
I think we need to know...
... exactly what information is accessed by these third-party trackers on a web site that should be a secure, private and privileged transaction.
A new study has warned that third-party trackers litter banking websites and the privacy-invading tech is being used to rate surfers' creditworthiness. Among the top 10 financial institution websites visited in the US and UK, there are 110 third-party trackers snooping on surfers each time they visit. Online privacy firm …
Do modern bank sites work at all with scripting turned off?
The on-line banking sites of four different banks work well enough for me. Apart, that is, from a really strange problem with the site of one bank, a problem which:
a) I could work around and
b) seems now to have gone away.
I get that unspeakable Rapport pop-up as well, every time, for the same reasons, with the same fatuous suggestion from that bank on how to suppress it. Oh for a browser that will let me run in private browsing, but stores just the cookies I choose and refuses/dumps all others...
What makes it worse is that the Rapport pop-up often takes so so long to be served that I am half-way through logging-on, and I have to abort, close the page, and start again...
I use both NoScript and uBlock Origin. NoScript seems to get first crack at things and when I go to my bank's website, it blocks tracking crap from four domains before uBlock Origin gets to see them. If I use a browser with only uBlock Origin, then it blocks all four because they appear on the blacklists that it uses.
There is one additional domain that interferes with the logon process with an annoying popup ad for some crapware. I reported it to the bank's IT department as a possible infection on their site. They said that the popup will go away if I 1) reconfigure my browsers to never delete cookies and 2) let the popup run once. I prefer to just let NoScript block the domain it's coming from.
What about all the 3rd party scripts that are reverse proxied, so they will be coming from your bank's domain, are you going to block them as well? A lot of scripts will run to get a fingerprint of your device to see what else you've been up to, IOVation is just one example...
"What about all the 3rd party scripts that are reverse proxied, so they will be coming from your bank's domain, are you going to block them as well?"
I find that, in practice, most websites I visit don't get this cute. Most bludgeon you with garbage from a massive array of obvious third-party domains. E.g., when I visit the website of a local TV station, NoScript takes out its meat axe and chops out eleven domains (and all the actual content I want to read is still there). This leaves uBlock Origin with very little to do; but it still finds three (non-script) objects on its blacklists and takes care of them. While NoScript might not defend against the kind of thing you mention, this sounds like something that uBlock Origin could potentially deal with, if there's a recognizable pattern to it.
I very rarely see websites with massive quantities of JavaScript coming from just the primary domain; and usually it's something like an amateur WordPress site that I would block completely anyway.
Some sites, which should damned well know better, get their Javascript blocked completely because they self-host too much crap! I don't care if these sites need advertising for funding; when they have a whole side div of double column adverts for their and other people's crap it's too much, so NoScript, uMatrix and Privacy Badger!
The number of third party crap links (ads, trackers, demographics, analytics) was already toxic over a year ago on many commercial and 'free' sites, and is still getting worse(!), so I /have to use/ whitelist driven tools like NoScript and uMatrix to try and retain some privacy and speed; tough, web authors who don't like this, it's your r-type, retarded, promiscuous fault!
I even need Print Edit now for saving pages as text PDFs, even for blog/reference sites, because 50% or more of the page area is not even the actual content, WTF!!!
There is one additional domain that interferes with the logon process with an annoying popup ad...They said that the popup will go away if I 1) reconfigure my browsers to never delete cookies and 2) let the popup run once.
Translation: If you just let us track everything you do, we will stop annoying you with those pesky pop-ups.
Nice.
Classy.
And remember banking websites are not free.
They are there to let us see and control our money, which is why most people will use a bank site.
(many) other financial institutions are available. IIRC in the UK "Money Facts" is the magazine to look for.
@AC / written record
If any of this "rich internet experience" ackamarackus was sincere, they would know that you probably did deposit £100,000. But no, none of that is for our benefit, it is just numbers for the advertising managers.
So you then deposit 100,000 of something else. Not nice.
"Translation: If you just let us track everything you do, we will stop annoying you with those pesky pop-ups."
That's not the worst of it. The pop-up is advertising some security software that the bank would like its customers to install. A quick web search turned up lots of bad reviews of it from people who say it wrecked their machines when they installed it.
The pop-up is advertising some security software that the bank would like its customers to install. A quick web search turned up lots of bad reviews of it from people who say it wrecked their machines when they installed it.
