trackers on banking sites?

For discussions about security.
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#1 Post by prehistoric »

This may require some background. First you need to know what "trackers" are. This article is a good start. Nearly everybody out there on the Internet would like to track what people who visit their site are also doing elsewhere.

You can go back to some fairly old articles from EFF about the problem, back when it was "a cloud no bigger than a hand" on the horizon.

There is a company selling a device for hundreds of dollars to block tracking. They have recently released a paper on what they found at popular banking websites, discussed here. On one important banking site they found 33 trackers.

My thought: what are banks doing selling invisible ads to third parties? Also, who is auditing the code used to implement these trackers? If it is run like typical ads on web sites it is a major security hole, because no one can keep up with the changes, since different ads may be shown to different users based on location, time, etc.

In addition to being used for advertising we may not want at all, anything exposing our habits in using on-line banking is a great aid to those who want to make their fraud look like our own activity. Where is the legal liability for banking practices that contribute to this?

Can someone point me to a tool to check for trackers on a particular on-line banking site?

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#2 Post by Flash »

Assuming an https connection, if the trackers are in the online site's server, there's no way to tell they're there until your savings disappear. And if they're not in the server, they must be in your computer. :cry:

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#3 Post by prehistoric »

Most trackers are simple matters of placing "cookies" in your browser cache, and comparing these with a database when they are found, but I am concerned about limitations on executable scripts used to implement this. I am also wondering about hidden communication channels in the code implementing web pages that contain trackers.

For an example of just how subtle these can be check the subject of DNS tunneling to exfiltrate information from a secure system. This can be used to send small amounts of information like passwords from a compromised system to a domain where the attacker controls naming. You don't even have to make an http or https connection to that domain; you could simply make a series of DNS queries without using them. Would your firewall stop this?

Just as a proof of concept, imagine a domain with 26 different names for a single IP address. A series of DNS queries could spell a password without ever connecting. This would likely go unnoticed because a typical web page generates many DNS queries.

The idea of having code from advertisers on a web page used for banking looks like a great way to allow undetectable extraction of private information without necessarily cracking the bank's own systems.

I could be misunderstanding what is going on, but I am thinking WTF? Don't these banks have any concern for the security of individual customers, as opposed to the security of the bank itself? I'm afraid such a limited breach would be very hard to prosecute, which may be why this looseness is tolerated.

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#4 Post by Sylvander »

I have "NoScript" installed in my web browser [Firefox-53.0.3].
When I go to my banking website, I need to click on the only script listed at that time [to enable it], which is my bank's own.
Once that is enabled, all the others are then listed.
e.g. doubleclick.net, webtrends.com, bluekai.com, webtrendslive.com, tiqcdn.com [all disabled].
Know about any of these?
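
A browser-exported HAR file records every request a page load made, including those triggered only after the bank's own script runs, so it yields the same inventory NoScript shows above. The following Python is an added example, not part of the original post; the HAR content and examplebank.test are constructed, and grouping hosts by their last two labels is a simplifying assumption.

```python
import json
from urllib.parse import urlsplit


def entry(url, sent=0, set_=0):
    # Build one constructed HAR 1.2 entry with `sent` request cookies and
    # `set_` response cookies.
    cookie = {"name": "id", "value": "constructed"}
    return {"request": {"url": url, "cookies": [cookie] * sent},
            "response": {"cookies": [cookie] * set_}}


# Constructed sample. The third-party domains are the ones listed in the post;
# examplebank.test, the paths and the cookie values are made up.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    entry("https://online.examplebank.test/login", set_=1),
    entry("https://cdn.examplebank.test/app.js", sent=1),
    entry("https://doubleclick.net/pixel.gif", set_=1),
    entry("https://doubleclick.net/pixel.gif?step=2", sent=1),
    entry("https://tiqcdn.com/tag.js"),
    entry("https://bluekai.com/site", set_=1),
]}})


def site_of(url):
    # Assumption: last two host labels identify the site. Use the Public
    # Suffix List for real work.
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def third_party_report(har_text, page_url):
    """Map each third-party site to its request count and the number of
    cookies the browser sent to it and received from it."""
    first_party = site_of(page_url)
    report = {}
    for item in json.loads(har_text)["log"]["entries"]:
        site = site_of(item["request"]["url"])
        if not site or site == first_party:
            continue  # the bank's own hosts, including its subdomains
        row = report.setdefault(
            site, {"requests": 0, "cookies_sent": 0, "cookies_set": 0})
        row["requests"] += 1
        row["cookies_sent"] += len(item["request"].get("cookies", []))
        row["cookies_set"] += len(item.get("response", {}).get("cookies", []))
    return report


if __name__ == "__main__":
    page = "https://online.examplebank.test/login"
    for site, row in sorted(third_party_report(SAMPLE_HAR, page).items()):
        print(site, row)
```

In Firefox or Chromium, the Network panel of the developer tools can save a page load as a HAR file to feed to this function.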

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#5 Post by 8Geee »

I have in the recent past posted about security concerns with browsers/banking/adblockers etc.

If you have a bank website that does not work if you block their trackers... get another bank, or do your banking "in person/by mail". The convenience of online banking has a big price... and it won't get cheaper.

When one of my banks did this (for credit card purposes) I was on the phone ASAP informing them I did not like their tracking. I reverted to bill by mail/ pay by check. Let 'em eat dirt. /MNSHO

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#6 Post by s243a »

prehistoric wrote:For an example of just how subtle these can be check the subject of DNS tunneling to exfiltrate information from a secure system. This can be used to send small amounts of information like passwords from a compromised system to a domain where the attacker controls naming. You don't even have to make an http or https connection to that domain; you could simply make a series of DNS queries without using them. Would your firewall stop this?

Just as a proof of concept, imagine a domain with 26 different names for a single IP address. A series of DNS queries could spell a password without ever connecting. This would likely go unnoticed because a typical web page generates many DNS queries.
Why would DNS requests go to a server specified by the attacker? Don't you specify the DNS server on your system?

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#7 Post by prehistoric »

s243a wrote:
prehistoric wrote:For an example of just how subtle these can be check the subject of DNS tunneling to exfiltrate information from a secure system. This can be used to send small amounts of information like passwords from a compromised system to a domain where the attacker controls naming. You don't even have to make an http or https connection to that domain; you could simply make a series of DNS queries without using them. Would your firewall stop this?

Just as a proof of concept, imagine a domain with 26 different names for a single IP address. A series of DNS queries could spell a password without ever connecting. This would likely go unnoticed because a typical web page generates many DNS queries.
Why would DNS requests go to a server specified by the attacker? Don't you specify the DNS server on your system?
Having your own DNS server runs into problems if the people running the domain are constantly changing names. To resolve current URLs your server would still need to query the servers of the people owning the domain. Having a DNS server in between would block some naive schemes like the one I used as a proof of concept, but if you check the rate at which certain domains generate new URLs you will find that it is still possible to transmit information via novel queries that will require reference to servers run by the owner of the domain.

Consider this list of recent URLs culled from my spam folder:

ejusdem@amphogeny.needhacker.nl
brangler@wallenstein.oneupresults.nl
misattributions@codebooks.mybestculture.nl
encolpions@torcel.betssol.nl
etymologized@febronianism.fishehow.nl

It appears that certain major spammers have enough money to buy quite a few domains, plus lawyers, if not entire countries. There is also a constant churn of changing URLs, making it hard to block them. There is really extensive subversion of the Internet. The connection between spam, fraud and money laundering is quite interesting.

We need to concentrate on blocking behaviors which weaken the integrity of the Internet rather than particular URLs.

If I wasn't curious about seeing what they are doing, I might simply filter out any email originating in the Netherlands, with the exception of a few individuals I know.
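
The behaviour-based approach argued for in posts #3 and #7, as an added example that is not part of the original thread: a recursive resolver only forwards names it has not cached, so the number of distinct names one client looks up under a single registered domain approximates how many messages reached that domain's owner. The log, the .test/.example names and the threshold are constructed, and the two-label domain split is a simplifying assumption.

```python
from collections import defaultdict

# Constructed resolver log (client IP, queried name). Reserved .test and
# .example names only; this is not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "www.examplebank.test"),
    ("10.0.0.5", "static.examplebank.test"),
    ("10.0.0.5", "www.examplebank.test"),
    ("10.0.0.5", "tags.analytics.example"),
    ("10.0.0.5", "s.collector.example"),
    ("10.0.0.5", "e.collector.example"),
    ("10.0.0.5", "c.collector.example"),
    ("10.0.0.5", "r.collector.example"),
    ("10.0.0.5", "e.collector.example"),
    ("10.0.0.5", "t.collector.example"),
    ("10.0.0.9", "www.examplebank.test"),
]


def registered_domain(name):
    # Assumption: the last two labels are the registered domain. Production
    # code should consult the Public Suffix List (co.uk and similar).
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def summarize(log):
    """Per (client, registered domain): total queries, distinct names, and
    characters carried in the labels to the left of the registered domain."""
    names = defaultdict(set)
    totals = defaultdict(int)
    for client, name in log:
        key = (client, registered_domain(name))
        totals[key] += 1
        names[key].add(name.rstrip(".").lower())
    return {
        key: {
            "queries": totals[key],
            "unique": len(seen),
            "payload_chars": sum(max(len(n) - len(key[1]) - 1, 0) for n in seen),
        }
        for key, seen in names.items()
    }


def flag_novel_name_bursts(log, min_unique=5, allowlist=()):
    """Return (client, domain) pairs whose distinct-name count reaches the
    threshold. Allowlist domains that legitimately use many hostnames."""
    return sorted(
        key for key, s in summarize(log).items()
        if s["unique"] >= min_unique and key[1] not in allowlist
    )
```

Repeated lookups of the same name do not raise the count, which is why the check keys on distinct names rather than query volume.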

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#8 Post by Flash »

Former US security advisor: Cyberattacks damage society as much as physical infrastructure
At the 2017 Global Cybersecurity Summit in Kiev, Ukraine, Tony Blinken, who was deputy secretary of state to Barack Obama, said the best defenses against cyberattacks are educated consumers and collaborative responses.
By Amy Talbott | June 15, 2017

In an interview at this week's Global Cybersecurity Summit in Kiev, Ukraine, [Interesting choice of location for such a meeting. Don't a lot of cyberattacks come from Ukraine?] former deputy national security advisor and deputy secretary of state Tony Blinken told TechRepublic's Dan Patterson that the threat posed by cyberattacks to human infrastructure, meaning what we think and believe, is as important as the threat to physical infrastructure.

The best defense against the threat to human infrastructure, Blinken said, is a population of educated consumers with strong critical thinking abilities. [That's the last thing advertisers want. Why does he use the word consumers instead of people? Amoeba are consumers but they are incapable of critical thought.]

During the interview, Blinken recommended the following solutions to present cyberthreats:

Demanding a collective response from groups like academic institutions, corporations, NGOs
Better defense, in the form of public-private partnerships to strengthen defenses against cyberattacks
Creation of international cybersecurity norms and standards so there's "at least a floor on how people behave and act."
Measures to impose costs on entities who carry out cyberattacks

The conversation also touched on ways organizations can plan future cyberdefense strategies. Blinken said that right now, organizations are not great at "thinking around the corner," or considering how technology created today might be used as a weapon in the future. [Nobody's any good at that. It's impossible to predict all the ways that someone else can come up with to use or misuse something. Your thinking is limited by your initial conditions and assumptions and your limited knowledge and intelligence. For instance, it's almost impossible to write something so that it can't be misinterpreted by anyone. Whoever wrote the 2nd Amendment didn't even try.] The same energy that goes into innovation needs to go into anticipating potential consequences and how to guard against them, said Blinken.

When asked what's really keeping him up at night, Blinken pointed to tensions between those who feel the best way to respond to societal and technological challenges is to protect themselves and "build a wall," and those who feel the best way to respond is to remain an open society and mitigate any threats that arise. But he also mentioned the power of using technology creatively to start talking and listening to each other again, and said he's ultimately hopeful about the future.
[That's his plan?]

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#9 Post by Barkin »

Sylvander wrote:I have "NoScript" installed in my web browser [Firefox-53.0.3].
There's a plug-in for Firefox called Lightbeam which shows the trackers as a diagram.

The trackers can record browsing-history in order to target advertising.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#10 Post by belham2 »

This thread bothers me. I mean, as Flash alluded to, isn't an organization that allows hosting (in their own servers) of 3rd party trackers a "big" source of all malware problems today? Imagine if something happens, a big months or years long breach occurs, just imagine then the finger-pointing that is going to go on? Furthermore, how is this allowing 3rd party trackers considered Best Safe-Secure Practices from the banks & fin'l firms point of view when dealing with their customers?? I know they only care about profit, but there has to be a line somewhere, doesn't there? Dam#

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#11 Post by prehistoric »

I just did a search for a video I had noticed in which an investor with a long track record predicted a financial collapse in 2017. What I turned up instead of the one I was seeking was a long list of warnings from both the far-right conspiracy sites and far-left. The two things all agree on are that there will be a big crash, perhaps of historic proportions, and they are not responsible for this.

One standard phrase in any number of financial pronouncements is "consumer confidence". Beyond the threat of huge losses if the weaknesses many people see in current on-line banking and commerce are exploited aggressively, there is an incredible risk of a loss of confidence by both consumers and investors that will cause an economic contraction far greater than any immediate loss of assets.

Performance of economic professionals during the 2008 crisis did not inspire confidence. At one extreme we had Lehman Brothers using an accounting trick called repo 105 to disguise toxic assets for three quarters. This didn't work in the fourth quarter because Lehman Brothers was forced into bankruptcy. Those investors misled by this means of hiding problems suffered substantial losses.

Investors flocked to the few banks which appeared solid, but that was also an illusion. JPMorgan Chase declared their exposure to risk was some $13 billion, which is indeed substantial. Unfortunately, subsequent analysis found their exposure was more like $53 billion, which would put a dent in any bank. Goldman Sachs was also a favorite refuge. What nobody outside the top levels of Goldman Sachs knew until a meeting at the New York Federal Reserve in the depths of the crisis was the extent to which credit default swaps exposed them to risk from the collapse of other banks.

When the federal government bought toxic assets at 100% value, this was said to be protecting the investors in those banks. What got less attention was the way it protected GS and JPMorgan Chase from consequences of their own misjudgment in signing credit default swaps without doing due diligence. They didn't lose a penny. If the federal government would bail those banks out of a bad situation they didn't need to exercise any judgment.

In another example of serious defects in the financial system several credit rating agencies gave the collateralized debt obligations put together from toxic assets, with a small leavening of good mortgages, triple A ratings. This greatly facilitated fraud by financial institutions flogging these junk bond equivalents at high prices.

Major banks have been fined for violating regulations in or leading up to the 2008 crisis, but none of the officers of those banks faced criminal prosecution. Who was held responsible?

We might ask, which banks were prosecuted for criminal fraud as a result of practices that were widespread prior to the 2008 crash? How about Abacus Bank? This bank had only 9 defaults on 3,104 mortgage loans. Did this cause the 2008 crash?

A number of commentators who might have an axe to grind have blamed numerous small individuals for signing loans made available, and aggressively marketed, by banks. I've investigated a couple of people who admittedly made terrible personal decisions during the bubble, and lost homes as a result. Their eyes glaze over if I try to explain CDOs and CDS. They don't even have college degrees, so how could they understand subjects that tax the abilities of PhDs in economics?

(BTW: should these people ever inherit substantial moneys, they can expect to face lawsuits from those firms which bought bad debts from banks. This will hang over them for the rest of their lives. They lost their life savings before they had any.)

It seems the only people who paid a serious personal price for the fraud prevalent in the run-up to that bubble were those with the least background for understanding the subject. None of the people with the requisite education, training and experience went to jail. These people were paid big bucks prior to the crash for their expertise and the heavy responsibilities they carried. It appears the concept of professional fiduciary responsibility is completely dead.

With current practices in on-line commerce, including banking, we have another situation where the vast majority of people depending on these services don't have a clue about the risks to individuals, and the people who do have some understanding are often paid to downplay those risks.

I've received some "targeted advertising" from very shady operations, due to some unusual financial problems which happened during illness, because I had no one to take over. Some of these appeared within hours of an action on my part. How are these bottom feeders learning of potential vulnerability? Could it be from trackers on banking sites?

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#12 Post by Barkin »

prehistoric wrote:I've received some "targeted advertising" from very shady operations, due to some unusual financial problems which happened during illness, because I had no one to take over. Some of these appeared within hours of an action on my part. How are these bottom feeders learning of potential vulnerability? Could it be from trackers on banking sites?
A few years ago my power-supplier accidentally broke my standing-order, which resulted in them not getting paid for several months. Along with the snail-mail letter telling me the bill was overdue, came two letters addressed specifically to me from companies offering me loans, (at extortionate rates of interest).

IMO the power-supplier automatically gave the loan-sharks my name & address when my account went into the red, (which was no fault of mine).
