17 Jun 13

I Am Concerned – Linkables

I got notified of a new service that is popping up at merchants these days, particularly grocery chains.  The service is called Linkables (mylinkables.com) from Linkable Networks, Inc.  The issue I discovered with this service is not PCI related, but it is privacy related.  With all of the discussion going on regarding the NSA collecting and analyzing telephone records, I think this is a good venue to make people aware of a practice that is possibly even more risky than storing PANs.

According to their Web site:

“Linkables are savings offers that can be connected to your credit or debit card to deliver savings to you automatically after you shop. It’s a simple and convenient way to take advantage of advertisers’ online and offline promotions, with no coupons to clip and no paperwork after you shop. Offers can be used online and offline just by using your credit or debit card.”

When you go to the Linkables Web site, you set up an account using an electronic mail address and a password, as is standard operating procedure these days.  But where this service goes terribly wrong is in the registering of the subscriber’s credit/debit card(s).  While you are required to provide your PAN and expiration date, you are then also required to provide your logon identifier and password for the online banking system of the bank that issued the card.

Yes, you read that right.  The customer needs to provide access to their online banking system.  The reason given on the Linkables’ FAQ is:

“To deliver your savings, MyLinkables needs to be able to see when you redeem offers. To identify your redemption transactions in a secure way, MyLinkables prompts you to enter your card number and expiration date, and in some cases, your online banking credentials. This is to establish a secure connection for ongoing read-only access, and for the ability to credit your account with your savings. This connection is sustained via a PCI-compliant secure token. For some banks, we are able to create this connection without asking you to enter this information.”

The first problem I have with this is that Linkables invokes PCI compliance as though it should provide some sort of comfort to their customer.  However, PCI compliance has nothing to do with access to someone’s bank account.  They have a green-colored seal at the bottom of their home page indicating that they are “Payment Card Industry Data Security Standard PCI Level 1,” which is meaningless on a variety of levels.  If you read the FAQ, PCI compliance is brought up all over the place, not only for securing cardholder data but to imply that Linkables is secure as a whole because of its PCI compliance.

But even more troubling is the fact that, in order to provide you your rebates, they need access to your online banking account.

To give customers a better sense of security, the following FAQ answer is given to the question of what happens if someone does manage to compromise Linkables and obtain customers’ online banking login information.

“No, MyLinkables encrypts your card number and expiration date, and does not store your bank account credentials. The identifier that was created when you entered your account credentials is encrypted, never displayed within MyLinkables, and connects to your account exclusively with read-only access to view your completed transactions. In addition, details about your banking transactions are not stored in MyLinkables.”

You might want to read that response multiple times, as it makes no sense.  In the first sentence they claim they do not store the credentials; then the second sentence appears to imply that the credentials are stored, but encrypted.  But the really troubling statement is that somehow Linkables only gains read-only access to the customers’ bank accounts.  I have audited a lot of online banking environments over the years and I have never run across one that offered read-only access.  Last I knew, my online banking credentials gave me full access to my accounts.  So the only way Linkables can ensure that it has read-only access must be that its software simply chooses to read information and nothing else.

The bottom line on this service is that either this is the biggest legitimate-looking scam to obtain access to people’s bank accounts through their online banking systems, OR this system was developed by people who had no clue as to how the financial systems of the world operate.  I am hoping it was the latter, but I really have to wonder based on the FAQ answers.

The PCI SSC and the card brands should be concerned about this service’s abuse of the PCI standards.

Update:  I got the following response today from Linkables to the question I put to them about why online banking credentials are required.

“We’ve partnered and integrated with Visa and MasterCard.  When you register a Visa or MasterCard, only the 16-digit card number and expiration date are required.

We’ve not yet completed our integration with the AMEX and Discover card networks, however.  Until then, cards must be registered via Yodlee, our PCI-Compliant processing partner.  Yodlee then communicates with the card-issuing bank and is issued their own token for use in receiving read-only transactional data from the bank.  We don’t have any access to initiate any new transaction of any type.”

While I get this, I still do not understand what the bank has to do with anything.  They state that they need transactional data from the bank, yet the customer’s bank would not have transaction detail other than a total transaction amount.  As I understand it, Linkables is refunding like a coupon.  So they need to know that you purchased ABC Orange Juice, for example, so that they can rebate $1USD to your account.  That detail comes from the merchant that sold the orange juice, not from the bank.  The mystery about this service just gets worse, not better.
