Twitter as a PayPal killer? Umm, not so fast
* Ryan Naraine is on vacation.
Guest Editorial by Dan Glass
There are many pitfalls to this but I will start by tackling the obvious concerns. Twitter is extremely user-friendly by allowing users a plethora of interfaces: SMS, IM, third-party apps and Web sites, and, of course, the Twitter site itself. With so many ways to communicate, how do we verify that the person sending money is actually authorized to do so? If a Twitter users’ Facebook, Google Talk, or Netvibes account becomes compromised, their money is instantly at risk. Users of SMS are at even greater risk as there is absolutely no authentication or authorization – the phone number itself is the only way to "prove" you are the sender. Unfortunately, SMS is easily spoofed, and there are multiple Web sitesapplications that allow you to send a text message from any phone number you wish. Nitesh Dhanjani wrote about how Twitter is already vulnerable to this sort of attack; imagine the havoc that would be caused by spoofed test messages that transferred funds.
Since users are limited to 140 characters per tweet, the use of URL redirection sites is a normal (and encouraged) practice. Unfortunately, that opens up users to cross-site scripting attacks that would be crafted to send money between accounts without the user’s knowledge. All a malicious user would need is one hit every once in a while to make it worth the trouble of setting up a bot to send random URLs to users. And while Twitter has said it is cracking down on bots, it is a long way from solving that problem.
Beyond the security issue is stability. What happens to payment messages that get lost when Twitter is down? Do you resend when the site is back up? What if an acknowledgement message is lost during downtime? Twitter users have gotten used to seeing the "Fail Whale" quite often over the past few months and they are vocal with their frustration. Multiply that frustration with the anger one would feel if his or her payment got screwed up. Availability of data is one of the cornerstones of security and until Twitter has a its stability problems fixed, any payment system would be a nightmare.
Many of the issues I bring up have possible solutions. Two-factor authentication is something that has come up as a possible solution to ensure the Twitter user is the actual account holder. But one major issue with a two-factor solution is timing. A one-time code can be attached to a message but if Twitter is down or if the message gets delayed for a period of time then the tweet will eventually get through but the code will no longer be valid. There are many other issues with two-factor authentication such as spoofing, man-in-the-middle attacks, and non-security issues such as deployment and support.
Even if a secure method of tweeting money from one account to another can be worked out and the legal and payment issues are smoothed out, the biggest question that remains is: why bother? If I have to carry a token with me or log into the Web site to send money the benefits of a Twitter payment system goes away and I am left to wonder: "Why don't we just use PayPal?" Ultimately, that question -- not ones of stability or security -- is the one that will keep Twitter from joining the online payment industry anytime soon.
* Dan Glass is senior information security architect for a Fortune 500 company. Read more of Dan's views on security issues at Security Karma. You can follow him on Twitter.