About a week ago, I read on Techcrunch about this new daily deal service called edo that ties into your bank account, and the first thing that came to mind was "uh oh, another attack vector into my bank info".
What makes this service unique is the fact that it’s attached to your credit or debit card. That bothers me from a security standpoint.
Poking through the "edo" website and reading the Techcrunch article, we find out how this new service works. Here is a list of features that are potential attack vectors, from a high-level standpoint:
- It’s white label, meaning that you as a consumer may not even know that you’re using edo’s service through your bank’s website/application.
- Since it’s white label the bank/credit card company gets to decide whether you’re opted in or out by default.
- It uses your past credit/debit card usage to figure out what deal you might be interested in.
The first two bullets I have issues with from a privacy standpoint, and I'm not going to deal with that here. What I want to deal with is the fact that this service uses past credit/debit card transactions to figure out what deal it should send to the customer.
That means there is an interface between edo and the bank's credit card database. There had better be something making sure that an attacker cannot come in from edo's system, hop across the interface to the bank, and on into the credit/debit card database.
The Techcrunch article points out that “the banks don’t need to pull any personally identifiable info, your demographic profile, or anything else but how you like to spend and where you spend in order to start sending you offers.”
So how exactly will the bank send the "daily deal" email to me? Right, my email address on record will have to be used. So how do they plan to do that?
Sure, that “personally identifiable” information might not be handed over to edo to do a pattern analysis of what deals should be sent to me; however, I have a feeling that edo will get it eventually.
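To make the split the Techcrunch quote describes concrete (spending patterns go to the partner, the e-mail address and card data stay at the bank), here is an added example. It is not edo's or any bank's code; it shows one way such a scheme can be built so that the partner only ever sees a keyed one-way token per customer, the export is checked for PII before it ships, and the bank alone resolves tokens back to e-mail addresses for delivery. The sample customers, transactions, field names and the bank-held secret key are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: what a bank holds internally. Card number, name and
# e-mail are the fields that must never cross to the partner.
BANK_CUSTOMERS = {
    "cust-001": {"name": "A. Example", "email": "a@example.net", "pan": "4111111111111111"},
    "cust-002": {"name": "B. Example", "email": "b@example.net", "pan": "5555555555554444"},
}

BANK_TRANSACTIONS = [
    {"customer_id": "cust-001", "pan": "4111111111111111", "mcc": "5812", "merchant": "Pizza Place", "city": "Austin", "amount": 42.10},
    {"customer_id": "cust-001", "pan": "4111111111111111", "mcc": "5812", "merchant": "Taco Stand", "city": "Austin", "amount": 18.50},
    {"customer_id": "cust-001", "pan": "4111111111111111", "mcc": "5541", "merchant": "Gas Co", "city": "Austin", "amount": 55.00},
    {"customer_id": "cust-002", "pan": "5555555555554444", "mcc": "5941", "merchant": "Sports Shop", "city": "Denver", "amount": 120.00},
]

# Assumed bank-held secret. It never leaves the bank, so the partner cannot turn
# a token back into a customer id, let alone a card number or e-mail address.
BANK_TOKEN_KEY = b"bank-only-secret-rotate-me"

# The only fields the partner is allowed to receive (assumed policy).
ALLOWED_FIELDS = {"token", "mcc", "city", "amount"}


def pseudonymize(customer_id: str, key: bytes) -> str:
    """Stable, keyed, one-way token for a customer (HMAC-SHA256)."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()


def build_partner_export(transactions: list, key: bytes) -> list:
    """Bank side: project each transaction down to the allowed fields.

    The partner gets a pushed copy of this projection; it never gets a query
    path into the transaction database itself.
    """
    return [
        {"token": pseudonymize(t["customer_id"], key), "mcc": t["mcc"],
         "city": t["city"], "amount": t["amount"]}
        for t in transactions
    ]


def export_leaks_pii(export: list, customers: dict) -> bool:
    """Bank-side release gate: reject an export carrying a disallowed field
    name or any value equal to a customer id, name, e-mail or card number."""
    pii_values = {v for c in customers.values() for v in c.values()} | set(customers)
    for row in export:
        if set(row) - ALLOWED_FIELDS:
            return True
        if any(str(v) in pii_values for v in row.values()):
            return True
    return False


def partner_pick_offers(export: list) -> dict:
    """Partner side: total spend per token per merchant category, then target
    the category each token spends most in. Output is keyed by token because
    tokens are all the partner ever sees."""
    spend = defaultdict(lambda: defaultdict(float))
    for row in export:
        spend[row["token"]][row["mcc"]] += row["amount"]
    return {token: max(cats, key=cats.get) for token, cats in spend.items()}


def bank_deliver(offers: dict, customers: dict, key: bytes) -> dict:
    """Bank side: map tokens back to e-mail addresses using the bank-held key.
    Unknown tokens (e.g. forged by the partner) are dropped, not guessed."""
    by_token = {pseudonymize(cid, key): c["email"] for cid, c in customers.items()}
    return {by_token[t]: mcc for t, mcc in offers.items() if t in by_token}


if __name__ == "__main__":
    export = build_partner_export(BANK_TRANSACTIONS, BANK_TOKEN_KEY)
    if export_leaks_pii(export, BANK_CUSTOMERS):
        raise SystemExit("refusing to ship export: PII present")
    print(bank_deliver(partner_pick_offers(export), BANK_CUSTOMERS, BANK_TOKEN_KEY))
```

Two caveats worth keeping in mind with this design. The token is only one-way because the key stays at the bank; if the partner ever obtains the key (or the bank's token-to-customer table), the pseudonymization is gone. And a token that is stable across exports is exactly what lets the partner build a spending profile over time, which is the product, but also the linkage the article is uneasy about; rotating the key per batch would break the profile along with the linkage.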
edo just flat out bothers me. It's one thing for Amazon.com to run pattern analysis on your purchases to suggest other items to you; it's totally different for a third party to use my credit and debit card records to send me daily deals.
What's worse is that this service can fly under the bank's colors.
Cross-posted from Home+Power