
Ask HN: Why does my credit union check if I'm logged into Steam and Reddit? - fanseed
I was watching the network logs as I logged into my credit union and saw that they attempt to request favicons from lots of third parties including dropbox, accounts.google.com, stackoverflow.com, squareup.com, instagram.com, skype.com, tumblr.com, expedia.de, pinterest.com, de.foursquare.com, eu.battle.net, store.steampowered.com, reddit.com.

The favicons are usually loaded from the login page of the service, so I'm guessing they are doing that old trick to see if the browser is logged into those services by requesting the favicon.

I emailed them about this and after two months all they said is that it's part of their security software checks and not from anything suspicious.

Do they do this to create a 'social media fingerprint' of me as an additional check? Even though a few of the services are the German versions (credit union is in the US) and a few have fixed this so that it doesn't work anymore. It just seems strange and excessive.
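
The poster spotted this by eyeballing the network log. The script below is an added example (not code from the post or from the demo linked in the replies) that does the same triage over a HAR export: it flags requests to hosts other than the first party whose path looks like a login endpoint and whose query carries a favicon URL as the redirect target, which is the shape of the login-status trick described above. The first-party host, the third-party hostnames and the HAR entries are constructed placeholders, not any real service's endpoints.

```python
"""Flag third-party favicon probes in a browser network capture (HAR)."""
from urllib.parse import urlparse, parse_qs

FIRST_PARTY = "online.example-cu.test"   # assumed first-party host (placeholder)
LOGIN_PATH_HINTS = ("login", "signin", "sign_in", "session", "auth")
FAVICON_NAMES = ("favicon.ico", "favicon.png")


def _host(url):
    """Bare lowercase hostname of a URL (userinfo and port stripped)."""
    return urlparse(url).netloc.rsplit("@", 1)[-1].split(":")[0].lower()


def classify_request(url, first_party=FIRST_PARTY):
    """Return one of: first-party, third-party, third-party-favicon, login-redirect-probe."""
    parts = urlparse(url)
    host = _host(url)
    if host == first_party or host.endswith("." + first_party):
        return "first-party"
    path = parts.path.lower()
    # Every decoded query value; a redirect-after-login target lives in one of these.
    values = [v.lower() for vals in parse_qs(parts.query).values() for v in vals]
    points_at_icon = any(v.rstrip("/").endswith(FAVICON_NAMES) for v in values)
    if points_at_icon and any(hint in path for hint in LOGIN_PATH_HINTS):
        return "login-redirect-probe"      # login page asked to redirect to its icon
    if path.endswith(FAVICON_NAMES):
        return "third-party-favicon"       # plain cross-site icon fetch, worth a look
    return "third-party"


def urls_from_har(har):
    """Request URLs from a HAR export (browser devtools 'Save all as HAR')."""
    return [entry["request"]["url"] for entry in har["log"]["entries"]]


def probe_report(urls, first_party=FIRST_PARTY):
    """Map each suspicious category to the sorted third-party hosts seen in it."""
    report = {}
    for url in urls:
        kind = classify_request(url, first_party)
        if kind in ("login-redirect-probe", "third-party-favicon"):
            report.setdefault(kind, set()).add(_host(url))
    return {kind: sorted(hosts) for kind, hosts in report.items()}


# Constructed HAR fragment: one first-party login page plus the kinds of
# cross-site fetches described in the post. Only the fields read above are present.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://online.example-cu.test/login"}},
    {"request": {"url": "https://online.example-cu.test/favicon.ico"}},
    {"request": {"url": "https://login.social-a.example/login?next=/favicon.ico"}},
    {"request": {"url": "https://social-b.example/accounts/signin/?continue="
                        "https://social-b.example/favicon.ico"}},
    {"request": {"url": "https://social-c.example/favicon.ico"}},
    {"request": {"url": "https://social-d.example/login?next=/dashboard"}},
]}}

if __name__ == "__main__":
    for kind, hosts in probe_report(urls_from_har(SAMPLE_HAR)).items():
        print(f"{kind}: {', '.join(hosts)}")
```

Feed it a real HAR with `json.load` and adjust `FIRST_PARTY`; a hit in `login-redirect-probe` is the pattern worth asking the site about, while `third-party-favicon` is just a list of cross-site icon fetches to review by hand.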
======
Capira
Sounds like they copy pasted my demo into production:
[https://robinlinus.github.io/socialmedia-leak/](https://robinlinus.github.io/socialmedia-leak/)

~~~
pwython
Funny enough, the only thing it got wrong was it saying I wasn't logged into
HN.

~~~
captaincrowbar
Same for me. Maybe something changed about HN since the demo was written?

~~~
piyush_soni
For me it shows I'm logged into HN, but shows I'm 'not logged in' to many of
the other things that I'm actually logged in to, like Twitter, Reddit, Facebook
and a few others.

~~~
KozmoNau7
Same here. I use uBlock Origin with all of the tracking filters enabled, plus
Privacy Badger.

~~~
piyush_soni
Yup. uBlock Origin + 'Blur', another privacy add-on.

------
manigandham
It's basic fingerprinting used by every major security-sensitive service, like
banks.

The more entropy (unique bits of data) about your browser context they can
collect, the easier it is to recognize you and see if you're a human or not
(and block if they need to).
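
To put a number on "entropy" in the sense used here, the following added example (not from the comment) treats an observed browser context as an event and computes its surprisal, -log2(P), over a population of visitors: the rarer the combination of attributes, the more bits it reveals and the fewer other visitors share it. The population, the attribute names and the counts are constructed for the example, not measurements of any real site.

```python
"""How much a browser context narrows down who you are, measured in bits."""
import math


def build_population():
    """64 constructed visitor contexts: browser, time zone, and which of two
    third-party sites the visitor is logged in to. Some login sets are rarer."""
    logins_counts = {
        frozenset(): 6,
        frozenset({"site-a"}): 5,
        frozenset({"site-b"}): 4,
        frozenset({"site-a", "site-b"}): 1,
    }
    population = []
    for browser in ("chrome", "firefox"):
        for tz in ("UTC-5", "UTC+1"):
            for logins, n in logins_counts.items():
                population.extend(
                    {"browser": browser, "tz": tz, "logins": logins} for _ in range(n)
                )
    return population


def anonymity_set(population, observed, attributes):
    """Contexts that match the observed one on every listed attribute."""
    return [ctx for ctx in population
            if all(ctx[a] == observed[a] for a in attributes)]


def surprisal_bits(population, observed, attributes):
    """Identifying information carried by these attribute values: -log2(P)."""
    matches = len(anonymity_set(population, observed, attributes))
    if matches == 0:
        raise ValueError("observed context does not occur in the population")
    return math.log2(len(population) / matches)


def cumulative_bits(population, observed, attributes):
    """Bits accumulated as each attribute is added, in the given order."""
    return [round(surprisal_bits(population, observed, attributes[:i]), 3)
            for i in range(1, len(attributes) + 1)]


if __name__ == "__main__":
    pop = build_population()
    order = ["browser", "tz", "logins"]
    common = {"browser": "chrome", "tz": "UTC-5", "logins": frozenset()}
    rare = {"browser": "chrome", "tz": "UTC-5", "logins": frozenset({"site-a", "site-b"})}
    for label, ctx in (("common", common), ("rare", rare)):
        print(label, cumulative_bits(pop, ctx, order), "bits;",
              len(anonymity_set(pop, ctx, order)), "indistinguishable visitors")
```

With this population, browser and time zone together are worth 2 bits whatever their values, but the login set swings between about 1.4 extra bits (logged in nowhere, six look-alikes left) and 4 extra bits (logged in to both sites, nobody else matches), which is why a login-status probe is attractive as a fingerprint signal.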

~~~
zaphirplane
What do you mean? I can use a browser in incognito mode and still log in

~~~
manigandham
It's a security measure to see if you're logging in under strange
circumstances or an automated browser using stolen credentials or something.
Some sites will ask security questions only if they see a new device or IP or
geolocation, for example. Incognito just means empty cache and cookies, that's
not that suspicious on its own given all the other details.

------
kristoff_it
Use Firefox Containers and live happy.

[https://testpilot.firefox.com/experiments/containers/](https://testpilot.firefox.com/experiments/containers/)

~~~
bwl
Great advice, and Containers has actually graduated from experiments to a full
release.

[https://addons.mozilla.org/en-US/firefox/addon/multi-account...](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/)

~~~
sf_rob
The add-on still has functionality / faster iteration that isn't quite baked
into the release version.

If you want to be more aggressive, you can also toggle the configs
privacy.resistFingerprinting and privacy.trackingprotection.enabled which will
probably break some websites.

------
iamNumber4
I would suggest the following when connecting to this site.

1. Use a dedicated browser, and only use that browser for this site.

2. Utilize private mode if you don't want to dedicate a browser only for this
site.

3. Use different profiles in your normal daily browser. For example, Firefox
and Chrome allow you to have multiple profiles. Create a new profile to use
when going to this site.

4. Analyze the JavaScript and see if it is coming from a 3rd party/CDN URL.
If so, download the JavaScript files, modify them to just return a success
state, etc., deploy them to your own server running Apache or nginx, and clone
the URL structure on that server. Then edit your hosts file to cause your
computer to point that host in the URL to your own server, serving up your
modified version of the .js files.

5. Least level of effort: get a different credit union.

~~~
dzdt
You trust the credit union with your money, but don't trust them with a
fingerprint of your browser identity?

~~~
mindslight
Yes. Money is easily verified (balance = deposits - withdrawals), and there
are centuries of law/customs for preventing fraud/theft.

Meanwhile, tying browser fingerprints to a pretty solid real-world identity
has deniable value, is discreetly sold (private surveillance bureaus operate
with no oversight), and is just the type of gimmicky revenue stream that
consumer-capturing industries are on the lookout for.

------
tedsanders
Anti-fraud.

Criminals create fake accounts and use stolen credentials to defraud banks.
The problem of stolen credentials is partly solved by 2FA, but banks have
measured that 2FA annoys users and makes them less likely to complete
transactions. As a middle ground between imposing 2FA on users and being
defrauded frequently, banks buy browser fingerprinting services (e.g.,
ThreatMetrix, Trusteer, Kount, Iovation, Easy Solutions, ...). If the user's
fingerprint matches their database and looks normal, they pass the login
through (takes ~100ms, mostly invisible to user). If the user looks
suspicious, they escalate to 2FA or some other login verification that
criminals cannot pass.

Apps do the same thing. It's all to help gauge whether you're a legit human or
a criminal bot.
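
The flow described in this comment, written out as an added example (not code from the comment or from any of the vendors it names): compare the client's device fingerprint and connection details against what the account has seen before, pass the login through when nothing is unusual, and escalate to a second factor only when the score crosses a threshold. The signal weights, the thresholds, the `automation_hints` field and the sample account history are assumptions made for the example.

```python
"""Risk-scored login: fast-path familiar sessions, step up the unusual ones."""
from dataclasses import dataclass, field

STEP_UP_THRESHOLD = 40   # assumed: at or above this, demand a second factor
BLOCK_THRESHOLD = 90     # assumed: at or above this, refuse the attempt and alert


@dataclass
class LoginAttempt:
    username: str
    device_fp: str          # hashed fingerprint reported by the client-side script
    ip_country: str
    hour_utc: int
    automation_hints: int   # count of headless/automation indicators (assumed signal)


@dataclass
class AccountHistory:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(6, 23)   # hours in which this account normally logs in


def risk_score(attempt, history):
    """Return (score, reasons); each unusual signal adds a fixed weight."""
    score, reasons = 0, []
    if attempt.device_fp not in history.known_devices:
        score += 40
        reasons.append("unrecognised device")
    if attempt.ip_country not in history.usual_countries:
        score += 30
        reasons.append(f"unusual country {attempt.ip_country}")
    if attempt.hour_utc not in history.usual_hours:
        score += 10
        reasons.append("unusual hour")
    if attempt.automation_hints:
        score += 25 * attempt.automation_hints
        reasons.append("automation indicators")
    return score, reasons


def decide(attempt, history):
    """'allow' passes the login, 'step_up' demands a second factor, 'block' refuses."""
    score, reasons = risk_score(attempt, history)
    if score >= BLOCK_THRESHOLD:
        return "block", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


def record_success(attempt, history):
    """After a login that passed (or cleared its step-up), remember the device and
    country so the next visit from them takes the fast path."""
    history.known_devices.add(attempt.device_fp)
    history.usual_countries.add(attempt.ip_country)


# Constructed history for one account.
SAMPLE_HISTORY = AccountHistory(known_devices={"fp-laptop-01"}, usual_countries={"US"})

if __name__ == "__main__":
    for attempt in (
        LoginAttempt("alice", "fp-laptop-01", "US", 14, 0),   # routine
        LoginAttempt("alice", "fp-phone-02", "US", 14, 0),    # new device only
        LoginAttempt("alice", "fp-unknown-9", "XX", 3, 1),    # everything unusual
    ):
        print(attempt.device_fp, decide(attempt, SAMPLE_HISTORY))
```

The `record_success` step is what makes the ~100ms pass-through possible in steady state: once a device has cleared a step-up it joins the known set, so only genuinely new contexts pay the cost of the second factor.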

------
HoyaSaxa
It is hard to be certain without knowing the particular credit union, but as
others have mentioned this data is likely used to counter bot login attempts.

But this is more of a business decision than a security decision likely. It is
probably to prevent services like Intuit (Mint.com, Quickbooks, etc), Plaid,
Quovo, and other data aggregators from accessing online banking and screen
scraping / web crawling. Obviously, there are security reasons to prevent this
access as well, but it has historically been a business decision with security
as an excuse.

Disclaimer: I'm co-founder of a company that powers online banking, mobile
banking, and open banking APIs for credit unions and banks and used to be CTO
at a credit union.

------
soared
I'm sure you already know the answer, but the more data they can collect on
you the better. If they are technically capable of building out a full profile
on you, they can use it to recommend products, make credit decisions, etc.

Favicons are only the tip of the iceberg - download Ghostery and see what 3rd
party scripts are running. Like a ton, including some from Oracle that connect
you to all their data in their device graph. So even if you used a brand new
phone and logged into your account, all your previous history would be tied to
your new phone and vice versa.

~~~
kristianp
I didn't realise Oracle was in that business, but it looks like it's true:
[https://www.oracle.com/marketingcloud/products/data-manageme...](https://www.oracle.com/marketingcloud/products/data-management-platform/id-graph.html)

~~~
soared
Yeah they are making acquisitions in that space like crazy too

------
wdr1
I might be an outlier, but if they are using this authentication, it's
actually somewhat clever. And likely a net positive for the user.

I obviously don't know for sure if this is happening, but if your social media
footprint helps determine if you see a captcha or not, or if you're forced to
enter your credential again, it seems a reasonable signal to add to the mix of
things like IP, browser, etc.

------
saberworks
I'm usually completely against using "apps" for anything, but does using an
app (on mobile) protect against this type of thing? Does an embedded web view
have access to the things you're logged into in your main browser on your
phone? So does using my credit union app to access my account protect me from
them getting all this info from my phone browser?

~~~
netsharc
Safer? I doubt it, apps can ask the Android system for a list of installed
packages, and a list of currently running apps:

[http://stacktips.com/tutorials/android/how-to-get-list-of-in...](http://stacktips.com/tutorials/android/how-to-get-list-of-installed-apps-in-android), [https://stackoverflow.com/questions/3304685/how-to-get-the-l...](https://stackoverflow.com/questions/3304685/how-to-get-the-list-of-running-applications)

For example the Facebook app is a curious one. IIRC it also asks the system to
notify it when a package (any package) is installed or uninstalled:
[https://stackoverflow.com/questions/11246326/how-to-receivin...](https://stackoverflow.com/questions/11246326/how-to-receiving-broadcast-when-application-installed-or-removed)

I guess they can easily track the popularity of apps like Snapchat or
WhatsApp. Geez, also, identify any apps that are "going viral" in popularity,
and either buy the company, or squash them through imitation...

------
tpaschalis
Seconding other commenters, using a dedicated browser and/or a VPN can help
hide your 'digital footprint'.

For example, here's what I'm using. An easy way to set up a sandboxed Chrome
using Docker!
[https://tpaschalis.github.io/sandboxed-browser-with-docker/](https://tpaschalis.github.io/sandboxed-browser-with-docker/)

~~~
illumin8
This is good, but I want to sandbox every site from each other, and I don't
want to run a dedicated Docker/Chrome container for every site.

------
swanson
A few maybe-not-so-nefarious options I can think of:

a) some kind of third-party OAuth sign-in library that may not be properly
configured? Is it possible to log in to the website using some kind of single
sign-in?

b) requesting favicons to use as a visual icon when displaying/categorizing
transactions?

c) some external user tracking package that could be used for analytics or
support?

------
teeray
I'm pretty sure NoScript's ABE
([https://noscript.net/abe/](https://noscript.net/abe/)) would be able to
reject those requests. You can basically define rules that say requests are
only allowed to the credit union's origin and that's it.

------
londons_explore
If they're smart, it will go into a risk profile for you to be able to offer
you a better deal (assuming you are low risk).

I suspect it might just be an anti-bot thing though. Most bots run in
sandboxes which aren't logged into these sites.

------
nomadiccoder
I use uBlock Origin to block ads and Ghostery to block a lot of trackers;
there's some configurability to block some stuff from social media accounts,
maybe it will help..?

~~~
yamalight
umatrix [1] from gorhill (ubo dev) does that pretty well (along with a bunch
of other things)

[1] [https://github.com/gorhill/uMatrix](https://github.com/gorhill/uMatrix)

~~~
jasonkostempski
Does uBlock Origin not do it out of the box?

~~~
greenyoda
uMatrix is more granular. For example, you can tell it to allow images and
CSS from a domain, but not cookies or JavaScript.

Or, you can tell it to allow JavaScript from Facebook while you're on
Facebook's site, but not when you're on other sites.

I find both uBlock Origin and uMatrix to be useful.

~~~
jasonkostempski
But for this particular problem, I want it off everywhere, all the time, no
exceptions for anyone. According to
[https://robinlinus.github.io/socialmedia-leak/](https://robinlinus.github.io/socialmedia-leak/)
I'm covered. I have 3rd-party cookies disabled and uBlock Origin but I'm not
sure what's helping me. Banks shouldn't be utilizing vulnerabilities in the
name of security; I haven't had an issue logging into anything yet.

------
muzani
They could be selling the data too. A lot of major corporations in my country
seem to be collecting and selling user data.

------
codedokode
Why don't those companies (stackoverflow, Google and others) close the
vulnerability?

~~~
WillPostForFood
Some have, including StackOverflow:

 _2016/10/14: Stackoverflow has fixed the issue._

via: [https://robinlinus.github.io/socialmedia-leak/](https://robinlinus.github.io/socialmedia-leak/)

------
7ewis
> you install on your own server

Yes anyone can easily spin up their own server, but MailChimp does that part
for you. Right?

So the cost analysis should really include the cost of an EC2 instance too, to
compare them fairly.

~~~
krallja
Are you sure you commented on the right article?

