Even my own bank is canvas-fingerprinting me.

It's the new hotness in surreptitious privacy violation, you know.

And it makes perfect sense for my bank to be doing this to me, since I'm logged in and they already have all my money. They already have the complete Identity Theft Kit, how much more do they need to know?

(Also that dialog should win some kind of "Enter to Exit" award for inapprehensiblity.)

Previously, previously, previously, previously, previously, previously, previously.

Tags: , , , , ,

15 Responses:

  1. David Glover-Aoki says:

    Thanks for the link to that extension though. Looks good.

    • jwz says:

      The UI is crufty as hell, but it does the job well. I wish there was an iOS version.

      • David Glover-Aoki says:

        Presumably it's impossible to do what it does with the Content Blocking API, which is the only available option on iOS. The extension on macOS gets labelled with the "this will steal your stuff" warning, which happens when it's not using said API.

        • jwz says:

          Shit, I'd settle for an RSS reader that just turned off Javascript 100% of the time on the "view the original page" page.

          • Alex says:

            If we're wishing for workarounds for idiots who broke the web, may I have a Twitter client that turns all AMP links into usable URLs so I never ever have to see one, inadvertently share one, or worse, decipher the URL scheme to canonicalize it myself?

          • Are there blockers for the surreptitious bitcoin miners yet? How do those work, anyway? The Web Workers API?

  2. Angry Security Guy says:

    I'd bet that this is your bank's attempt to implement "multi-factor authentication" in accordance with FFIEC rules, which allow pretty much anything to be multi-factor auth, except, you know, using an app or a token or something as good as world of fucking warcraft does to protect your magic swords.

  3. Kevin Lyda says:

    I'm guessing they use it to avoid session fixation attacks. Yes they authenticate with SMS (which is broken since SMS is broken, but whatever) but then you get a session token that can be stolen. And since loads of people load their computers with malware, stealing that session token is a possible thing. Tying that session token to an ip address won't work with mobile computing and the fact that we keep using ipv4 + nat.

    So instead fingerprint the browser and lock the session token to that to try and stay ahead - make the attackers figure out how to capture and to fake canvas responses. It's firedoor security. From the bank's perspective, it won't stop attackers forever but it means you're making them do more work. Heck, you have some chances to catch them - though the legal system can't really do that well yet. But it definitely means you're a less desirable target and the attackers can go after banks that don't do that.

    • Angry Security Guy says:

      the trouble with this thinking is that they break useful privacy tools for their own temporary convenience. If you can't tell the good guys from the bad, the good guys aren't good.

Leave a Reply

Your email address will not be published. But if you provide a fake email address, I will likely assume that you are a troll, and not publish your comment.

You may use these HTML tags and attributes: <a href="" title=""> <b> <blockquote cite=""> <code> <em> <i> <s> <strike> <strong> <img src="" width="" height="" style=""> <iframe src="" class=""> <video src="" class="" controls="" loop="" muted="" autoplay="" playsinline=""> <div class=""> <blink> <tt> <u>, or *italics*.

  • Previously