Facebook's Messenger app has allowed users to send money to friends using their debit cards since last spring, but recent reports indicate that Facebook may be considering a move into the retail payments space as well, following in the tracks of Apple, Samsung and Google. Facebook will need to be careful, however, not to simply become yet another channel for criminals, security experts say.
For many users, logging into Facebook is not a major security issue - after all, it's a fun social platform, not a bank. That means short, easy-to-remember passwords, for example.
Unfortunately, the Messenger app uses the same login and password, said Kayvan Alikhani, senior director of technology at RSA Security. And there is also a concern about the lack of strong authentication enforcement.
This means that criminals would have an easier time taking over multiple accounts and sending money between them, evading some risk controls, since the payments would be going through a trusted network to friends.
Alikhani recommended the use of two-factor authentication for money transfers, especially when they come too frequently or are for high dollar amounts.
"In addition to the ongoing risk-based authentication, the app should enforce either on-device biometric authentication methods available to the user, when and where possible, or one-time-password based authentication, or at a minimum -- as unpopular as it is -- require complex passwords for money transfers," he said.
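The step-up policy Alikhani describes can be sketched as a small risk rule set: a transfer needs only the normal login unless it is high-value, arrives too frequently, or pushes the sender's daily total past a limit, in which case the app should demand a biometric check or a one-time password. The example below is added here for illustration and is not code from Facebook or RSA; the thresholds, the `Transfer` record and the sample history are constructed, and the real values a payments platform would tune are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy thresholds (constructed for illustration; a real platform would tune these).
HIGH_VALUE_USD = 250.00          # single transfer at or above this is "high dollar"
MAX_TRANSFERS_PER_HOUR = 3       # more than this in an hour is "too frequent"
MAX_TOTAL_PER_DAY_USD = 500.00   # cumulative daily cap before step-up


@dataclass
class Transfer:
    sender: str
    recipient: str
    amount_usd: float
    at: datetime


def step_up_reasons(history, new):
    """Return the risk signals that require stronger authentication for `new`.

    An empty list means the ordoinary login (password plus the platform's
    ongoing risk-based checks) is considered sufficient.
    """
    reasons = []
    mine = [t for t in history if t.sender == new.sender]

    if new.amount_usd >= HIGH_VALUE_USD:
        reasons.append("high_value")

    # Velocity: count the sender's transfers in the trailing hour, plus this one.
    last_hour = [t for t in mine if timedelta(0) <= new.at - t.at <= timedelta(hours=1)]
    if len(last_hour) + 1 > MAX_TRANSFERS_PER_HOUR:
        reasons.append("velocity")

    # Cumulative exposure: total sent in the trailing day, plus this one.
    last_day = sum(t.amount_usd for t in mine if timedelta(0) <= new.at - t.at <= timedelta(days=1))
    if last_day + new.amount_usd > MAX_TOTAL_PER_DAY_USD:
        reasons.append("daily_total")

    return reasons


def required_factor(reasons, device_has_biometrics):
    """Map risk signals to the authentication the app should enforce."""
    if not reasons:
        return "password"
    # Prefer the on-device biometric where the device offers one, else a one-time password.
    return "biometric" if device_has_biometrics else "otp"


def demo():
    """Run the policy over a constructed history and return the decisions."""
    base = datetime(2016, 3, 1, 12, 0)
    history = [  # constructed sample transfers from one sender
        Transfer("alice", "bob", 20.0, base - timedelta(minutes=50)),
        Transfer("alice", "carol", 30.0, base - timedelta(minutes=30)),
        Transfer("alice", "dave", 40.0, base - timedelta(hours=5)),
    ]
    small = Transfer("alice", "erin", 15.0, base)
    large = Transfer("alice", "erin", 300.0, base)
    # A fourth transfer shortly after `small` would exceed the hourly velocity limit.
    rapid = Transfer("alice", "frank", 25.0, base + timedelta(minutes=5))

    return {
        "small": step_up_reasons(history, small),
        "large": step_up_reasons(history, large),
        "rapid": step_up_reasons(history + [small], rapid),
        "large_factor": required_factor(step_up_reasons(history, large), device_has_biometrics=False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The decision is deliberately additive: each rule appends a reason rather than returning early, so the log line written alongside the step-up prompt records every signal that fired, which is what a fraud analyst needs when reviewing an account-takeover pattern later.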
Another approach is to use Facebook to create brand-new accounts, connect them to stolen credit cards, and then use Messenger to transfer money out or make purchases, said Neil Bergman, consultant at Cigital.
"In theory, Facebook could strengthen the registration process via additional identity verification, but that would require collaboration with the issuing banks," he said. "For example, Apple Pay requires additional verification via email, SMS, or a call center depending on the bank when adding a card to the Apple account."
In fact, despite Apple's verification steps, there were still numerous incidents of fraud when Apple Pay was rolled out.
Facebook payments come with an extra twist when it comes to security. Not only does the platform have the capability to send money, but it also collects an enormous trove of personal information about its users, making it a gold mine for social engineering attacks.
"Facebook creates enough data which the hacker can easily correlate and cross correlate in order to create a convincing and reliable story," said Amit Ashbel, product marketing manager at Checkmarx. "You can never know who you are really talking with on Facebook. If a hacker has successfully infiltrated a Facebook account of one of your friends, they are now your friend, family or colleague."