The favicons are usually loaded from the login page of the service, so I'm guessing they are doing that old trick to see if the browser is logged into those services by requesting the favicon.
I emailed them about this and after two months all they said was that it's part of their security software checks and not from anything suspicious.
Do they do this to create a 'social media fingerprint' of me as an additional check, even though a few of the services are the German versions (the credit union is in the US) and a few have fixed this so that it doesn't work anymore? It just seems strange and excessive.
I already had Privacy Badger and had disabled third-party cookies, but it's good to have confirmation that it's working. I'm showing up as not logged into anything, even though I am, in fact, logged into six of those services (including HN, obviously).
I am logged in to HN and it didn't catch that.
The more entropy (unique bits of data) about your browser context they can collect, the easier it is to recognize you and see if you're a human or not (and block if they need to).
https://testpilot.firefox.com/experiments/containers/
https://addons.mozilla.org/en-US/firefox/addon/multi-account...
If you want to be more aggressive, you can also toggle the configs privacy.resistFingerprinting and privacy.trackingprotection.enabled which will probably break some websites.
>> It's basic fingerprinting used by every major security-sensitive service, like banks.
>> The more entropy (unique bits of data) about your browser context they can collect, the easier to recognize you and see if you're a human or not (and block if they need to).
1. Use a dedicated browser, and only use that browser for this site.
2. Use private mode if you don't want to dedicate a browser only to this site.
3. Use different profiles in your normal daily browser. For example, Firefox and Chrome allow you to have multiple profiles; create a new profile to use when going to this site.
4. Analyze the JavaScript and see if it is coming from a third-party/CDN URL. If so, download the JavaScript files, modify them to just return a success state, etc., deploy them to your own server running Apache or nginx, and clone the URL structure on that server. Then edit your hosts file so that your computer resolves that host in the URL to your own server, serving up your modified version of the .js files.
5. Least level of effort: get a different credit union.
I want every website I visit to act as if I have a dedicated computer just for browsing that one site, and have zero knowledge of anything else I do on the Internet or on my computer.
https://medium.com/firefox-test-pilot/firefox-containers-are...
Meanwhile, tying browser fingerprints to a pretty solid real-world identity has deniable value, is discreetly sold (private surveillance bureaus operate with no oversight), and is just the type of gimmicky revenue stream that consumer-capturing industries are on the lookout for.
From 2015: https://adexchanger.com/data-driven-thinking/when-evaluating...
https://www.qubes-os.org/
Gotta laugh at people criticizing without knowing... Unless connecting from Linux throws major flags, you are good.
It's a much safer OS than Windows or standalone Linux on any given day. Anything touching the web can be disposed of and replaced at will, along with the network management VM.
A little like the paradox that by using more secure browsers and configurations, any browser fingerprinting algorithm will single you out reliably from all the other sheep.
Not sure if you are familiar with how it works, or how using a VM OS works. It's a bare-metal hypervisor with VMs to be used at will.
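The "bits of entropy" point made a few comments up, together with the paradox noted just above (a hardened setup can stand out more, not less), written out as an added example. This is not code from any commenter or from a fingerprinting vendor; the visitor population, the attribute names and the "hardened" values are constructed for the demo.

```javascript
// Added example of "bits of entropy" in browser fingerprinting, and of why an
// unusual, hardened configuration can be more identifying rather than less.
// The visitor population below is constructed for the demo, not real telemetry.
const POPULATION = [
  { ua: 'chrome-win',    tz: 'America/New_York', screen: '1920x1080' },
  { ua: 'chrome-win',    tz: 'America/New_York', screen: '1920x1080' },
  { ua: 'chrome-win',    tz: 'America/New_York', screen: '1366x768' },
  { ua: 'chrome-win',    tz: 'Europe/Berlin',    screen: '1920x1080' },
  { ua: 'firefox-win',   tz: 'America/New_York', screen: '1366x768' },
  { ua: 'firefox-win',   tz: 'Europe/Berlin',    screen: '1920x1080' },
  { ua: 'firefox-linux', tz: 'UTC',              screen: '1000x1000' },
  { ua: 'safari-mac',    tz: 'UTC',              screen: '2560x1440' },
];

// Surprisal of one attribute value: -log2(P(value)) over the population.
// A value nobody else has is infinitely surprising, i.e. uniquely identifying.
function surprisalBits(population, attr, value) {
  const matches = population.filter((r) => r[attr] === value).length;
  return matches === 0 ? Infinity : Math.log2(population.length / matches);
}

// Naive fingerprint strength: sum of per-attribute surprisal. This treats the
// attributes as independent, which overstates the total; see anonymitySet().
function naiveFingerprintBits(population, fp) {
  return Object.keys(fp).reduce(
    (sum, attr) => sum + surprisalBits(population, attr, fp[attr]), 0);
}

// Exact view: how many population members share every attribute value.
// 1 means this visitor is uniquely identified within the population.
function anonymitySet(population, fp) {
  return population.filter(
    (r) => Object.keys(fp).every((attr) => r[attr] === fp[attr])).length;
}

// A mainstream visitor and a hardened one. The hardened values are modelled on
// what a resistFingerprinting-style setup reports (UTC timezone, rounded window
// size); that mapping is an assumption of this demo, not something the thread states.
const COMMON = { ua: 'chrome-win', tz: 'America/New_York', screen: '1920x1080' };
const HARDENED = { ua: 'firefox-linux', tz: 'UTC', screen: '1000x1000' };

function summarize(fp) {
  return {
    naiveBits: naiveFingerprintBits(POPULATION, fp),
    anonymitySet: anonymitySet(POPULATION, fp),
  };
}

console.log('common:  ', summarize(COMMON));   // 3 naive bits, shares a set of 2
console.log('hardened:', summarize(HARDENED)); // 8 naive bits, set of 1 (unique)
```

The naive sum is the number usually quoted ("N bits of entropy") and it can exceed log2(population size) because attributes correlate; the anonymity set is the honest measure, and it is what makes the hardened visitor unique here while the mainstream one still hides among others.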
Criminals create fake accounts and use stolen credentials to defraud banks. The problem of stolen credentials is partly solved by 2FA, but banks have measured that 2FA annoys users and makes them less likely to complete transactions. As a middle ground between imposing 2FA on users and being defrauded frequently, banks buy browser fingerprinting services (e.g., ThreatMetrix, Trusteer, Kount, Iovation, Easy Solutions, ...). If the user's fingerprint matches their database and looks normal, they pass the login through (takes ~100ms, mostly invisible to user). If the user looks suspicious, they escalate to 2FA or some other login verification that criminals cannot pass.
Apps do the same thing. It's all to help gauge whether you're a legit human or a criminal bot.
But this is more of a business decision than a security decision likely. It is probably to prevent services like Intuit (Mint.com, Quickbooks, etc), Plaid, Quovo, and other data aggregators from accessing online banking and screen scraping / web crawling. Obviously, there are security reasons to prevent this access as well, but it has historically been a business decision with security as an excuse.
Disclaimer: I'm co-founder of a company that powers online banking, mobile banking, and open banking APIs for credit unions and banks and used to be CTO at a credit union.
Favicons are only the tip of the iceberg - download Ghostery and see what third-party scripts are running. Like a ton, including some from Oracle that connect you to all their data in their device graph. So even if you used a brand new phone and logged into your account, all your previous history would be tied to your new phone and vice versa.
I obviously don't know for sure if this is happening, but if your social media footprint helps determine whether you see a captcha or not, or whether you're forced to enter your credentials again, it seems a reasonable signal to add to the mix of things like IP, browser, etc.
http://stacktips.com/tutorials/android/how-to-get-list-of-in..., https://stackoverflow.com/questions/3304685/how-to-get-the-l...
For example the Facebook app is a curious one. IIRC it also asks the system to notify it when a package (any package) is installed or uninstalled: https://stackoverflow.com/questions/11246326/how-to-receivin...
I guess they can easily track the popularity of apps like Snapchat or WhatsApp. Geez, also, identify any apps that are "going viral" in popularity, and either buy the company, or squash them through imitation...
At least with iOS, Apple introduced an out-of-process Safari View Controller that can share cookies, logins, etc. with Safari inside an app, but doesn't allow the app to intercept what you are doing.
For example, here's what I'm using. An easy way to set up a sandboxed Chrome using Docker! https://tpaschalis.github.io/sandboxed-browser-with-docker/
a) some kind of third-party OAuth sign-in library that may not be properly configured? Is it possible to log in to the website using some kind of single sign-on?
b) requesting favicons to use as a visual icon when displaying/categorizing transactions?
c) some external user tracking package that could be used for analytics or support?
I suspect it might just be an anti-bot thing though. Most bots run in sandboxes which aren't logged into these sites.
[1] https://github.com/gorhill/uMatrix
Or, you can tell it to allow JavaScript from Facebook while you're on Facebook's site, but not when you're on other sites.
I find both uBlock Origin and uMatrix to be useful.
2016/10/14: Stackoverflow has fixed the issue.
via: https://robinlinus.github.io/socialmedia-leak/
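The "old trick" the first comment describes and the socialmedia-leak page demonstrates, written out as an added example. This is not code from the credit union, from the socialmedia-leak page, or from any commenter; the service names, probe URLs and simulated cookie jar are constructed for the demo and are not real endpoints.

```javascript
// Added example of the favicon login-detection probe discussed in this thread.
// Service names, probe URLs and the simulated cookie jar are constructed for
// the demo; they are not the real endpoints the socialmedia-leak page used.

// Each probe is a login endpoint with an open "next"-style parameter pointing
// at the site's own favicon. Logged in: the server redirects straight to the
// favicon, the <img> decodes and onload fires. Logged out: the server answers
// with the login page HTML, which is not an image, so onerror fires.
const DEMO_PROBES = {
  news: 'https://news.example/login?goto=/favicon.ico',
  mail: 'https://mail.example/signin?next=/favicon.ico',
  shop: 'https://shop.example/account/login?redirect=/favicon.ico',
};

// Map a single probe outcome to what the prober learns.
function interpret(outcome) {
  if (outcome === 'load') return true;   // favicon decoded: logged in
  if (outcome === 'error') return false; // non-image body: logged out, or site fixed
  return null;                           // timeout / blocked by an extension: unknown
}

// Run every probe through a loader resolving to 'load' | 'error' | 'timeout'.
async function detectLogins(probes, loader) {
  const results = await Promise.all(
    Object.entries(probes).map(async ([name, url]) => [name, interpret(await loader(url))]),
  );
  return Object.fromEntries(results);
}

// Loader for a real browser: an <img> element plus a timeout so a blocked
// request (Privacy Badger, uMatrix, no third-party cookies) reads as unknown.
function browserImageLoader(url, timeoutMs = 3000) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve('timeout'), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve('load'); };
    img.onerror = () => { clearTimeout(timer); resolve('error'); };
    img.src = url;
  });
}

// Loader for running the demo outside a browser. `sessions` stands in for the
// victim's cookie jar. A session cookie marked SameSite=Lax/Strict is not sent
// on a cross-site <img> request, so the server sees a logged-out user; that is
// one mechanism by which sites that "fixed this" stopped leaking.
function makeSimulatedLoader(sessions) {
  return async (url) => {
    const name = new URL(url).hostname.split('.')[0]; // "news.example" -> "news"
    const s = sessions[name];
    if (!s) return 'timeout';
    const cookieSent = s.loggedIn && !s.sameSite;
    return cookieSent ? 'load' : 'error';
  };
}

const DEMO_SESSIONS = {
  news: { loggedIn: true, sameSite: false },  // leaks: detected as logged in
  mail: { loggedIn: false, sameSite: false }, // reported logged out, correctly
  shop: { loggedIn: true, sameSite: true },   // logged in, but invisible to the probe
};

function runDemo() {
  return detectLogins(DEMO_PROBES, makeSimulatedLoader(DEMO_SESSIONS));
}

runDemo().then((r) => console.log(r)); // { news: true, mail: false, shop: false }
```

In a real page you would pass `browserImageLoader` instead of the simulated one. The `shop` case is the interesting one for the people in this thread who show up as "not logged in" everywhere: blocking third-party cookies, or the site itself marking its session cookie SameSite, turns a logged-in user into an `error` outcome, so the probe cannot tell a fixed site from a logged-out user.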
Yes anyone can easily spin up their own server, but MailChimp does that part for you. Right?
So the cost analysis should really include the cost of an EC2 instance too, to compare them fairly.