Mason Yaksh, Account Manager | Safe Systems
I’ve recently done a little extra research before and during my meetings with financial institutions. Mostly my interest surrounds whether a bank or credit union has a Facebook page, and if so, whether they’ve got a strong policy surrounding the use of social media. Oftentimes I’ll find out both by visiting the institution’s official website and then logging on to Facebook to do a quick search.
You’d be surprised what you can learn about a person or their financial institution simply by playing around on Facebook for half an hour. In one instance, I was able to find a bank on Facebook, see the names and pictures of bank employees and their families, find out a few of their hobbies and even learn where many went to church. On a visit to that bank several days later, we spent a little time talking about social media and – more importantly – their social media policy. They were hesitant to go into much detail at first. From the institution’s point of view, it was just a little harmless marketing. “What information could you possibly get from a Facebook page,” they asked, along with “What could you possibly do with it?”
Simply put, there’s plenty of personal information on there today. And while much of the data shared on social networks is fairly harmless, it can pose a significant threat in the wrong hands. For every Instagram photo of someone’s lunch, there’s a Foursquare check-in showing where a person lives, or a Facebook photo album showing the names and faces of the whole family. When you’re sharing it with friends, it’s fine. But in the hands of a fraudster, it could represent a treasure trove of valuable details and information for a social engineering attack. The right personal information can open many doors. For example, the biggest risk for financial institutions is pretexting, and not necessarily password cracking. That is, if a bad guy can gain enough information about a customer online (such as names, places and important personal information), they might be able to pose as a customer contacting the financial institution for account access.
For a financial institution and its employees, choosing what information to share and how to share it online is only part of the social media equation. But it’s also the part where you have the most control. The other, more difficult side to the equation is that upcoming guidance might also make the financial institution responsible for tracking all the things the general public is saying or sharing about the institution online. We’re still waiting on the final guidance from the FFIEC, but we expect social media will be something you need to understand for years to come.