Facebook's Messenger app has allowed users to send money to friends using their debit cards since last spring, but recent reports indicate that Facebook may be considering a move into the retail payments space as well, following in the tracks of Apple, Samsung and Google. Facebook will need to be careful, however, not to simply become yet another channel for criminals, security experts say.
For many users, logging into Facebook is not a major security issue - after all, it's a fun social platform, not a bank. That means short, easy-to-remember passwords, for example.
Unfortunately, the Messenger app uses the same login and password, said Kayvan Alikhani, senior director of technology at RSA Security. And there is also a concern about the lack of strong authentication enforcement.
This means that criminals would have an easier time taking over multiple accounts and sending money between them, evading some risk controls, since the payments would be going through a trusted network to friends.
Alikhani recommended the use of two-factor authentication for money transfers, especially when they come too frequently or are for high dollar amounts.
[ ALSO ON CSO: Facebook sees challenges to sharing threat data with US ]
"In addition to the ongoing risk-based authentication, the app should enforce either on-device biometric authentication methods available to the user, when and where possible, or one-time-password based authentication, or at a minimum -- as unpopular as it is -- require complex passwords for money transfers," he said.
Another approach is to use Facebook to create brand-new accounts, connect them to stolen credit cards, and then use Messenger to transfer money out or make purchases, said Neil Bergman, consultant at Cigital.
"In theory, Facebook could strengthen the registration process via additional identity verification, but that would require collaboration with the issuing banks," he said. "For example, Apple Pay requires additional verification via email, SMS, or a call center depending on the bank when adding a card to the Apple account."
In fact, despite Apple's verification steps, there were still numerous incidents of fraud when Apple Pay was rolled out.
Facebook payments come with an extra layer twist when it comes to security. Not only does the platform have the capability to send money, but it also collects an enormous trove of personal information about its users, making it a gold mine for social engineering hacks.
"Facebook creates enough data which the hacker can easily correlate and cross correlate in order to create a convincing and reliable story," said Amit Ashbel, product marketing manager at Checkmarx. "You can never know who you are really talking with on Facebook. If a hacker has successfully infiltrated a Facebook account of one of your friends, they are now your friend, family or colleague."
Amit Ashbel, product marketing manager at Checkmarx
Traditional payments and banking institutions have long been struggling with fraud, he added.
"Paypal -- the king of online payments -- is still struggling with security and they have been around for almost 20 years," he said.
If Facebook continues to expand its payments platform to become a serious player, it will be facing the hackers' full arsenal of existing weapons, in addition to the social engineering issues, he said.
“Tying a social network to a payment system introduces insanely easy social engineering opportunities for cybercriminals," said Zach Forsyth, director of enterprise product line management at cybersecurity firm Comodo Group. "A botnet, for example, could be created with the sole purpose of using compromised Facebook accounts to social engineer users’ friend lists into sending payments. If the botnet is expertly crafted, then who would question its authenticity and not send one of their dear friends a few bucks for their latest cause or charity operation? This is the proverbial goldmine opportunity for the cybercriminal.”
The mobile aspect adds yet another wrinkle, according to Oren Kedem, vice president of product management at authentication security firm BioCatch.
Android devices are vulnerable to remote access scams, he said, where hackers use remote support tools and clever social engineering to take over someone's phone.
"We haven't seen any phone yet where it didn't work," he said.
Banks and other traditional financial institutions have gotten better at spotting these kinds of attacks, adding verification steps before, say, allowing users to add or change payee details via a mobile app.
Facebook's Messenger app is designed to make sending money to friends quick and easy, however, and as it becomes more popular with users, it may also become a convenient channel for theft, he said, if Facebook doesn't also upgrade its authentication measures.
"Linking real money to a Facebook account seems like a significant increase in personal attack surface," said Tod Beardsley, engineering manager at security firm Rapid7.
Many people prefer to err on the side of being sociable when it comes to accepting requests from strangers especially if they know people in common, or want to play games together.
"They're thinking that the worst thing that can happen is a loss of privacy and pictures," said Dotan Bar Noy, co-founder and CEO at Re-Sec Technologies. "However, with money on the table along with the other new commerce-related bots, the level of effort that a cybercriminal is willing to invest to get into your account and your money is much greater. Hacking a Facebook account is now a business, just like ransomware or any other money-driven hack.”
He suggested that users may need to get more selective about approving friends requests.
"Friending one wrong account can lead to a domino effect of infecting a large branch of Facebook friends," he said. "For its part, it may be time for Facebook to increase the friction of connecting with people outside of your network to make it harder for widespread attacks to proliferate.”
Some security experts were also concerned about the increasing erosion of personal privacy.
"Now, besides everything else, Facebook also knows how you spend your money," said Guy Peer, co-founder and vice president of R&D at Dyadic Security.
This story, "Security pros concerned about Facebook payment expansion" was originally published by CSO.