Monday, July 27, 2015

ICICI Bank gives unfettered access to your netbanking account to Google

After seeing this project by Jacques Mattheij on which of the top 1,000,000 websites load external resources, I decided to check whether my bank, ICICI Bank, does the same. Unfortunately, it turns out that they do load external resources, including Javascript, from Google. This seriously compromises the security and privacy of their users like me.

Here's the text of an email I sent to them.

Subject: ICICI Bank gives unfettered access to my netbanking account to Google


It seems ICICI Bank is using Google Analytics to track user behaviour and Google Tag Manager to track online campaigns. To enable this your netbanking website loads Javascript sources directly from these two services. The URLs are:

This unfortunately gives Google unfettered access to my netbanking account. The first script, from Google Analytics, is loaded on both the login page and on subsequent pages after login. The second script is loaded only after login. Some of the things that this allows Google to do are:

* Steal my customer id and password
* Read my debit card grid number (not all, but some of the pages where the grid numbers are required load these scripts)
* Get info (account number, balance, etc.) about my bank account, loan account, deposits, etc.
* Read my account statements
* Get the list of my payees for funds transfer (including their account numbers)

This list is by no means exhaustive, but even leaking this much info about your users to a third party is extremely worrying. This is serious enough that I am considering moving to another bank where my privacy is taken more seriously.

For the sake of your users, please remove all references to these external scripts from your netbanking website on a priority.

Now, many websites trust Google Analytics to provide them insights about their users, and in many cases you might be able to argue that its fine if a script is provided directly by Google. However, my bank account details are too sensitive for Google or any other third party to be given unfettered access like this, no matter how much you may trust them. I hope ICICI Bank will remove Google's scripts from their netbanking website soon.

Also, while its better to check for yourself, here's "proof" of what I am claiming:

This page is powered by Blogger. Isn't yours?

Subscribe to Posts [Atom]