Should Social Sign-in be Used For Financial Services?

Dec 2nd, 2011 | Posted by

Earlier this week, startup Movenbank came under fire for allowing users of its alpha site to sign in using Facebook credentials. Should Facebook be used to identify and authenticate users at a banking site? I commend the Movenbank team for trying something different and for attempting to use a standard that’s already in place. I understand the concept and the idea behind using a social tool. However, I don’t believe that a Facebook Connect login has a home on a secure banking site. Firstly, Facebook and privacy don’t exactly go hand in hand. Even more importantly, Movenbank is a front-end solution and is going to require bank partners sitting in the background. I’m not aware of too many banks that are going to be comfortable with the notion of a Facebook login. Facebook and banking are still like oil and water, and it’s going to take quite some time before that changes. There’s good reason for this. Facebook is still too much of an open book, and Facebook Connect isn’t exactly the most secure thing around. The online video site Hulu is an excellent example. Earlier this year, a small number of Hulu users found this out the hard way – users were being erroneously logged into the accounts of other users. Hulu claimed “that it was a coding and configuration error on Hulu’s side, and not the result of hacking, or other third party actions, or a vulnerability in Facebook Connect.” Sure, Hulu, this had nothing to do with the third-party tool…

Facebook Connect isn’t ready for prime time for online or mobile banking. There are many who are going to disagree with me here, particularly given the popularity of Facebook Connect. Sure, it’s cheap and fast to get up and running. Cheap and fast doesn’t equate to secure or private, particularly once the FFIEC gets into the picture. To be fair, Movenbank does plan to “supplement the registration and login features with additional authentication channels, including a private, Movenbank-specific user identity.” Now I’m not sure what “supplement” means here exactly, but I take it to mean that the user will have options and a second factor of authentication. I hope one of the options is not Facebook.

  1. Chris Fleischer
    Dec 2nd, 2011 at 15:41

    Word is that supplemental registration will come from Sony’s Playstation Network :) All kidding aside, great post, Jacob. The balance of security / fraud issues with convenience is completely tilted one way. But the innovative spirit to simplify menial tasks is appreciated. I think the use of Facebook isn’t so much to simplify sign-in, but a more concerted effort to make banking … er, sorry, bad term, can’t say “banking” anymore … er, financial transacting more social. Instead of telling people you just ate at Subway, now you can tell people you spent $6.75 at Subway. Interesting? Maybe. Compelling? Not sure. Worth pursuing and seeing where it goes (hit or miss)? Absolutely!

  2. Jim Marous
    Dec 5th, 2011 at 08:12

    With supplemental insight available from other sources, social sign-in provides a wealth of insight around behaviors and trends in addition to security safeguards. Recent studies show that while consumers are concerned about privacy, they are still willing to share their social information as long as there is a benefit from this sharing. Finally, I don’t think Movenbank or any financial would make social sign-in a requirement for opening a new account.

  3. Jacob Jegher
    Dec 5th, 2011 at 09:22

    Chris and Jim, thanks very much for your comments.

    I’m not sure it matters if consumers are willing to use social sign-in or not (if there is a bank in the picture). Most banks can barely get the go-ahead from compliance and legal to move ahead with a static Facebook page. Moving to social sign-in would be a stratospheric leap.

  4. Jim Marous
    Dec 5th, 2011 at 10:39

    Again, I don’t see social login as a replacement for some of the current strategies, but as an enhancement. If the bank (either existent today or not) combines social login with other accepted verification tools, the value to the customer and the bank can be enhanced. As mentioned in my post on the subject last week (http://bit.ly/uPOeIr), there are still significant security and privacy issues to be resolved, but the best banks will find a way to leverage social insights for the benefit of the customer while speeding up the new account opening process. As long as there is a 50% new online account abandonment rate, there will be organizations looking for improved processes.

    The idea of social login may not look like it does today, but the simplicity and value of combining social and non-social tools is invaluable.

  5. Andy Miller
    Dec 5th, 2011 at 16:11

    I have no intention of ever using any common log-in elements between general websites including social networking sites and financial sites. The reason is I want to keep hold of my money.

    I take Jim’s point that there would be other security unique to the bank, BUT the reason the additional security check is mentioned is because the doubt is already there in people’s minds that the social media security may be compromised. Hence the bank’s security is weakened to the extent of the common items.

  6. Jack
    Dec 7th, 2011 at 12:14

    Questions:
    1) Why would a bank want to put Facebook in between itself & its customers?
    2) Why would a customer even contemplate mixing banking information with the typical information that is captured on Facebook?
    3) What % of bank customers either don’t complete the “log-in” process because they forget their username & passwords or the sign-on process is too cumbersome?
    4) What about single point of failure?

  7. Rich Clow
    Dec 8th, 2011 at 20:53

    Jacob- great post and engagement here.

    I commend the Movenbank team to drive customer experience as the priority.

    That said, Alpha is just that, and FFIEC regulations are very black and white – in its current state neither OAuth nor Facebook will pass muster…

    I think the key here is that Movenbank’s bold move is a stalking horse – conversation has begun (when was the last time a 2-paragraph post solicited this much engagement this quickly?) and that’s progress. The irony is that there’s much more innovation behind CRED and the overall products offered by Movenbank which justify more conversation.

    cheers.

  8. Tod Yates
    May 25th, 2012 at 10:22

    One very important thing being overlooked in this conversation is “how is Movenbank using its social integration?” And also, if using OAuth, what protected resources are they exposing to those authenticated using Facebook or any other third party? The assumption appears to be that Movenbank is using Facebook authentication for sensitive transactions (new account registration). I doubt that; governance would have wagged a finger at the mere thought. If Movenbank is exposing only brochure information or promoting a partner (travel site, etc.), then I applaud them.

  9. Sunil Madhu
    Dec 17th, 2013 at 23:11

    Something worth noting that most people aren’t aware of: Facebook has obtained remittance licenses in all 50 states in the US as it gears up features to compete against Amazon’s Login and Pay and as it looks at mobile digital wallets. The main point here is that in order to get those remittance licenses, Facebook has to be compliant with FFIEC, PCI DSS and a plethora of other requirements. So from a Customer Identification Program perspective (commonly referred to as Know Your Customer), it can be argued that a deep check of Facebook data would serve to meet CIP requirements. From a risk management perspective, the existing CIP checks that most finserv companies implement involve checking against offline IDV service providers like Lexis Nexis, Experian, Equifax etc., all of whom look at offline breadcrumb trails for user identity elements. But then all of those elements are easily available from the shadow internet today for as little as 0.50 cents per stolen ID, and $20 for a “Fullz” — an identity with bank account details, credit card numbers etc. worth at least $17,000 in bank balance. Email-based on-boarding and CIP checks are weak because email addresses have no face to them, but social profiles do. That means that using Social Logins will result in considerably less identity fraud risk. Consider also the types of security measures that Facebook has implemented but that few people know about: multi-factor logins, out-of-band email and SMS token validation and notifications, device fingerprinting, spam and malware checks etc., which are equivalent to bank-grade security.

    Older people may be unaware of the benefits of using Social Logins with financial services products, but Gen Y/Millennials are fast adopting. Easier on-boarding, safer from fraud risk, social banking features. Big banks are slow to change, but things like mobile on-boarding and payments and better banking experiences from players like Moven are going to pave the way for social banking.