Good writeup! It certainly seems absurd for banks, investment firms, government services, etc. to just allow third-party analytics startups to inject whatever code they want in between the user and the product.

It's like if the bank hired contractors from Google, LivePerson, Tealium, and Yext to listen in on every phone call I make to the bank, for "analytics purposes". Um, is it really necessary for them to hear my account number and everything? Oh, you say they're plugging their ears?
The security breaches reported here have been detected by SRI checking bank websites using https://gitlab.com/markalanrichards/access-test/

If anyone wishes to help improve this test suite or fork it for other purposes, please go for it.

Some may trust Google, Microsoft and co, and I'm sure some used to trust Fujitsu.
However, I encourage you to look at the companies in the list against the banks and see how broadly some banks give remote access to various types of third-party companies.

Barclays bank aren't on the list because the test suite didn't find anything. I might have to look into how to move my accounts there.
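
An added illustration of the kind of check discussed in this thread (not code from the comments or from the access-test project, and not a description of how that suite works): it lists every `<script>` a page loads from a host other than its own and reports which of those lack a Subresource Integrity pin. The page URL, hosts and HTML are constructed samples, and treating any hostname other than the page's exact host as third-party is an assumption of this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; hosts and the integrity value are placeholders.
SAMPLE_PAGE_URL = "https://bank.example/login"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics.example/tag.js"></script>
<script src="//chat.vendor.example/widget.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://static.bank.example/lib.js"></script>
<script>var inline = 1;</script>
</head></html>
"""

SRI_PREFIXES = ("sha256-", "sha384-", "sha512-")  # algorithms defined for SRI


class ScriptAudit(HTMLParser):
    """Collects externally hosted scripts and whether each carries an SRI hash."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            return  # inline script: nothing fetched from another host
        url = urljoin(self.page_url, src)  # resolves relative and // URLs
        host = urlsplit(url).hostname
        if host == self.page_host:
            return  # same host as the page itself
        integrity = (attr.get("integrity") or "").strip()
        self.findings.append(
            {"host": host, "url": url, "sri": integrity.startswith(SRI_PREFIXES)}
        )


def audit(page_url, html):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def unpinned_hosts(page_url, html):
    """Hosts whose scripts the page runs without any integrity pin."""
    return sorted({f["host"] for f in audit(page_url, html) if not f["sri"]})


if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
```

A script without an integrity pin can be changed by whoever controls that host without the page owner shipping anything, which is the exposure the comments above describe.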