Are banks harvesting info from Facebook?
December 15, 2009 by Valerie Helmbreck. Posted in: Communication, Facebook, In this week's e-newsletter, Latest News & Views, cloud computing, e-commerce, social networking
In a previous post, we wrote about the privacy expectations that aren’t exactly being met by social networking sites like Facebook. Now, there’s speculation that social networking sites may be providing info on users to their financial institutions.
Imagine that, if you will.
On his blog, security researcher Roger Thompson tells a truly cautionary tale of a recent trip overseas when his credit card got frozen by his bank for fear the card had been stolen.
Seems the U.S.-based Thompson never let his bank know he’d be in the U.K., so when he tried to check out of a London hotel, his card couldn’t be processed.
Thompson got on the phone with his bank, Wachovia, to verify that he was in fact the card holder.
That’s when things got weird.
The Wachovia security rep started grilling him about details of his life Thompson had never provided them with. Sure, he’d given up his mother’s maiden name to be used for identity verification.
But the security rep on the line started asking questions about Thompson’s daughter-in-law, things he’d never told them about — her age and such. The security guy also used her maiden name, despite the fact she’d been married to Thompson’s son for nine years.
Ever the security researcher, he began to ponder where they could have gotten this data. His conclusion: The only place it existed online was Facebook, where his daughter-in-law was his “friend.”
In a follow-up to his original post, Thompson wonders exactly what was pondered here at FinanceTechNews recently: If everybody’s using Facebook for free, but there are scores of pricey developers writing applications for the site, then how exactly are they getting paid?
The commodity Facebook has to sell is information. Who could blame them if they put a price tag on it?
All those “apps” on Facebook that ask to use your information must be doing something with it. Are the creators of those farms or gardens or quizzes really all that interested in your fertilizer preference or who’d play you in a biopic?
Tags: bank, blog, credit card, Facebook, information, Roger Thompson, security researcher

December 22nd, 2009 at 9:36 am
This nation needs laws which require any organization that collects information about individuals and sells it to do the following:
1) Notify the individual how the information is collected
2) Notify the individual each time the information is transferred, including to whom.
3) Tag the information so the obligation to notify passes to the purchaser of it
4) Allow the individual to receive a copy of the information AT NO COST
5) Provide means for correcting false information (with legal liability for damages when there is not due diligence in processing a correction)
Yes I know many readers of this magazine will whine that that is too costly. Perhaps it would be if we assume every byte of data in every database in the country is needed. I am convinced most of it is simply collected and propagated because it is so cheap to do and it might be useful.
Making it a bit more expensive may be a good thing because it will force data gatherers to ask themselves “Do I really need that information?”
December 22nd, 2009 at 12:40 pm
The user of “free” services like Facebook is being “paid” by the provider for the information, by the user acct. being “free”. It is clear who is getting the better deal and it is not the user. Sites like that are like a bucket of fish hooks. Be careful when stepping into them. Users should ask themselves:
Do I really need this account?
What’s in it for me?
What’s in it for them?
How do I minimize the value of the information given?
What would happen if it were all made public?
TANSTAFL – “there ain’t no such thing as a free lunch”.
December 22nd, 2009 at 2:08 pm
This is a misunderstanding, but a frustrating situation.
I can shed a little light on what happened, how the information was obtained and why.
Trust me when I say this: Banks don’t want to spend the money to obtain, warehouse, and index that kind of information. In addition, they are incented by laws such as Gramm-Leach-Bliley (GLBA) to hold as little sensitive information as possible, and are directly accountable to the Federal government if they fail to protect it properly. Add to this that most banks are behind from a technology standpoint, and it would simply not occur to most of them to use Facebook to obtain this kind of information.
Many brokers and banks that handle money on your behalf subscribe to a 3rd-party service who trolls sources of publicly-available information, such as criminal history, voter registration, vehicle and license registration, county tax records, and the like, that are all “owned” by local, county, and state government, and possibly even Federal sources, but that are all considered to be “public record”.
Most states have privacy and anti-stalking laws that prevent an individual from obtaining this information, except under specific circumstances, such as an investigation, a court matter, vehicle accidents, etc…
So what happens is that the bank’s security guy gets on the phone with you. They have some personal information, such as your name and Social Security Number (SSN). Due to Federal anti-money laundering laws, the bank is REQUIRED BY LAW to obtain your SSN and have it on file. They enter this information into a feed from the third-party service, who crunches and grinds, researching and obtaining factoids about YOU, and uses them to generate questions. The interviewer sees the question, and types in the answer you provide. The verification service gives a green light or red light based on how the answer matches the information in its databases.
WHAT IS UNCLEAR is how this information is obtained, aggregated, protected, and stored. Meaning, is it stored on the 3rd-party’s systems? How is it transferred? What access controls, access protections, and access logging are in place to make sure it’s not misused? What rights do I as an individual have regarding their access to that information? Opt-in? Opt-out? NONE. Just as with a credit union, whose fundamentally-unethical business practice is to aggregate information about you and how you handle your money, with no legal protections for the consumer, you have no legal protections about how your so-called “public records” are managed either.
The security guy asks you for verbal approval to go through this process, and then it’s pretty much outside of both his control, and yours.
I had to go through this process with e-Trade, who I believe to be a fundamentally unethical company to begin with, and who asked me some very sensitive and personal questions that I felt were inappropriate. Such as, questions about my deceased mother. My choices were: answer these questions, or hang up.
Just imagine how uncomfortable the questions will be once the government makes all health records a matter of public record. Once they are centrally-stored, selling our information is just a step away.
THE NEXT phone call with your bank might go something like this: “Well, Bob, I see you haven’t had a prostate exam in 13 months, so while we’re verifying your identity, we’ll just sign you up for one. And, since the government dictates your health care, you can’t opt out.”
I’m completely tired of shadow organizations whose sole purpose is to make a buck off of my information, and here is what I’ve done:
1. I have patented my children’s DNA AND copyrighted it as an original work.
2. I have copyrighted my likeness and had it registered as a trademark. I have done the same for my wife and children.
3. I provide fake information wherever possible.
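The verification flow this commenter describes (a third-party service holds public-record data about the caller, turns it into questions, the agent types in the answers, and the service returns a green or red light) is sketched below as an added example. It is not code from this post, from any bank, or from any real verification vendor: the `KbaService` class, the agent and SSN values, and the record fields are all constructed, and the audit log is included to show the access-logging control the commenter says is missing from real services.

```python
"""Toy model of a knowledge-based authentication (KBA) verification call.

Constructed example: all records, names and identifiers here are fake, and
KbaService is a hypothetical stand-in for a real third-party vendor.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed "public record" data keyed by SSN. 000-00-0000 is never a valid SSN.
SAMPLE_RECORDS = {
    "000-00-0000": {
        "name": "Bob Example",
        "prior_street": "Maple Avenue",
        "vehicle": "Ford Taurus",
        "county_of_registration": "Example County",
    },
}


def normalize(text: str) -> str:
    """Case-fold and drop punctuation/whitespace so a spoken answer typed by the
    agent ("ford taurus", "Ford Taurus.") compares fairly against the record."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


@dataclass
class KbaService:
    records: dict
    audit_log: list = field(default_factory=list)
    pass_threshold: int = 2  # questions that must match for a green light

    def _log(self, agent_id: str, ssn: str, action: str, **extra) -> None:
        # Only the last four SSN digits are written to the log (data minimisation).
        self.audit_log.append({"agent": agent_id, "ssn_last4": ssn[-4:],
                               "action": action, **extra})

    def questions_for(self, ssn: str, agent_id: str) -> list[tuple[str, str]]:
        """Derive (question, expected_answer) pairs from the stored record.
        Every lookup is logged so misuse by an agent can be traced later."""
        self._log(agent_id, ssn, "lookup")
        rec = self.records.get(ssn)
        if rec is None:
            return []
        return [
            ("What street did you previously live on?", rec["prior_street"]),
            ("What make and model of vehicle is registered to you?", rec["vehicle"]),
            ("In which county is your vehicle registered?", rec["county_of_registration"]),
        ]

    def verify(self, ssn: str, agent_id: str, answers: list[str]) -> str:
        """Score the answers the agent typed in; return 'green' or 'red'."""
        qa = self.questions_for(ssn, agent_id)
        if not qa:
            self._log(agent_id, ssn, "no_record")
            return "red"
        matches = sum(
            1 for (_, expected), given in zip(qa, answers)
            if normalize(expected) == normalize(given)
        )
        result = "green" if matches >= self.pass_threshold else "red"
        self._log(agent_id, ssn, "verify", matches=matches, result=result)
        return result


def demo() -> dict:
    """Run one genuine caller and one caller who gets every answer wrong."""
    svc = KbaService(records=SAMPLE_RECORDS)
    genuine = svc.verify("000-00-0000", "agent-17",
                         ["maple avenue", "Ford Taurus.", "some other county"])
    wrong = svc.verify("000-00-0000", "agent-17", ["elm st", "honda", "nowhere"])
    unknown = svc.verify("999-99-9999", "agent-17", ["x", "y", "z"])
    return {"genuine": genuine, "wrong": wrong, "unknown": unknown,
            "log_entries": len(svc.audit_log)}


if __name__ == "__main__":
    print(demo())
```

Two of three matching answers clear the threshold in the first call, so the caller gets a green light even though one answer is wrong; the second call is red, and an SSN with no record is red without any questions being asked. Every call leaves entries in `audit_log` keyed by agent and the last four SSN digits, which is the kind of trail the commenter is asking real services to keep.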
December 22nd, 2009 at 3:20 pm
Hey Bob -
You say “I have patented my children’s DNA”. Cool. To be granted a patent you must explain how a practitioner of reasonable skill in the art can reproduce your invention.
What are the patent numbers?
December 22nd, 2009 at 5:15 pm
Richard:
Patent system is a quagmire. I intentionally used obscure wording.
Let’s just say that DNA sequencing is very expensive, but well worth the cost.
I have built a device easily reproduced by any practitioner of reasonable skill — I’ll leave the details to your imagination.
Agreed that the copyright is much more straightforward.
December 23rd, 2009 at 9:03 pm
Bob,
I will search the web for that. It couldn’t be much more difficult to make than a magnetic resonance spectrometer. Does it require blood? heh. I like your ideas. Fake info could be amusing in one of those security question scenarios. I do it as well.