privacy – Should I be worried of tracking domains on a banking website?

The Question :

126 people think this question is useful

Finland’s largest bank OP (former Osuuspankki) has added tracking domains (all three owned by Adobe) in their website redesign:

[Screenshot: uBlock Origin on uusi.op.fi]

These domains are loaded when signed in:

2o7.net
demdex.net
omtrdc.net

Is this considered acceptable? What information can third-party domains gather on my bank account activity?

The Question Comments :
  • Are these domains embedded into the actual online banking or only in the website of the bank, i.e. on pages where you enter sensitive information or not on such pages?
  • @SteffenUllrich: demdex.net, omtrdc.net and occasionally 2o7.net are loaded when inspecting my account activity. The balance of my bank accounts is displayed on the front page.
  • Given the answer by Steffen, I hope you send (sent) your bank a warning message? And thanks for asking, I’ll put this check on my to-do list.
  • This happened with another Finnish bank, S-Pankki, a couple years ago. Article in Finnish, sorry. tivi.fi/Kaikki_uutiset/2015-02-25/…
  • OP representative has responded, claims there’s no threat (in Finnish): tivi.fi/Kaikki_uutiset/…

The Answer 1

158 people think this answer is useful

It looks like the main site is embedding script from Adobe Marketing Cloud directly into the page. While these scripts are loaded from the same server as the main site, it looks like these scripts communicate with external servers using XHR and also download new script from demdex.net and 2o7.net, according to the logs of uBlock Origin.

Especially the loading and executing of new scripts from a third party outside the control of your bank is a huge security problem. Essentially these scripts can get full control over the web site, including reading what you enter, changing submitted or displayed content etc. These are essentially cross site scripting, only that they did not happen by accident but the developers of the banking site explicitly invited these third parties to do cross site scripting.

While such use of third party services might be acceptable on a site where no sensitive information is entered, it is absolutely not acceptable whenever sensitive information is transferred or when unexpected changes to the content of a web site (like showing a different account balance) might cause unwanted actions from the visitor.

The Answer 2

16 people think this answer is useful

Banking sites are hardly monolithic. A bank usually relies on dozens or even hundreds of third party systems in their overall solution. You might have a banking host provided by one vendor, a credit card solution from two or three more vendors, a signon solution provided by yet another, payments by another. The work to put together these sites is enormous.

It is not at all uncommon for banking sites to involve third parties on the front end as well. This could range from third party libraries just to render a calendar control to systems that provide user behavior analytics and risk decisions. Many of these vendors offer script and content via content delivery networks (CDNs), meaning that the files might come from a third party domain.

Is this dangerous? It can be. If the third party resources are not verified via Subresource integrity, they could be modified by hackers (via Man-in-the-middle) or even the third party itself (e.g. malicious employee). So any online banking implementation will either host the content themselves (i.e. copy and paste the third party files onto their own web server) or in some cases deliver the content with a cryptographic hash, notated via the integrity attribute of the script node or link node that references the external file. In yet other cases, they will link to the CDN but provide fallback behavior to a local file (see this StackOverflow question) in case the SRI check fails.

Should I be worried of tracking domains on a banking website?

It is important to note that in the EU, the cost of fraudulent transactions is borne by the institution. Online banking security, therefore, has the primary mission of protecting the bank, not you.

Whatever architecture OP came up with, you can be certain that it passed several layers of risk assessment and review and the decision to use a CDN to serve some content was not made lightly. Chances are they have implemented it properly and are using some means of SRI. You can still worry, but the worry should be minimal.
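
The SRI check described in this answer, as an added example that is not part of the original answer or of OP's site: a Node.js audit that lists cross-origin script tags in a page and checks each integrity value against a reference copy of the file. The hosts, file contents and the names `sriHash` and `auditScripts` are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const ALGS = ['sha256', 'sha384', 'sha512']; // hash functions SRI allows

// Value for the integrity attribute, computed over the exact bytes served.
function sriHash(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// List scripts loaded from an origin other than the page's, with a verdict:
// 'missing' (no integrity attribute), 'ok', 'mismatch', or 'unverified'
// (no reference copy of the file to hash). Regex tag matching is a
// simplification that suits an audit of your own templates, not hostile HTML.
function auditScripts(html, pageUrl, referenceBodies = {}) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const src = /\ssrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue; // inline script: SRI does not apply
    const url = new URL(src[1], pageUrl);
    if (url.origin === pageOrigin) continue; // self-hosted copy
    const attr = /\sintegrity\s*=\s*["']([^"']+)["']/i.exec(tag);
    let verdict = 'missing';
    if (attr) {
      const body = referenceBodies[url.href];
      // Simplification: any listed hash may match (browsers use the strongest).
      const hashes = attr[1].trim().split(/\s+/)
        .filter(h => ALGS.includes(h.split('-')[0]));
      if (body === undefined) verdict = 'unverified';
      else verdict = hashes.some(h => h === sriHash(body, h.split('-')[0])) ? 'ok' : 'mismatch';
    }
    findings.push({ url: url.href, verdict });
  }
  return findings;
}

// Constructed sample: page, hosts and file contents are made up.
const CALENDAR_JS = 'function renderCalendar(){}\n';
const SAMPLE_BODIES = {
  'https://cdn.example/calendar.js': CALENDAR_JS,
  'https://cdn.example/chart.js': 'function drawChart(){ /* changed upstream */ }\n',
};
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.example/calendar.js" integrity="${sriHash(CALENDAR_JS)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/chart.js" integrity="${sriHash('function drawChart(){}\n')}" crossorigin="anonymous"></script>
<script src="https://tracker.example/collect.js"></script>`;

console.log(auditScripts(SAMPLE_HTML, 'https://bank.example/accounts', SAMPLE_BODIES));
```

A static audit like this sees only the tags in the delivered HTML; scripts that an already-loaded script fetches at runtime, as Answer 1 describes, are not covered by integrity attributes on the page.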

The Answer 3

4 people think this answer is useful

The chance is low but it could be a real threat. Recently (April 2017) it was discovered that tracking scripts (Gemius) on one of the large Polish banks (mBank) were sending the account balance together with other (standard) tracking data. The intended effect was probably capturing navigation (page titles/section), so the leak itself might be accidental.
