It’s a familiar scenario: You go online to do some shopping, but before you can start window shopping, you’re prompted to sign in to the site, either by:
- Filling out several fields of your personal information and creating yet another password you have to remember, or
- Clicking one button and allowing the site to use your Facebook account to sign in.
There’s no doubt that using your social media account to sign in to certain sites is an easy, quick way to peruse online sites, but the risks involved might not be worth the benefit of convenience.
Connected Log-in, also called a Social sign-in (SSI) prompts are growing in popularity and are commonly found on online-only shopping sites such as Wayfair, Zulily, Joss and Main, and Dot and Bo. The idea behind SSI is to use a social media account such as Facebook or Google in lieu of creating a new profile from scratch.
According to a 2015 survey by , 88 percent of U.S. consumers have used an existing digital identity to sign in to a third-party website. Morey Haber, vice president of technology and chief technology officer at international cybersecurity firm BeyondTrust , says the click of a button gives third-party sites more than your name and birth date.
“The risk—very simply—is how much information are those sites extracting from your profile right out of the gate?” Haber says. “Even if you just want to browse, when you hit accept, they can take anything from your profile [such as your] birthdate [or] home address. [Sites] extract anything you accept in their terms, and they can extract quite a bit.”
From there, marketers use your social information to target ads your way. For example, remember that household item you were considering but never purchased? You might not-so-coincidentally see an advertisement for that same item show up in your Facebook news feed within hours of shopping for it.
“They want to know who the person is when they walk in the door,” he says. “They’re looking for contact information to spam, to sell, to whatever their purpose is.”
Haber says there are various levels of risks associated with each type of site. He notes that he personally has no problem using SSI for a shopping site (which he labels “low risk”), but once a credit card is required or anything financial becomes involved in account creation or signing in, he labels it high risk and bows out.
“It’s dangerous when you’re using [SSI] for financial sites or things that are more sensitive and higher risk,” he says. “[There are] certain vendors that are more trustworthy than others. If users see a McAfee logo on a vendor, that just means the site is protecting the front end and not necessarily the back end. It’s supposed to give some reassurance, but it doesn’t.”
What if hackers decide to target a site on which the majority of account holders are using SSI? Though it hasn’t happened yet on a large scale, if a site like this were to be compromised, would the information be used to access Facebook and associated accounts en masse?
“Architecturally, it’s not supposed to happen,” Haber says. “But to be safe, I always recommend that you don’t use the same email address for everything. Put your bank’s sensitive info on one email address, and don’t give it out to people. Set up another for social media [and another] for spam. Set up at least two email addresses outside of work.”
The information contained in this blog post is designed to generally educate and inform visitors to the Equifax Finance Blog. The blog posts do not give, and should not be assumed to provide, personalized tax, investment, real estate, legal, retirement, credit, personal financial, or other professional advice. Before making any financial decision, you should always consult with the appropriate professionals who can explain your options, rights, and legal responsibilities, and advise you on any tax, legal, credit, or business implications that may result from those decisions. The views and opinions expressed by the authors of blog posts are their own views and may not be the views or opinions of Equifax, Inc. and/or its affiliates.