I took a look through the documentation on how to use their service.  Customers can perform simple functions such as view their balances, deposits, withdrawals, holds, and cleared checks.  They can also transfer money between accounts inside of VCU.  Nothing particularly earth shattering about this.  The commands are pretty basic and easy (at least to me) to remember.  To pull the last 5 deposits customers send a direct message to the credit union using the following command.

The credit union’s twitter account receives the message, then sends back the results.

Ok, that’s kinda neat and the actions available in the first release aren’t too worrisome. But I’m still concerned about the whole idea of this. If I’m a customer of VCU (I’m not), do I want Twitter to be the middle man for access to my account? The whole security model hangs on the idea that direct messages are completely secure and only visible to the two parties taking part of the exchange. While I suspect Twitter has gone to some lengths to protect these messages, do we think that they designed its security with banking in mind? I doubt it ever entered their mind. Keep in mind that all of this is being done without encryption too.

However, for the sake of argument, lets say that direct messages never become exposed due to a vulnerability. Do people only use Twitter with their browser directly on Twitter’s website? Not by a long shot. I personally use two other applications to keep tabs on my feeds. These apps also have their own issues. I don’t know of any Twitter apps that do this, but I have heard of some apps sending data back to the developers. They also are subject to vulnerabilities. So even if Twitter itself is perfectly safe (it’s not), the mediums with which we use it aren’t.

And last, the whole notion just strikes me as asking for trouble. VCU plans on offering functionality via Facebook and text messaging as well. They have in essence decided to teach their users to trust third parties with access to their bank accounts. These aren’t third parties that we know either. I don’t know the people who are, will or used to work at Twitter. VCU is training their customers that it’s ok to put access to their financials in the hands of others. This is a bad idea and one that may come back to bite folks who believe that Twitter has their back because otherwise their bank would have never offered it.

Technorati Tags: bad idea, banking online, twitter, web security

Now Linkedin generally lets people decide how much information they want displayed to people they don’t know. If you aren’t connected to them, all you may see is their description if you find them by company. No names. In my case, I’m connected with a lot of people, so this pollutes the process. So, I logged out of Linkedin to see how an outside might do this.

For this scenario, I’m an attacker who wants to find out about Company XYZ. I’m not employed by them, but they have something I want. I’m not connected to anyone on Linkedin at the target. In fact, I may not even have a Linkedin account. How do I get this information? Kevin Johnson at InGuardians has already done some awesome work on how people are willing to accept invitations on social networking sites from almost anyone. But lets say that I don’t want to get connected to my target. Who would have this information?

Google of course! Everyone wants Google to be able to find things on their website. Linkedin is no different. So I do a query on the company name like this “site:linkedin.com Company XYZ”. Sure enough, I get pages of people who work at or did work at Company XYZ. With a bit of Python scripting I download the results, mix the names into common username variations and I have my username list.

Here’s the script I hacked up to make this work. usernameGen.txt PDP at gnucitizen.org wrote the original script. I just polished up the regular expression and pointed the starting URL to Google’s mobile search to simplify the HTML. Then I added the username generation. Was a fun little puzzle for the evening.

Technorati Tags: social networking, username generation, web security