Banking websites are 'littered with trackers' ogling your credit risk

A new study has warned that third-party trackers litter banking websites and the privacy-invading tech is being used to rate surfers' creditworthiness. Among the top 10 financial institution websites visited in the US and UK, there are 110 third-party trackers snooping on surfers each time they visit. Online privacy firm …


  1. Zog_but_not_the_first Silver badge
    WTF?

    I think we need to know...

    ... exactly what information is accessed by these third-party trackers on a web site that should be a secure, private and privileged transaction.

    1. Voland's right hand Silver badge

      Re: I think we need to know...

      None. At least here... Looking again at the noscript console. DEFINITELY NONE.

      1. Anonymous Coward

        Re: I think we need to know...

        Blocking trackers = Risky borrower, probably an anarchist seeking to bring down the system.

      2. N2 Silver badge

        Re: I think we need to know...

        You have to keep an eye on the nasty little fuckers & sinkhole all the bollox like marketing.lloyds.com

        N

      3. Tom Paine Silver badge

        Re: I think we need to know...

        Do modern bank sites work at all with scripting turned off? (I wouldn't know; I work in infosec, and I don't use any online banking or CC services.)

        1. Mark Ruit

          Re: I think we need to know...

          Do modern bank sites work at all with scripting turned off?

          The on-line banking sites of four different banks work well enough for me. Apart, that is, from a really strange problem with the site of one bank, which problem:

          a) I could work around and

          b) seems now to have gone away.

          I get that unspeakable Rapport pop-up as well, every time, for the same reasons, with the same fatuous suggestion from that bank on how to suppress it. Oh for a browser that will let me run in private browsing, but stores just the cookies I choose and refuses/dumps all others...

          What makes it worse is that the Rapport pop-up often takes so so long to be served that I am half-way through logging-on, and I have to abort, close the page, and start again...

    2. Pen-y-gors Silver badge

      Re: I think we need to know...

      Someone needs to check up on the EU data protection rules - if UK banks (or banks operating in the EU) are colluding in leaking personal info to third parties they could be in very deep and expensive doo-doo.

      1. Anonymous Coward

        Re: I think we need to know...

        Until Brexit of course.

      2. Halfmad

        Re: I think we need to know...

        Don't investigate yet, wait until GDPR kicks in..

    3. Compression Artifact
      WTF?

      Re: I think we need to know...

      I use both NoScript and uBlock Origin. NoScript seems to get first crack at things and when I go to my bank's website, it blocks tracking crap from four domains before uBlock Origin gets to see them. If I use a browser with only uBlock Origin, then it blocks all four because they appear on the blacklists that it uses.

      There is one additional domain that interferes with the logon process with an annoying popup ad for some crapware. I reported it to the bank's IT department as a possible infection on their site. They said that the popup will go away if I 1) reconfigure my browsers to never delete cookies and 2) let the popup run once. I prefer to just let NoScript block the domain it's coming from.

      1. deathchurch

        Re: I think we need to know...

        What about all the 3rd party scripts that are reverse proxied, so they will be coming from your bank's domain; are you going to block them as well? A lot of scripts will run to get a fingerprint of your device to see what else you've been up to, IOVation is just one example...

        1. Compression Artifact

          Re: I think we need to know...

          "What about all the 3rd party scripts that are reverse proxied, so they will be coming from your bank's domain; are you going to block them as well?"

          I find that, in practice, most websites I visit don't get this cute. Most bludgeon you with garbage from a massive array of obvious third-party domains. E.g., when I visit the website of a local TV station, NoScript takes out its meat axe and chops out eleven domains (and all the actual content I want to read is still there). This leaves uBlock Origin with very little to do; but it still finds three (non-script) objects on its blacklists and takes care of them. While NoScript might not defend against the kind of thing you mention, this sounds like something that uBlock Origin could potentially deal with, if there's a recognizable pattern to it.

          I very rarely see websites with massive quantities of JavaScript coming from just the primary domain; and usually it's something like an amateur WordPress site that I would block completely anyway.

          1. Infernoz Bronze badge
            Flame

            Re: I think we need to know...

