Monday, July 27, 2015

ICICI Bank gives unfettered access to your netbanking account to Google

After seeing this project by Jacques Mattheij on which of the top 1,000,000 websites load external resources, I decided to check whether my bank, ICICI Bank, does the same. Unfortunately, it turns out that they do load external resources, including Javascript, from Google. This seriously compromises the security and privacy of their users like me.

Here's the text of an email I sent to them.

Subject: ICICI Bank gives unfettered access to my netbanking account to Google


It seems ICICI Bank is using Google Analytics to track user behaviour and Google Tag Manager to track online campaigns. To enable this your netbanking website loads Javascript sources directly from these two services. The URLs are:

This unfortunately gives Google unfettered access to my netbanking account. The first script, from Google Analytics, is loaded on both the login page and on subsequent pages after login. The second script is loaded only after login. Some of the things that this allows Google to do are:

* Steal my customer id and password
* Read my debit card grid number (not all, but some of the pages where the grid numbers are required load these scripts)
* Get info (account number, balance, etc.) about my bank account, loan account, deposits, etc.
* Read my account statements
* Get the list of my payees for funds transfer (including their account numbers)

This list is by no means exhaustive, but even leaking this much info about your users to a third party is extremely worrying. This is serious enough that I am considering moving to another bank where my privacy is taken more seriously.

For the sake of your users, please remove all references to these external scripts from your netbanking website on a priority.

Now, many websites trust Google Analytics to provide them insights about their users, and in many cases you might be able to argue that its fine if a script is provided directly by Google. However, my bank account details are too sensitive for Google or any other third party to be given unfettered access like this, no matter how much you may trust them. I hope ICICI Bank will remove Google's scripts from their netbanking website soon.

Also, while its better to check for yourself, here's "proof" of what I am claiming:

Google Analytics/Tag Manager will not extract data until explicitly told. This is by design, so the question of Google stealing data is nulled.

Tracking is a important exercise to improve the user experience. But none the less, loading external resources (though through https) is serious security concern.
Google Analytics doesn't track any things you fill on a form or text fields. The article gives no proof of the same as well, just a wild blind accusation to get some hits !
There is no proof that Google will 'not' steal username passwords either. Nor is there any proof that the scripts are not told to extract data/information from the users' activities.

The bottomline is, in a contract between the bank and the customer, if the bank allows any third party access to the secured sites, all liabilities of any fraudulent transaction or loss arising out of those should fall on the bank. Does it happen so in our legal system?

ICICI Bank would like to state that this article is ill founded and not based on facts. The Bank would like to strongly deny that Google or any third party tool can access any confidential customer level information from its website. ICICI Bank is in complete control over all points of access to customer data.

As a standard global practice, banks across the world use Google Analytics Premium services to understand generic behaviour of the users such as navigation patterns, browser types and page speeds among other things.

ICICI Bank would like to re-iterate that it operates with world class standards of information security and that our customer’s privacy is of utmost importance to us.

@ICICI Bank, do you even understand JS?
The article doesn't say that Google does this at the moment, ring up your web devs and ask them, if Google were to make changes to their script, could they do all that is mentioned in the blog, of course they can! Most replies undermining the severity of this issue seem to be people who know nothing about security issues! I mean just read the bank's reply, sounds like a mugged up piece of text vomited out by some PR guy.
Post a Comment

Subscribe to Post Comments [Atom]

<< Home

This page is powered by Blogger. Isn't yours?

Subscribe to Posts [Atom]