Banking Via Twitter?

In the latest example of how just because you can do something doesn't mean you should, one credit union has decided to offer a new feature, dubbed "tweetMyMoney," that allows members to interact with their accounts via Twitter. Can't wait for the next version, "tweetSomeoneElsesMoney." "tweetMyMoney, available exclusively to Vantage members! With tweetMyMoney, you can monitor your account balance, deposits, withdrawals, holds and cleared checks with simple commands. And, you can even transfer funds within your account. It's all available on Twitter, 24/7!"

two words

[Dyinobal]

I've got two words for this "Bad idea" seriously I wonder what genius thought of this up.

"Hey, I know what'd be great!"

[djkitsch]

"This Twitter thing, yeah, it's all, like, Web Two Point Oh, and customer synergy interaction right, and then people can, like, interact with their data and it'll be all like, in the Cloud! Yeah!"

I can guarantee something very much like the above took place in their marketing department shortly before this was built. I've spent 10 years listening to this from marketing geeks - nothing more dangerous than a new technology half-understood.

Re:"Hey, I know what'd be great!"

[sadness203]

Yeah, so what ? It's perfect, it's genius!
Now I only have to fit the nigerian scam letter in a 120 characters tweet... and they can, in one or two simple click, send me the money!
Can't you see the advancement ?

Re:"Hey, I know what'd be great!"

[masshuu]

U r heir 2 $200k, send bank info 2 this tweet long with $2,000 4 holding and verification.

Re:"Hey, I know what'd be great!"

[netsharc]

Yeah, does the bank also have a branch in Second Life? Come on man, Second Life, it's the future! Even CNN has an office there!

Oh wait, it's not 2007 anymore...

Funnily enough...

[djkitsch]

The same marketing people I can hear saying the above in my head did, honestly, suggest we "should be getting into Second Life" some years ago, but they were reluctantly dissuaded. A narrow escape for my development team, I think.

Re:

[BlindSpot]

We weren't so lucky... last year the department head where I was happened to be quite keen on Second Life and managed to sell it as a good idea to the rest of the organization. So, while a major project was tied up in the initial phases and there was nothing else to do, several of us were assigned to work on a "presence" in SL. Quite a bit of work was done, but I can't tell you if it ever got out of the "concept" stage because I left that organization shortly after. (*gasp*, what a shocker!) And no I am

Re:two words

[Captain Splendid]

I see your two words and trump you with one.

That's right folks, this is indeed the Apocalypse.

Re:

[maxume]

How disappointing to find out we live in such a pussy-ass universe. I want some fire and brimstone, or at least a few nuclear detonations.

Re:

[TheLink]

That pussy-ass universe you talk about is very intriguing, but I'm still stuck in the basement. Send some pictures you insensitive clod!

Re:

[bertoelcon]

If you want to see a pussy-ass universe go look at some porn. If you want to see the real world then check a news feed with images.

(Notice: Neither step involves leaving the basement.)

Re:

[VisualD]

Even if its secure from the perspective of other users (which it's not - does twitter even have a password policy?), it's ripe for abuse by twitter staff members, and anyone working in their co-lo centres (I'm assuming tweets are stored unencrypted). After all the push for two factor authentication and security management, we get this? Truly a WTF of the highest calibre.

Re:two words

[SEWilco]

"Hey, everybody, Susan has a balance of $347.88."

Re:two words

[Tanktalus]

"Not anymore!" *snicker*

Re:

[iamhigh]

I guarantee that the marketing guys will think this is a success. Banking is one of many industries that can benefit from "gettin'em young". I bet this will bring in a ton of new accounts; and that is worth far more than paying back a few thousand because someone's twitter account got pawned.

Re:

[xaxa]

I wonder how long that will last.

In their desperation to get people to switch accounts, most UK banks make it relatively easy to switch accounts -- they'll move all your direct debits (automatic bill payments) and so on.

A few years ago, when I opened my student account, I got a free 5-year railcard (gives 33% off train fares, worth over £100, I've saved way more than that).
I switched accounts 6 months after I graduated.

Re:two words

[Runaway1956]

Obligatory post, really:

"But, what could go wrong?"

Re:

[Anonymous Coward]

I was laughing . . . until I realized it was my bank.

Suddenly the humor in it escapes me.

Two words

[dgatwood]

Epic FAIL!

Re:Two words

[dgatwood]

Or the LOLCats version

http://bighugelabs.com/output/lolcat6528288a5fbaabe890a88dbfecccb45635d9ef59.jpg [bighugelabs.com]

Re:

[Anonymous Coward]

Your epic fail is having an epic fail.

