Web 2.0 Banking Authentication

Web 2.0 and banking seem like an interesting mix. This article (https://www.finextra.com/fullstory.asp?id=18544) mentions several loosely coupled items related to this:
  • Providing online banking services through widgets in web 2.0 sites such as Facebook, Myspace and others.
  • Integrating web 2.0 functionality such as wikis and blogs into the bank's core online banking website.
  • Offering 'social lending', which is basically a community lending scheme in which banks play little part, as consumers lend to each other.

Of the three, the first strikes me as particularly interesting from an online security perspective.

Facebook isn't a launching pad in which you click on a link and go to another web site – say, an online banking website. To fit into Facebook's application platform, you need to use its shared infrastructure. In principle, the same infrastructure that is used to build a "find out who else likes the movies you like" application will be used as the platform for online banking.

And sharing the infrastructure means sharing the authentication. 

Oops. 

Facebook, which uses a username and password to authenticate users, is already heavily phished and appears in the 'top 10 non-financial websites to steal credentials from' on every online fraudster's to-do list.

This can only mean one thing for banks wishing to integrate into Facebook's open platform. 

Trouble. 

Now, there are several ways to overcome this hurdle. One way is to convince Facebook that applications that require access to sensitive personal data should have other authentication options.

Perhaps Facebook will realize that certain applications must rely on external authentication, and develop APIs that allow authentication against the bank's systems. I'm not sure Facebook users will appreciate it, though. All they care about is lightning-quick service. Security? Bah!

The bank can also decide to disable some high-risk functions in the widget, such as money transfers to new destination accounts. But that's not a long-term strategy.

Another idea is to use invisible device authentication, a technology currently deployed by many financial and non-financial organizations, and run robust transaction monitoring behind the scenes to make sure the activity conducted through the Facebook widget isn't suspicious. Because the fraudster cannot see which signals are being checked, the defense is hard to evade and should stop much of the resulting fraud.
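To make the last two ideas concrete, here is an added example (not code from the Finextra post, from Facebook or from any bank) of a bank-side policy that a widget's transfer requests could be run through. It assumes a hypothetical widget that forwards each request together with a browser fingerprint, a per-customer profile of devices that have previously passed the bank's own step-up authentication, and a record of destination accounts paid before. A request from a new device to a new destination is blocked outright; a new device or a large payment to a new destination forces re-authentication against the bank (not the host site); a burst of transfers in a short window is blocked by simple velocity monitoring. All names, thresholds and sample traffic are constructed for the illustration.

```python
"""Transaction-risk policy for a bank widget embedded in a third-party site.

Hypothetical illustration: the widget computes a device fingerprint and sends
it with every transfer request; the bank decides 'allow', 'step_up' or 'block'
without ever trusting the host site's session on its own.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib


@dataclass
class Transfer:
    customer: str
    device_fp: str       # fingerprint computed by the widget (hypothetical)
    destination: str
    amount: float
    when: datetime


@dataclass
class CustomerProfile:
    known_devices: set = field(default_factory=set)        # verified via bank-side step-up
    known_destinations: set = field(default_factory=set)   # accounts paid before
    history: list = field(default_factory=list)            # accepted transfers


def fingerprint(user_agent: str, screen: str, timezone: str) -> str:
    """Hash a handful of browser attributes into a stable device identifier.
    Constructed stand-in for 'invisible' device recognition; real products
    combine many more signals and score partial matches server-side."""
    raw = "|".join((user_agent, screen, timezone))
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def evaluate(profile: CustomerProfile, t: Transfer,
             velocity_limit: int = 3, window: timedelta = timedelta(hours=1),
             new_dest_limit: float = 200.0) -> str:
    """Decide 'allow', 'step_up' or 'block' for one transfer request.

    'step_up' means the customer must re-authenticate against the bank's own
    systems; the host site's login is never sufficient by itself."""
    recent = [h for h in profile.history if timedelta(0) <= t.when - h.when <= window]
    if len(recent) >= velocity_limit:
        return "block"                                  # burst of transfers in the window
    new_device = t.device_fp not in profile.known_devices
    new_destination = t.destination not in profile.known_destinations
    if new_device and new_destination:
        return "block"                                  # typical account-takeover pattern
    if new_device or (new_destination and t.amount > new_dest_limit):
        return "step_up"
    return "allow"


def apply(profile: CustomerProfile, t: Transfer) -> str:
    """Evaluate and, if allowed, record the transfer so velocity checks see it."""
    decision = evaluate(profile, t)
    if decision == "allow":
        profile.history.append(t)
        profile.known_destinations.add(t.destination)
    return decision


def demo() -> list:
    """Run constructed sample traffic through the policy and return the decisions."""
    home_pc = fingerprint("Mozilla/5.0 (Windows NT 6.0)", "1280x800", "Europe/London")
    fraudster = fingerprint("Mozilla/5.0 (X11; Linux)", "1024x768", "Europe/Bucharest")
    profile = CustomerProfile(known_devices={home_pc}, known_destinations={"ACC-1"})
    t0 = datetime(2008, 6, 1, 9, 0)
    requests = [
        Transfer("alice", home_pc, "ACC-1", 50.0, t0),                            # allow
        Transfer("alice", home_pc, "ACC-2", 50.0, t0 + timedelta(minutes=5)),     # allow: small, new dest
        Transfer("alice", home_pc, "ACC-3", 900.0, t0 + timedelta(minutes=10)),   # step_up: large, new dest
        Transfer("alice", fraudster, "ACC-1", 20.0, t0 + timedelta(minutes=12)),  # step_up: new device
        Transfer("alice", fraudster, "ACC-9", 20.0, t0 + timedelta(minutes=13)),  # block: new device + dest
        Transfer("alice", home_pc, "ACC-1", 10.0, t0 + timedelta(minutes=20)),    # allow: third in window
        Transfer("alice", home_pc, "ACC-1", 10.0, t0 + timedelta(minutes=25)),    # block: velocity
    ]
    return [apply(profile, r) for r in requests]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point of the design is that the credential the fraudster can phish from the host site buys nothing on its own: every sensitive action is re-scored on the bank's side against signals the attacker does not control, and the only way to enrol a new device is the bank's own step-up, not the host site's login.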

I'm interested to hear whether you have other ideas or thoughts.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