Rapport - let's just get it out in the open. I did try it some years ago - let's just say that its effects were immediate, wide ranging, and resulted in it being uninstalled with no mercy. The little pile of utter s**t.
I keep a separate browser, configured to clean itself on quit. I have the same problem - every login gets the "Install Rapport or you are leaving yourself wide open" popup, and several other problems related to not saving preferences.
And one bank I use has recently "improved" its site to be the worst pile of useless and confusing eye candy imaginable - bad enough that I'm considering changing banks.
Would that be HSBC?
I never bothered with Rapport, partly through laziness, but also a reluctance to install unnecessary crap on my equipment.
To be fair though, I've banked with HSBC for over 20 years and my biggest complaint is their new banking website, which compared to the complete IT system meltdowns other banks have had, isn't that big a deal.
>> I keep a separate browser, configured to clean itself on quit.
>Why a separate browser? Permanent private mode has been the name of the game for years now.
I have a VM *just* for online banking - it does not get used for anything else, yes it has Rapport + noscript + ublock origin.
Good luck finding some tracking history there
No, they are tracking shopping habits and stuff like that to decide whether you are a responsible borrower.
How accurate they are, I've no idea. A few months ago, I was getting loads of adverts for dating sites where I could find the "perfect" boyfriend, not something that appeals to me at all. I don't know where they got that idea from when my browsing history is full of lesbian stuff. Now I'm getting loads of adverts for pregnancy testing kits.
Now I'm getting loads of adverts for pregnancy testing kits.
Perhaps Amazon once presented you with an ad for a turkey-baster?
(If that is in far too bad taste, I apologise and will gladly delete this comment.)
But it just goes to show how dangerous all this data-gathering can become. Some bank somewhere decides that their algorithm is ~70% accurate, which is far better than what their loan officers can achieve, and they switch over to trusting the algorithm and rejecting 20-30% of applications regardless of real-world merit or individual circumstance.
And tomorrow, it will be for incontinence pads.
I've seen the same sort of thing.
Any time I use a Bank etc then it is done from a Linux VM that is restored once I'm done with it.
One UK Financial Institution (scumbags) leaves 60+ cookies and other nasties behind for each visit. If the returns on my investment over the past three years had not been so good, I would have stopped using them a long time ago.
"It would have been funnier if your username was not female."
I'm sure there are men out there getting ads for pregnancy testing kits.
If you have a Twitter account, you can see what gender it thinks you are. It doesn't ask when you sign up; they make assumptions based on various things. It got mine right, but its accuracy seems to be little better than random.
I put together a PC for my son a couple of months ago ... he's studying engineering at university and said he wanted a desktop as his laptop was not good enough for some CAD programs he wanted to run. So to check the spec I asked him what CAD programs he'd want to run. One of them was SolidWorks so I did some research on this ... result is that two months later virtually every page I browse on my phone (which doesn't have an ad-blocker) is littered with offers for a free trial of SolidWorks. I suppose it makes a change from the weeks after I'd been researching how to fix a leaking flush valve in our toilet!
... as with most things, all of this is stated in the small print. It's just that nobody bothers to read it and then complains and acts shocked when this sort of thing happens.
You know when you get one of these "annoying" Cookie Policy notices and just dismiss it? Well, that's where they're telling you more about what they're doing, but you're too annoyed to bother reading it.
*cough* https://www.theregister.co.uk/Profile/cookies/ *cough*
"... as with most things, all of this is stated in the small print. It's just that nobody bothers to read it "
You are referring I presume to multiple pages of legalese, a jargon crafted specifically to obfuscate information? I've read plenty of them, and they make it as difficult as possible to know exactly what you're agreeing to.
Doesn't matter anyway! Their TOC always states they can change anything anytime without notice or approval from you. So whatever you agree to TODAY won't protect you any longer than it takes for the echo of the mouse click to fade.
I think it's cheap clickbait here on two counts. First, because the readers here hold a smug view of being (somewhat) more intelligent than those feeding off gutter press specimens (discuss), and secondly because they / we are far superior in protecting their data where it matters, in many ways.
p.s. And thirdly, you should know it, so it's kinda lazy, thus somewhat offensive.
Interesting little war I had with a local UK bank (currently up for sale - going cheap)... At one stage I was unable to log on to manage my internet account with an ad-blocker/tracking blocker installed/running.... stop the blocker - all works well... Long and short of many tech support discussions with the bank was - "if you want to do online banking, you agree to being tracked (they were using an Adobe product...) - see terms and conditions on said bank website". ICO disagreed and things quietly changed (I changed bank in the meantime)...
