Major security concern. [Solved.]

[metalman228]

Hello everyone,

I have had online banking with my main financial institution for quite a number of years and on Friday nite I happened to be looking at the lower left corner of my browser window as I clicked the login button and found to my horror that my banks login page sent a "request to Facebook...." !

Now this may not be as much a security risk as a privacy risk, but none the less, I am scared sh..less to log on to the bank.

I called in over the weekend and the customer service person (who also has a FB account) tried logging on to their own acct and it did not send any request to FB and they did use a FF browser.

They said I needed to talk to their IT dept, so I called the bank this morning and spoke to the "head" IT guy and he had me login on other browsers and using the other browsers they did not send a request to FB.

He thinks it may be a FF issue, so that is the reason for the thread here.

He is also contacting the vendor that supplies the bank with its online banking software to see if there are any known issues with FF.

I have taken video of this as I logged on if anyone thinks viewing it would help

Any thoughts from the forum? Is it some "setting" I have on Facebook?

It does the same thing here at work on my work desktop, using FF of course. When logging in on Chrome browser it does not send a request.

Should I have any concerns, and what do I do next ?

Any help would be greatly appreciated.

[therube]

What bank?
It's going to be the bank.

Don't think that what the bank does is for your benefit.
What they do is to make them money.

BoA's Online Behavior Advertising, https://www.bankofamerica.com/security- ... -our-sites.

[metalman228]

Agreed on who's making who money with banks!

They actually seem very concerned, (scared??)

15 min after I spoke to the branch IT guy I got a call from the Information Security Officer for the whole bank asking if I really had snip videos of the login as it connected showing the request going to FB which I told him I did.

He asked to to send them, which I did.

It will be interesting to see what they come back with.

I scanned through the BOA document and I see that they will send you targeted ad's and the like, or banner adds that show up when you log on/off, which I can sorta understand, but you actually get to SEE these ad's.

I am not sure that these 3rd part vendors etc. get notified that you actually just logged on, and are online with BOA, and connected to the secure bank site which could give thieves knowledge your browser is now open and vulnerable to that malware hiding somewhere on your computer they are ready to unleash.

[jscher2000]

Have you tested in Firefox's Safe Mode to try to rule out an extension as the culprit? http://kb.mozillazine.org/Safe_mode

[therube]

Yes, that^. (Like FF has ever been known to harbor malicious, or otherwise, extensions .)

[metalman228]

Well, jscher2000

I am home now and I did just that.

And to my surprise, not only did it still send the request when I hit the logon button, it also sent one as the logon page initially loaded into the tab!

I repeated this a couple times and switched back to enabled and it does not do it with extensions enabled.

So in safe mode it will send one when the page loads, then it sent another one when I hit the logon button.



Just so everyone knows, I checked right away Friday night when I first noticed this issue to see if it happens when the page first loads, (it did not).

I also checked all my other banking bookmarks, no other banking/financial book marks did this.

Then I checked a random selection of book marks. Only my bank's online banking page is guilty.


I only got a glimpse at the hand off connections when I tried this in safe mode, but the Facebook address is different than earlier.

The one that came up ended in .net- Facebook( ) .net

I think another video is in order here.

Very strange.....

[jscher2000]

Facebook.net is used for the script that creates "Like" buttons. I don't know whether it is used for anything else because I've kept it blocked in NoScript for as long as I can remember. But I agree a login page should not have a Like button.

Can you share a URL for the login page? If not, check the parameters send with the request using the Network Monitor: https://developer.mozilla.org/docs/Tool ... rk_Monitor

[metalman228]

Thank you for all this useful information.

I will try this monitor and see what it shows.

I will try it at work as well as at home.

I will also try the FF on my work PC in safe mode as well and report back what I find.

I want to wait and see what the bank says before I share any of the video clips or URL's etc..

[metalman228]

https://www.facebook.com/tr/?id=5785686 ... k%22%7D&cd[Schema.org]=%5B%5D&cd[JSON-LD]=%5B%7B%22%40context%22%3A%22https%3A%2F%2Fschema.org%22%2C%22%40type%22%3A%22WebSite%22%2C%22url%22%3A%22https%3A%2F%2Fwww.epnb.com%2F%22%2C%22name%22%3A%22Ephrata%20National%20Bank%22%2C%22potentialAction%22%3A%7B%22%40type%22%3A%22SearchAction%22%2C%22target%22%3A%22https%3A%2F%2Fwww.epnb.com%2Fsearch%2F%7Bsearch_term_string%7D%22%2C%22query-input%22%3A%22required%20name%3Dsearch_term_string%22%7D%7D%2C%7B%22%40context%22%3A%22https%3A%2F%2Fschema.org%22%2C%22%40type%22%3A%22Organization%22%2C%22url%22%3A%22https%3A%2F%2Fwww.epnb.com%2F%22%2C%22name%22%3A%22Ephrata%20National%20Bank%22%7D%5D&sw=1920&sh=1080&v=2.9.23&r=stable&ec=1&o=30&fbp=fb.1.1597657708318.1906805960&it=1597746664752&coo=false&es=automatic&tm=3&rqm=GET

[costark]

For the amateurs ... is a written record of What You See at Logon page bottom left (ref Facebook) in one of the Web Developer modules (ie) Inspector, etc.?
I logged into my BoA Online Banking and the bottom left data came & went really fast / you post as though you see this in Slow Motion - but I didn't see Facebook, and I looked in Inspector.

[jscher2000]

The bank's home page contains Facebook tracking code (per right-click > View Page Source) --

Code: Select all

<!-- Facebook Pixel Code -->
<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n;
n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
document,'script','https://connect.facebook.net/en_US/fbevents.js');

fbq('init', '578568692344463');
fbq('track', "PageView");</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=578568692344463&ev=PageView&noscript=1" alt="Facebook tracking pixel" title="Facebook tracking pixel"
/></noscript>
<!-- End Facebook Pixel Code -->	

-- but this code is not present in the dedicated login page:

https://onlinebanking.epnb.com/ENBOnlin ... spx#/login

[metalman228]

The bank called me this morning and said that the vendor for their software they use told them that it is a link to the banks home FB page.

I have no way of verifying this, but I may be able to block it using the Network Monitor.

I just read your post from this morning jscher2000 and tried the URL in your reply and correct, there is nothing FB related there, though it is a different looking page than my bookmarked one.

My concern is that is present during login and no one else has reported this issue and it only is happening to me, so I am still very worried.

Since the cat is out of the bag as far as what bank it is, I am willing to share any videos or URLs if it may help.

[jscher2000]

You can view source on the page you bookmarked and see whether it has the tracking pixel code I found in the home page. I assume someone installed that intentionally and that other people would be aware of it. I find it completely unbelievable that they can't see it.

[metalman228]

Ok, I changed some settings in FF, I moved up one notch in the Tracking Protection to "STRICT" and set the Do Not Track to "ALWAYS ON".

Now when I log on the Monitor shows both Facebook, (and Google) in RED, and they are currently blocked.

I guess other than getting the bank to fess up this is the only way to stop it, and my my goal is to STOP IT !

I will have to adjust these settings on my work PC and on my laptop too.

If this had not occurred, I would not have gone thru this process, which has been a learning experience for me.

I felt I was adequately protected by my use of FF as a browser, ADBlocker, Malwarebytes and the built in Windows Defender, but there was room for improvement.

Tracking, though generally a privacy concern, could develop into a security concern and at the very least this shows me a weakness I needed to address.

I appreciate everyone's feedback, and the time they spent contributing to this thread, I could not have come a decent resolution without the input of you all.

I will mark this as SOLVED.