Page not found (/.d already?)

Re:

[dgatwood]

Yeah, apparently that site deletes the generated images after an hour or so. It showed a cat on a keyboard and said "I'm on ur Twitter" at the top, and at the bottom, "Sendin monee to Switzerland."

Moderation

[commodoresloat]

I have mod points for this comment but I can't find the "+1, Recursive" option?

Re:Two words

[_Sprocket_]

Twitter meets banking: a whale too large to fail.

Transactions need 3 elements to be safe...

[Anonymous Coward]

1. Target needs to be authenticated to the user. This should require some positive action, as opposed to relying on certificates which are mostly ignored and whose provenance is not as strongly assured as was initially advertised.
2. Customer needs to authenticate to the target. Passwords are not enough since humans can remember approximately 1 password only, and only if they use it constantly. The authentication should change and replays should be rejected.
3. Customer must affirm details of the transaction before it is committed. This too must use some method that is changeable and disallows playback.

Ideally a transaction will have all these elements in one idempotent package, the way for example a check might if the signature were a better biometric than it is and if the signature were checked always. That is however technically awkward on a net, so the 3 elements listed may need to be separately done. Omitting any of the elements allows different classes of attacks. If all the elements are present and tied together, attacks become very hard. Also, note, step 3 makes it largely irrelevant whether the customer is declared not-present afterwards or not. It serves also to terminate the transaction. Whether another transaction is begun or not is for the most part immaterial. (A method I have advocated to accomplish these would allow several transactions to be tied together if desired, in one session, but there would always be a "signature" or "affirmation" step for each, even if the initial authentication steps were recent enough to continue to use them.)

This needs hardware. However it can be done very cheaply; the hardware needed can in quantity be had for perhaps $3 a copy, possibly less, even as electronics. Paper approximations could be far cheaper still.

Re:

[selven]

For 1: (I'm ignoring user friendliness, this is all theory)

1) User sends random string to bank
2) Bank encrypts with private key (impostors won't have this)
3) User decrypts encrypted message with the bank's public key and checks against the original random string. If they are the same, the authentication is successful.

Now, someone needs to create a Twitter implementation.

Re:

[icebraining]

"relying on certificates which are mostly ignored"

Re:

[selven]

It's not like a certificate - it doesn't rely on VeriSign or anything like that - it's a plain old digital signature.

Re:

[Nursie]

There's nothing wrong with certificates.

You just need the browser to not include all the broken ones, and potentially have a "bank mode" that only uses a CA run by your actual bank.

Better hope that it's secure.

[LitelySalted]

This seems like a GREAT way to lose all your money quickly.

I guess after it happens, you'll at least have something to really tweet about (as opposed to the fact you bought the new Brittney Spears album - no one cares!).

Re:

[A nonymous Coward]

Are you sure about that? [kovideo.net]

Nobody loves me, but my mother,
And she could me jivin' too.

Re:

[madsenj37]

Is the third one down [collegehumor.com] your mother?

"See anything seriously wrong with this story?"

[mcgrew]

How about the very idea of banking by twitter? What twit thought THAT one up??

With tweetMyMoney, you can monitor your account balance, deposits, withdrawals, holds and cleared checks with simple commands. And, you can even transfer funds within your account. It's all available on Twitter, 24/7! And, the best part is, our tweetMyMoney service is free!

So how is this mobile? If your phone can send and receive text messages and you're on Twitter, you're in! tweetMyMoney uses Twitter's Direct Message feature to return the account information you request.

I don't need Twitter for that -- I just call the bank and talk to a human.

Now we see why the banking industry is so screwed; it's run by morons.

Re:

[xaxa]

"Welcome to [...] telephone banking. Please enter your account number, followed by hash"
beep boop beep biip boop beep beep boop baap
"Please enter the fourth digit of your PIN"
boop
"Please enter the last digit of your post code"
beep
"In the word 'money', 'N' is in position three. In your password, what position is 'F' in?"
boop
"Your balance is £1234.56. Press 1 to..."

I feel more comfortable communicating with a robot.

(Having said that, I've only ever checked my balance. I'm not sure I'd do anything more t

Re:

[Dare nMc]

Right now what is missing on craigslist is the ability to safely do confirmed transfer of large purchases. With fake bank checks the norm now, their is no way, even face to face, to say you got my $5000 I got your car, transaction complete (that I know of, short of $5000 in bills, then your both ripe for robbery.) Paypal was close at one point, but you give a single piece of info your email, and you get back a single piece of info email confirmation to that email (just a spoofed paypal email, skip the mid

Re:

[Dare nMc]

Didn't add, the phone call to the bank needs to be private as well. Caller-id is too easy to spoof, so then you give out enough details to confirm your ID that whoever is within ear shot to know how to access your account as well. So you have to get privacy from the person your doing business with, but neither side can trust mid transaction for the other to leave to verify transfer...

