Traditional payments and banking institutions have long been struggling with fraud, he added.
"PayPal -- the king of online payments -- is still struggling with security and they have been around for almost 20 years," he said.
If Facebook continues to expand its payments platform to become a serious player, it will be facing the hackers' full arsenal of existing weapons, in addition to the social engineering issues, he said.
"Tying a social network to a payment system introduces insanely easy social engineering opportunities for cybercriminals," said Zach Forsyth, director of enterprise product line management at cybersecurity firm Comodo Group. "A botnet, for example, could be created with the sole purpose of using compromised Facebook accounts to social engineer users' friend lists into sending payments. If the botnet is expertly crafted, then who would question its authenticity and not send one of their dear friends a few bucks for their latest cause or charity operation? This is the proverbial goldmine opportunity for the cybercriminal."
The mobile aspect adds yet another wrinkle, according to Oren Kedem, vice president of product management at authentication security firm BioCatch.
Android devices are vulnerable to remote access scams, he said, where hackers use remote support tools and clever social engineering to take over someone's phone.
"We haven't seen any phone yet where it didn't work," he said.
Banks and other traditional financial institutions have gotten better at spotting these kinds of attacks, adding verification steps before, say, allowing users to add or change payee details via a mobile app.
Facebook's Messenger app is designed to make sending money to friends quick and easy, however, and as it becomes more popular with users, it may also become a convenient channel for theft, he said, if Facebook doesn't also upgrade its authentication measures.
"Linking real money to a Facebook account seems like a significant increase in personal attack surface," said Tod Beardsley, engineering manager at security firm Rapid7.
Many people prefer to err on the side of being sociable when it comes to accepting requests from strangers, especially if they know people in common or want to play games together.
"They're thinking that the worst thing that can happen is a loss of privacy and pictures," said Dotan Bar Noy, co-founder and CEO at Re-Sec Technologies. "However, with money on the table along with the other new commerce-related bots, the level of effort that a cybercriminal is willing to invest to get into your account and your money is much greater. Hacking a Facebook account is now a business, just like ransomware or any other money-driven hack."