How banks are putting their Facebook fans at risk

3 min read. Published: 19 Jul 2011

Earlier this month First Direct opened the doors on its new Facebook page. The associated PR was quick to point out

‘first direct was founded on the idea that we should engage with our customers in the way that they want to engage with us. 21 years ago that meant being open and on the phone 24/7, then it was Internet Banking, mobile phones, apps, twitter and now it’s via Facebook. The common factor is that it’s the people that matter, not the channel.

‘Of course social media is a challenging environment especially for old fashioned banking organisations who are having to break down the barriers to conversation, but in the end we find that the more we can interact with our customers the more we are able to build trust between both parties.’

On the surface this seems like a great idea. For once a bank is trying to connect with its customers in a way that is more relevant to them. So I should be backing this initiative, right?


This initiative shows little appreciation or understanding of how people interact with Facebook and, more crucially, what information they share. At the time of writing the First Direct page has 1601 fans, who it can reasonably be assumed are all current customers of First Direct. Why else would you "like" a bank on Facebook?

And that's where the guess work ends.

All of these fans have varying amounts of personal profile information freely available to the public. After a quick five-minute browse I found people who were sharing a huge amount of personal information with the world, including:

  • Full Name
  • Date of Birth
  • Place of Birth
  • Town currently living in
  • Schools attended
  • Higher Education attended
  • Marital Status (and who they are married to)
  • Favourite Films
  • Favourite Songs
  • Other general interests

Can you see where I am going with this?

All of that information is available without me even looking at a single status update, which can also contain a wealth of information (and nonsense).

Every one of the above bits of information is a common security question on many banking services, including First Direct.

Well that's not the bank's fault is it?

No, it's not, but they should recognise the risk they expose their customers to by entering a social platform where their customers' personal data can be viewed simply by clicking on their names on the First Direct Facebook wall.

The page immediately states that customers shouldn't talk about personal bank details or ask account-related questions in public. So really, what's the point of the page? Does anyone really want to talk to their bank about the latest episode of The Apprentice?

So banks shouldn't use social media?

No, I believe the complete opposite. Banks need to embrace whatever media is relevant to their business and their customers. Twitter would seem the most logical service to concentrate efforts on, given its growth and history of brand and customer interactions. More importantly, by following First Direct on Twitter my profile will not allow all of the information above to be accessed directly from a central page (Twitter's user profile is less detailed).

Are the potential risks that bad?

If you think I'm being a tad over the top when explaining the potential risks, then think again. Two years ago a friend was on holiday in Portugal and put her passport and purse in her room's safe before going out to dinner. When she returned she found that someone had broken into the hotel room and literally ripped the safe out of the wardrobe and stolen it. She immediately contacted her bank to tell them of the crime.

She was subsequently informed that the thief had withdrawn hundreds of pounds from her account and must have guessed her PIN by entering her year of birth from her passport.

At first the bank refused to refund her the money, saying she had ignored advice about PINs and had stored her card alongside her passport, and therefore she was to blame. So is electronically storing your personal data alongside that of the relevant bank any different?

After all, if fraudsters will raid your rubbish bin looking for scraps of personal information that they can use to steal your identity or money, then the internet has just made their job that bit easier.

So Mrs XX from Saint Albans, who now lives in Lichfield, was employed at Housing Plus Group (Sept 1997 to June 2011), Bromford Housing Group (Jan 1992 to August 1997) and Shelter (Oct 1991 to Dec 1991), and went to school at Francis Bacon School.

I'm going to hazard a guess that any PIN or passcode on your First Direct account is 1969, the year you were born.


OK, how about 0707, your wedding anniversary?

(Real example, name removed.)
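The bank-side control this points to is a PIN policy that refuses codes a customer has effectively published. The following is an added example, not code from the article or from First Direct: it rejects any four- or six-digit code that is a simple rearrangement of the day, month or year of dates known to be on the customer's profile (year of birth, wedding anniversary), alongside the usual repeated-digit and sequential-digit checks. The profile dates are constructed; the article gives only the birth year 1969 and the anniversary 0707, so the day and month of birth and the anniversary year are invented here.

```python
from __future__ import annotations
from datetime import date

# Constructed sample profile dates. The article names only the birth year (1969)
# and the anniversary 0707; the day/month of birth and the anniversary year are
# invented so the example can run.
SAMPLE_PROFILE_DATES: list[date] = [date(1969, 3, 14), date(1995, 7, 7)]


def date_derived_codes(dates: list[date]) -> set[str]:
    """Every 4- or 6-digit code that is a trivial rearrangement of the day,
    month and year of the given dates (YYYY, DDMM, MMDD, DDMMYY, ...)."""
    codes: set[str] = set()
    for d in dates:
        dd, mm = f"{d.day:02d}", f"{d.month:02d}"
        yyyy = f"{d.year:04d}"
        yy = yyyy[2:]
        codes.update({
            # 4-digit forms
            yyyy, dd + mm, mm + dd, dd + yy, mm + yy, yy + mm, yy + dd,
            # 6-digit forms
            dd + mm + yy, mm + dd + yy, yy + mm + dd, yy + dd + mm,
            yyyy + mm, mm + yyyy, yyyy + dd, dd + yyyy,
        })
    return codes


def is_sequential(code: str) -> bool:
    """True for runs such as 1234 or 6543 (every step is +1 or every step is -1)."""
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return steps in ({1}, {-1})


def check_pin(code: str, profile_dates: list[date]) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects malformed codes, repeated or
    sequential digits, and anything derivable from the customer's known dates."""
    if not code.isdigit() or len(code) not in (4, 6):
        return False, "code must be 4 or 6 digits"
    if len(set(code)) == 1:
        return False, "all digits are identical"
    if is_sequential(code):
        return False, "digits form a simple sequence"
    if code in date_derived_codes(profile_dates):
        return False, "code is derived from a date visible on the customer's profile"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("1969", "0707", "140369", "1234", "4817"):
        ok, why = check_pin(candidate, SAMPLE_PROFILE_DATES)
        print(f"{candidate}: {'accepted' if ok else 'rejected'} ({why})")
```

In practice the bank already holds the date of birth from account opening, so the check needs no scraping of anything: it only compares the chosen code against dates the bank itself knows, which is exactly the data the article shows customers are also publishing. Run with the constructed dates, 1969, 0707 and 140369 are rejected as date-derived, 1234 as sequential, and 4817 is accepted.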

So please share this article via Facebook, Twitter etc. using the tools below and spread the word to your family and friends.