throwing caution to the wind, Iâ(TM)d like to hear some embedded MIDI while I bank.

A new joke every day!

[wastedlife]

Dear Vantage customer, our free joke service will send you a tweet every day with a new hilarious joke. Please tweet "#tran $1000 f1 t123456" to @myvcu to start!

What's so bad?

[LMacG]

Lots of OMGWTF!!! responses here, but having looked over the information they're providing (balances, holds, cleared checks, etc) and noting that there's no transmission of account numbers, PINs or other identifying information, I'm not seeing a major problem.

Just because you can have a knee-jerk reaction doesn't mean you should.

Re:What's so bad?

[Chris+Pimlott]

While the public messages get all the press, people who don't use twitter may not realize that you can send direct messages on twitter, which are private. That's what this system is using.

Re:What's so bad?

[rjolley]

They also let you do transfers. Which was in TFS if you bothered to read it. You can do this without sending account numbers (just use account suffixes) but what happens when your twitter account gets hacked and someone transfers all of your money from your checking suffix to your savings? Say hello to overdraft fees.

Re:What's so bad?

Let me show you why this is a bad idea. Even if it is just 'check 153 cleared' or 'ATM: amt withdrawn 300 dollars'.

'Hi this is XYZ from ABC credit agency we see that you have 300 dollars cash right now in your hands and you owe us 2389 and 48 cents please swing by and pay us'.

Or how about
'Hey I know where Jim lives and he has 300 in cash on him right now lets go rob him'.

Or how about

'We can glean information about peoples bank accounts from their twitter accounts and then connect it thru advertising' 'Monkey sees you have 1835.38 in your account isnt it time to buy that new plasma TV?!'

See why giving this sort of information away is a bad idea? Perhaps *YOU* can not think of anything bad to do with it that doesnt mean others cant connect the dots and do douchy things with it, and they will.

Re:What's so bad?

[PhxBlue]

While the public messages get all the press, people who don't use twitter may not realize that you can send direct messages on twitter, which are private. That's what this system is using.

Private? Yes. Encrypted? Not so much.

Re:What's so bad?

[stephanruby]

So does email, text messaging, and the telephone. So what's your point?

Twitter from Nigeria!

[retech]

I cannot wait to see how many twitter IP addresses start originating from Nigeria.

Twitter + Banking

Twanking

I will be Twishing your details

Tweet money to my account

[gogowater]

the only command I will tweet would be ...
Tweet: SELECT All Money FROM All_Accounts TO My_Account NOW!

List of banks?

[Yvan256]

Is there a list of banks that support this? Just so, you know, the intelligent people can move their cash OUT of these banks?

Not seeing the point

[mea37]

I don't see the point of the service, but then I don't use Twitter.

I also don't see the point of all the critics. Everyone alludes to how easily someone can steal your money with this. Ok... how?

I see a bunch of functionality where you can monitor your account status. The only thing I see that mentions affecting your account status is transfering money within your account. I guess that's enough that you could mess with someone, but where's the profit motive? You're going to commit wire fraud just to piss someone off?

Re:Not seeing the point

[YrWrstNtmr]

I also don't see the point of all the critics. Everyone alludes to how easily someone can steal your money with this. Ok... how?

Why would you purposely introduce another entity between you and the bank? A decidedly non-secure entity.

Don't forget about TwitPay

[Otto]

Site: https://twitpay.me/

Basically you attach your twitter account to your paypal account, then you can send money to any other twitter user with a simple message to that effect.

Of course, the catch is that the money never actually gets transferred until you "settle" the account. It just keeps a running tally for everybody, then you settle and pay the whole shebang at once.

Judge Orders Twitter Acct. Disabled

[retech]

So when I receive a twit from my bank about someone else's account will a judge order my account disabled?

Yo Dawg

[kefler]

I herd u like security holes, so we put Twitter in yo online banking software so you can have security holes in your security holes!

Spent a bit of time in banking industry

[FuturShoc1k]

What really surprises me about the idea of 'banking via twitter' is how the originating bank got this concept past their internal compliance officer/team/department. I just came off of a 6-month stint at an up-and-coming regional bank. While there, I learned a couple of really interesting lessons about banking in general: 1. Absolutely every breath they take and every move they make (rock on, Police) is filtered through federal and state regulatory compliance. 2. To my surprise, most non-national banks think nothing of throwing money at software solutions with outside vendors and these banks rarely require direct interconnectivity with what is referred to as their 'core' system. This, as it happens, is often an expression of point #1. So, I say #1 to point out that *someone* familiar with regulatory compliance must have signed off on the Twitter-banking idea. Many here have noted that the communication with a user's accounts is pushed into a private realm at Twitter, but that doesn't sound like an adequate separation to me. 'Private' tweeting or not, it seems to me that most compliance auditors would reel at the mere suggestion of tossing any account information into that electronic pool. They would also likely need to get some kind of compliance statement from Twitter itself to make the bank tweeting product available. I say point #2 just to say that I'm convinced there's alot of untapped opportunity in banking for hosted applications. ;-)

Your First Tweet After Using This

[BeaverAndrew]

Dear Twitter, I'm broke... follow me?

Obligatory South Park Reference...

[rotide]

Here let me invest that for you..and it's gone.