We need a new way to log into sensitive online accounts because what we’re doing just now is not working. Whether we’re banking, checking the balance on a peer-to-peer loan, or paying a credit card bill, the plethora of passwords, passcodes and security questions to keep our details safe are rich pickings for fraudsters.
But all too often the carefully engineered security systems fall victim to a very human error: the inability to remember more than one password. The credit checking agency Experian has warned that many bank customers use the same password for online shopping accounts, social media and other services, meaning that a criminal hacking into one of the weaker accounts would then have access to a wide range of data and information. There’s been a recent surge in current account fraud thanks to people using the same passwords for all their online services.
And yet there’s also increasing demand for a smooth, easy-to-use customer experience, one that is at odds with the need for several layers of security when accessing financial services online.
And now it’s been suggested that, instead of being part of the problem, social media like Facebook could be the solution.
There’s a growing idea that the web would be a safer place if users had one online identity that they used to verify themselves across a range of services. And few online footprints are as rich and detailed as people’s social media accounts, such as Facebook.
Rob Sobers, director at data protection firm Varonis, explains: “Using a single social ID to access other applications and conduct secure transactions eliminates the problem of storing passwords and other personal information with dozens, if not hundreds, of sites and services. If one of those sites is breached, my password would remain safe.
“In fact, more and more sites are now providing the option to authenticate with Facebook or Google; and some are making it the only option.”
Dr Neil Costigan, CEO of behavioural biometrics enterprise BehavioSec, thinks that using social media to ID a user could become necessary because customers are impatient with anything other than a rapid, easy login experience.
He says: “Embracing social media services as identity providers could enable banks to provide the all-important seamless user experience we have come to expect from our digital services. We don’t want to be burdened with multiple authentication processes when trying to make a simple payment. However, the challenge is securing these social media platforms, without simply relying on us to keep our passwords safe.”
And there’s the rub. We’re not secure enough with social media even now, which can make us easy targets for data-gathering fraudsters. So relying on social media as a means of verifying identity for a new credit account or to log into our bank would carry serious risk.
“Having a single social ID act as a master key has its dangers,” agrees Mr Sobers. “That social ID becomes an extremely valuable target for attackers, since compromising it would theoretically lead to ubiquitous access… Even Facebook—the least anonymous social network—still doesn’t do rigorous validation to determine that you are truly who you claim to be.”
And even if the security were tightened, human error could still be a factor. A study into the psychology of online behaviour carried out by BehavioSec showed that one in three people said they had shared their login information for sites like Facebook, even though these websites can be a treasure trove of personal information that makes identity theft easy.
“Introducing social media logins to verify identity will only be successful if the security behind social platforms is made reliable – while maintaining the same seamless, frictionless experience users expect,” concludes Dr Costigan.
We’re a long way off a secure, personalised online identity that can be used to provide a seamless experience, whether the customer is accessing their current account or their Facebook.
But that doesn’t mean that social media couldn’t be used as part of a multi-strand method of online identification. Nick Mothershaw, ID and fraud expert at Experian, says: “Social media data could only be used as one of several factors to prove a person’s identity. But it cannot be used as the only factor, especially where a high level of trust in a person’s ID is required, such as in banking. Other data sources or ID evidence would be needed as well, such as a passport or driving licence validation.
“Social data could help younger people who don’t often have many other data footprints to prove their identity. The challenge is that it’s quite easy to take over a social media account as it’s only secured with a password and the login details are usually the person’s email address. There is no ‘second factor’ such as a one-time code via SMS to the user’s mobile to log on. So, even if there is a long history of activity on the social media account, the takeover possibility could make this a risky source of data to rely upon on its own.”
And, of course, security issues wouldn’t be the only concerns over synchronising a social media identity with various other online services; there are also serious questions over privacy to be considered.
Douglas Crawford, an online security specialist at BestVPN.com, says: “Banks using social media to aid logging in to personal accounts would be another nail in the coffin of privacy. Facebook, Twitter and other social platforms would know even more about you, and banks would have direct access to your social media profiles, which hold additional personal things such as party pictures. Depending on your party tricks, they may not be too good when applying for a loan.”