            Some sites, which should damned well know better, get their Javascript blocked completely because they self-host too much crap! I don't care if these sites need advertising for funding, when they have a whole side div of double column adverts for their and other people's crap it's too much, so NoScript, uMatrix and Privacy Badger!

            The number of third party crap links (ads, tracker, demographics, analytics) was already toxic over a year ago on many commercial and 'free' sites, and is still getting worse(!), so I /have to use/ whitelist driven tools like NoScript and uMatrix to try and retain some privacy and speed; tough web authors who don't like this, it's your r-type, retarded, promiscuous fault!

            I even need Print Edit now for saving pages as text PDFs, even for blog/reference sites, because 50% or more of the page area is not even the actual content, WTF!!!

      2. Robert Helpmann?? Silver badge
        FAIL

        Re: I think we need to know...

        There is one additional domain that interferes with the logon process with an annoying popup ad...They said that the popup will go away if I 1) reconfigure my browsers to never delete cookies and 2) let the popup run once.

        Translation: If you just let us track everything you do, we will stop annoying you with those pesky pop-ups.

        Nice.

        1. Anonymous Coward

          "let us track everything you do, we will stop annoying you with those pesky pop-ups. Nice."

          Classy.

          And remember banking websites are not free.

          They are there to let us see and control our money, which is why most people will use a bank site.

          (many) other financial institutions are available. IIRC in the UK "Money Facts" is the magazine to look for.

          1. Anonymous Coward

            Re: "let us track everything you do, we will stop annoying you with those pesky pop-ups. Nice."

            I prefer a branch with a written record that I keep for my records. If the bank loses the evidence online who will believe that you just deposited £100K?

            1. Primus Secundus Tertius Silver badge

              Re: "let us track everything you do, we will stop annoying you with those pesky pop-ups. Nice."

              @AC / written record

              If any of this "rich internet experience" ackamarackus was sincere, they would know that you probably did deposit £100,000. But no, none of that is for our benefit, it is just numbers for the advertising managers.

              So you then deposit 100,000 of something else. Not nice.

        2. Compression Artifact

          Re: I think we need to know...

          "Translation: If you just let us track everything you do, we will stop annoying you with those pesky pop-ups."

          That's not the worst of it. The pop-up is advertising some security software that the bank would like its customers to install. A quick web search turned up lots of bad reviews of it from people who say it wrecked their machines when they installed it.

          1. SImon Hobson Silver badge

            Re: I think we need to know...

            The pop-up is advertising some security software that the bank would like its customers to install. A quick web search turned up lots of bad reviews of it from people who say it wrecked their machines when they installed it.

            Rapport - let's just get it out in the open. I did try it some years ago - let's just say that its effects were immediate, wide ranging, and resulted in it being uninstalled with no mercy. The little pile of utter s**t.

            I keep a separate browser, configured to clean itself on quit. I have the same problem - every login gets the "Install Rapport or you are leaving yourself wide open" popup, and several other problems related to not saving preferences.

            And one bank I use has recently "improved" its site to be the worst pile of useless and confusing eye candy imaginable - bad enough that I'm considering changing banks.

            1. Anonymous Coward

              Re: I think we need to know...

              Would that be HSBC?

              I never bothered with Rapport, partly through laziness, but also a reluctance to install unnecessary crap on my equipment.

              To be fair though, I've banked with HSBC for over 20 years and my biggest complaint is their new banking website, which compared to the complete IT system meltdowns other banks have had, isn't that big a deal.

            2. Anonymous Coward

              Re: I think we need to know...

              > I keep a separate browser, configured to clean itself on quit.

              Why a separate browser? Permanent private mode has been the name of the game for years now.

              1. David Hicklin

                Re: I think we need to know...

                >> I keep a separate browser, configured to clean itself on quit.

                >Why a separate browser? Permanent private mode has been the name of the game for years now.

                I have a VM *just* for online banking - it does not get used for anything else, yes it has Rapport + noscript + ublock origin.

                Good luck finding some tracking history there

      3. ShortLegs

        Re: I think we need to know...

        @Compression Artifact,

        NoScript - can't find it in Chrome add-ons, only No-Script Suite Lite. Is this the script blocker you refer to?

