TMI? Facebook, LinkedIn Cited as Sites for Fraudster Forays
The very things that make social media so popular also make them a potential problem for credit unions, their members and those in charge of fighting fraud.
Millions of Americans use Facebook, LinkedIn, Twitter and other sites to share information about their personal and professional lives with friends, colleagues and people who are, for all practical purposes, strangers.
Sometimes that is too much information. Even though they are not typically used to initiate transactions, social media sites can be fertile ground for fraudsters who, just as they did with e-mail phishing, use these growing channels to ferret out access to accounts.
"Social media is based on social interaction. Social engineering is based on convincing someone that you're someone other than who you are. Unfortunately, they can come together in a lot of ways," said Gary Bahadur, CEO of KRAA Security in Miami and a security management veteran of major corporations, who's now consulting and writing a book about social media threats.
Social engineering, of course, is the broad term given to the techniques fraudsters use to convince people to freely give up personal information that can unlock the virtual door between the crooks and the cash. And when they do, those who fight online fraud for a living can quickly lose the upper hand.
"Look, you can have the most intense encryption algorithm ever created, but eventually some human will have the password, and if that human volunteers the information, there's only so much you can do," said David Coffey, vice president of engineering at Perimeter E-Security, a Connecticut-based provider of enterprise IT security solutions.
Phishing, the use of bogus e-mails to pry information from consumers, has long been a favorite tactic, and by now most consumers should know not to visit websites that merely purport to be from their financial institutions, experts said. The problem with social media sites is the trust and openness endemic to personal conversations, even when those conversations take place online.
"When you innocently mention that you're going to be out of town, that's potentially telling the world when your house will be vacant. Even listing daily activities can let strangers know your routine and put you at risk," said Gail Cunningham of the National Foundation for Credit Counseling in Silver Spring, Md.
"In other words, if you're too revealing, you're asking for trouble because predators often cruise these sites hoping to steal your personal information for their gain," Cunningham said. "With just a few clicks of the mouse, they can learn a lot about you."
That is especially true at sites like Facebook and LinkedIn, where participants list personal and professional details that can be mined, for nefarious ends, to obtain even more sensitive information such as logins and PINs.
"With the information I can get from your Facebook page, you could easily be giving me what I need to get someone on the tech side or help desk to give me what I need to make my way in," said Bahadur at KRAA Security.
"What does your bank or credit union ask you?" Bahadur said. "They ask you for your name and address, your mother's maiden name, your birthday, favorite color, all that. A lot of times, you can find that on Facebook and other sites."
He added that LinkedIn, the professional networking site, poses a similar conundrum. "Say I work at AMD and you work at Intel. Or I work at Bank of America and you work at Citi. We might be likely to run across each other and begin communicating, and from there I might be looking for the place where you log into at work, and from there I just use the old password guessing game," he said.
Policies should be put into place and compliance with them monitored, experts said, especially when it comes to who is posting what on company Facebook pages and Twitter accounts. Some regulation and guidance, in fact, has already been established in that regard, such as FINRA's Regulatory Notice 10-06 from January on the supervision of social media networks and blogging sites.
That's on the corporate side, where it might be easier to keep the cows in the corral. Financial institutions need to pay attention to what their members and customers say and do online, too, and help common sense prevail, said Paul Schaus, managing partner with Catalyst Consulting Group in Phoenix.
"Remind them of things like not using the same password for Facebook as you do for your online banking, for one thing," Schaus said. "Credit unions, as community-oriented institutions, also can take the lead in instructing members about things like watching that children don't say things they shouldn't on their Facebook pages.
"You wouldn't walk out of a bank yelling, 'I just cashed a $30,000 check.' Well, don't announce on Facebook that 'Grandma just gave me a check for $250,'" Schaus said. "It's just as public."
Technology and policies can help, but "in the end, the only thing you can really do is educate," said Bahadur.