Puppy Linux Discussion Forum
trackers on banking sites?
prehistoric


Joined: 23 Oct 2007
Posts: 1661

Posted: Thu 15 Jun 2017, 21:33    Post subject: trackers on banking sites?

This may require some background. First you need to know what "trackers" are. This article is a good start. Nearly everybody out there on the Internet would like to track what people who visit their site are also doing elsewhere.

You can go back to some fairly old articles from EFF about the problem, back when it was "a cloud no bigger than a hand" on the horizon.

There is a company selling a device for hundreds of dollars to block tracking. They have recently released a paper on what they found at popular banking websites, discussed here. On one important banking site they found 33 trackers.

My thought: what are banks doing selling invisible ads to third parties? Also, who is auditing the code used to implement these trackers? If it is run like typical ads on web sites it is a major security hole, because no one can keep up with the changes, since different ads may be shown to different users based on location, time, etc.

In addition to being used for advertising we may not want at all, anything exposing our habits in using on-line banking is a great aid to those who want to make their fraud look like our own activity. Where is the legal liability for banking practices that contribute to this?

Can someone point me to a tool to check for trackers on a particular on-line banking site?
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 12588
Location: Arizona USA

Posted: Thu 15 Jun 2017, 21:41

Assuming an https connection, if the trackers are in the online site's server, there's no way to tell they're there until your savings disappear. And if they're not in the server, they must be in your computer.
prehistoric


Joined: 23 Oct 2007
Posts: 1661

Posted: Fri 16 Jun 2017, 00:09

Most trackers are simple matters of placing "cookies" in your browser cache, and comparing these with a database when they are found, but I am concerned about limitations on executable scripts used to implement this. I am also wondering about hidden communication channels in the code implementing web pages that contain trackers.

For an example of just how subtle these can be check the subject of DNS tunneling to exfiltrate information from a secure system. This can be used to send small amounts of information like passwords from a compromised system to a domain where the attacker controls naming. You don't even have to make an http or https connection to that domain; you could simply make a series of DNS queries without using them. Would your firewall stop this?

Just as a proof of concept, imagine a domain with 26 different names for a single IP address. A series of DNS queries could spell a password without ever connecting. This would likely go unnoticed because a typical web page generates many DNS queries.

The idea of having code from advertisers on a web page used for banking looks like a great way to allow undetectable extraction of private information without necessarily cracking the bank's own systems.

I could be misunderstanding what is going on, but I am thinking WTF? Don't these banks have any concern for the security of individual customers, as opposed to the security of the bank itself? I'm afraid such a limited breach would be very hard to prosecute, which may be why this looseness is tolerated.
Sylvander

Joined: 15 Dec 2008
Posts: 4279
Location: West Lothian, Scotland, UK

Posted: Fri 16 Jun 2017, 04:02

I have "NoScript" installed in my web browser [Firefox-53.0.3].
When I go to my banking website, I need to click on the only script listed at that time [to enable it], which is my bank's own.
Once that is enabled, all the others are then listed.
e.g. doubleclick.net, webtrends.com, bluekai.com, webtrendslive.com, tiqcdn.com [all disabled].
Know about any of these?
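As an added example (not from the thread, and not part of NoScript), here is the kind of check prehistoric asked for: given the saved HTML of a page, list every host that is not the bank's own and which tags load from it. The bank host examplebank.example is a placeholder, and the hostnames under the tracker domains Sylvander listed are constructed for the sample.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a banking login page. Third-party hosts are made-up
# names under the domains seen in NoScript; examplebank.example is a placeholder.
SAMPLE_HTML = """
<html><head>
<script src="https://online.examplebank.example/js/login.js"></script>
<script src="https://www.webtrends.com/wt.js"></script>
<script src="https://tags.tiqcdn.com/utag/examplebank/prod/utag.js"></script>
<link rel="stylesheet" href="https://online.examplebank.example/css/main.css">
</head><body>
<img src="https://ad.doubleclick.net/activity;src=1;type=login" width="1" height="1">
<iframe src="https://tags.bluekai.com/site/12345"></iframe>
<script src="/js/local.js"></script>
</body></html>
"""

# (tag, attribute) pairs that make the browser fetch from another host
FETCH_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href")}


class ThirdPartyAuditor(HTMLParser):
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.third_party = {}  # host -> set of tag names loading from it

    def is_first_party(self, host):
        host = host.lower()
        return host == self.first_party or host.endswith("." + self.first_party)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in FETCH_ATTRS or not value:
                continue
            host = urlparse(value).hostname
            # relative URLs such as "/js/local.js" resolve to the first party
            if host is None or self.is_first_party(host):
                continue
            self.third_party.setdefault(host.lower(), set()).add(tag)


def audit(html, first_party_host):
    """Return {third_party_host: sorted list of tags that load from it}."""
    parser = ThirdPartyAuditor(first_party_host)
    parser.feed(html)
    return {host: sorted(tags) for host, tags in parser.third_party.items()}


if __name__ == "__main__":
    for host, tags in sorted(audit(SAMPLE_HTML, "examplebank.example").items()):
        print(f"{host:30} loaded via {', '.join(tags)}")
```

Static HTML only shows the first hop; scripts that are enabled can pull in further hosts at run time, which is why NoScript's list grew once the bank's own script was allowed.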
8Geee


Joined: 12 May 2008
Posts: 1139
Location: N.E. USA

Posted: Fri 16 Jun 2017, 06:09

I have in the recent past posted about security concerns with browsers/banking/adblockers etc.

If you have a bank website that does not work if you block their trackers... get another bank, or do your banking "in person/by mail". The convenience of online banking has a big price... and it won't get cheaper.

When one of my banks did this (for credit card purposes) I was on the phone ASAP informing them I did not like their tracking. I reverted to bill by mail/ pay by check. Let 'em eat dirt. /MNSHO

Regards
8Geee

_________________
Linux user #498913
s243a

Joined: 02 Sep 2014
Posts: 649

Posted: Fri 16 Jun 2017, 10:09

prehistoric wrote:
For an example of just how subtle these can be check the subject of DNS tunneling to exfiltrate information from a secure system. This can be used to send small amounts of information like passwords from a compromised system to a domain where the attacker controls naming. You don't even have to make an http or https connection to that domain; you could simply make a series of DNS queries without using them. Would your firewall stop this?

Just as a proof of concept, imagine a domain with 26 different names for a single IP address. A series of DNS queries could spell a password without ever connecting. This would likely go unnoticed because a typical web page generates many DNS queries.


Why would DNS requests go to a server specified by the attacker? Don't you specify the DNS server on your system?
prehistoric


Joined: 23 Oct 2007
Posts: 1661

Posted: Fri 16 Jun 2017, 12:20

s243a wrote:
prehistoric wrote:
For an example of just how subtle these can be check the subject of DNS tunneling to exfiltrate information from a secure system. This can be used to send small amounts of information like passwords from a compromised system to a domain where the attacker controls naming. You don't even have to make an http or https connection to that domain; you could simply make a series of DNS queries without using them. Would your firewall stop this?

Just as a proof of concept, imagine a domain with 26 different names for a single IP address. A series of DNS queries could spell a password without ever connecting. This would likely go unnoticed because a typical web page generates many DNS queries.


Why would DNS requests go to a server specified by the attacker? Don't you specify the DNS server on your system?

Having your own DNS server runs into problems if the people running the domain are constantly changing names. To resolve current URLs your server would still need to query the servers of the people owning the domain. Having a DNS server in between would block some naive schemes like the one I used as a proof of concept, but if you check the rate at which certain domains generate new URLs you will find that it is still possible to transmit information via novel queries that will require reference to servers run by the owner of the domain.

Consider this list of recent URLs culled from my spam folder:
Code:
ejusdem@amphogeny.needhacker.nl
brangler@wallenstein.oneupresults.nl
misattributions@codebooks.mybestculture.nl
encolpions@torcel.betssol.nl
etymologized@febronianism.fishehow.nl


It appears that certain major spammers have enough money to buy quite a few domains, plus lawyers, if not entire countries. There is also a constant churn of changing URLs, making it hard to block them. There is really extensive subversion of the Internet. The connection between spam, fraud and money laundering is quite interesting.

We need to concentrate on blocking behaviors which weaken the integrity of the Internet rather than particular URLs.

If I wasn't curious about seeing what they are doing, I might simply filter out any email originating in the Netherlands, with the exception of a few individuals I know.
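An added example, written for this thread rather than taken from it: the defender's side of the two DNS posts above. prehistoric's 26-name proof of concept and the later point about novel names share one observable signature at the resolver, a domain whose queries are mostly for names never seen before, and that is what this heuristic counts. The log format, the client address, exfil.example and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed resolver log lines of the form "<time> <client> <queried name>".
# The first three blocks are ordinary page traffic. The last block imitates the
# proof of concept: one query per letter of "confidential" against exfil.example,
# with a sequence number so repeated letters still produce novel names.
LOG_LINES = (
    ["10:00:%02d 192.0.2.10 online.examplebank.example" % i for i in range(20)]
    + ["10:00:%02d 192.0.2.10 static.examplebank.example" % i for i in range(10)]
    + ["10:00:%02d 192.0.2.10 www.webtrends.com" % i for i in range(5)]
    + ["10:00:%02d 192.0.2.10 %s%d.exfil.example" % (i, c, i)
       for i, c in enumerate("confidential")]
)

MIN_DISTINCT = 8   # a site with fewer distinct names than this is unremarkable
MIN_NOVELTY = 0.7  # share of a domain's queries that hit a never-seen name


def registered_domain(name):
    """Crude: the last two labels. A real tool would use the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def summarize(lines):
    """Return {registered_domain: (total_queries, distinct_names)}."""
    totals = defaultdict(int)
    names = defaultdict(set)
    for line in lines:
        qname = line.split()[-1]
        domain = registered_domain(qname)
        totals[domain] += 1
        names[domain].add(qname.lower())
    return {d: (totals[d], len(names[d])) for d in totals}


def suspicious_domains(lines):
    """Domains whose queries are mostly novel names: the tunnelling signature."""
    flagged = []
    for domain, (total, distinct) in summarize(lines).items():
        novelty = distinct / total
        if distinct >= MIN_DISTINCT and novelty >= MIN_NOVELTY:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, (total, distinct) in sorted(summarize(LOG_LINES).items()):
        print(f"{domain:25} {total:4} queries, {distinct:3} distinct names")
    print("flagged:", suspicious_domains(LOG_LINES))
```

A caching resolver in between, as s243a suggests, hides repeats of the same name but not the novel ones, so this count works on the resolver's own query log; CDNs and some anti-spam services also generate many novel names and would need an allowlist.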
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 12588
Location: Arizona USA

Posted: Fri 16 Jun 2017, 19:55

Former US security advisor: Cyberattacks damage society as much as physical infrastructure

Quote:
At the 2017 Global Cybersecurity Summit in Kiev, Ukraine, Tony Blinken, who was deputy secretary of state to Barack Obama, said the best defenses against cyberattacks are educated consumers and collaborative responses.
By Amy Talbott | June 15, 2017

In an interview at this week's Global Cybersecurity Summit in Kiev, Ukraine, [Interesting choice of location for such a meeting. Don't a lot of cyberattacks come from Ukraine?] former deputy national security advisor and deputy secretary of state Tony Blinken told TechRepublic's Dan Patterson that the threat posed by cyberattacks to human infrastructure, meaning what we think and believe, is as important as the threat to physical infrastructure.

The best defense against the threat to human infrastructure, Blinken said, is a population of educated consumers with strong critical thinking abilities. [That's the last thing advertisers want. Why does he use the word consumers instead of people? Amoeba are consumers but they are incapable of critical thought.]

During the interview, Blinken recommended the following solutions to present cyberthreats:

Demanding a collective response from groups like academic institutions, corporations, NGOs
Better defense, in the form of public-private partnerships to strengthen defenses against cyberattacks
Creation of international cybersecurity norms and standards so there's "at least a floor on how people behave and act."
Measures to impose costs on entities who carry out cyberattacks

The conversation also touched on ways organizations can plan future cyberdefense strategies. Blinken said that right now, organizations are not great at "thinking around the corner," or considering how technology created today might be used as a weapon in the future. [Nobody's any good at that. It's impossible to predict all the ways that someone else can come up with to use or misuse something. Your thinking is limited by your initial conditions and assumptions and your limited knowledge and intelligence. For instance, it's almost impossible to write something so that it can't be misinterpreted by anyone. Whoever wrote the 2nd Amendment didn't even try.] The same energy that goes into innovation needs to go into anticipating potential consequences and how to guard against them, said Blinken.

When asked what's really keeping him up at night, Blinken pointed to tensions between those who feel the best way to respond to societal and technological challenges is to protect themselves and "build a wall," and those who feel the best way to respond is to remain an open society and mitigate any threats that arise. But he also mentioned the power of using technology creatively to start talking and listening to each other again, and said he's ultimately hopeful about the future.
[That's his plan?]
Barkin


Joined: 12 Aug 2011
Posts: 823

Posted: Sat 17 Jun 2017, 09:48

Sylvander wrote:
I have "NoScript" installed in my web browser [Firefox-53.0.3].

There's a plug-in for Firefox called Lightbeam which shows the trackers as a diagram.

The trackers can record browsing-history in order to target advertising.
belham2

Joined: 15 Aug 2016
Posts: 897

Posted: Sun 18 Jun 2017, 07:53

This thread bothers me. I mean, as Flash alluded to, isn't an organization that allows hosting (in their own servers) of 3rd party trackers a "big" source of all malware problems today? Imagine if something happens, a big months or years long breach occurs, just imagine then the finger-pointing that is going to go on? Furthermore, how is this allowing 3rd party trackers considered Best Safe-Secure Practices from the banks & fin'l firms point of view when dealing with their customers?? I know they only care about profit, but there has to be a line somewhere, doesn't there? Dam#
prehistoric


Joined: 23 Oct 2007
Posts: 1661

Posted: Sun 18 Jun 2017, 10:23

I just did a search for a video I had noticed in which an investor with a long track record predicted a financial collapse in 2017. What I turned up instead of the one I was seeking was a long list of warnings from both the far-right conspiracy sites and far-left. The two things all agree on are that there will be a big crash, perhaps of historic proportions, and that they are not responsible for this.

One standard phrase in any number of financial pronouncements is "consumer confidence". Beyond the threat of huge losses if the weaknesses many people see in current on-line banking and commerce are exploited aggressively, there is an incredible risk of a loss of confidence by both consumers and investors that will cause an economic contraction far greater than any immediate loss of assets.

Performance of economic professionals during the 2008 crisis did not inspire confidence. At one extreme we had Lehman Brothers using an accounting trick called repo 105 to disguise toxic assets for three quarters. This didn't work in the fourth quarter because Lehman Brothers was forced into bankruptcy. Those investors misled by this means of hiding problems suffered substantial losses.

Investors flocked to the few banks which appeared solid, but that was also an illusion. JPMorgan Chase declared their exposure to risk was some $13 billion, which is indeed substantial. Unfortunately, subsequent analysis found their exposure was more like $53 billion, which would put a dent in any bank. Goldman Sachs was also a favorite refuge. What nobody outside the top levels of Goldman Sachs knew until a meeting at the New York Federal Reserve in the depths of the crisis was the extent to which credit default swaps exposed them to risk from the collapse of other banks.

When the federal government bought toxic assets at 100% value, this was said to be protecting the investors in those banks. What got less attention was the way it protected GS and JPMorgan Chase from consequences of their own misjudgment in signing credit default swaps without doing due diligence. They didn't lose a penny. If the federal government would bail those banks out of a bad situation they didn't need to exercise any judgment.

In another example of serious defects in the financial system several credit rating agencies gave the collateralized debt obligations put together from toxic assets, with a small leavening of good mortgages, triple A ratings. This greatly facilitated fraud by financial institutions flogging these junk bond equivalents at high prices.

Major banks have been fined for violating regulations in or leading up to the 2008 crisis, but none of the officers of those banks faced criminal prosecution. Who was held responsible?

We might ask, which banks were prosecuted for criminal fraud as a result of practices that were widespread prior to the 2008 crash? How about Abacus Bank? This bank had only 9 defaults on 3,104 mortgage loans. Did this cause the 2008 crash?

A number of commentators who might have an axe to grind have blamed numerous small individuals for signing loans made available, and aggressively marketed, by banks. I've investigated a couple of people who admittedly made terrible personal decisions during the bubble, and lost homes as a result. Their eyes glaze over if I try to explain CDOs and CDS. They don't even have college degrees, so how could they understand subjects that tax the abilities of PhDs in economics?

(BTW: should these people ever inherit substantial moneys, they can expect to face lawsuits from those firms which bought bad debts from banks. This will hang over them for the rest of their lives. They lost their life savings before they had any.)

It seems the only people who paid a serious personal price for the fraud prevalent in the run-up to that bubble were those with the least background for understanding the subject. None of the people with the requisite education, training and experience went to jail. These people were paid big bucks prior to the crash for their expertise and the heavy responsibilities they carried. It appears the concept of professional fiduciary responsibility is completely dead.

With current practices in on-line commerce, including banking, we have another situation where the vast majority of people depending on these services don't have a clue about the risks to individuals, and the people who do have some understanding are often paid to downplay those risks.

I've received some "targeted advertising" from very shady operations, due to some unusual financial problems which happened during illness, because I had no one to take over. Some of these appeared within hours of an action on my part. How are these bottom feeders learning of potential vulnerability? Could it be from trackers on banking sites?
Barkin


Joined: 12 Aug 2011
Posts: 823

Posted: Sun 18 Jun 2017, 12:16

prehistoric wrote:
I've received some "targeted advertising" from very shady operations, due to some unusual financial problems which happened during illness, because I had no one to take over. Some of these appeared within hours of an action on my part. How are these bottom feeders learning of potential vulnerability? Could it be from trackers on banking sites?

A few years ago my power-supplier accidentally broke my standing-order, which resulted in them not getting paid for several months. Along with the snail-mail letter telling me the bill was overdue, came two letters addressed specifically to me from companies offering me loans, (at extortionate rates of interest).

IMO the power-supplier automatically gave the loan-sharks my name & address when my account went into the red, (which was no fault of mine).