      4. ShortLegs

        Re: I think we need to know...

        @Compression Architect,

        NoScript - can't find it in Chrome add-ons, only No-Script Suite Lite. Is this the script blocker you refer to?

    4. katrinab Silver badge

      Re: I think we need to know...

      No, they are tracking shopping habits and stuff like that to decide whether you are a responsible borrower.

      How accurate they are, I've no idea. A few months ago, I was getting loads of adverts for dating sites where I could find the "perfect" boyfriend, not something that appeals to me at all. I don't know where they got that idea from when my browsing history is full of lesbian stuff. Now I'm getting loads of adverts for pregnancy testing kits.

      1. Rich 11 Silver badge
        Joke

        Re: I think we need to know...

        Now I'm getting loads of adverts for pregnancy testing kits.

        Perhaps Amazon once presented you with an ad for a turkey-baster?

        (If that is in far too bad taste, I apologise and will gladly delete this comment.)

        But it just goes to show how dangerous all this data-gathering can become. Some bank somewhere decides that their algorithm is ~70% accurate, which is far better than what their loan officers can achieve, and they switch over to trusting the algorithm and rejecting 20-30% of applications regardless of real-world merit or individual circumstance.

      2. Steve Davies 3 Silver badge

        Re: I think we need to know...

        And tomorrow, it will be for incontinency pads.

        I've seen the same sort of thing.

        Any time I use a Bank etc then it is done from a Linux VM that is restored once I'm done with it.

        One UK Financial Institution (scumbags) leaves 60+ cookies and other nasties behind for each visit. If the returns on my investment over the past three years had not been so good, I would have stopped using them a long time ago.

        1. katrinab Silver badge

          Re: I think we need to know...

          "And tomorrow, it will be for incontinency pads."

          If they keep going as they are, I suspect it will be baby stuff in about 8 months' time, followed by divorce lawyers.

      3. herman Silver badge

        Re: I think we need to know...

        It would have been funnier if your username was not female.

        1. katrinab Silver badge

          Re: I think we need to know...

          "It would have been funnier if your username was not female."

          I'm sure there are men out there getting ads for pregnancy testing kits.

          If you have a Twitter account, you can see what gender it thinks you are. It doesn't ask when you sign up, they make assumptions based on various things. It got mine right, but its accuracy seems to be little better than random.

          1. Captain DaFt

            Re: I think we need to know...

            "I'm sure there are men out there getting ads for pregnancy testing kits."

            Back when I got lots of spam, Breast enhancement spam ran neck and neck with \/iagra spam.

            I guess my lack of personal info on the web caused them to hedge their bets. ☺

            1. Anonymous Coward

              Re: I think we need to know...

              yep! I'm up to my neck with breast enhancement.

              1. Agamemnon
                Coat

                Re: I think we need to know...

                yep! I'm up to my neck with breast enhancement.

                But that's better than down to your knees.

                Yeah, yeah...I'm leaving.

          2. Anonymous Coward

            Re: I think we need to know...

            > If you have a Twitter account, you can see what gender it thinks you are.

            Q₁: How many choices do they offer?

            Q₂: Why do they (or anyone else, apart from your physician) care? There is seldom any need to know anyone's gender, apart from data fetishism.

      4. Anonymous Coward

        Re: I think we need to know...

        I put together a PC for my son a couple of months ago ... he's studying engineering at university and said he wanted a desktop as his laptop was not good enough for some CAD programs he wanted to run. So to check spec I asked him what CAD programs he'd want to run. One of them was SolidWorks so I did some research on this ... result is that two months later virtually every page I browse on my phone (which doesn't have an ad-blocker) is littered with offers for free trial for SolidWorks. I suppose it makes a change for the weeks after I'd been researching how to fix a leaking flush valve in our toilet!

      5. handleoclast Silver badge
        Coat

        Re: I think we need to know...

        My browsing history is full of lesbian stuff too.

        I'm a lesbian trapped inside a man's body.

  2. Anonymous Coward

    a job for pi-hole ?

    'nuff said.

  3. andy 103

    Yeah but...