So who is watching you while you bank online and who has access to your "anonymized data"...?
That's why I use another browser for banking. My main browser is Firefox with Ghostery, blocking all trackers, and my banking browser is something else, with 1% market-share, where they can track me all they want there is nothing to see since I don't use it for anything else. And then there is my Tor-browser for when I really want to be on the safe side.
I don't say that NSA can't see me, but I'm making their life more difficult.
I'm with Local Laddie, if the only leverage we have is to bank elsewhere then make it so. My own bank would love me to use their new account and offer incentives like interest on the current a/c but require me to transact online through my phone which I 'can do anywhere'. Not convinced that having my data streamed through a third-party wifi is any safer than having a stranger enter my PIN; it's not happening. Likewise my bank card was replaced at my request with one lacking an RFID chip. I know the risk and I'm not taking it; it is my choice, not the bank's.
A few years ago, merely logging on to Santander's online banking involved a redirect through doubleclick (which meant you couldn't log on if you'd hosts-file sinkholed doubleclick).
Just one of the many irritations (including leaking my Sant-unique email address to spammers) which saw me walk away from Santander.
Consider, if you will, the tsunami of crap junk mail/email you get when you open a bank account and in particular get a credit card. The trackers honestly don't matter because the banks are going to sell the raw server logs to anyone who waves half a groat in their direction.
Just wondering - and may well be wrong - but what would be a legitimate use for any client side scripting on a banking web application?
Validation? Hell no. It may be used to enhance the UI, but should obviously be being done server-side.
Ajax? I'd rather have a slower experience with full page reloads and everything done server-side.
UI / UX enhancements? I don't need the developers to give Chrome a boner. Just serve the plain HTML and style it with CSS. We don't need any fading and transition bullshit thanks.
Erm, can't think of many other uses for client side js... Please can someone expand on this? I honestly don't see why you'd have to use any client side scripting. If you're showing people their balance, or they are submitting (posting) a form, why not just let the server side application take care of it all? Modern web developers will cite UX no doubt, but I'm pretty sure you can still build a full application with absolutely no client side scripting... Unless anyone has 2 cents (no pun intended) otherwise?
If this were the case you should be able to use every banking app with js completely disabled...but you can't.
Two that I can think of and have used on websites I've built. (And I would love to find HTML/CSS alternatives to.) First is automatically jumping from field to field when filling in a form. The second is popping up a calendar to select a date. My bank uses this second feature and it truly is convenient for choosing when the bill payment needs to be made.
A third is filtering characters, so that non-numeric characters aren't entered into a numeric field. Sure, you could do it server-side, but then when someone enters "100/23" they may try to transfer 10023.00 instead of 100.23
There are a lot of things that are far better done on the client than on the server.
"when someone enters "100/23" they may try to transfer 10023.00 instead of 100.23"
Oh dear. That's exactly why I mentioned server side validation in the original post. You can still post the value "100/23" from the form but the validation on the server should check that's a legitimate monetary value (which it isn't, as it contains a /). I take the point that you might stop them posting it *at all* by using client side validation, but the principle still applies that the server should sanitize then validate all user input from forms anyway, so it's kind of redundant.
I take it that you don't have a lot of experience in UI implementation?
You ALWAYS do server-side validation, no matter what validation you have on the client side; however, if you can eliminate the round-robin trip then why not -- or would you prefer to return the web back to the 1990s? In my example you prevent the user from even entering the slash - a simple regex on the keyup is all that is required - not some clunky onsubmit validation.
In your solution, the entire page would have to be re-transmitted and re-rendered. With client validation you don't even have the opportunity for the error.
In your solution the client couldn't even know that they had made an error until after they had tried to submit the request.
Do you want a form to change based on whether a checkbox or radio button is selected? Then you need JavaScript. Even if you do everything on the server and resend the entire form, you need JavaScript in order to SUBMIT the form since without it you need an actual submit button (and of course the form will submit if they happen to hit enter without filling out the form). Over a high-latency connection this type of site design would be a customer-service killer. If you are going to have that poor of a design, why bother to have a web page at all?
Not to say that JavaScript isn't over-used with lots of heavyweight libraries that aren't needed - but to say that there is NO legitimate use is clearly incorrect to anyone with any web development knowledge.
