Wednesday, February 27, 2013

Facebook, A Pickpocket's Best Friend

It's no secret that Facebook really wants all your information. What came as a complete surprise to me was that they were working just as aggressively to gain the same kind of knowledge over my banking accounts.

Facebook has some fun games to play if you are interested in wasting some time. To jump start your fun, you can spend a few dollars and get into the game faster. But if you ever spend money with Facebook, they will do everything in their power to make sure that they keep access to your financial information forever.

I spent a few dollars for my wife on one of these games. I didn't think it was a big deal. The purchase process went just like every other purchase process using PayPal. Using my wife's Facebook account I told Facebook what I wanted, I was transferred to PayPal, I had to enter my credentials including email address and password, and finally I was returned to Facebook with a message saying that my transaction went through.

Nothing funny happened during the transaction. There were no options or check boxes to opt in or opt out of anything. It was exactly like every other PayPal transaction I had ever seen, or so I thought.

A couple of weeks later my wife wanted to spend a few more dollars on the game. No problem. I was prepared to walk her through the process, but there was no process to walk through. Facebook had kept the credentials and was able to take money directly out of my PayPal account with no passwords, credential checks, or any other form of security between the entire Facebook account and my bank accounts.

I was horrified! I wanted to know how this was allowed to happen. I checked with PayPal and sure enough, they honored the payment without so much as a whisper. I dug around in the transaction details and found there to be an open payment agreement between my wife's Facebook account and my PayPal account. Fortunately there was an opportunity to terminate the agreement. It was canceled on the spot.

I had my wife try to make another purchase from her Facebook account. Facebook tried to access my PayPal account again, but PayPal refused. After looking around in Facebook for exactly where the authorization to access my PayPal account was stored, I found their online help to be terribly out of date.

After the purchase failed, I tried again. This time I was brought to a screen asking me how I wanted to make the purchase. I selected PayPal again. While I was making the purchase I read all the fine print. There, buried in the print above the "agree and pay" button was the agreement for Facebook to retain open access to my PayPal account. There was no way to opt out. If I wanted to make the purchase, I had to allow Facebook access to my PayPal account.

I completed the purchase and dug around Facebook until I found where the information was kept. The only way to make sure that access to your accounts remains behind a password is to dig into Facebook's settings after the purchase and break the connection between your Facebook account and your bank account. It is a long, time-consuming process that Facebook seems to change every time they redesign something on their site.

This is a horrible way to do business. Regardless of how many layers of security you have between random websites and your bank accounts, if you ever let Facebook through, it will try to keep your accounts open to anything that accesses Facebook. And in this socially connected world, that makes your accounts potentially open to virtually the entire population of the Earth.

Security experts are constantly telling us about the number of people that fall victim to a confidence man cleaning out their bank account. With "features" like Facebook provides to assist you in your purchases, I am surprised that the number of victims is so small.
