InvestSMART

Facebook for banking? No thanks!

The strategy of using social ID for banking could be a recipe for disaster and a nightmare for security experts.
By Stilgherrian · 23 Dec 2011

Your Facebook ID could become your universal identifier, even for financial transactions. Let's think about that for a minute and ask ourselves just how many ways are we prepared to become Mark Zuckerberg's bitch?

Commonwealth Bank released its mobile payment system Kaching earlier this week and, as promised, it gives users the ability to pay anyone via Facebook, whether or not they're a Commbank customer. Surely not. Since when is Facebook bank-grade security?

More importantly, since when has Facebook had your privacy as its primary focus? That's real privacy, of course, the kind of privacy you expect for your personal finances. As opposed to the mere perception of privacy.

Being seen to be doing something about privacy to create trust isn't the same as providing true security. But you have to show you're trying, otherwise people won't keep uploading all that personal stuff.

Facebook IDs aren't exactly your traditional 100-point banking identity. Yet every time they're used to log into a third-party service, it can then track the use of that service -- which pages were visited, when and for how long -- adding the data to the massive dossiers they're already compiling.

The thought of pouring raw financial data into Facebook's vast lake of social data horrified the identity experts I recently spoke with, many of whom were mystified by the state of events.

"I'm sitting here with my mouth open. How could you possibly think that that's a good idea?" said Jon Callas. He's chief technology officer for Entrust, a private company that manages identity for such demanding clients as the US Department of Homeland Security and the FBI, the British intelligence services and the Saudi government.

"It's just the personal information privacy thing of giving Facebook one more thing they get to correlate with everything else. Forget the bad guys. [Facebook is already] selling all your personal information to advertisers, and we're going to sell your banking information too?"

Stephen Wilson is managing director of Lockstep Group, advisors and analysts of digital identity and privacy technologies. He's most unimpressed that supposed experts can't see the problems.

According to Wilson, the head of security for the White House recently pointed out how cool it would be when you can log on to your bank using your student ID card.

"There's an internet banking commentator out there at the moment who's blogging -- and he should know better -- he's blogging that people who are not ready to use their Facebook IDs to log on to the banks are luddites," Wilson said.

"He's saying it's inevitable. He's teasing. He's almost shaming people into using their Facebook IDs to log on to banks."

Fortunately, Commbank hasn't quite created the full scary scenario. Kaching's pay-via-Facebook function requires that both parties to the transaction log into Facebook to verify their Facebook IDs. But the sender logs in to Commbank's own systems to generate a unique payment code, which is then passed to the recipient privately. The recipient must provide their BSB and account number to be paid.

In other words, Facebook is only used to authenticate the login to Facebook. The network is merely a communications channel.
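To make that trust boundary concrete, here is a toy model of the flow in Python. It is an added example, not Commbank's or Kaching's code: the article does not say how the real payment code is generated or delivered, so this assumes a random, single-use bearer code, and the parties, passwords, BSB and account number are all constructed values.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SocialChannel:
    """Stand-in for the social network. It checks its own logins and relays
    messages between users; everything it relays is visible to it."""
    passwords: dict
    logged_in: set = field(default_factory=set)
    inbox: dict = field(default_factory=dict)   # recipient -> list of messages

    def login(self, user, password):
        if self.passwords.get(user) != password:
            raise PermissionError("bad social-network password")
        self.logged_in.add(user)

    def send(self, sender, recipient, message):
        if sender not in self.logged_in:
            raise PermissionError("sender is not logged in")
        self.inbox.setdefault(recipient, []).append(message)

    def everything_seen(self):
        return [m for msgs in self.inbox.values() for m in msgs]


@dataclass
class Bank:
    """Stand-in for the bank. It authenticates the sender with its own
    credential and mints the payment code; it never talks to the social network."""
    balances: dict
    passwords: dict
    pending: dict = field(default_factory=dict)  # code -> amount awaiting redemption

    def issue_code(self, customer, password, amount):
        if self.passwords.get(customer) != password:
            raise PermissionError("bad bank password")
        if self.balances[customer] < amount:
            raise ValueError("insufficient funds")
        code = secrets.token_urlsafe(16)       # assumption: unguessable, single-use bearer code
        self.balances[customer] -= amount
        self.pending[code] = amount
        return code

    def redeem(self, code, bsb, account):
        amount = self.pending.pop(code, None)  # pop: presenting the code a second time fails
        if amount is None:
            raise ValueError("unknown or already-used payment code")
        return {"bsb": bsb, "account": account, "amount": amount}


def run_payment():
    """Walk through the flow described in the article with constructed parties."""
    social = SocialChannel(passwords={"alice_fb": "fb-pw-a", "bob_fb": "fb-pw-b"})
    bank = Bank(balances={"alice": 100}, passwords={"alice": "bank-pw-a"})

    # 1. Both parties log in to the social network; this proves only their social IDs.
    social.login("alice_fb", "fb-pw-a")
    social.login("bob_fb", "fb-pw-b")

    # 2. The sender logs in to the bank with a separate credential to obtain a code.
    code = bank.issue_code("alice", "bank-pw-a", 25)

    # 3. The code travels to the recipient over the social network, which can read it.
    social.send("alice_fb", "bob_fb", code)

    # 4. The recipient redeems the code at the bank by supplying a BSB and account
    #    number (constructed values).
    received = social.inbox["bob_fb"][-1]
    credit = bank.redeem(received, bsb="000-000", account="12345678")

    # 5. Presenting the same code again is rejected.
    try:
        bank.redeem(received, bsb="000-000", account="12345678")
        replayed = True
    except ValueError:
        replayed = False

    return {
        "credit": credit,
        "seen_by_network": social.everything_seen(),
        "sender_balance": bank.balances["alice"],
        "replayed": replayed,
    }


if __name__ == "__main__":
    print(run_payment())
```

The model shows what the article is getting at: the bank's credential never crosses the social network, and the network is never asked whether anyone is a bank customer. It also shows the residual exposure that remains in such a design, since the payment code is a bearer secret and the channel that carries it can read it, which is why the code has to be unguessable and single-use.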

According to Chris Gatford, director of penetration testing firm HackLabs, this is exactly as it should be.

"If you've ever worked with the banks, especially here in Australia, there's no chance that they'll let Facebook allow authentication to any of the bank's systems, even low-level marketing things," he said.

Banking systems might be out of reach, at least for now, but Facebook IDs are already being used to log in to everything from eBay and The New York Times to tens of millions of WordPress blogs. Even the Janrain commenting system here on the Technology Spectator website provides Facebook as a login option.

Facebook isn't the only social ID being used this way, of course. Google is the clearest competitor, and chair Eric Schmidt has already said publicly that Google sees itself as an identity company, with Google+ and its real-names policy at its core.

Twitter, LinkedIn, Yahoo and Microsoft Live IDs are also common options, but Facebook is the giant with 800 million users, massive mindshare, and the biggest trove of personal data to which additional information can be cross-matched.

The problem with social networks and social media companies providing an identity service is that they have a clear conflict of interest. On the one hand, the users' interests are best served by keeping separate all of the data generated by their activities on different services. Yet Facebook's very profitability comes from merging and mining those data streams.

The mission would be clearer if the global login system were to be provided by an independent company, paid directly by the user, and focussed on nothing but the security and privacy of the users' information. It appears that the world is not taking that path.

"We're on the cusp of two incredible societal programs that we're just manifesting, unready for, both from the privacy and the individual authentication point of view," Wilson said. "I refer to personal health records, and I refer to the social cross-breeding of things like Facebook identities with credit cards."

Health records are another story for another time. But when it comes to this strategy of using social ID for everything, said Wilson, "We're sleepwalking into some true disasters."

Stilgherrian