Ask HN: Why does my credit union check if I'm logged into Steam and Reddit?
129 points by fanseed on Oct 18, 2017 | 64 comments
I was watching the network logs as I logged into my credit union and saw that they attempt to request favicons from lots of third parties including dropbox, accounts.google.com, stackoverflow.com, squareup.com, instagram.com, skype.com, tumblr.com, expedia.de, pinterest.com, de.foursquare.com, eu.battle.net, store.steampowered.com, reddit.com.

The favicons are usually loaded from the login page of the service, so I'm guessing they are doing that old trick to see if the browser is logged into those services by requesting the favicon.

I emailed them about this and after two months all they said is that it's part of their security software checks and not from anything suspicious.

Do they do this to create a 'social media fingerprint' of me as an additional check? Even though a few of the services are the German versions (credit union is in the US) and a few have fixed this so that it doesn't work anymore. It just seems strange and excessive.




Sounds like they copy pasted my demo into production: https://robinlinus.github.io/socialmedia-leak/


Funnily enough, the only thing it got wrong was saying I wasn't logged into HN.


Same for me. Maybe something changed about HN since the demo was written?


They blacklisted /identicon.ico as the goto value in their redirect URL. It still works with /y18.gif though.
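To make the trick concrete, here is an added JavaScript simulation (not code from the thread, from the credit union, or from the linked demo) of the login-redirect probe the post describes and of the server-side fix discussed in the comments above. The mock service, the session cookie value, the paths and the handler names are all invented for the example; nothing is fetched from real hosts.

```javascript
// Added example, not from the thread: simulates the "are you logged in?"
// favicon probe and the server-side fix.
//
// The leak: a login page honours a post-login redirect target such as
//   /login?next=/favicon.ico
// A third-party page loads that URL in an <img>. If the victim has a
// session, the server redirects to the favicon, the image decodes and
// onload fires. If not, the server returns the login HTML, which is not an
// image, so onerror fires. Either way the third party learns the state.

const SESSION_COOKIE = 'sid=abc123'; // constructed sample session

// Mock service: paths and their content types (constructed).
const RESOURCES = {
  '/favicon.ico': { type: 'image/x-icon', body: 'ICON' },
  '/y18.gif':     { type: 'image/gif',    body: 'GIF' },
  '/profile':     { type: 'text/html',    body: '<html>profile</html>' },
};

// Vulnerable handler: blindly honours ?next= whenever a session exists.
function handleVulnerable(path, query, cookie) {
  if (path === '/login') {
    if (cookie === SESSION_COOKIE) {
      return { status: 302, location: query.next || '/' };
    }
    return { status: 200, type: 'text/html', body: '<html>login form</html>' };
  }
  const r = RESOURCES[path];
  return r ? { status: 200, ...r } : { status: 404, type: 'text/html', body: '' };
}

// Hardened handler: only redirect to an allowlist of HTML landing pages.
// Denying one icon path (as the comment above reports HN did) is not enough,
// because any image-typed path works for the probe.
const SAFE_NEXT = new Set(['/', '/profile']);
function handleHardened(path, query, cookie) {
  if (path === '/login' && cookie === SESSION_COOKIE) {
    const next = SAFE_NEXT.has(query.next) ? query.next : '/';
    return { status: 302, location: next };
  }
  return handleVulnerable(path, query, cookie);
}

// Mock browser loading an <img>: follows one redirect and fires "load" only
// if the final body is an image. `thirdPartyCookies` models the browser
// setting that decides whether the service's cookie is attached to this
// cross-site request at all.
function loadImage(handler, url, browser) {
  const [path, qs = ''] = url.split('?');
  const query = Object.fromEntries(new URLSearchParams(qs));
  const cookie = browser.thirdPartyCookies ? browser.cookie : undefined;
  let res = handler(path, query, cookie);
  if (res.status === 302) {
    const [p2, q2 = ''] = res.location.split('?');
    res = handler(p2, Object.fromEntries(new URLSearchParams(q2)), cookie);
  }
  return res.status === 200 && res.type.startsWith('image/') ? 'load' : 'error';
}

// The probe a tracker embeds: "load" means the victim is logged in.
function probeLoggedIn(handler, browser, target = '/favicon.ico') {
  return loadImage(handler, `/login?next=${target}`, browser) === 'load';
}

// Constructed browser states.
const loggedIn  = { cookie: SESSION_COOKIE, thirdPartyCookies: true };
const loggedOut = { cookie: undefined,      thirdPartyCookies: true };
const blocked   = { cookie: SESSION_COOKIE, thirdPartyCookies: false };

console.log(probeLoggedIn(handleVulnerable, loggedIn));             // true  (leak)
console.log(probeLoggedIn(handleVulnerable, loggedOut));            // false
console.log(probeLoggedIn(handleVulnerable, blocked));              // false (3rd-party cookies off)
console.log(probeLoggedIn(handleVulnerable, loggedIn, '/y18.gif')); // true  (denylist bypass)
console.log(probeLoggedIn(handleHardened, loggedIn));               // false (fixed)
```

Run it with node. The `blocked` browser models disabling third-party cookies: the cookie is never attached to the cross-site image request, so the probe reads "not logged in" regardless of what the server does, which is why several commenters below see the demo report nothing.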


For me it shows I'm logged into HN, but shows I'm 'not logged in' many of other things that I'm actually logged in to, like Twitter, Reddit, Facebook and a few others.


Same here. I use uBlock Origin with all of the tracking filters enabled, plus Privacy Badger.


Yup. uBlock Origin + 'Blur', another privacy add-on.


Nice, nothing came up for me! This is the first time I've seen the positive impact of disabling third party cookies.


Nice work.

I already had Privacy Badger and had disabled third-party cookies, but it's good to have confirmation that it's working. I'm showing up as not logged into anything, even though I am, in fact, logged into six of those services (including HN, obviously).


This page suggests that I am logged into "VK", which apparently is the Russian equivalent of Facebook, but I had never heard of it before this. Any reason why that is?


Weird. It thinks I'm logged in to Facebook and Flickr, which I'm definitely not (I checked).

I am logged in to HN and it didn't catch that.


So disabling 3rd-party cookies is enough to prevent this?


It's basic fingerprinting used by every major security-sensitive service, like banks.

The more entropy (unique bits of data) about your browser context they can collect, the easier it is to recognize you and see if you're a human or not (and block if they need to).


What do you mean? I can use a browser's incognito mode and still log in.


It's a security measure to see if you're logging in under strange circumstances or from an automated browser using stolen credentials or something. Some sites will ask security questions only if they see a new device or IP or geolocation, for example. Incognito just means empty cache and cookies; that's not that suspicious on its own given all the other details.


Use Firefox Containers and live happy.

https://testpilot.firefox.com/experiments/containers/


Great advice, and Containers has actually graduated from experiments to a full release.

https://addons.mozilla.org/en-US/firefox/addon/multi-account...


The add-on still has functionality / faster iteration that isn't quite baked into the release version.

If you want to be more aggressive, you can also toggle the configs privacy.resistFingerprinting and privacy.trackingprotection.enabled which will probably break some websites.


But if the comment above yours is correct, you're defeating a small security measure:

>> It's basic fingerprinting used by every major security-sensitive service, like banks.

>> The more entropy (unique bits of data) about your browser context they can collect, the easier it is to recognize you and see if you're a human or not (and block if they need to).


A security measure for some is a privacy breach for others.


Great link, thanks. I had no idea this exists.


I would suggest the following when connecting to this site.

1. use a dedicated browser, and only use that browser for this site.

2. utilize private mode if you don't want to dedicate a browser only for this site

3. use different profiles in your normal daily browser. For example, Firefox and Chrome allow you to have multiple profiles. Create a new profile to use when going to this site.

4. analyze the JavaScript and see if it is coming from a 3rd-party/CDN URL. If so, download the JavaScript files, modify them to just return a success state, etc., deploy them to your own server running Apache or nginx, and clone the URL structure on that server. Then edit your hosts file to cause your computer to point that host in the URL to your own server, serving up your modified version of the .js files.

5. least level of effort: Get a different credit union.


Why isn't there a browser that provides a sandbox or container for every website I visit? I want cookies to persist between visits for obvious reasons, but I think it's absurd that breadcrumbs are so easily reachable and used for building an advertising profile on me.

I want every website I visit to act as if I have a dedicated computer just for browsing that one site, and have zero knowledge of anything else I do on the Internet or on my computer.


That's basically what Firefox Containers does.

https://medium.com/firefox-test-pilot/firefox-containers-are...


Nice! I'll check it out!


Safari sandboxes each tab so you could simply dedicate each one to a specific website.


You trust the credit union with your money, but don't trust them with a fingerprint of your browser identity?


Yes. Money is easily verified (balance = deposits - withdrawals), and there are centuries of law/customs for preventing fraud/theft.

Meanwhile, tying browser fingerprints to a pretty solid real-world identity has deniable value, is discreetly sold (private surveillance bureaus operate with no oversight), and is just the type of gimmicky revenue stream that consumer-capturing industries are on the lookout for.


Trust is neither binary nor universal.


Uh... yes. They're not allowed to give random companies all your money.


Without blacklisting a bunch of 3rd-party scripts, using a different browser or even device would be useless. Once you log in to your account, this new browser/device is automatically linked to all your old browsers/devices, so there is no difference.

From 2015: https://adexchanger.com/data-driven-thinking/when-evaluating...


Qubes OS pretty much solves this problem!

https://www.qubes-os.org/


The criticism above is wholly unwarranted. You are basically running a collection of VMs. You can create, clone, and dispose of operating systems at will.

Gotta laugh at people criticizing without knowing... Unless connecting from Linux throws major flags, you are good.

It's a much safer OS than Windows or standalone Linux on any given day. Anything touching the web can be disposed of and replaced at will, along with the network management VM.


...or "how to immediately get flagged as a paranoid weirdo nerd and die without credit FOREVER ALONE"

A little like the paradox that by using more secure browsers and configurations, any browser fingerprinting algorithm will single you out reliably from all the other sheep.


Connecting from a Linux based VM will get you flagged? How about one VM used exclusively to connect to banking sites with cookies remaining?

Not sure if you are familiar with how it works, or how using a VM OS works. It's a bare-metal hypervisor with VMs to be used at will.


it's like the old adage that "the NSA really love people using PGP email, as it immediately reveals who's worth watching"


I use a different computer for every single website.


With that level of rigor, you're certain to be flagged as a bot. ;)


Anti-fraud.

Criminals create fake accounts and use stolen credentials to defraud banks. The problem of stolen credentials is partly solved by 2FA, but banks have measured that 2FA annoys users and makes them less likely to complete transactions. As a middle ground between imposing 2FA on users and being defrauded frequently, banks buy browser fingerprinting services (e.g., ThreatMetrix, Trusteer, Kount, Iovation, Easy Solutions, ...). If the user's fingerprint matches their database and looks normal, they pass the login through (takes ~100ms, mostly invisible to user). If the user looks suspicious, they escalate to 2FA or some other login verification that criminals cannot pass.

Apps do the same thing. It's all to help gauge whether you're a legit human or a criminal bot.


It is hard to be certain without knowing the particular credit union, but as others have mentioned this data is likely used to counter bot login attempts.

But this is more of a business decision than a security decision likely. It is probably to prevent services like Intuit (Mint.com, Quickbooks, etc), Plaid, Quovo, and other data aggregators from accessing online banking and screen scraping / web crawling. Obviously, there are security reasons to prevent this access as well, but it has historically been a business decision with security as an excuse.

Disclaimer: I'm co-founder of a company that powers online banking, mobile banking, and open banking APIs for credit unions and banks and used to be CTO at a credit union.


I'm sure you already know the answer, but the more data they can collect on you the better. If they are technically capable of building out a full profile on you, they can use it to recommend products, make credit decisions, etc.

Favicons are only the tip of the iceberg - download Ghostery and see what 3rd-party scripts are running. Like a ton, including some from Oracle that connect you to all their data in their device graph. So even if you used a brand new phone and logged into your account, all your previous history would be tied to your new phone and vice versa.


I didn't realise Oracle was in that business, but it looks like it's true: https://www.oracle.com/marketingcloud/products/data-manageme...


Yeah they are making acquisitions in that space like crazy too


I might be an outlier, but if they are using this authentication, it's actually somewhat clever. And likely a net positive for the user.

I obviously don't know for sure if this is happening, but if your social media footprint helps determine if you see a captcha or not, or if you're forced to enter your credentials again, it seems a reasonable signal to add to the mix of things like IP, browser, etc.


I'm usually completely against using "apps" for anything, but does using an app (on mobile) protect against this type of thing? Does an embedded web view have access to the things you're logged into in your main browser on your phone? So does using my credit union app to access my account protect me from them getting all this info from my phone browser?


Safer? I doubt it; apps can ask the Android system for a list of installed packages, and a list of currently running apps:

http://stacktips.com/tutorials/android/how-to-get-list-of-in..., https://stackoverflow.com/questions/3304685/how-to-get-the-l...

For example the Facebook app is a curious one. IIRC it also asks the system to notify it when a package (any package) is installed or uninstalled: https://stackoverflow.com/questions/11246326/how-to-receivin...

I guess they can easily track the popularity of apps like Snapchat or WhatsApp. Geez, also, identify any apps that are "going viral" in popularity, and either buy the company, or squash them through imitation...


On iOS, checking deep link url schemes (does user X have 'Gmail' installed on their phone?) is pretty straightforward albeit rate-limited.


The typical embedded WebView is even less secure. The app containing the webview can see everything that you do within it -- including capturing login information for other sites.

At least with iOS, Apple introduced an out-of-process Safari View Controller that can share cookies, logins, etc. with Safari inside an app, but doesn't allow the app to intercept what you are doing.


Yes, it does, since apps are sandboxed better than web pages. There are a number of steps you can take depending on your browser: Disabling 3rd-party cookies prevents this attack. So does Firefox's Containers (or just private browsing) and other addons like uMatrix.


Seconding other commenters, using a dedicated browser and/or a VPN can help hide your 'digital footprint'.

For example, here's what I'm using. An easy way to set up a sandboxed Chrome using Docker! https://tpaschalis.github.io/sandboxed-browser-with-docker/


This is good, but I want to sandbox every site from each other, and I don't want to run a dedicated Docker/Chrome container for every site.


A few maybe-not-so-nefarious options I can think of:

a) some kind of third-party OAuth sign-in library that may not be properly configured? Is it possible to log in to the website using some kind of single sign-on?

b) requesting favicons to use as a visual icon when displaying/categorizing transactions?

c) some external user tracking package that could be used for analytics or support?


I'm pretty sure NoScript's ABE (https://noscript.net/abe/) would be able to reject those requests. You can basically define rules that say requests are only allowed to the credit union's origin and that's it.


If they're smart, it will go into a risk profile for you to be able to offer you a better deal (assuming you are low risk).

I suspect it might just be an anti-bot thing though. Most bots run in sandboxes which aren't logged into these sites.


I use uBlock Origin to block ads and Ghostery to block a lot of trackers. There's some configurability to block some stuff from social media accounts; maybe it will help?


uMatrix [1] from gorhill (the uBO dev) does that pretty well (along with a bunch of other things).

[1] https://github.com/gorhill/uMatrix


Does uBlock Origin not do it out of the box?


uMatrix is more granular. For example, you can tell it to allow images and CSS from a domain, but not cookies or JavaScript.

Or, you can tell it to allow JavaScript from Facebook while you're on Facebook's site, but not when you're on other sites.

I find both uBlock Origin and uMatrix to be useful.


But for this particular problem, I want it off everywhere, all the time, no exceptions for anyone. According to https://robinlinus.github.io/socialmedia-leak/ I'm covered. I have 3rd-party cookies disabled and uBlock Origin but I'm not sure what's helping me. Banks shouldn't be utilizing vulnerabilities in the name of security, I haven't had an issue logging into anything yet.


They could be selling the data too. A lot of major corporations in my country seem to be collecting and selling user data.


Why don't those companies (stackoverflow, Google and others) close the vulnerability?


Some have, including StackOverflow:

2016/10/14: Stackoverflow has fixed the issue.

via: https://robinlinus.github.io/socialmedia-leak/


> you install on your own server

Yes anyone can easily spin up their own server, but MailChimp does that part for you. Right?

So the cost analysis should really include the cost of an EC2 instance too, to compare them fairly.


Are you sure you commented on the right article?



