Online Account Application Security | Your stories | Discussion forum

Online Account Application Security
October 10, 2019
2:10 pm
Oscar
Member
Members
Forum Posts: 168
Member Since:
October 17, 2018

Just noticed something strange when completing an online application. After filling in fields on first page I clicked on the link to proceed and as I was waiting for page to load I noticed at bottom left of page the message as shown in this screenshot "sending request to Facebook". Only noticed because of unusually long time for page to load so I aborted and contacted institution and sent them screenshot via email. I tried it again and this time I let the page load and it displayed same message on bottom of page. Took a long, long time to load and then when it did it was the next page of the online application.
They are sending this to their IT department for a look but assured me that nothing is sent to Facebook. Anybody have expertise on this to provide an explanation?
I have edited the screenshot to give them the benefit of the doubt as I await their official explanation.
On the face of it, it seems like all this personal info is being sent straight to Facebook. The rep I spoke with said he thought it might just be an issue with Firefox as he noticed the symbols down at the bottom left, Twitter, etc. Doesn't inspire confidence.

Screenshot-Edited.png

October 10, 2019
9:40 pm
Loonie
Member
Members
Forum Posts: 6061
Member Since:
October 21, 2013

I am unable to read the screenshot, but it sounds very strange.
Can you tell us which category of FI this was? e.g. small bank, large bank, MB CU, other CU, trust co?

Perhaps if you sign out of Facebook, clear your cookies, and use Chrome, it will stop?

October 11, 2019
12:05 am
NorthernRaven
Moderator
Moderators
Forum Posts: 455
Member Since:
August 4, 2010

There could be JavaScript code that is going to Facebook for advertising, tracking cookies, analytics or other things. It doesn't mean your page itself was being submitted to Facebook.

For instance, the starter page for People's Trust applications (https://www.peoplestrust.com/en/peoples-trust/high-interest-accounts/gics/non-registered-gic/) retrieves an "fbevents.js" JavaScript file from "connect.facebook.net" as part of the page; presumably the site somewhere does some sort of Facebook analytics or something at some point.

October 11, 2019
11:21 am
Londonguy
Member
Members
Forum Posts: 372
Member Since:
May 27, 2016

All the more reason to use a java permission filter such as NoScript which prevents dodgy things happening in the background without you knowing it. I don't have or want a Facebook account and haven't let a Facebook script run on any webpage I've visited for probably 10 years now. Browsing works just fine without it.

October 11, 2019
7:55 pm
Oscar
Member
Members
Forum Posts: 168
Member Since:
October 17, 2018

I think the tendency of most people is to just assume that everything is above board and this may be the case. But I'm not knowledgeable about code or scripts and so I'm just trying to look at this from a layman's perspective. Everyone is concerned about online security. We are always being told to memorize our passwords etc., etc., and so it seems completely inappropriate to see any type of association with or connection to Facebook when filling out an application for a bank account. And I know that there will be a reasonable explanation by the CU if they provide one at all and Northern Raven has provided one and at the same time gave an example of another CU online application that connects in another way to Facebook.
And I agree with you about NoScript but you shouldn't even need it for this situation in particular. I don't have a Facebook account either. Loonie, you're getting 3% there at the moment.

October 11, 2019
9:58 pm
NorthernRaven
Moderator
Moderators
Forum Posts: 455
Member Since:
August 4, 2010

"...that connects in another way to Facebook."

All the page is doing is retrieving some JavaScript code. It isn't "connecting" to Facebook in the sense of logging in, or sending your application data to it. In this case, my best guess is that it is actually about Google Analytics/Tag Manager or the like. They would be using something like that to track which of their internet ads are being clicked to visit their site and so on, and the analytics code would be getting some JavaScript functions from that Facebook library to determine if the visit came from a Facebook ad. Or something like that.

It's going to be very common to see that "fbevents.js" retrieved by sites - most of the Big5 bank homepages I checked do so. Whatever is being retrieved in the screenshot above is coming from www facebook com, so it isn't the "fbevents.js" in this case, but it is probably a bit of code used to embed the link to the FI's own Facebook page that you see in the "Follow Us" section at the bottom.
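
Added example, not part of the original posts: a small JavaScript helper that makes the distinction discussed in this thread checkable by listing which third-party hosts a page contacted and which query-parameter names those request URLs carried. The function names, the sample URLs (including the `example-endpoint` path and its parameters) and the two-label "site" heuristic are assumptions made for illustration.

```javascript
// Simplification (assumption): a "site" is the last two hostname labels.
// That is wrong for suffixes such as co.uk; a real audit would use the
// Public Suffix List.
function siteOf(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Group the resources a page requested by third-party host, recording the
// distinct paths fetched and the query-parameter names sent in the URLs.
function thirdPartyRequests(pageUrl, resourceUrls) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const byHost = new Map();
  for (const raw of resourceUrls) {
    let u;
    try {
      u = new URL(raw, pageUrl); // resolves relative URLs against the page
    } catch {
      continue; // skip anything that does not parse as a URL
    }
    if (!/^https?:$/.test(u.protocol)) continue; // ignore data:, blob:, etc.
    if (siteOf(u.hostname) === pageSite) continue; // first-party request
    const entry =
      byHost.get(u.hostname) || { host: u.hostname, paths: [], params: [] };
    if (!entry.paths.includes(u.pathname)) entry.paths.push(u.pathname);
    for (const name of u.searchParams.keys()) {
      if (!entry.params.includes(name)) entry.params.push(name);
    }
    byHost.set(u.hostname, entry);
  }
  return [...byHost.values()];
}

// Constructed sample: URLs a hypothetical application page might request.
const samplePage = "https://apply.example-cu.test/application/step2";
const sampleResources = [
  "https://apply.example-cu.test/static/app.js",
  "/static/style.css",
  "https://connect.facebook.net/en_US/fbevents.js",
  "https://www.facebook.com/example-endpoint?event=PageView" +
    "&page_url=https%3A%2F%2Fapply.example-cu.test%2Fapplication%2Fstep2",
  "data:image/png;base64,AAAA",
];

// In a browser console the real list comes from:
//   performance.getEntriesByType("resource").map((e) => e.name)
console.log(JSON.stringify(thirdPartyRequests(samplePage, sampleResources), null, 2));
```

Resource Timing exposes request URLs only, so anything sent in a request body does not appear in this summary; the browser's Network panel shows those.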

October 11, 2019
10:47 pm
Oscar
Member
Members
Forum Posts: 168
Member Since:
October 17, 2018

NorthernRaven said
"...that connects in another way to Facebook."

All the page is doing is retrieving some JavaScript code. It isn't "connecting" to Facebook in the sense of logging in, or sending your application data to it. In this case, my best guess is that it is actually about Google Analytics/Tag Manager or the like. They would be using something like that to track which of their internet ads are being clicked to visit their site and so on, and the analytics code would be getting some JavaScript functions from that Facebook library to determine if the visit came from a Facebook ad. Or something like that.

It's going to be very common to see that "fbevents.js" retrieved by sites - most of the Big5 bank homepages I checked do so. Whatever is being retrieved in the screenshot above is coming from www facebook com, so it isn't the "fbevents.js" in this case, but it is probably a bit of code used to embed the link to the FI's own Facebook page that you see in the "Follow Us" section at the bottom.

Okay, I could live with it on their homepage but why does the bank allow it on its online application form site? It's not the same as checking the weather online. Facebook and/or Google is collecting my IP address and it surely knows that I am filling out an account application on this page at this financial institution and Google is the all seeing eye so all the dots are connected. Again I am a layperson in this regard but I don't see the need for the analytics in the middle of the application. Thanks for the insight, you have a better handle on this than I do.

October 12, 2019
2:18 am
Loonie
Member
Members
Forum Posts: 6061
Member Since:
October 21, 2013

Thanks for the feedback.
If it is at all possible for you to go to a branch, that would be a workaround.
I always go in person when it is an option.
I'm afraid I'm useless on the tech questions.
