Banking websites are 'littered with trackers' ogling your credit risk

A new study has warned that third-party trackers litter banking websites and the privacy-invading tech is being used to rate surfers' creditworthiness. Among the top 10 financial institution websites visited in the US and UK, there are 110 third-party trackers snooping on surfers each time they visit. Online privacy firm …

  1. Zog_but_not_the_first Silver badge
    WTF?

    I think we need to know...

    ... exactly what information is accessed by these third-party trackers on a web site that should be a secure, private and privileged transaction.

    1. Voland's right hand Silver badge

      Re: I think we need to know...

      None. At least here... Looking again at the noscript console. DEFINITELY NONE.

      1. Anonymous Coward

        Re: I think we need to know...

        Blocking trackers = Risky borrower, probably an anarchist seeking to bring down the system.

      2. N2 Silver badge

        Re: I think we need to know...

        You have to keep an eye on the nasty little fuckers & sinkhole all the bollox like marketing.lloyds.com

        N

      3. Tom Paine Silver badge

        Re: I think we need to know...

        Do modern bank sites work at all with scripting turned off? (I wouldn't know; I work in infosec, and I don't use any online banking or CC services.)

        1. Mark Ruit

          Re: I think we need to know...

          Do modern bank sites work at all with scripting turned off?

          The on-line banking sites of four different banks work well enough for me. Apart, that is, from a really strange problem with the site of one bank, which problem:

          a) I could work around and

          b) seems now to have gone away.

          I get that unspeakable Rapport pop-up as well, every time, for the same reasons, with the same fatuous suggestion from that bank on how to suppress it. Oh for a browser that will let me run in private browsing, but stores just the cookies I choose and refuses/dumps all others...

          What makes it worse is that the Rapport pop-up often takes so so long to be served that I am half-way through logging-on, and I have to abort, close the page, and start again...

    2. Pen-y-gors Silver badge

      Re: I think we need to know...

      Someone needs to check up on the EU data protection rules - if UK banks (or banks operating in the EU) are colluding in leaking personal info to third parties they could be in very deep and expensive doo-doo.

      1. Anonymous Coward

        Re: I think we need to know...

        Until Brexit of course.

      2. Halfmad

        Re: I think we need to know...

        Don't investigate yet, wait until GDPR kicks in..

    3. Compression Artifact
      WTF?

      Re: I think we need to know...

      I use both NoScript and uBlock Origin. NoScript seems to get first crack at things and when I go to my bank's website, it blocks tracking crap from four domains before uBlock Origin gets to see them. If I use a browser with only uBlock Origin, then it blocks all four because they appear on the blacklists that it uses.

      There is one additional domain that interferes with the logon process with an annoying popup ad for some crapware. I reported it to the bank's IT department as a possible infection on their site. They said that the popup will go away if I 1) reconfigure my browsers to never delete cookies and 2) let the popup run once. I prefer to just let NoScript block the domain it's coming from.

      1. deathchurch

        Re: I think we need to know...

        What about all the 3rd party scripts that are reverse proxied, so they will be coming from your bank's domain, are you going to block them as well? A lot of scripts will run to get a fingerprint of your device to see what else you've been up to, IOVation is just one example...

        1. Compression Artifact

          Re: I think we need to know...

          "What about all the 3rd party scripts that are reverse proxied, so they will be coming from your bank's domain, are you going to block them as well?"

          I find that, in practice, most websites I visit don't get this cute. Most bludgeon you with garbage from a massive array of obvious third-party domains. E.g., when I visit the website of a local TV station, NoScript takes out its meat axe and chops out eleven domains (and all the actual content I want to read is still there). This leaves uBlock Origin with very little to do; but it still finds three (non-script) objects on its blacklists and takes care of them. While NoScript might not defend against the kind of thing you mention, this sounds like something that uBlock Origin could potentially deal with, if there's a recognizable pattern to it.

          I very rarely see websites with massive quantities of JavaScript coming from just the primary domain; and usually it's something like an amateur WordPress site that I would block completely anyway.

          1. Infernoz Bronze badge
            Flame

            Re: I think we need to know...

            Some sites, which should damned well know better, get their Javascript blocked completely because they self-host too much crap! I don't care if these sites need advertising for funding, when they have a whole side div of double column adverts for their and other people's crap it's too much, so NoScript, uMatrix and Privacy Badger!

            The number of third party crap links (ads,tracker,demographics,analytics) was already toxic over a year ago on many commercial and 'free' sites, and is still getting worse(!), so I /have to use/ whitelist driven tools like NoScript and uMatrix to try and retain some privacy and speed; tough web authors who don't like this, it's your r-type, retarded, promiscuous fault!

            I even need Print Edit now for saving pages as text PDFs, even for blog/reference sites, because 50% or more of the page area is not even the actual content, WTF!!!

      2. Robert Helpmann?? Silver badge
        FAIL

        Re: I think we need to know...

        There is one additional domain that interferes with the logon process with an annoying popup ad...They said that the popup will go away if I 1) reconfigure my browsers to never delete cookies and 2) let the popup run once.

        Translation: If you just let us track everything you do, we will stop annoying you with those pesky pop-ups.

        Nice.

        1. Anonymous Coward

          "let us track everything you do, we will stop annoying you with those pesky pop-ups. Nice."

          Classy.

          And remember banking websites are not free.

          They are there to let us see and control our money, which is why most people will use a bank site.

          (many) other financial institutions are available. IIRC in the UK "Money Facts" is the magazine to look for.

          1. Anonymous Coward

            Re: "let us track everything you do, we will stop annoying you with those pesky pop-ups. Nice."

            I prefer a branch with a written record that I keep for my records. If the bank loses the evidence online who will believe that you just deposited £100K?

            1. Primus Secundus Tertius Silver badge

              Re: "let us track everything you do, we will stop annoying you with those pesky pop-ups. Nice."

              @AC / written record

              If any of this "rich internet experience" ackamarackus was sincere, they would know that you probably did deposit £100,000. But no, none of that is for our benefit, it is just numbers for the advertising managers.

              So you then deposit 100,000 of something else. Not nice.

        2. Compression Artifact

          Re: I think we need to know...

          "Translation: If you just let us track everything you do, we will stop annoying you with those pesky pop-ups."

          That's not the worst of it. The pop-up is advertising some security software that the bank would like its customers to install. A quick web search turned up lots of bad reviews of it from people who say it wrecked their machines when they installed it.

          1. SImon Hobson Silver badge

            Re: I think we need to know...

            The pop-up is advertising some security software that the bank would like its customers to install. A quick web search turned up lots of bad reviews of it from people who say it wrecked their machines when they installed it.

            Rapport - let's just get it out in the open. I did try it some years ago - let's just say that its effects were immediate, wide ranging, and resulted in it being uninstalled with no mercy. The little pile of utter s**t.

            I keep a separate browser, configured to clean itself on quit. I have the same problem - every login gets the "Install Rapport or you are leaving yourself wide open" popup, and several other problems related to not saving preferences.

            And one bank I use has recently "improved" its site to be the worst pile of useless and confusing eye candy imaginable - bad enough that I'm considering changing banks.

            1. Anonymous Coward

              Re: I think we need to know...

              Would that be HSBC?

              I never bothered with Rapport, partly through laziness, but also a reluctance to install unnecessary crap on my equipment.

              To be fair though, I've banked with HSBC for over 20 years and my biggest complaint is their new banking website, which compared to the complete IT system meltdowns other banks have had, isn't that big a deal.

            2. Anonymous Coward

              Re: I think we need to know...

              > I keep a separate browser, configured to clean itself on quit.

              Why a separate browser? Permanent private mode has been the name of the game for years now.

              1. David Hicklin

                Re: I think we need to know...

                >> I keep a separate browser, configured to clean itself on quit.

                >Why a separate browser? Permanent private mode has been the name of the game for years now.

                I have a VM *just* for online banking - it does not get used for anything else, yes it has Rapport + noscript + ublock origin.

                Good luck finding some tracking history there

      3. ShortLegs

        Re: I think we need to know...

        @Compression Artifact,

        NoScript - can't find it in Chrome add-ons, only No-Script Suite Lite. Is this the script blocker you refer to?

      4. ShortLegs

        Re: I think we need to know...

        @Compression Architect,

        NoScript - can't find it in Chrome add-ons, only No-Script Suite Lite. Is this the script blocker you refer to?

    4. katrinab Silver badge

      Re: I think we need to know...

      No, they are tracking shopping habits and stuff like that to decide whether you are a responsible borrower.

      How accurate they are, I've no idea. A few months ago, I was getting loads of adverts for dating sites where I could find the "perfect" boyfriend, not something that appeals to me at all. I don't know where they got that idea from when my browsing history is full of lesbian stuff. Now I'm getting loads of adverts for pregnancy testing kits.

      1. Rich 11 Silver badge
        Joke

        Re: I think we need to know...

        Now I'm getting loads of adverts for pregnancy testing kits.

        Perhaps Amazon once presented you with an ad for a turkey-baster?

        (If that is in far too bad taste, I apologise and will gladly delete this comment.)

        But it just goes to show how dangerous all this data-gathering can become. Some bank somewhere decides that their algorithm is ~70% accurate, which is far better than what their loan officers can achieve, and they switch over to trusting the algorithm and rejecting 20-30% of applications regardless of real-world merit or individual circumstance.

      2. Steve Davies 3 Silver badge

        Re: I think we need to know...

        And tomorrow, it will be for incontinency pads.

        I've seen the same sort of thing.

        Any time I use a Bank etc then it is done from a Linux VM that is restored once I'm done with it.

        One UK Financial Institution (scumbags) leaves 60+ cookies and other nasties behind for each visit. If the returns on my investment over the past three years had not been so good, I would have stopped using them a long time ago.

        1. katrinab Silver badge

          Re: I think we need to know...

          "And tomorrow, it will be for incontinency pads."

          If they keep going as they are, I suspect it will be baby stuff in about 8 months time, followed by divorce lawyers.

      3. herman Silver badge

        Re: I think we need to know...

        It would have been funnier if your username was not female.

        1. katrinab Silver badge

          Re: I think we need to know...

          "It would have been funnier if your username was not female."

          I'm sure there are men out there getting ads for pregnancy testing kits.

          If you have a Twitter account, you can see what gender it thinks you are. It doesn't ask when you sign up, they make assumptions based on various things. It got mine right, but its accuracy seems to be little better than random.

          1. Captain DaFt

            Re: I think we need to know...

            "I'm sure there are men out there getting ads for pregnancy testing kits."

            Back when I got lots of spam, Breast enhancement spam ran neck and neck with \/iagra spam.

            I guess my lack of personal info on the web caused them to hedge their bets. ☺

            1. Anonymous Coward

              Re: I think we need to know...

              yep! I'm up to my neck with breast enhancement.

              1. Agamemnon
                Coat

                Re: I think we need to know...

                yep! I'm up to my neck with breast enhancement.

                But that's better than down to your knees.

                Yeah, yeah...I'm leaving.

          2. Anonymous Coward

            Re: I think we need to know...

            > If you have a Twitter account, you can see what gender it thinks you are.

            Q₁: How many choices do they offer?

            Q₂: Why do they (or anyone else, apart from your physician) care? There is seldom any need to know anyone's gender, apart from data fetishism.

      4. Anonymous Coward

        Re: I think we need to know...

        I put together a PC for my son a couple of months ago ... he's studying engineering at university and said he wanted a desktop as his laptop was not good enough for some CAD programs he wanted to run. So to check spec I asked him what CAD programs he'd want to run. One of them was SolidWorks so I did some research on this ... result that is two months later virtually every page I browse on my phone (which doesn't have an ad-blocker) is littered with offers for free trial for SolidWorks. I suppose it makes a change for the weeks after I'd been researching how to fix a leaking flush valve in our toilet!

      5. handleoclast Silver badge
        Coat

        Re: I think we need to know...

        My browsing history is full of lesbian stuff too.

        I'm a lesbian trapped inside a man's body.

  2. Anonymous Coward

    a job for pi-hole ?

    'nuff said.

  3. andy 103

    Yeah but...

    ... as with most things, all of this is stated in the small print. It's just that nobody bothers to read it and then complains and acts shocked when this sort of thing happens.

    You know when you get one of these "annoying" Cookie Policy notices and just dismiss it? Well that's where they're telling you more about what they're doing, but you're too annoyed to bother reading it.

    *cough* https://www.theregister.co.uk/Profile/cookies/ *cough*

    1. Tikimon Silver badge
      Devil

      Re: Yeah but...

      "... as with most things, all of this is stated in the small print. It's just that nobody bothers to read it "

      You are referring I presume to multiple pages of legalese, a jargon crafted specifically to obfuscate information? I've read plenty of them, and they make it as difficult as possible to know exactly what you're agreeing to.

      Doesn't matter anyway! Their TOC always states they can change anything anytime without notice or approval from you. So whatever you agree to TODAY won't protect you any longer than it takes for the echo of the mouse click to fade.

      1. Commswonk Silver badge

        Re: Yeah but...

        So whatever you agree to TODAY won't protect you any longer than it takes for the echo of the mouse click to fade.

        That is so good as to be almost poetic.

      2. Adam 52 Silver badge

        Re: Yeah but...

        Which will all change in May 2018, if anyone enforces it. Consumer protection brought to you by, well not your local friendly government.

    2. Infernoz Bronze badge

      Re: Yeah but...

      I have "Self-Destructing Cookies"; all the non-whitelisted cookies get destroyed when the last tab for the domain is closed :-P

  4. Anonymous Coward

    'littered with trackers' ogling your credit risk

    I think it's a cheap clickbait here on two counts. First, because the readers here hold a smug view of being (somewhat) more intelligent than those feeding specimen off gutter press (discuss), and secondly because they / we are far superior in protecting their data where it matters, in many ways.

    p.s. And thirdly, you should know it, so it's kinda lazy, thus somewhat offensive.

    1. Anonymous Coward

      Re: 'littered with trackers' ogling your credit risk

      That's me out then.

  5. Local Laddie

    UK banks tracking......

    Interesting little war I had with a local UK bank (currently up for sale - going cheap)... At one stage I was unable to log on to manage my internet account with an ad-blocker/tracking blocker installed/running.... stop the blocker - all works well... Long and short of many tech support discussions with bank was - "if you want to do online banking, you agree to being tracked (they were using an Adobe product...) - see terms and conditions on said bank website". ICO disagreed and things quietly changed (I changed bank in the meantime)...

    So who is watching you while you bank online and who has access to your "anonymized data"...?

    1. Zolko
      Holmes

      Re: UK banks tracking......

      That's why I use another browser for banking. My main browser is Firefox with Ghostery, blocking all trackers, and my banking browser is something else, with 1% market-share, where they can track me all they want there is nothing to see since I don't use it for anything else. And then there is my Tor-browser for when I really want to be on the safe side.

      I don't say that NSA can't see me, but I'm making their life more difficult.

    2. Alan Brown Silver badge

      Re: UK banks tracking......

      "ICO disagreed and things quietly changed "

      Given the ICO agreed with you, please name the bank.

      1. Anonymous Coward

        Re: UK banks tracking......

        "currently up for sale - going cheap" .... think that's a pretty strong pointer to it being the Coop - though from experiences watching my son try to pay in cheques there then I'm surprised their IT is modern enough to understand the web

    3. Primus Secundus Tertius Silver badge

      Re: UK banks tracking......

      That is why I use a live CD Linux system for online banking.

      1. It contains no keyloggers etc.

      2. It contains no personal data other than what the bank already has in relation to my login.

    4. Delbert

      Re: UK banks tracking......

      I'm with Local Laddie, if the only leverage we have is to bank elsewhere then make it so. My own bank would love me to use their new account and offer incentives like interest on the current a/c but require me to transact online through my phone which I 'can do anywhere'. Not convinced that having my data streamed through a third party wifi is any safer than having a stranger enter my PIN, it's not happening. Likewise my bank card was replaced at my request with one lacking an RFID chip, I know the risk and I'm not taking it, it is my choice not the bank's.

  6. Anonymous Coward

    Doubleclick / Santander

    A few years ago, merely logging on to Santander's online banking involved a redirect through doubleclick (which meant you couldn't log on if you'd hosts-file sinkholed doubleclick).

    Just one of the many irritations (including leaking my Sant-unique email address to spammers) which saw me walk away from Santander.

    1. Anonymous Coward

      Re: Doubleclick / Santander

      Santander & Internet banking is a PITA for other reasons.

      I lasted 4 months with a 1-2-3 account before moving away.

      I know that people love to slag off NatWest but their iPhone App is pretty good.

      Posting AC as I don't want any more calls from Santander.

  7. moiety

    Not surprising

    Consider, if you will, the tsunami of crap junk mail/email you get when you open a bank account and in particular get a credit card. The trackers honestly don't matter because the banks are going to sell the raw server logs to anyone who waves half a groat in their direction.

    1. Alan Brown Silver badge

      Re: Not surprising

      "The trackers honestly don't matter because the banks are going to sell the raw server logs to anyone who waves half a groat in their direction."

      Even when served with a DPA section 11 notice? :)

    2. earl grey Silver badge
      Trollface

      Re: Not surprising

      So sorry. I read: " raw server logs" as raw sewage logs.

      It's probably about the same.

    3. Allan George Dyer Silver badge
      Joke

      Re: Not surprising

      "sell the raw server logs to anyone who waves half a groat in their direction"

      So they do care tuppence about privacy!

  8. andy 103

    Are there any legitimate uses for client side scripts on a banking website?

    Just wondering - and may well be wrong - but what would be a legitimate use for any client side scripting on a banking web application?

    Validation? Hell no. It may be used to enhance the UI, but should obviously be being done server-side.

    Ajax? I'd rather have a slower experience with full page reloads and everything done server-side.

    UI / UX enhancements? I don't need the developers to give Chrome a boner. Just serve the plain HTML and style it with CSS. We don't need any fading and transition bullshit thanks.

    Erm, can't think of many other uses for client side js... Please can someone expand on this? I honestly don't see why you'd have to use any client side scripting. If you're showing people their balance, or they are submitting (posting) a form, why not just let the server side application take care of it all? Modern web developers will cite UX no doubt, but I'm pretty sure you can still build a full application with absolutely no client side scripting... Unless anyone has 2 cents (no pun intended) otherwise?

    If this were the case you should be able to use every banking app with js completely disabled...but you can't.

    1. TeaLeaf

      Re: Are there any legitimate uses for client side scripts on a banking website?

      Two that I can think of and have used on websites I've built. (And I would love to find HTML/CSS alternatives to.) First is automatically jumping from field to field when filling in a form. The second is popping up a calendar to select a date. My bank uses this second feature and it truly is convenient for choosing when the bill payment needs to be made.

      1. Donn Bly

        Re: Are there any legitimate uses for client side scripts on a banking website?

        A third is filtering characters, so that non-numeric characters aren't entered into a numeric field. Sure, you could do it server-side, but then when someone enters "100/23" they may try to transfer 10023.00 instead of 100.23

        There are a lot of things that are far better done on the client than on the server.

        1. andy 103

          Re: Are there any legitimate uses for client side scripts on a banking website?

          "when someone enters "100/23" they may try to transfer 10023.00 instead of 100.23"

          Oh dear. That's exactly why I mentioned server side validation in the original post. You can still post the value "100/23" from the form but the validation on the server should check that's a legitimate monetary value (which it isn't, as it contains a /). I take the point that you might stop them posting it *at all* by using client side validation, but the principle still applies that the server should sanitize then validate all user input from forms anyway, so it's kind of redundant.

          1. Dave Evans 1

            Re: Are there any legitimate uses for client side scripts on a banking website?

            Am I being daft, but surely if you just set the input type as number in the html form, problem solved?

          2. Donn Bly
            Thumb Down

            Re: Are there any legitimate uses for client side scripts on a banking website?

            I take it that you don't have a lot of experience in UI implementation?

            You ALWAYS do server-side validation, no matter what validation you have on client side, however, if you can eliminate the round-robin trip then why not -- or would you prefer to return the web back to 1990's? In my example you prevent the user from even entering the slash - a simple regex on the keyup is all that is required - not some clunky onsubmit validation.

            In your solution, the entire page would have to be re-transmitted and re-rendered. With client validation you don't even have the opportunity for the error.

            In your solution the client couldn't even know that they had made an error until after they had tried to submit the request.

            Do you want a form to change based on whether a checkbox or radio button is selected? Then you need JavaScript. Even if you do everything on the server and resend the entire form, you need JavaScript in order to SUBMIT the form since without it you need an actual submit button (and of course the form will submit if they happen to hit enter without filling out the form). Over a high-latency connection this type of site design would be a customer-service killer. If you are going to have that poor of a design, why bother to have a web page at all?

            Not to say that JavaScript isn't over-used with lots of heavyweight libraries that aren't needed - but to say that there is NO legitimate use is clearly incorrect to anyone with any web development knowledge.

        2. Infernoz Bronze badge
          Facepalm

          Re: Are there any legitimate uses for client side scripts on a banking website?

          Current security standards say that the web servers handling entered data must always strictly fully validate all data from a client, including using a page populated unique token, stored in a session, and checked for in the input data. The idea that you can have stateless or no sessions, or do non-strict validation, is security retarded.

          Client side Javascript checking of values is fine for faster rejection of iffy values, but the server must always strictly check for bad input data and reject it, this is because a spoofing/hijack exploit may bypass the page Javascript checks and attempt to pass harmful data!

          The problem is that too many sites use too complex and obfuscated Javascript framework based code, so break in unknowable/annoying ways, so can run very slowly on even high spec. PCs and be vulnerable to, or even cause, security exploits!
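The server-side checks argued for in this sub-thread (strict validation of the "100/23" input and a page-populated token stored in the session), as an added example that is not part of the original comments. The function names, the plain-object session and the amount limits are assumptions made for illustration.

```javascript
// Added illustration, not code from the thread or from any bank.
// Every name here is hypothetical; the session is modelled as a plain object.
const crypto = require('crypto');

// What a "strip the bad characters" sanitiser does to the thread's example:
// "100/23" silently becomes "10023", a different but valid-looking amount.
function lossySanitise(raw) {
  return String(raw).replace(/[^\d.]/g, '');
}

// Strict alternative: whole pounds without leading zeros (at most 9 digits),
// optionally followed by a 1-2 digit fraction. Anything else is rejected.
const AMOUNT_RE = /^(0|[1-9]\d{0,8})(\.\d{1,2})?$/;

// Returns the amount in integer pence, or null when the input is not a
// positive monetary value. Integers avoid floating-point rounding on money.
function parseAmountToPence(raw) {
  if (typeof raw !== 'string') return null;
  const m = AMOUNT_RE.exec(raw.trim());
  if (!m) return null;
  const fraction = (m[2] || '.').slice(1).padEnd(2, '0');
  const pence = Number(m[1]) * 100 + Number(fraction);
  return pence > 0 ? pence : null;
}

// Called when the form is rendered: a fresh random token is stored in the
// session and embedded in the page as a hidden field.
function issueFormToken(session) {
  session.formToken = crypto.randomBytes(32).toString('hex');
  return session.formToken;
}

// Called on submission: the token is removed from the session before it is
// compared, so a replayed or duplicated request fails even if the first
// one succeeded. The comparison is constant-time.
function consumeFormToken(session, submitted) {
  const expected = session.formToken;
  delete session.formToken;
  if (typeof expected !== 'string' || typeof submitted !== 'string') return false;
  const a = Buffer.from(expected, 'utf8');
  const b = Buffer.from(submitted, 'utf8');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Server-side handler: runs the same checks whether or not any client-side
// script ran, because the request may not have come from the bank's page.
function handleTransfer(session, form) {
  const { token, amount } = form || {};
  if (!consumeFormToken(session, token)) return { ok: false, error: 'bad-token' };
  const pence = parseAmountToPence(amount);
  if (pence === null) return { ok: false, error: 'bad-amount' };
  return { ok: true, pence };
}

// Constructed sample submissions, one fresh token per form render.
const demoSession = {};
for (const amount of ['100.23', '100/23', '1e3', ' 42 ']) {
  const token = issueFormToken(demoSession);
  console.log(JSON.stringify(amount), handleTransfer(demoSession, { token, amount }));
}
```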

      2. andy 103

        Re: Are there any legitimate uses for client side scripts on a banking website?

        "jumping from field to field when filling in a form"

        tabindex in the HTML?

        "calendar to select a date"

        http://www.html5tutorial.info/html5-date.php - although this won't work in older browsers. Maybe degrade it back to using a series of dropdowns (day, month, year)?

        1. Donn Bly

          Maybe degrade it back to using a series of dropdowns

          And how do you propose to degrade it without client-side scripting? The server could guess based on user-agent, but then it would have to know the capabilities of every version of every browser ever made or yet to be made -- which is why solutions like browsercaps and server-side browser detection were broken from the very beginning and aren't used by anyone with a brain - if you need detection then it is done on the client side based upon capabilities and not some arbitrary text string.

          And if you did use your dropdowns, without client side scripting you couldn't even limit the number of days based on month selected - so you would HAVE to allow the user to enter February 31st and then reject it as an error after form submission, making them correct and it resubmit it again. Not a very user-friendly solution.

    2. doke

      Re: Are there any legitimate uses for client side scripts on a banking website?

      One common use is "responsive web design" where the js modifies the page to fit various size screens under certain rules. Many designers think it's better to make one page full of "if"s and rules than to maintain separate desktop and mobile sites. I see points for both sides, I think it depends on the site.

      1. Aitor 1 Silver badge

        Re: Are there any legitimate uses for client side scripts on a banking website?

        Same website for gods sake, this is 2017!!

      2. Allan George Dyer Silver badge
        Boffin

        Re: Are there any legitimate uses for client side scripts on a banking website?

        "the js modifies the page to fit various size screens under certain rules"

        How about using

        @media (min-width: 800px)

        in the CSS. That's what it's there for, right?

    3. SImon Hobson Silver badge

      Re: Are there any legitimate uses for client side scripts on a banking website?

      Isn't it obvious, all these scripts are to make the site "fresher and more responsive" - or at least, that's the sort of canned excuse I've had back from one bank that's recently "improved" its site to be far slower and harder to use than it used to be!

      Yes, that's a joke. You are right, there are very few legitimate uses - most of this crap is just that, crap. Just well polished crap designed to "look pretty and never mind the function" (or lack of function).

      1. Mark 85 Silver badge

        Re: Are there any legitimate uses for client side scripts on a banking website?

        I'm thinking some developer talked them into it for a nice fee for "updating" and "modernizing" their website.

    4. Anonymous Coward

      Re: Are there any legitimate uses for client side scripts on a banking website?

      Stopping you from making the same payment twice (or four, or eight times, etc) by double-clicking the button again and again on a slow connection?

  9. John Mangan
    Joke

    It wouldn't be so bad.....

    .. if it would at least save you having to fill in all of the forms.

  10. Spanners Silver badge
    Linux

    Any real banks?

    How about such "normal" banks as

    Barclays

    Natwest

    TSB

    Royal Bank of Scotland

    and so on?

  11. Anonymous Coward
    Anonymous Coward

    Some UK ones

    Nationwide nil (used to use Adobe Omniture), perhaps it's now done at the server?

    Santander Adobe Dynamic Tag (Santander pedantically traces to GB-US-GB via Prolexic)

    1. Adam 52 Silver badge

      Re: Some UK ones

      Omniture/Site Catalyst isn't going to be doing any cross-site tracking, it'll be purely activity within the site. So you're not giving away much, if any, personal data to it. Nothing the bank doesn't already know.

      1. Anonymous Coward
        Anonymous Coward

        Re: Some UK ones

        Invoking a local mitm revealed some interesting stuff, omniture data set is interesting, and two financial organizations refused to reveal the information sent to omniture for commercial reasons (which prompted the previous actions).

  12. fobobob
    Big Brother

    protip

    Uninstall flash (who uses that anymore? just trackers?), install NoScript. Get ready to cruise the information superhighway like it's 1993! Anyhow, to hell with abusive client-side scripting.

  13. Anonymous Coward
    Anonymous Coward

    Somewhat ironic that the Register has six trackers on this page according to Ghostery.

    Nothing compared to some news sites - the Telegraph used to have 30+ before I stopped reading it.

  14. Gnosis_Carmot

    No link to the study?

    Slackers!

  15. P|H

    Thingy

    And what of this eblocker thingamajig? It looks expensive and mysterious.

  16. Gene Cash Silver badge

    Really dodgy domains

    One of the Chase cookies (I'm a sucker customer) is from a .ru domain.

    That seems really dodgy and is why I block all the cookies not from chase.com or chasecdn.com when I log in.

  17. VinceH Silver badge

    Optional

    Thinking back to an issue I had with HSBC last year. If memory serves, this problem occurred when they updated their online banking site (personal) to the current version (which, it has to be said, is rubbish - but that's another matter).

    I had trouble logging in - it would get so far, and then show me a message saying something like "Loading data" with the spinner that never seemed to stop spinning; the data would never load. I tried it on more than one combination of browser and platform.

    They initially replied saying that Palemoon isn't supported, until I pointed out it's a Firefox offshoot. A little later, they suggested the issue is either caused by private browsing mode, or the use of Ghostery.

    After they said that, I worked out what Ghostery needed to allow in order for the site to work - cookies from Webtrends. Their bollocks excuse was "There are elements that we track to help us protect your account online."

    Solution: Whitelist WebTrends for HSBC - but they track sod all because all cookies are wiped at the end of a browsing session anyway.

  18. Anonymous Coward
    Anonymous Coward

    90% of these will just be marketing analytics out to try and flog their services to you on every other site on the web

  19. Compression Artifact
    Devil

    Tip of the iceberg

    "By comparison, HSBC had only two and JPMorgan Chase had nine. Other figures include TD Bank (20), BNY Mellon (14), US Bank (9), Bank of America (6), Citibank (6), Capital One (6) and Wells Fargo (5)."

    I have charge accounts at two of these banks; and they're doing a lot more than just hiding trackers that fly under most customers' radar.

    Recently, both of them have started nagging me (as a new phase in the account log-on process) to tell them my current income "so they can update their records." Neither actually requires it, as I can work around this by closing the browser and re-starting the logon. One of them openly admits this is purely for marketing reasons so they can present me with advertisements tailored to my income level; and I assume the other is the same.

  20. Anonymous Coward
    Anonymous Coward

    Santander trackers...

    I have complained to Santander about their web-site over years - they never fixed it.

    If you are a customer and login - hover your mouse over "Loans" on the right-hand-side.

    You will see the link goes to doubleclick advertising network - even though you are "securely" logged into your bank account?

    Mind you, if you are NOT a customer you can read about loans at Santander on their web-site.

    It's only harvesting information from you when you are LOGGED IN to Santander, and sharing it with the google doubleclick tracking network.

    1. Anonymous Coward
      Anonymous Coward

      Re: Santander trackers...

      I came across this forum while trying to trace 'Santander' and 'doubleclick.net'. I was unable to follow a link from my logged in banking page, because it was trying to take me to doubleclick.net which is blocked in my hosts file. I originally thought it was a local virus, but scanning found no trace so I asked Santander about the link. Twice on the phone, and once by secure message they have said that the link to doubleclick did not come from them.

      I can see it in the HTML,

      <li class="savings"><a href="http://ad-emea.doubleclick.net/clk;...some numbers removed ...;k" target="_blank">Savings</a></li>

      but how can I prove this came from them, rather than some code injection on my machine?
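
One way to approach the question in the comment above, as an added example that is not part of the original post: compare the third-party hosts in the HTML as served (the raw response body, captured outside the browser) with those in the DOM the browser ends up rendering. The `bank.example` domain, both HTML samples and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RefCollector(HTMLParser):
    """Collect (tag, host) for every href/src attribute that names a host."""

    def __init__(self):
        super().__init__()
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                host = urlsplit(value.strip()).hostname  # None for relative URLs
                if host:
                    self.refs.add((tag, host.lower()))


def is_first_party(host, first_party):
    # Exact match or a true subdomain; "evilbank.example" must not match.
    return any(host == d or host.endswith("." + d) for d in first_party)


def third_party_refs(html, first_party):
    parser = RefCollector()
    parser.feed(html)
    parser.close()
    return {(t, h) for t, h in parser.refs if not is_first_party(h, first_party)}


def attribute_refs(server_html, browser_html, first_party):
    """Split third-party references by where they first appear."""
    served = third_party_refs(server_html, first_party)
    rendered = third_party_refs(browser_html, first_party)
    return {
        "served_by_site": sorted(served),                # present in the raw response
        "added_in_browser": sorted(rendered - served),   # only in the rendered DOM
    }


# Constructed samples: the raw response body and the DOM saved from the browser.
SERVER_HTML = """<ul>
<li class="savings"><a href="http://ad-emea.doubleclick.net/clk;EXAMPLE;k" target="_blank">Savings</a></li>
<li><a href="https://www.bank.example/loans">Loans</a></li>
</ul>"""
BROWSER_HTML = SERVER_HTML + '<script src="https://cdn.injected.example/x.js"></script>'

if __name__ == "__main__":
    print(attribute_refs(SERVER_HTML, BROWSER_HTML, {"bank.example"}))
```

A host listed under `served_by_site` was in the response body itself, so it was not added by something on the local machine after delivery. A host under `added_in_browser` needs further checking, because the site's own scripts can also add elements at runtime, as can extensions or local malware.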

  21. Stork Bronze badge

    I need a course!

    I just installed NoScript and can not even log into my company e-bank.

    Anyone know a guide to what is (probably) ok to allow and what not? I mean, some scripts are pretty innocent and some less so...

    Cheat-sheet please!

  22. EBG

    telephone banking

    Without naming them, probably the longest established name. My experience - nearly 30 years with them, great service, zero problems. Seriously, why internet bank in the first place ?

  23. post-truth

    The third-party trackers, and credit providers that purchase their services, now have until July 2018 to get their act together or be destroyed. The credit providers, with deep pockets and thus insurers of last resort, will end up paying for the misdeeds of their suppliers.

  24. N2 Silver badge

    Fires up Sandbox...

    Edits hosts to resolve marketing.shitebank.co.uk to 127.0.0.1

    No Script, Ghostery, UBlock Origin & Little Snitch do a fine job in fucking off the rest.

Biting the hand that feeds IT © 1998–2019