6 comments

[ 3.2 ms ] story [ 28.7 ms ] thread
The security breaches reported here have been detected by SRI checking bank websites using https://gitlab.com/markalanrichards/access-test/

If anyone wishes to help improve this test suite or fork it for other purposes, please go for it.

Some may trust Google, Microsoft and co, and I'm sure some used to trust Fujitsu. However, I encourage you to look at the companies in the list against the banks and see how broadly some banks give remote access to various types of third party companies.

Barclay's bank aren't on the list because the test suite didn't find anything. I might have to look into how to move my accounts there.

What is the solution to these issues? Banking has always been on a very old tech stack.
The technical fix to this exact issue is remove or SRI and review third party code. None of these features are a must have requirement for online banking.

However, the breadth of this problem indicates the fix is bigger, else this will just pop up again without being noticed and should be tackled from two directions.

Technically: in the context of non-repudiation, web browsers are insecure for users. Significant user requests (make a payment, consent to terms, etc) are not stored client side, not signed and were a user to discover an audit log feature there is no distinction between what JS did and what a user did. This should and must change for the web to evolve to protect users.

Business: the failure across most of the banking sector suggests that all who should be holding the banks to account (share holders, creditors, regulators, customers, etc) are failing to monitor the banks and given there has been prior warning of this for some (regulators) failing to act. If a third party uses their remote access to hack customers, then I'm sure they will react but that may be too late. When we want security in our physical environment we have watchdogs whose responsibility is not just to react, but to proactively monitor the environment: spot the river has chemicals in it. Banking is significant enough that it probably needs a watchdog tasked with specific objectives regarding information security.

Good writeup! It certainly seems absurd for banks, investment firms, government services, etc. to just allow third-party analytics startups to inject whatever code they want in between the user and the product.

It's like if the bank hired contractors from Google, LivePerson, Tealium, and Yext to listen in on every phone call I make to the bank, for "analytics purposes". Um, is it really necessary for them to hear my account number and everything? Oh, you say they're plugging their ears?

i read it twice and i still don’t understand the article.

is this site complaining about 3rd party analytics?

there is also a table further down that shows various banks sharing data with… themselves? citibank will share data with citibank, and first direct (aka hsbc) will obviously share data with hsbc.

can someone explain what this article is actually about?

> i read it twice and i still don’t understand the article.

Any recommendations to improve are welcome

> is this site complaining about 3rd party analytics?

If a bank page includes a script tag that loads third party JavaScript from a non-bank server, then what is to stop that script from capturing data, submitting forms, spoofing page content?

The bank has effectively given these third parties unaudited remote access, via remote code execution, to consumers bank accounts.

A bank can safely use third party analytics if they adopt appropriate security measures, SRI is likely be one, but alone might not be enough.

In the cases found here, there is no SRI protection or similar to protect users from the third parties doing what they like on the page, acting as customers.

> there is also a table further down that shows various banks sharing data with… themselves?

This is oddity due to the test suite spotting JS from a a separate domain for the same bank ( https://gitlab.com/markalanrichards/access-test/-/blob/main/... ): thank you for highlighting this and when I get time I hope to improve this I hope to filter it out.