Re:

[cayenne8]

"Right now what is missing on craigslist is the ability to safely do confirmed transfer of large purchases. With fake bank checks the norm now, their is no way, even face to face, to say you got my $5000 I got your car, transaction complete (that I know of, short of $5000 in bills, then your both ripe for robbery.)"

I'd do it the same way I've always done something like that...a car at least. I go down to the BANK, and let them handle the transaction. If not a bank check to bank...I like a wire transfer ev

Re:

[captaindomon]

I don't need Twitter for that -- I just call the bank and talk to a human.

You obviously don't do much banking. Or handle business accounts. Or do much company-reimbursed travel or entertainment. Or handle one of a hundred other things for which calling the bank every hour is not reasonable.

Now we see why the banking industry is so screwed; it's run by morons.

No, it's run by people that realize they make the most money off of people that do lots of banking, handle business accounts, do company-reimbursed travel, and other things for which contacting the bank IN PERSON every hour or so is not reasonable. People that "call the bank", on the phone, ar

uh oh

[wesslen]

Tweet: you're broke. :) Thank you for choosing stupidity banking.

Re:uh oh

[hoggoth]

> Tweet: you're broke. :) Thank you for choosing stupidity banking.

And, Its gone... [vodpod.com]

Re:

[dswensen]

Not anymore you don't. Poof!

tweet = text (for most part); step backwards

[peter303]

You want to interact with your bank with a richer GUI than just text messages.

Re:

[vlm]

You want to interact with your bank with a richer GUI than just text messages.

You mean, like show pictures of coins and bills for people whom are uneducated enough to not understand numerals or arithmetic?

Re:

[Mister Whirly]

Exactly. Except that we call them "Tweeters".

Re:

[Korin43]

Personally, i like interacting with my bank by text message. If all I need to know is my balance, text balance to the bank and found out. The problem I have with this is that I want to interact with my bank, not Twitter.

Pffft

[MyLongNickName]

120 characters isn't big enough for my account balance.

Re:Pffft

[PrescriptionWarning]

Yeah I guess that negative symbol would carry your message over to 121 wouldn't it.

Re:Pffft

[megamerican]

He's from Zimbabwe you insensitive clod!

Re:

[eln]

It would be if you didn't insist on displaying your account balance to the 119th decimal place.

I'd Prefer to Bank via MySpace

[swanzilla]

As long as Iâ(TM)m throwing caution to the wind, Iâ(TM)d like to hear some embedded MIDI while I bank.

A new joke every day!

[wastedlife]

Dear Vantage customer, our free joke service will send you a tweet every day with a new hilarious joke. Please tweet "#tran $1000 f1 t123456" to @myvcu to start!

What's so bad?

[LMacG]

Lots of OMGWTF!!! responses here, but having looked over the information they're providing (balances, holds, cleared checks, etc) and noting that there's no transmission of account numbers, PINs or other identifying information, I'm not seeing a major problem.

Just because you can have a knee-jerk reaction doesn't mean you should.

Re:What's so bad?

[Chris Pimlott]

While the public messages get all the press, people who don't use twitter may not realize that you can send direct messages [twitter.com] on twitter, which are private. That's what this system is using.

Re:What's so bad?

[PhxBlue]

While the public messages get all the press, people who don't use twitter may not realize that you can send direct messages on twitter, which are private. That's what this system is using.

Private? Yes. Encrypted? Not so much.

Re:

[Dare nMc]

sounds like their is a secure solution Cryttr [codeplex.com] mostly does that. although I am not sure this would really accomplish what you wanted unless the bank was willing to exchange keys with you as well.

Re:

[stephanruby]

So does email, text messaging, and the telephone. So what's your point?

Re:

[TheLink]

How about phone banking then?

Re:

[Paul Carver]

What's the point of involving twitter if you're sending a direct message? Why not just send the message directly and skip the step of sharing your message with twitter? Private? In what sense is a message that you send unencrypted to a company you have no contractual relationship with private? If Twitter isn't using your messages to somehow make money I can't imaging why not. They may not have a good plan, but I can't believe they don't have some scheme in mind to make money off of your messages.

