Banks are using Facebook apps to acquire user details illegally, according to security veteran Roger Thompson of AVG. Roger reached this conclusion as a result of his own personal experience. He was in London to attend a conference, and because he was abroad, his bank flagged his credit card transactions as unusual and suspended the card. Up to this point everything is standard procedure: this is how banks weed out fraudulent transactions.
Things became complicated when Roger called the bank to have his card unsuspended. The bank asked him the usual identifying questions, such as the last four digits of his social security number. But then the bank's representative started asking him questions about his daughter-in-law, referring to her by her maiden name. The representative claimed that the questions were drawn from publicly available information.
Roger went through his bank documents and could not find any document in which he had given the bank information about his son or daughter-in-law. What is more surprising is that Roger's daughter-in-law has been married for nine years and has not used her maiden name since. For the past nine years she has used her husband's name everywhere except for one place: her Facebook profile.
Roger insists that the only connection linking him to his daughter-in-law is their Facebook profiles, which is also the one place where she still uses her maiden name.
Roger connects this incident to earlier internal AVG research that uncovered shadowy app publishers whose applications exist for no evident purpose except to access the personal information of every user who approves them. The likely explanation is that these apparently pointless apps serve a very definite purpose: building databases of user information for financial and military espionage.
Roger's entire account of the incident is reproduced below:
Hi folks,
I’ve been doing computer security for a looooong time, and not much scares me. But this does.
This week, I had occasion to visit London for a couple of days on biz. Trip went well, and Thursday morning, I fronted up to the hotel desk to check out.
To ensure I was ready to do my expense account paperwork, I asked the young lady for a fresh copy of my bill, and she said “I’m sorry sir… your card has been declined.”
Me: Blink, blink… “No… I just want a copy of my bill”
Her: “Your card has been declined, sir.”
Me: Pause… blink…”Declined?”
Her: “Yes sir. Do you have another card to use?”
Me: “But there’s lots of money on that card… could you retry it, please?”
Anyway, the conversation went on like that for a while, and eventually it became clear I’d have to call my bank, so I did. Of course, I had the usual struggle to get to speak to a human, but eventually someone explained that because I hadn’t told them I would be traveling, they had decided that the transactions were “Unusual” and had suspended the card, and I’d have to speak to the Fraud Department to un-suspend it.
Ok, so that’s a pain, but at least they’re looking out for me, so I answered all the questions… “Last four of social, please”… “What accounts do you have with us?”… “Mother’s maiden name?” etc.
Here’s the scary bit… The guy says, “And now, sir, just a couple more questions, please. This is from publicly available information. What age-range would best describe this person?”, and he proceeded to ask me about my _daughter-in-law_…. Using her maiden name, and she’s been married for nine years!!!!!
Now I answered the question correctly, and they un-suspended the card. I paid the bill, and headed for the airport.
I had one question thundering through my mind.
How did the bank associate me with her??????????????????????
I _refuse_ to believe it was “publicly available information”.
We have no connection on _any_ bank accounts, or legal documents.
She hasn’t used her maiden name for nine years. I’d have been less suspicious if they’d asked me about her married name.
She’s _not_ a big computer user.
The _only_ place we connect as far as I’m _aware_ is that she’s a friend on Facebook!!!!!!!!!!
Now, I’m not accusing Facebook of _anything_, but one wonders…. I can’t believe Facebook would sell our data, so … is someone “harvesting” it?
Not long ago, we found some Facebook apps that had been hacked, and were reaching out to attack sites in Russia, and while investigating that, we found a site that looked very similar but wasn’t actually attacking. We’re not mentioning the name of this company, because we can’t yet figure out whether they’re good or bad, but they look really suspicious. Their webpage shows no “Contact us” details… just a crudely-drawn graphic. When we did a whois to see who they were, we found that the ownership was hidden behind Privacy Protector.
They had written a cancer support group application that had over 250k members. _All_ of these applications require a user to allow access to their profile, their contacts, and their pictures “In order to work”.
This means that 250k women had ponied up their details to an at-best shadowy organization, which doesn’t want us to know who they are. Googling for their name reveals that they make many “surveys” and game-type apps for many social media properties… not just Facebook.
I’m _not_ accusing Facebook of anything (I like Facebook), but _someone_ other than the government has a honking-great database on me. And that probably means that they have a similar amount of data on _you_, Dear Reader.
_Someone_ is _seriously_ invading our privacy.
The current financial catastrophe has made it clear that banks trust only in greed and will go to any length to maximize profits. If that means invading user privacy, so be it. In such an environment, the only defense against privacy invasion is continuous and strict vigilance.