ICICI Bank launched a new Twitter-based banking service in January 2015. In addition to the glaring lack of 2-factor authentication first reported by NewsPie, additional analysis by NewsPie of the service called icicibankpay indicates that it contains serious privacy flaws. In this light, the benefits seem dubious.
To begin with, the new service from ICICI depends heavily on customers using Twitter's direct messaging (DM) functionality. Done properly, DM sends the message only to the intended recipient. However, this is not something that most Twitter users know or understand. Famous misusers include the CFO of Twitter and former US Congressman Anthony Weiner, who thought he was using DM but instead tweeted pictures of his penis for all the world to see. Even on its first day, ICICI's service has seen many people make the same mistake, revealing to the world that they are ICICI customers and their mobile phone numbers. This doesn't mean that they now need to change their phone number, but it would be better to avoid such disclosure.
The service also works in such a way that when a person follows the bank on Twitter, the bank's Twitter account automatically follows the customer as well. This follower list is openly visible to everyone. That is a great help to criminals, because it narrows the pool of potential victims. If a criminal did not know who was an ICICI customer, he might have to target 100 random people in the hope of reaching one who is. Using ICICI's public Twitter relationships, the same 100 attempts can now potentially reach 100 actual customers.
Criminals can then target these possible customers with requests to update their bank login and a phony Web site, and chances are that a few people will fall for this trick. Once criminals have access to the online account, they can then try to get the money in the account.
One of the benefits of this service is supposed to be a simple method for transferring money to anyone else, as long as they have a Twitter account and an Indian bank account. While the process does sound quite simple for the sender (even though it still relies on a one-time code sent via mobile text messaging), it gets quite complicated for the recipient. ICICI's process also contains several privacy concerns.
The sender is supposed to initiate the transfer using a DM to the bank, but then the bank sends a regular tweet to the recipient notifying him or her that a transfer is pending, and the tweet identifies the sender. This tweet can be seen by anyone, so there is no privacy to the transaction. Moreover, the Web link to receive the money can be used by anyone. Although the recipient must identify herself by using her Twitter login and password, this is something that a hacker could figure out. Then the recipient is supposed to provide the code that was sent to the sender, but since this is a 4-digit code that only has 10,000 possible values, it would only take a few seconds for criminals to guess all the possibilities.
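To make the size of the 4-digit code space concrete from a defender's point of view, here is an added example (not code from ICICI or from the original article) of a hypothetical server-side verifier for a transfer code. It shows why an unthrottled 4-digit code is exhausted within 10,000 guesses, and how the usual mitigations (a cap on wrong attempts, an expiry time and single use) limit what a guesser can achieve. The class name, the attempt cap and the time-to-live are assumptions for illustration; nothing here is known to match how ICICI's service actually behaves.

```python
import secrets
import time

CODE_DIGITS = 4
CODE_SPACE = 10 ** CODE_DIGITS   # 10,000 possible codes, as the article notes


class TransferCode:
    """Hypothetical server-side record of one pending transfer's one-time code.

    The code is single-use, expires after ttl_seconds and locks after
    max_attempts wrong guesses. These defaults are assumptions for the example.
    """

    def __init__(self, max_attempts=5, ttl_seconds=600, clock=time.time, code=None):
        self._clock = clock
        # A random zero-padded 4-digit code; a fixed code may be injected for testing.
        self.code = code if code is not None else f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
        self.max_attempts = max_attempts
        self.attempts = 0
        self.expires_at = clock() + ttl_seconds
        self.locked = False

    def verify(self, guess):
        """Return True exactly once for the right code; False after expiry or lockout."""
        if self.locked or self._clock() >= self.expires_at:
            return False
        self.attempts += 1
        if secrets.compare_digest(guess, self.code):
            self.locked = True   # single use: the code cannot be replayed
            return True
        if self.attempts >= self.max_attempts:
            self.locked = True   # too many wrong guesses: lock this transfer
        return False


def guess_success_probability(allowed_attempts, code_space=CODE_SPACE):
    """Chance that a guesser with a fixed number of attempts hits a uniformly random code."""
    return min(allowed_attempts, code_space) / code_space


def guesses_accepted(record, guesses):
    """Feed guesses to a record until it locks; return (attempts the server evaluated, success)."""
    for guess in guesses:
        if record.locked:
            break
        if record.verify(guess):
            return record.attempts, True
    return record.attempts, False


if __name__ == "__main__":
    every_code = [f"{i:0{CODE_DIGITS}d}" for i in range(CODE_SPACE)]
    # Constructed scenario: the code is the last one a sequential guesser would try.
    unthrottled = TransferCode(max_attempts=CODE_SPACE, code="9999")
    print("no attempt cap:", guesses_accepted(unthrottled, every_code))
    capped = TransferCode(max_attempts=5, code="9999")
    print("cap of 5 attempts:", guesses_accepted(capped, every_code))
    print("success chance with 5 attempts:", guess_success_probability(5))
```

With no cap, the sequential guesser reaches the code after all 10,000 attempts; with a cap of five wrong attempts the transfer locks after five, and the chance of a blind guess succeeding drops to 5 in 10,000. The expiry means the window for guessing is also bounded in time, which matters because, as the article notes, the recipient may not see the notification tweet for a long while.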
For the transfer to work, the person receiving the money needs to see the notification tweet from the bank. If a person's Twitter feed is very active, it may be easy to miss this one tweet, and if the person doesn't check Twitter for a while, they may not know that a transfer is pending. It would be fine if the notification were done by email, but as a tweet, the longer the person goes without seeing and acting on it, the more time criminals have to do so instead.
The recipient may also delay acting on the notification because to receive the money she has to provide her bank account details, which may not be something she carries around with her, and so has to wait until she can get to the information.
It is unclear what benefit this service provides, since ultimately it still relies on SMS for verification. Meanwhile it increases complexity by using two different communication methods instead of just one, and requires additional communication between sender and recipient. Moreover, much of this takes place in public, for intrusive governments and criminals to see.
While the idea of using Twitter has some new-media appeal, it is not a one-size-fits-all platform and it may not be appropriate for certain activities. Banking seems to be one of those.