ICICI is opening its customers up to fraud
ICICI’s Twitter Page

ICICI Bank has launched a new Twitter-based banking service, only the second such service in the world the bank proudly claims. That is two too many. Some things are meant to go together, but banking and social networking are not.

While many news and tech sites in India reported on this feature, most outlets faithfully reproduced the bank’s press release on how the service will work and the benefits, with little additional analysis or a third-party evaluation of the service. So for what it’s worth, here is a quick independent analysis of the service as it has been reported. I am not an ICICI bank customer and I have not used this Twitter banking service myself.

  1. First things first, the service relies on the Direct Message (DM for short) feature of Twitter. That feature is infamous for how often people use it incorrectly, Anthony Weiner included: a message meant to be private goes out as a public tweet. For a bank to rely on customers using a feature that is so frequently misunderstood seems like a bad idea.
    Examples of people tweeting rather than using direct message.
  2. Speaking of who the bank is following, the entire world now has access to a fairly good pool of possible ICICI Bank customers. This is making the job easier for phishers and scamsters. It’s not hard to imagine people seeing tweets from @iciciibank stating that customers urgently need to follow the link and change their password. If the millions that “Nigerian” scammers have made tells us anything, it’s that people are gullible.
  3. One of the actions available through this service is sending money to another Twitter user. The process as described by the bank sounds very simple:

    Step 1: Create a voucher by sending a direct message to @icicibank in the following format: #Pay <Receiver’s Twitter handle> <Amount>
    Step 2: Share the passcode received from @icicibank with the receiver (the person you want to send money to)

    And the process is indeed nearly that simple for the sender. For the recipient, there are quite a few more steps.

    ICICI Bank’s Twitter money-transfer process (receiving money is not all that simple).
  4. The sender must also convey (privately, natch) a 4-digit code to the recipient. Some reports specify that the passcode will be sent to the sender by SMS; ICICI’s site itself does not say. However, if the idea behind this is to make it convenient for the sender, things are getting complicated.
  5. The recipient, who does not have to be an ICICI bank customer, will see a Tweet in their timeline with a link to follow. So it seems that the tweet with the link will be public, and anyone could follow the link (see image to the right). If the recipient follows enough Twitter handles, one tweet among the hundreds or thousands that come across each day will be easy to miss…although Twitter notifications may help. Moreover, every tweet that ICICI Bank sends will be visible to the world. Think about that.

    ICICI Bank exposes transactions to the world: the tweets clearly tell who is transferring money to whom.

    The recipient then has to authenticate their Twitter account, then enter the 4-digit code. From a security standpoint, it is not unreasonable to assume that hackers could gain access to the recipient’s Twitter account, and I am guessing that it would take a good hacker network a couple of seconds to try all 10,000 possible 4-digit combinations.

  6. The recipient will have to enter their bank’s IFSC code, their account number…not details that people carry around with them everywhere. If India’s Internet use is indeed going to be predominantly on mobile devices, this doesn’t seem like a very practical solution.
  7. This service is great news for the tax department, since every time that someone receives money the whole world will be put on notice. It’s not so great if you want to maintain your privacy, even if there’s nothing illegal to hide.
  8. ICICI Bank seems to have gone to a lot of trouble to set up a system using a platform which relatively few Indians use. Who is the target audience? People with mobile accounts who have data plans that accommodate Twitter traffic. How big is that market? This feels more like a gimmicky move to appear relevant (Twitter Banking sounds cool, doesn’t it? Look at the press coverage it got!) than serving any real need. As part of the service relies on SMS messaging, does it provide that much more convenience over SMS-based banking? #genuwinkoschins
  9. If on the other hand, this service really does take off, and tens of thousands of Twitter users sign up for the service, will ICICI’s systems, automated and human, be able to cope? Do they have processes in place for mistakes, lost transactions, unclaimed money, hacks and scams? #MoreGenuineQuestions
  10. How India’s Reserve Bank allows a Rube Goldberg idea like this to be launched and has so far balked at the use of credit cards without 2-factor authentication is beyond understanding.
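To make the #Pay message format from point 3 and the 4-digit passcode concern from point 5 concrete, here is an added example (my own illustration, not ICICI’s code and not a description of the bank’s actual implementation): it parses the #Pay direct message, issues a voucher with a random 4-digit passcode, and caps redemption attempts per voucher, which is the control that keeps a 10,000-value code from being cheap to guess. The attempt limit of 3, the `Voucher` fields and the `redeem` interface are assumptions.

```python
import re
import secrets
from dataclasses import dataclass

# DM format as the bank describes it: "#Pay <Receiver's Twitter handle> <Amount>".
# Twitter handles are 1-15 chars of [A-Za-z0-9_]; the leading "@" is optional here.
PAY_RE = re.compile(r"^#Pay\s+@?([A-Za-z0-9_]{1,15})\s+(\d+(?:\.\d{1,2})?)$", re.I)

MAX_ATTEMPTS = 3        # assumed policy for this illustration, not ICICI's
PASSCODE_SPACE = 10_000 # four decimal digits: 0000-9999


def parse_pay_dm(text):
    """Return (receiver_handle, amount) from a #Pay DM, or None if malformed."""
    m = PAY_RE.match(text.strip())
    if not m:
        return None
    return m.group(1).lower(), float(m.group(2))


@dataclass
class Voucher:
    receiver: str
    amount: float
    passcode: str       # 4-digit code the sender must pass to the receiver privately
    attempts: int = 0
    claimed: bool = False
    locked: bool = False


def create_voucher(dm_text):
    """Turn a valid #Pay DM into a voucher with a fresh random 4-digit passcode."""
    parsed = parse_pay_dm(dm_text)
    if parsed is None:
        return None
    handle, amount = parsed
    return Voucher(handle, amount, f"{secrets.randbelow(PASSCODE_SPACE):04d}")


def redeem(voucher, claimant_handle, code):
    """Check a claimant's code; lock the voucher after MAX_ATTEMPTS wrong guesses."""
    if voucher.claimed or voucher.locked or claimant_handle.lower() != voucher.receiver:
        return False
    voucher.attempts += 1
    if secrets.compare_digest(code, voucher.passcode):   # constant-time compare
        voucher.claimed = True
        return True
    if voucher.attempts >= MAX_ATTEMPTS:
        voucher.locked = True
    return False


def brute_force_success_probability(max_attempts, space=PASSCODE_SPACE):
    """Chance that a guesser limited to max_attempts tries hits a uniform code."""
    return min(max_attempts, space) / space
```

Without an attempt cap the last function returns 1.0 for 10,000 guesses, which is the page's point; with the cap of 3 it returns 0.0003 per voucher.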

Links to some news sites: Economic Times, Trak.in, NDTV, Medianama.

Are you a security expert? Do you know more about this ICICI plan? Do you have a strong opinion? Do you think this article is weak tea? Please comment and add your insights!

Updated: an earlier version said that all money-transfer tweets would be visible in every follower’s timeline–that’s not so. They would be visible on ICICI’s Twitter page or profile.
