

Ask HN: Are banks allowed to use Google Analytics or any 3rd party analytics - techaddict009

Recently someone found that ICICI Bank (One of the biggest bank in India) is using google analytics on pages which are secured by login: http:&#x2F;&#x2F;blog.chaitanyagupta.com&#x2F;2015&#x2F;07&#x2F;icici-bank-gives-unfettered-access-to.html<p>So it is not this against some security norms? And should not it have been disqualified while security audits?<p>Are banks allowed to use Google Analytics or any 3rd party analytics, on pages which are secured by login?
======
ICICIBank_Care
ICICI Bank would like to state that this article is ill founded and not based
on facts. The Bank would like to strongly deny that Google or any third party
tool can access any confidential customer level information from its website.
ICICI Bank is in complete control over all points of access to customer data.

As a standard global practice, banks across the world use Google Analytics
Premium services to understand generic behaviour of the users such as
navigation patterns, browser types and page speeds among other things.

ICICI Bank would like to re-iterate that it operates with world class
standards of information security and that our customer’s privacy is of utmost
importance to us.

------
twunde
I'm not sure why you would assume that Google Analytics or other third-party
analytics software would be forbidden. Google probably has a better security
model than most banks, especially with premier products like Google Analytics.
It also doesn't give information about your banking info unless Google
Analytics has been completely compromised. Additionally most bank security
teams would immediately notice that the network traffic sent to Google
Analytics had increased exponentially.

Jacques Mattheij's research does indicate some security risk, but not an
enormous amount. Most of these externally-hosted javascript libraries have
dedicated security teams on par or better than those at banks

