21 September 2009

What Web Security Means? Watch Your Wallet.

You'd have to have been living under a very mossy rock during the last decade to not have noticed the torrents of spam, spyware, adware, tracking cookies, trojans, and viruses washing over the Web landscape.  Admittedly, vendors -- even Microsoft to some extent -- have been making lots of improvements in protection.  But it's still wild out there.  And the bad guys have been shifting their game over the last few years. It's no longer about fun, or proving something, or general mischief. It's all about the money: our credit card numbers, our bank account numbers, our mothers' maiden names. It's even about taking your computer, just a little bit, and turning it into a zombie that is part of a network of hundreds of thousands of other zombies in your unsuspecting neighbors' family rooms, all ready to do the bidding of a criminal gang.

A large population now uses social networking tools like Facebook, MySpace, Twitter, and the like. These sites have done a lot of work, under a lot of pressure, to improve the privacy aspects of their services. But there's a funny problem with security on social-networking sites. If you receive annoying spam or even a semi-malicious worm that posts inane stuff to your and your friends' profiles, it's quite frankly just an annoyance. Since social networking sites have historically been used mostly for leisure-time activities, advertising, and non-real-time communications, interruptions from security issues just aren't that disruptive in real-world terms (with certain exceptions, of course).  If I can't play Lexulous for a few days due to a security issue, my lifestyle and my bank account aren't affected (though my competitive ego is!).

But now the social networks want my wallet.

Facebook, for example, is getting into handling payments within its framework. MySpace is doing this, too. [Let me just stop there: have you seen MySpace's horrendous design and code? Do you want these same people handling your credit cards?] The ideas are surely a money-maker for them, and a convenience for users. And another pair of security nightmares...

First: worms, viruses, and trojans are going to turn from annoyances to financial risks. If social networks are somehow storing your financial data, then the bad guys (see above) are going to target this data. If MySpace and the others don't do their jobs very, very well, then they might expose users' money, not just their blog posts.

Second: fraudsters will see an opportunity in a virtual-goods economy to sell fake things for real money, and steal real money from people hoping to get virtual goods. Again, the social network operators will have to think very hard about how to manage the interface between the virtual economy and the real economy, or real money will leak out of that interface into criminals' hands.  (It was a joke when Richard Pryor did it. Not so funny when it's not funny money.)

So the best advice for the crowded, monetized social network? The same advice as for the crowded subway: watch your wallet.