If you feel

Re:

[rjolley]

They also let you do transfers. Which was in TFS if you bothered to read it. You can do this without sending account numbers (just use account suffixes) but what happens when your twitter account gets hacked and someone transfers all of your money from your checking suffix to your savings? Say hello to overdraft fees.

Re:

[BobMcD]

I have a password requirement for this kind of information from my bank. I'm not sure I'd want these kinds of information in public space.

I imagine attackers would find this to be of high value:

1) You can reasonably identify and even physically locate Twitter users

2) This information tells you the status of their bank account, along with usage data that gives one the idea of when it is most ripe (after payday, before the bills come out automatically)

3) This information could be used to predict your physica

Re:

[Anonymous Coward]

Let me show you why this is a bad idea. Even if it is just 'check 153 cleared' or 'ATM: amt withdrawn 300 dollars'.

'Hi this is XYZ from ABC credit agency we see that you have 300 dollars cash right now in your hands and you owe us 2389 and 48 cents please swing by and pay us'.

Or how about
'Hey I know where Jim lives and he has 300 in cash on him right now lets go rob him'.

Or how about

'We can glean information about peoples bank accounts from their twitter accounts and then connect it thru advertising' 'Monk

Re:

[mcgrew]

It's a dumb idea. You can do any of those things (at least with my bank) on your cell phone or even POTS. All you have to to do is call the bank and talk to a human.

Re:

[Monkeedude1212]

there's no transmission of account numbers, PINs or other identifying information

To set it up, those must be entered at least once. Which means they are being called SOMEWHERE in the process of using it on twitter. Which to hacker, means it can be accessed.

If Twitter can be hacked, your banking information can be stolen. Simple as that.

And I don't mean, login to your twitter, transfer the money, haha its gone,
I mean, login to twitter, get your info, go to your banks site, login there, haha its gone.

Re:

[captaindomon]

Yeah, I agree. Most banks already offer this over unencrypted email (including the big guys like American Express Business Accounts). It's just giving you your balance and some other information and allowing you to transfer within multiple accounts that you own. It isn't letting you perform a true wire transfer out of your account. Relax, everybody.

Twitter from Nigeria!

[retech]

I cannot wait to see how many twitter IP addresses start originating from Nigeria.

Twitter + Banking

[Anonymous Coward]

Twanking

I will be Twishing your details

Re:

[Anonymusing]

"Twanking" -- okay, I nearly spit up my coffee. Thank you.

Re:

[Tony Hoyle]

Genius.

I hope that becomes the official name.

Re:

[schon]

I think the term Twinking [wikipedia.org] would be more apt :)

Tweet money to my account

[gogowater]

the only command I will tweet would be ...
Tweet: SELECT All Money FROM All_Accounts TO My_Account NOW!

List of banks?

[Yvan256]

Is there a list of banks that support this? Just so, you know, the intelligent people can move their cash OUT of these banks?

Not seeing the point

[mea37]

I don't see the point of the service, but then I don't use Twitter.

I also don't see the point of all the critics. Everyone alludes to how easily someone can steal your money with this. Ok... how?

I see a bunch of functionality where you can monitor your account status. The only thing I see that mentions affecting your account status is transfering money within your account. I guess that's enough that you could mess with someone, but where's the profit motive? You're going to commit wire fraud just to piss someone off?

Re:

[bcmm]

Everyone alludes to how easily someone can steal your money with this. Ok... how?

Just off the top of my head, does Twitter require that one uses HTTPS to access it? MITM.

Re:

[Tony Hoyle]

Nope. Just HTTP.

Twitter is not secure. It doesn't pretend to be.

Re:

[mea37]

You didn't answer my question.

I'm not asking how you would subvert the system.

I'm asking how you would profit from subverting the system.

Yes, Twitter is insecure. And?

Re:

[bcmm]

It's a start. Your current balance to the penny is a common bank security question. Making it publicly available removes one step for someone trying to collect enough security question answers to impersonate you.

Re:Not seeing the point

[YrWrstNtmr]

I also don't see the point of all the critics. Everyone alludes to how easily someone can steal your money with this. Ok... how?

Why would you purposely introduce another entity between you and the bank? A decidedly non-secure entity.

Re:

[dword]

You're going to commit wire fraud just to piss someone off?

Yes. Maybe you're not worried if someone finds out the details of your bank accounts, but I am!

Re:

[mea37]

More allusion and still no explanation.

Go read what the service provides, and explain specifically what valuable information you think someone can intercept in this way. "Details of your bank accounts" is too vague to mean anything.