    ... as with most things, all of this is stated in the small print. It's just that nobody bothers to read it and then complains and acts shocked when this sort of thing happens.

    You know when you get one of these "annoying" Cookie Policy notices and just dismiss it? Well that's where they're telling you more about what they're doing, but you're too annoyed to bother reading it.

    *cough* https://www.theregister.co.uk/Profile/cookies/ *cough*

    1. Tikimon Silver badge
      Devil

      Re: Yeah but...

      "... as with most things, all of this is stated in the small print. It's just that nobody bothers to read it "

      You are referring I presume to multiple pages of legalese, a jargon crafted specifically to obfuscate information? I've read plenty of them, and they make it as difficult as possible to know exactly what you're agreeing to.

      Doesn't matter anyway! Their TOC always states they can change anything anytime without notice or approval from you. So whatever you agree to TODAY won't protect you any longer than it takes for the echo of the mouse click to fade.

      1. Commswonk Silver badge

        Re: Yeah but...

        So whatever you agree to TODAY won't protect you any longer than it takes for the echo of the mouse click to fade.

        That is so good as to be almost poetic.

      2. Adam 52 Silver badge

        Re: Yeah but...

        Which will all change in May 2018, if anyone enforces it. Consumer protection brought to you by, well not your local friendly government.

    2. Infernoz Bronze badge

      Re: Yeah but...

      I have "Self-Destructing Cookies"; all the non-whitelisted cookies get destroyed when the last tab for the domain is closed :-P

  4. Anonymous Coward

    'littered with trackers' ogling your credit risk

    I think it's a cheap clickbait here on two counts. First, because the readers here hold a smug view of being (somewhat) more intelligent than those feeding specimen off gutter press (discuss), and secondly because they / we are far superior in protecting their data where it matters, in many ways.

    p.s. And thirdly, you should know it, so it's kinda lazy, thus somewhat offensive.

    1. Anonymous Coward

      Re: 'littered with trackers' ogling your credit risk

      That's me out then.

  5. Local Laddie

    UK banks tracking......

    Interesting little war I had with a local UK bank (currently up for sale - going cheap)... At one stage I was unable to log on to manage my internet account with an ad-blocker/tracking blocker installed/running.... stop the blocker - all works well... Long and short of many tech support discussions with bank was - "if you want to do online banking, you agree to being tracked (they were using an Adobe product...) - see terms and conditions on said bank website". ICO disagreed and things quietly changed (I changed bank in the meantime)...

    So who is watching you while you bank online and who has access to your "anonymized data"...?

    1. Zolko
      Holmes

      Re: UK banks tracking......

      That's why I use another browser for banking. My main browser is Firefox with Ghostery, blocking all trackers, and my banking browser is something else, with 1% market-share, where they can track me all they want there is nothing to see since I don't use it for anything else. And then there is my Tor-browser for when I really want to be on the safe side.

      I don't say that NSA can't see me, but I'm making their life more difficult.

    2. Alan Brown Silver badge

      Re: UK banks tracking......

      "ICO disagreed and things quietly changed "

      Given the ICO agreed with you, please name the bank.

      1. Anonymous Coward

        Re: UK banks tracking......

        "currently up for sale - going cheap" .... think that's a pretty strong pointer to it being the Coop - though from experiences watching my son try to pay in cheques there then I'm surprised their IT is modern enough to understand the web

    3. Primus Secundus Tertius Silver badge

      Re: UK banks tracking......

      That is why I use a live CD Linux system for online banking.

      1. It contains no keyloggers etc.

      2. It contains no personal data other than what the bank already has in relation to my login.

    4. Delbert

      Re: UK banks tracking......

      I'm with Local Laddie, if the only leverage we have is to bank elsewhere then make it so. My own bank would love me to use their new account and offer incentives like interest on the current a/c but require me to transact online through my phone which I 'can do anywhere'. Not convinced that having my data streamed through a third party wifi is any safer than having a stranger enter my PIN, it's not happening. Likewise my bank card was replaced at my request with one lacking an RFID chip, I know the risk and I'm not taking it, it is my choice not the bank's.
