Ask HN: Why does my credit union check if I'm logged into Steam and Reddit?

I was watching the network logs as I logged into my credit union and saw that they attempt to request favicons from lots of third parties including dropbox, accounts.google.com, stackoverflow.com, squareup.com, instagram.com, skype.com, tumblr.com, expedia.de, pinterest.com, de.foursquare.com, eu.battle.net, store.steampowered.com, reddit.com.

The favicons are usually loaded from the login page of the service, so I'm guessing they are doing that old trick to see if the browser is logged into those services by requesting the favicon.

I emailed them about this and after two months all they said is that it's part of their security software checks and not from anything suspicious.

Do they do this to create a 'social media fingerprint' of me as an additional check? Even though a few of the services are the German versions (credit union is in the US) and a few have fixed this so that it doesn't work anymore. It just seems strange and excessive.

129 points | by fanseed 2382 days ago
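
As an added example (not part of the original post and not the credit union's code), here is one way to check a browser HAR export for the pattern the post describes: cross-site image requests that pass through a login redirect instead of fetching an icon directly. The hosts, sample entries and function names are constructed for illustration; `_resourceType` is the field Chrome's HAR export uses.

```javascript
// Added example: find cross-site "login state" image probes in HAR-style entries.
const IMAGE_TARGET = /\.(ico|png|gif|jpe?g|svg)$/i;

// Crude same-site test on the last two host labels (assumption for this demo;
// real code should use the Public Suffix List).
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// Returns the first query parameter whose decoded value points at an image.
function imageRedirectParam(url) {
  for (const [name, value] of url.searchParams) {
    if (IMAGE_TARGET.test(value.split('?')[0])) return { name, value };
  }
  return null;
}

function findLoginProbes(entries, firstPartyHost) {
  const hits = [];
  for (const entry of entries) {
    const url = new URL(entry.request.url);
    if (siteOf(url.hostname) === siteOf(firstPartyHost)) continue; // first party
    if (entry._resourceType !== 'image') continue; // probes are loaded as images
    // A direct icon fetch (path ends in .ico etc.) reveals nothing about login
    // state; a redirect through another endpoint to an image can.
    if (IMAGE_TARGET.test(url.pathname)) continue;
    const param = imageRedirectParam(url);
    if (param) hits.push({ host: url.hostname, param: param.name, target: param.value });
  }
  return hits;
}

// Constructed sample entries; all hosts are placeholders.
const SAMPLE_ENTRIES = [
  { _resourceType: 'script', request: { url: 'https://www.creditunion.example/static/app.js' } },
  { _resourceType: 'image', request: { url: 'https://accounts.social.example/login?continue=https%3A%2F%2Faccounts.social.example%2Ffavicon.ico' } },
  { _resourceType: 'image', request: { url: 'https://forum.example/login?goto=%2Fy18.gif' } },
  { _resourceType: 'image', request: { url: 'https://cdn.icons.example/favicon.ico' } },
  { _resourceType: 'xhr', request: { url: 'https://analytics.example/collect?page=%2Flogin' } },
];

function runSample() {
  return findLoginProbes(SAMPLE_ENTRIES, 'www.creditunion.example');
}

console.log(runSample());
```

To run it on a real capture, pass `har.log.entries` from a DevTools "Save all as HAR" export and the hostname of the site you were visiting.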

17 comments

  • Capira 2381 days ago
    Sounds like they copy pasted my demo into production: https://robinlinus.github.io/socialmedia-leak/
    • pwython 2381 days ago
      Funny enough, the only thing that got wrong was it saying I wasn't logged into HN.
      • captaincrowbar 2381 days ago
        Same for me. Maybe something changed about HN since the demo was written?
        • Capira 2381 days ago
          They blacklisted /identicon.ico as goto value in their redirect url. It still works with /y18.gif though.
        • piyush_soni 2381 days ago
          For me it shows I'm logged into HN, but shows I'm 'not logged in' to many other things that I'm actually logged in to, like Twitter, Reddit, Facebook and a few others.
          • KozmoNau7 2381 days ago
            Same here. I use uBlock Origin with all of the tracking filters enabled, plus Privacy Badger.
            • piyush_soni 2381 days ago
              Yup. uBlock Origin + 'Blur', another privacy add-on.
    • exhilaration 2381 days ago
      Nice, nothing came up for me! This is the first time I've seen the positive impact of disabling third party cookies.
    • Turing_Machine 2381 days ago
      Nice work.

      I already had Privacy Badger and had disabled third-party cookies, but it's good to have confirmation that it's working. I'm showing up as not logged into anything, even though I am, in fact, logged into six of those services (including HN, obviously).

    • seanharr11 2381 days ago
      This page suggests that I am logged into "VK", which apparently is the Russian equivalent of Facebook, but I never heard of it before this. Any reason why that is?
    • sn9 2381 days ago
      Weird. It thinks I'm logged in to Facebook and Flickr, which I'm definitely not (I checked).

      I am logged in to HN and it didn't catch that.

    • jasonkostempski 2381 days ago
      So disabling 3rd-party cookies is enough to prevent this?
  • manigandham 2381 days ago
    It's basic fingerprinting used by every major security-sensitive service, like banks.

    The more entropy (unique bits of data) about your browser context they can collect, the easier it is to recognize you and see if you're a human or not (and block if they need to).

    • zaphirplane 2381 days ago
      What do you mean? I can use a browser incognito mode and still log in.
      • manigandham 2381 days ago
        It's a security measure to see if you're logging in under strange circumstances or an automated browser using stolen credentials or something. Some sites will ask security questions only if they see a new device or IP or geolocation, for example. Incognito just means empty cache and cookies, that's not that suspicious on its own given all the other details.
  • kristoff_it 2381 days ago
    Use Firefox Containers and live happy.

    https://testpilot.firefox.com/experiments/containers/

    • bwl 2381 days ago
      Great advice, and Containers has actually graduated from experiments to a full release.

      https://addons.mozilla.org/en-US/firefox/addon/multi-account...

      • sf_rob 2381 days ago
        The add-on still has functionality / faster iteration that isn't quite baked into the release version.

        If you want to be more aggressive, you can also toggle the configs privacy.resistFingerprinting and privacy.trackingprotection.enabled which will probably break some websites.

    • phkahler 2381 days ago
      But if the comment above yours is correct, you're defeating a small security measure:

      >> It's basic fingerprinting used by every major security-sensitive service, like banks.

      >> The more entropy (unique bits of data) about your browser context they can collect, the easier to recognize you and see if you're a human or not (and block if they need to).

      • Frogolocalypse 2381 days ago
        A security measure for some is a privacy breach for others.
    • binaryapparatus 2381 days ago
      Great link, thanks. I had no idea this exists.
  • iamNumber4 2382 days ago
    I would suggest the following when connecting to this site.

    1. use a dedicated browser, and only use that browser for this site.

    2. utilize private mode if you don't want to dedicate a browser only for this site

    3. use different profiles in your normal daily browser. For example, Firefox and Chrome allow you to have multiple profiles. Create a new profile to use when going to this site.

    4. analyze the JavaScript and see if it is coming from a 3rd party/CDN url. If so, download the JavaScript files, modify them to just return a success state, etc..., deploy them to your own server running apache or nginx. Clone the URL structure on that server. Then edit your hosts file to cause your computer to point that host in the url to your own server, serving up your modified version of the .js files.

    5. least level of effort: Get a different credit union.

    • illumin8 2381 days ago
      Why isn't there a browser that provides a sandbox or container for every website I visit? I want cookies to persist between visits for obvious reasons, but I think it's absurd that breadcrumbs are so easily reachable and used for building an advertising profile on me.

      I want every website I visit to act as if I have a dedicated computer just for browsing that one site, and have zero knowledge of anything else I do on the Internet or on my computer.

    • dzdt 2381 days ago
      You trust the credit union with your money, but don't trust them with a fingerprint of your browser identity?
      • mindslight 2381 days ago
        Yes. Money is easily verified (balance = deposits - withdrawals), and there are centuries of law/customs for preventing fraud/theft.

        Meanwhile, tying browser fingerprints to a pretty solid real-world identity has deniable value, is discreetly sold (private surveillance bureaus operate with no oversight), and is just the type of gimmicky revenue stream that consumer-capturing industries are on the lookout for.

      • Volt 2381 days ago
        Trust is neither binary nor universal.
      • SerLava 2381 days ago
        Uh... yes. They're not allowed to give random companies all your money.
    • soared 2381 days ago
      Without blacklisting a bunch of 3rd party scripts using a different browser or even device would be useless. Once you log in to your account, this new browser/device is automatically linked to all your old browsers/devices, so there is no difference.

      From 2015: https://adexchanger.com/data-driven-thinking/when-evaluating...

      • blakes 2381 days ago
        Qubes OS pretty much solves this problem!

        https://www.qubes-os.org/

        • Nickg00617 2381 days ago
          The criticism above is wholly unwarranted. You are basically running a collection of VMs. You can create, clone, and dispose of operating systems at will.

          Gotta laugh at people criticizing without knowing...Unless connecting from Linux throws major flags, you are good.

          It's a much safer OS than Windows, standalone linux, on any given day. Anything touching the web can be disposed and replaced at will. Along with the network management VM.

        • endymi0n 2381 days ago
          ...or "how to immediately get flagged as a paranoid weirdo nerd and die without credit FOREVER ALONE"

          A little like the paradox that by using more secure browsers and configurations, any browser fingerprinting algorithm will single you out reliably from all the other sheep.

          • Nickg00617 2381 days ago
            Connecting from a Linux based VM will get you flagged? How about one VM used exclusively to connect to banking sites with cookies remaining?

            Not sure if you are familiar with how it works, or how using a VM OS works. It's a bare metal hypervisor with VMs to be used at will.

          • blibble 2381 days ago
            it's like the old adage that "the NSA really love people using PGP email, as it immediately reveals who's worth watching"
      • WillyOnWheels 2381 days ago
        I use a different computer for every single website.
    • liberte82 2381 days ago
      With that level of rigor, you're certain to be flagged as a bot. ;)
  • tedsanders 2381 days ago
    Anti-fraud.

    Criminals create fake accounts and use stolen credentials to defraud banks. The problem of stolen credentials is partly solved by 2FA, but banks have measured that 2FA annoys users and makes them less likely to complete transactions. As a middle ground between imposing 2FA on users and being defrauded frequently, banks buy browser fingerprinting services (e.g., ThreatMetrix, Trusteer, Kount, Iovation, Easy Solutions, ...). If the user's fingerprint matches their database and looks normal, they pass the login through (takes ~100ms, mostly invisible to user). If the user looks suspicious, they escalate to 2FA or some other login verification that criminals cannot pass.

    Apps do the same thing. It's all to help gauge whether you're a legit human or a criminal bot.

  • HoyaSaxa 2381 days ago
    It is hard to be certain without knowing the particular credit union, but as others have mentioned this data is likely used to counter bot login attempts.

    But this is more of a business decision than a security decision likely. It is probably to prevent services like Intuit (Mint.com, Quickbooks, etc), Plaid, Quovo, and other data aggregators from accessing online banking and screen scraping / web crawling. Obviously, there are security reasons to prevent this access as well, but it has historically been a business decision with security as an excuse.

    Disclaimer: I'm co-founder of a company that powers online banking, mobile banking, and open banking APIs for credit unions and banks and used to be CTO at a credit union.

  • soared 2381 days ago
    I'm sure you already know the answer, but the more data they can collect on you the better. If they are technically capable of building out a full profile on you, they can use it to recommend products, make credit decisions, etc.

    Favicons are only the tip of the iceberg - download Ghostery and see what 3rd party scripts are running. Like a ton, including some from Oracle that connect you to all their data in their device graph. So even if you used a brand new phone and logged into your account, all your previous history would be tied to your new phone and vice versa.

  • wdr1 2380 days ago
    I might be an outlier, but if they are using this authentication, it's actually somewhat clever. And likely a net positive for the user.

    I obviously don't know for sure if this is happening, but if your social media footprint helps determine if you see a captcha or not, or if you're forced to enter your credential again, it seems a reasonable signal to add to the mix of things like IP, browser, etc.

  • saberworks 2381 days ago
    I'm usually completely against using "apps" for anything, but does using an app (on mobile) protect against this type of thing? Does an embedded web view have access to the things you're logged into in your main browser on your phone? So does using my credit union app to access my account protect me from them getting all this info from my phone browser?
    • netsharc 2381 days ago
      Safer? I doubt it, apps can ask the Android system for a list of installed packages, and a list of currently running apps:

      http://stacktips.com/tutorials/android/how-to-get-list-of-in..., https://stackoverflow.com/questions/3304685/how-to-get-the-l...

      For example the Facebook app is a curious one. IIRC it also asks the system to notify it when a package (any package) is installed or uninstalled: https://stackoverflow.com/questions/11246326/how-to-receivin...

      I guess they can easily track the popularity of apps like Snapchat or WhatsApp. Geez, also, identify any apps that are "going viral" in popularity, and either buy the company, or squash them through imitation...

    • dpim 2381 days ago
      On iOS, checking deep link url schemes (does user X have 'Gmail' installed on their phone?) is pretty straightforward albeit rate-limited.
    • scarface74 2381 days ago
      The typical embedded WebView is even less secure. The app containing the webview can see everything that you do within it -- including capturing login information for other sites.

      At least with iOS, Apple introduced an out of process Safari View Controller that can share cookies, logins, etc with Safari inside an app, but doesn't allow the app to intercept what you are doing.

    • nathancahill 2381 days ago
      Yes, it does, since apps are sandboxed better than web pages. There are a number of steps you can take depending on your browser: Disabling 3rd-party cookies prevents this attack. So does Firefox's Containers (or just private browsing) and other addons like uMatrix.
  • tpaschalis 2381 days ago
    Seconding other commenters, using a dedicated browser and/or a VPN can help hide your 'digital footprint'.

    For example, here's what I'm using. An easy way to set up a sandboxed Chrome using Docker! https://tpaschalis.github.io/sandboxed-browser-with-docker/

    • illumin8 2381 days ago
      This is good, but I want to sandbox every site from each other, and I don't want to run a dedicated Docker/Chrome container for every site.
  • swanson 2381 days ago
    A few maybe-not-so-nefarious options I can think of:

    a) some kind of third-party OAuth sign in library that may not be properly configured? Is it possible to log in to the website using some kind of single sign-in?

    b) requesting favicons to use as a visual icon when displaying/categorizing transactions?

    c) some external user tracking package that could be used for analytics or support?

  • teeray 2381 days ago
    I'm pretty sure NoScript's ABE (https://noscript.net/abe/) would be able to reject those requests. You can basically define rules that say requests are only allowed to the credit union's origin and that's it.
  • londons_explore 2380 days ago
    If they're smart, it will go into a risk profile for you to be able to offer you a better deal (assuming you are low risk).

    I suspect it might just be an anti-bot thing though. Most bots run in sandboxes which aren't logged into these sites.

  • nomadiccoder 2381 days ago
    I use uBlock Origin to block ads and Ghostery to block a lot of trackers, there's some configurability to block some stuff from social media accounts maybe it will help..?
    • yamalight 2381 days ago
      umatrix [1] from gorhill (ubo dev) does that pretty well (along with a bunch of other things)

      [1] https://github.com/gorhill/uMatrix

      • jasonkostempski 2381 days ago
        Does uBlock Origin not do it out of the box?
        • greenyoda 2381 days ago
          uMatrix is more granular. For example, you can tell it to allow images and CSS from a domain, but not cookies or JavaScript.

          Or, you can tell it to allow JavaScript from Facebook while you're on Facebook's site, but not when you're on other sites.

          I find both uBlock Origin and uMatrix to be useful.

          • jasonkostempski 2381 days ago
            But for this particular problem, I want it off everywhere, all the time, no exceptions for anyone. According to https://robinlinus.github.io/socialmedia-leak/ I'm covered. I have 3rd-party cookies disabled and uBlock Origin but I'm not sure what's helping me. Banks shouldn't be utilizing vulnerabilities in the name of security, I haven't had an issue logging into anything yet.
  • muzani 2381 days ago
    They could be selling the data too. A lot of major corporations in my country seem to be collecting and selling user data.
  • codedokode 2381 days ago
    Why don't those companies (stackoverflow, Google and others) close the vulnerability?
  • 7ewis 2381 days ago
    > you install on your own server

    Yes anyone can easily spin up their own server, but MailChimp does that part for you. Right?

    So the cost analysis should really include the cost of an EC2 instance too, to compare them fairly.

    • krallja 2381 days ago
      Are you sure you commented on the right article?