Re:

[dword]

With tweetMyMoney, you can monitor your account balance

'nuff said, my balance is very important and I'm sure it is also important to many others.

likely outcome predicted 152 years ago

[Trepidity]

Harper's had the foresight to publish [google.com] an anthropomorphized metaphorical tale of the interactions between Twitter and banks, some years ago:

Twitter laid down Halibut's money, with six cents additional drawn from his own pocket, on the counter, and took two cigars, one of which he presented to Halibut. Dukling scrutinized the dollar bill with provoking keenness.

"Have you another bill, Sir?" said Dukling, with an innocent smile.

"Nothing so small," answered Twitter, uneasily.

"This bill is bad," replied Dukling,

Don't forget about TwitPay

[Otto]

Site: https://twitpay.me/ [twitpay.me]

Basically you attach your twitter account to your paypal account, then you can send money to any other twitter user with a simple message to that effect.

Of course, the catch is that the money never actually gets transferred until you "settle" the account. It just keeps a running tally for everybody, then you settle and pay the whole shebang at once.

Re:

[Tony Hoyle]

No potential for massive abuse there... Nooooooo...

Seriously, I think that anyone who goes into marketing should immediately be shot for the good of society.

Judge Orders Twitter Acct. Disabled

[retech]

So when I receive a twit from my bank about someone else's account will a judge order my account disabled?

One more gateway for hackers

[dword]

This sounds to me like "another hole in the wall".

Re:

[dword]

Here's another thought: what if twitter.com gets hacked? I'm sure there's lots of other juicy stuff there, but why would anyone encourage you to post your financial details on a 3rd party server? Whoever had this idea should be shot and then hanged alive as an example for other "bright" marketers.

Web page defaced ?

[ivan_w]

I get it.. it's SO enormous.. and since we're not April 1st, I can only conclude the web site was hacked and some witty nerd pranked them..

Ah ah.. tweet banking.. uh uh.. funny..

--Ivan

gotta love twitter pr

[Edmund Blackadder]

It's as if they made people forget about this little thing called the Internet. Pretty soon they will tell me that I can look at lol cats and porn via twitter and expect me to be super excited.

financial open information intersection

[drDugan]

when I first read this description, I thought it was about people using twitter to by open and public about their money.

In most other parts of the world the Internet is driving companies and products to "out-open" each other. more transparency wins, more obvious pricing models win, easier services win. People who are more open and more public about their lives are more successful generally (though its not clear which are the causes and which are the effects).

This drive toward open has not reached financia

I have only one thing to say

[Cro Magnon]

This idea is truly for the birds!

Re:

[selven]

Banking over Avian Carriers?

Holy crap...

[thePowerOfGrayskull]

I'm usually first to argue with the vehement anti-twitter sentiment 'round here, but this is just an asinine and foolhardy idea.

Since the launch of our new MyVantage online account management system in April, many members have asked for a mobile banking solution. We'r

And this is what you've come up with? Not ... I don't know, secure email, hell even text messages... no, we'll use twitter for submitting private banking info? And oh, just happen to share it with the twitter corp as well? Genius, pure genius.

Yo Dawg

[kefler]

I herd u like security holes, so we put Twitter in yo online banking software so you can have security holes in your security holes!

wow

[greymond]

this has got to be the dumbest idea from a financial institution since that guy from the anti-identity theft company gave out his social security number and then has funds withdrawn from his account and credit cards opened in his name...

Spent a bit of time in banking industry

[FuturShoc1k]

What really surprises me about the idea of 'banking via twitter' is how the originating bank got this concept past their internal compliance officer/team/department. I just came off of a 6-month stint at an up-and-coming regional bank. While there, I learned a couple of really interesting lessons about banking in general: 1. Absolutely every breath they take and every move they make (rock on, Police) is filtered through federal and state regulatory compliance. 2. To my surprise, most non-national banks th

Your First Tweet After Using This

[BeaverAndrew]

Dear Twitter, I'm broke... follow me?

Obligatory South Park Reference...

[rotide]

Here let me invest that for you..and it's gone.

Why this is a bad idea

[twistah]

Does anyone else worry about sending sensitive information over a service like Twitter, which has had security issues in the past? And, assuming this works over DMs, what if a user instead accidentally uses a reply or just a straight Twitter post? What sort of information have they just inadvertently exposed?

Security issues in the past

[DragonWriter]

Does anyone else worry about sending sensitive information over a service like Twitter, which has had security issues in the past?

Is there any means which has ever been used to communicate sensitive information -- including contracted couriers, the USPS, telephones, and in-person oral conversations -- that has not "had security issues in the past"?

Re:

[PRMan]

Is? Or was?