Security pros concerned about Facebook payment expansion

Experts have concerns about Facebook's move to allow retail payments

Facebook's Messenger app has allowed users to send money to friends using their debit cards since last spring, but recent reports indicate that Facebook may be considering a move into the retail payments space as well, following in the footsteps of Apple, Samsung and Google. Facebook will need to be careful, however, not to become yet another channel for criminals, security experts say.

For many users, logging into Facebook is not treated as a major security matter: after all, it is a fun social platform, not a bank. That attitude shows up as short, easy-to-remember passwords, for example.

Unfortunately, the Messenger app uses the same login and password as the Facebook account itself, said Kayvan Alikhani, senior director of technology at RSA Security. There is also the concern that strong authentication is not enforced for payments.

This means that criminals would have an easier time taking over multiple accounts and moving money between them, evading some risk controls, since the transfers would look like ordinary payments between friends on a trusted network.

Alikhani recommended the use of two-factor authentication for money transfers, especially when they come too frequently or are for high dollar amounts.


"In addition to the ongoing risk-based authentication, the app should enforce either on-device biometric authentication methods available to the user, when and where possible, or one-time-password based authentication, or at a minimum -- as unpopular as it is -- require complex passwords for money transfers," he said.
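As an added illustration, not code from Facebook, RSA or the article, the following Python sketch turns the two step-up triggers Alikhani names, transfers that come too frequently and transfers for high dollar amounts, into a concrete decision: whether the ongoing risk-based authentication is enough, or whether a second factor (on-device biometrics where the device has them, otherwise a one-time password) must be presented before the transfer goes through. The thresholds, the one-hour sliding window, the function names and the transfer history are all assumptions constructed for the example; a real deployment would tune them from fraud data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed policy values for the example; a real system would tune these from fraud data.
HIGH_AMOUNT = 200.00                  # a single transfer at or above this is "high dollar"
VELOCITY_WINDOW = timedelta(hours=1)  # sliding window used to judge "too frequent"
VELOCITY_LIMIT = 3                    # three prior transfers in the window makes the next one "too frequent"


@dataclass
class Transfer:
    ts: datetime
    amount: float
    recipient: str


def recent_transfers(history: List[Transfer], now: datetime) -> List[Transfer]:
    """Transfers that fall inside the sliding window ending at `now`."""
    return [t for t in history if timedelta(0) <= now - t.ts <= VELOCITY_WINDOW]


def step_up_reasons(history: List[Transfer], new: Transfer) -> List[str]:
    """Return the reasons a second factor is required; an empty list means the
    ongoing risk-based authentication is sufficient for this transfer."""
    reasons = []
    recent = recent_transfers(history, new.ts)

    # Trigger 1: a high dollar amount on its own.
    if new.amount >= HIGH_AMOUNT:
        reasons.append("high_amount")

    # Trigger 2: too many transfers inside the window (velocity).
    if len(recent) >= VELOCITY_LIMIT:
        reasons.append("high_velocity")

    # Trigger 3: a large amount split into several small transfers inside the window.
    # Each piece stays under HIGH_AMOUNT, but the window total does not.
    window_total = sum(t.amount for t in recent) + new.amount
    if new.amount < HIGH_AMOUNT and window_total >= HIGH_AMOUNT:
        reasons.append("split_transfer")

    return reasons


def choose_factor(device_has_biometric: bool) -> str:
    """Prefer on-device biometrics when available, otherwise fall back to a one-time password."""
    return "biometric" if device_has_biometric else "otp"


def authorize(history: List[Transfer], new: Transfer,
              device_has_biometric: bool, second_factor_ok: bool) -> Dict[str, object]:
    """Decide whether the transfer may proceed. `second_factor_ok` stands in for the
    result of the biometric or OTP challenge, which this example does not perform."""
    reasons = step_up_reasons(history, new)
    if not reasons:
        return {"allowed": True, "factor": None, "reasons": []}
    factor: Optional[str] = choose_factor(device_has_biometric)
    return {"allowed": second_factor_ok, "factor": factor, "reasons": reasons}


# Constructed sample history for the demonstration (not real data).
BASE = datetime(2016, 3, 1, 12, 0)
SAMPLE_HISTORY = [
    Transfer(BASE - timedelta(minutes=50), 20.0, "alice"),
    Transfer(BASE - timedelta(minutes=30), 15.0, "bob"),
    Transfer(BASE - timedelta(minutes=10), 25.0, "carol"),
]

if __name__ == "__main__":
    # A fourth small transfer within the hour trips the velocity rule.
    print(authorize(SAMPLE_HISTORY, Transfer(BASE, 10.0, "dave"), True, True))
    # One large transfer with no recent history trips the amount rule.
    print(authorize([], Transfer(BASE, 250.0, "dave"), False, False))
```

The third rule is the caveat a practitioner would add to the quoted advice: if only the single-transfer amount is checked, an attacker who has taken over an account simply sends the money in pieces that each sit under the threshold, so the window total has to be checked as well.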

Another attack is to use Facebook to create brand-new accounts, connect them to stolen credit cards, and then use Messenger to transfer the money out or make purchases, said Neil Bergman, consultant at Cigital.

"In theory, Facebook could strengthen the registration process via additional identity verification, but that would require collaboration with the issuing banks," he said. "For example, Apple Pay requires additional verification via email, SMS, or a call center depending on the bank when adding a card to the Apple account."

In fact, despite Apple's verification steps, there were still numerous incidents of fraud when Apple Pay was rolled out.

Social integration

Facebook payments come with an extra twist when it comes to security. Not only can the platform send money, it also collects an enormous trove of personal information about its users, making it a gold mine for social engineering attacks.

"Facebook creates enough data which the hacker can easily correlate and cross correlate in order to create a convincing and reliable story," said Amit Ashbel, product marketing manager at Checkmarx. "You can never know who you are really talking with on Facebook. If a hacker has successfully infiltrated a Facebook account of one of your friends, they are now your friend, family or colleague."


Traditional payments and banking institutions have long been struggling with fraud, he added.

"PayPal -- the king of online payments -- is still struggling with security and they have been around for almost 20 years," he said.

If Facebook continues to expand its payments platform to become a serious player, it will be facing the hackers' full arsenal of existing weapons, in addition to the social engineering issues, he said.

"Tying a social network to a payment system introduces insanely easy social engineering opportunities for cybercriminals," said Zach Forsyth, director of enterprise product line management at cybersecurity firm Comodo Group. "A botnet, for example, could be created with the sole purpose of using compromised Facebook accounts to social engineer users' friend lists into sending payments. If the botnet is expertly crafted, then who would question its authenticity and not send one of their dear friends a few bucks for their latest cause or charity operation? This is the proverbial goldmine opportunity for the cybercriminal."

The mobile aspect adds yet another wrinkle, according to Oren Kedem, vice president of product management at authentication security firm BioCatch.

Android devices are vulnerable to remote access scams, he said, where hackers use remote support tools and clever social engineering to take over someone's phone.

"We haven't seen any phone yet where it didn't work," he said.

Banks and other traditional financial institutions have gotten better at spotting these kinds of attacks, adding verification steps before, say, allowing users to add or change payee details via a mobile app.

Facebook's Messenger app is designed to make sending money to friends quick and easy, however, and as it becomes more popular with users, it may also become a convenient channel for theft, he said, if Facebook doesn't also upgrade its authentication measures.

"Linking real money to a Facebook account seems like a significant increase in personal attack surface," said Tod Beardsley, engineering manager at security firm Rapid7.

Easy connections

Many people prefer to err on the side of being sociable when it comes to accepting requests from strangers, especially if they have friends in common or want to play games together.

"They're thinking that the worst thing that can happen is a loss of privacy and pictures," said Dotan Bar Noy, co-founder and CEO at Re-Sec Technologies. "However, with money on the table along with the other new commerce-related bots, the level of effort that a cybercriminal is willing to invest to get into your account and your money is much greater. Hacking a Facebook account is now a business, just like ransomware or any other money-driven hack."

He suggested that users may need to become more selective about approving friend requests.

"Friending one wrong account can lead to a domino effect of infecting a large branch of Facebook friends," he said. "For its part, it may be time for Facebook to increase the friction of connecting with people outside of your network to make it harder for widespread attacks to proliferate."

Some security experts were also concerned about the increasing erosion of personal privacy.

"Now, besides everything else, Facebook also knows how you spend your money," said Guy Peer, co-founder and vice president of R&D at Dyadic Security.

Stories by Maria Korolov