Current security standards say that the web servers handling entered data must always strictly and fully validate all data from a client, including using a page-populated unique token, stored in a session, and checked for in the input data. The idea that you can have stateless or no sessions, or do non-strict validation, is security retarded.
Client side Javascript checking of values is fine for faster rejection of iffy values, but the server must always strictly check for bad input data and reject it, this is because a spoofing/hijack exploit may bypass the page Javascript checks and attempt to pass harmful data!
The problem is that too many sites use too complex and obfuscated Javascript framework based code, so break in unknowable/annoying ways, so can run very slowly on even high spec. PCs and be vulnerable to, or even cause, security exploits!
"jumping from field to field when filling in a form"
tabindex in the HTML?
"calendar to select a date"
http://www.html5tutorial.info/html5-date.php - although this won't work in older browsers. Maybe degrade it back to using a series of dropdowns (day, month, year)?
And how do you propose to degrade it without client-side scripting? The server could guess based on user-agent, but then it would have to know the capabilities of every version of every browser ever made or yet to be made -- which is why solutions like browsercaps and server-side browser detection were broken from the very beginning and aren't used by anyone with a brain - if you need detection then it is done on the client side based upon capabilities and not some arbitrary text string.
And if you did use your dropdowns, without client side scripting you couldn't even limit the number of days based on the month selected - so you would HAVE to allow the user to enter February 31st and then reject it as an error after form submission, making them correct it and resubmit it again. Not a very user-friendly solution.
One common use is "responsive web design" where the js modifies the page to fit various size screens under certain rules. Many designers think it's better to make one page full of "if"s and rules than to maintain separate desktop and mobile sites. I see points for both sides, I think it depends on the site.
Isn't it obvious, all these scripts are to make the site "fresher and more responsive" - or at least, that's the sort of canned excuse I've had back from one bank that's recently "improved" its site to be far slower and harder to use than it used to be!
Yes, that's a joke. You are right, there are very few legitimate uses - most of this crap is just that, crap. Just well polished crap designed to "look pretty and never mind the function" (or lack of function).
Thinking back to an issue I had with HSBC last year. If memory serves, this problem occurred when they updated their online banking site (personal) to the current version (which, it has to be said, is rubbish - but that's another matter)
I had trouble logging in - it would get so far, and then show me a message saying something like "Loading data" with the spinner that never seemed to stop spinning; the data would never load. I tried it with more than one combination of browser and platform.
They initially replied saying that Palemoon isn't supported, until I pointed out it's a Firefox offshoot. A little later, they suggested the issue is either caused by private browsing mode, or the use of Ghostery.
After they said that, I worked out what Ghostery needed to allow in order for the site to work - cookies from Webtrends. Their bollocks excuse was "There are elements that we track to help us protect your account online."
Solution: Whitelist WebTrends for HSBC - but they track sod all because all cookies are wiped at the end of a browsing session anyway.
"By comparison, HSBC had only two and JPMorgan Chase had nine. Other figures include TD Bank (20), BNY Mellon (14), US Bank (9), Bank of America (6), Citibank (6), Capital One (6) and Wells Fargo (5)."
I have charge accounts at two of these banks; and they're doing a lot more than just hiding trackers that fly under most customers' radar.
Recently, both of them have started nagging me (as a new phase in the account log-on process) to tell them my current income "so they can update their records." Neither actually requires it, as I can work around this by closing the browser and re-starting the logon. One of them openly admits this is purely for marketing reasons so they can present me with advertisements tailored to my income level; and I assume the other is the same.
I have complained to Santander about their web-site over years - they never fixed it.
If you are a customer and login - hover your mouse over "Loans" on the right-hand-side.
You will see the link goes to doubleclick advertising network - even though you are "securely" logged into your bank account?
Mind you, if you are NOT a customer you can read about loans at Santander on their web-site.
It's only harvesting information from you when you are LOGGED IN to Santander, and sharing it with the google doubleclick tracking network.
I came across this forum while trying to trace 'Santander' and 'doubleclick.net'. I was unable to follow a link from my logged in banking page, because it was trying to take me to doubleclick.net which is blocked in my hosts file. I originally thought it was a local virus, but scanning found no trace so I asked Santander about the link. Twice on the phone, and once by secure message they have said that the link to doubleclick did not come from them.
I can see it in the HTML,
<li class="savings"><a href="http://ad-emea.doubleclick.net/clk;...some numbers removed ...;k" target="_blank">Savings</a></li>
but how can I prove this came from them, rather than some code injection on my machine?