The next security target is not a bank

Most Australian banks have successfully rolled out two-factor authentication, which means the security spotlight is starting to shift to the weaker links in our online economy.

Whether its retailers looking to offer financial services, or online social finance sites like Wesabe or Mint, it seems security vendors and analysts have found a new fish to fry.

At Online Banking Review’s security forum AusCERT general manager Graham Ingram told the audience “Everybody talks about the banks, my real concern is everyone else…we need to raise our focus from the financial sector to the online economy, which is really where all the action is”.

And in June research house TowerGroup argued most new online personal finance sites posed a security risk because they only offered single-factor authentication. They also called on the US Government to consider applying the FFIEC guidance regarding online authentication to these and other online sites that requested personal financial information.

I think this argument misses the point of what social finance sites actually do. To begin with they aggregate data and then allow users to decide which data is kept private and which is shared. It’s the sharing of a collective pool of data that helps users gain the most benefit from the service, while still protecting their individual information.

Secondly, and probably most importantly, consumers can’t use social finance sites to move money. The sites are simply a way of gaining access to information in a more convenient format, and where consumers feel comfortable about it, sharing that information with others.

While some analysts argue non-bank social finance sites should take a leaf from the book of their major bank counterparts, I would argue the opposite may be true.

For example, if you compare the Commonwealth Bank’s 24-page privacy policy statement with Wesabe’s Data Bill of Rights, you’ll get a feel for which group is doing a better job of educating consumers about how to manage what is essentially their data.

It could only be a matter of time before bankers start pointing the finger at social finance sites arguing they are less secure. Rather than help consumers I think this type of competitive behaviour would add to the overall level of confusion in the market about the protection of financial information.

I’ll be speaking on the topic of marketing security at next month’s Australian BankTech forum, so I’m interested in your opinion. Should businesses compete on security? Do social finance sites like Wesabe deserve greater scrutiny over data management?