I Hope Edo is Worth the Privacy Risk

Wednesday, May 16, 2012

Keith Mendoza


About a week ago, I read on Techcrunch about a new daily deal service called edo that ties into your bank account, and the first thing that came to my mind was “uh oh, another attack vector into my bank info”.

What makes this service unique is the fact that it’s attached to your credit or debit card. That bothers me from a security standpoint.

Poking through the “edo” website and reading the Techcrunch article, we find out how this new service works. Here is a list of features that are potential attack vectors from a high-level standpoint:

  • It’s white label, meaning that you as a consumer may not even know that you’re using edo’s service through your bank’s website/application.
  • Since it’s white label the bank/credit card company gets to decide whether you’re opted in or out by default.
  • It uses your past credit/debit card usage to figure out what deal you might be interested in.

I have issues with the first two bullets from a privacy-settings standpoint, but I’m not going to deal with them here. What I want to deal with is the fact that this service uses past credit/debit card transactions to figure out what deal it should send to the customer.

That would mean there is an interface between edo and the bank’s credit card database. There had better be something making sure that an attacker cannot come in from edo’s system, hop across the interface to the bank, and into the credit/debit card database.

The Techcrunch article points out that “the banks don’t need to pull any personally identifiable info, your demographic profile, or anything else but how you like to spend and where you spend in order to start sending you offers.”

So how exactly will the bank send the “daily deal” email to me? Right, my email address on record will have to be used. So how do they plan to do that?

Sure, that “personally identifiable” information might not be handed over to edo for the pattern analysis of which deals should be sent to me; however, I have a feeling that edo will get it eventually.

edo just flat out bothers me. It’s one thing for Amazon.com to run pattern analysis to suggest other items to you; it’s totally different for a third party to use my credit and debit card records to send me daily deals.

What’s worse is the fact that this service can fly under the bank’s colors.

Cross-posted from Home+Power

Marc Quibell: I read edo briefly, I do not have any indication this edo system gets into your credit card database and is able to view your transactions. From what I see, you sign up (enroll - and you provide your contact info, such as # for SMS or email) for this 'prewards' at a store, they send you deals, you take advantage of that deal, then the prewards says "hey thanks" and that's where edo records your transaction.

You see, they don't get your email from your bank...That would be highly illegal!

I do not see them tracking all of your purchases with your card. It only records your transactions within the Prewards program.

Look, if you want a convenient way to save money without coupons...etc, it looks like a good program, but at the same time, while you're saving money, they start tracking where you use the Prewards credits. There's a trade-off. That's the worst it gets.
Michael Johnson: From the Techcrunch site: 'In fact, in some cases, you don’t even need to sign up – you’re opted in by default by your bank. (Opt-out is available, of course).'

And: 'The company also targets its offers based on your previous transaction history'

The key question is how much data will edo be storing? What kind of data exactly?