credit card warning ?

[bigvoo]

I just got a new crdit card in the mail, was reading the privaxy statement, and it said: we may obtain information about your i.s.p your operating system and browser! and what sites you visit ? WHAT? that kind of sound like a root kit to me. how they gonna know what os and sites i visit ?

[bigtomrodney]

Well the ISP, operating system and browser is just from your browser's user agent and that is seen by every site you visit. In fact it's required. As for what sites you visit, I suspect they're looking at your cookies which isn't cool at all. Could the phrasing perhaps be that they are tracking your access to their sites? Companies usually notify you that they'll be using a cookie to track your usage.

[meton_magis]

from what they have posted, they can only obtain information that is freely available to any webserver you connect to (you agree to give them that information when you connect to them.) If they obtain any other information without your conscent, you have a case for a lawsuit (depending on your country / state.)

You can also hide (at lease with linux) the information they are talking about EXCEPT for the ISP, they assign your IP address, and you can't fake that one (technicaly you can, see the onion router.) If you google for "browser user agent string" that bigtomrodney posted, you can find a firefox addon that will let you fake it to say whatever you want. (at least you could, havent tested in a while)

[Roxoff]

Having them know which IP address you're connecting from isn't necessarily a problem, indeed it could help them if you suddenly start accessing your account from an IP registered in a different country and start shifting money around...

If you're considering hiding your location from your bank by using a privacy proxy (such as the onion router or the cloak or whatever), bear in mind that you'll be sending bank-sensitive data through servers which are set up soleley for the purposes of disguising identity - you may be passing your (admittedly, lightly encrypted with ssl) bank logon info through an wholly untrustworthy server. I'd sooner let my bank see my IP address rather than do this.

[bigvoo]

I don't mind them knowing my i.s.p, my only concern was with a massive spam attack from them tracking my webstie visits, like postcards from Bill Gate, after he sees I use linux, and gets his panties in a wad about it, or worse yet sends the M.S blackopps sqaud to arrest me...or somtin :

[meton_magis]

no, they can't do that, esspecialy if you lock down your settings so that websites can only access cookies created by that website (it is a firefox privacy setting I think). And I agree, the onion router is not a good idea for banking.

Another option is to change your bank BTW. I changed mine just for the reason that mine required internet explorer with activeX enabled, and adobe acrobat installed, and a bunch of other crap.

[Roxoff]

mine required internet explorer with activeX enabled

That's not even lazyness - it's just as easy to do the banking stuff with javascript or regular ssl-based web. The only reason they'd go down this route is to be able to pry into your computer. You did the right thing and ditched that bank.

[techieMoe]

Having them know which IP address you're connecting from isn't necessarily a problem, indeed it could help them if you suddenly start accessing your account from an IP registered in a different country and start shifting money around...

Several of my bank websites do this. They basically keep a log of what IP address you *usually* use and if you connect from a different one than usual they use that as a flag to ask some extra security questions. Personally, I like the feature.

[meton_magis]

Several of my bank websites do this. They basically keep a log of what IP address you *usually* use and if you connect from a different one than usual they use that as a flag to ask some extra security questions. Personally, I like the feature.

My new bank has something similar, they ask you questions if you don't have a cookie (i think) on your PC. I hated it because my answers to the questions can easily change over time (stuff like what's your favorite book.)

So I just ran a random word through a hash, took 15 or so digits out of the middle, and put those into a text file that I encrypted with a GPG key that I exported to a flash drive that I keep disconnected from my pc. ...... I may be a bit paranoid, but I'd like to see someone break it, hell, I don't even remember the stuff. And when I need it, I can just plug in my flash drive, cat the file, and enter my stuff. I just wish the bank would let me skip the middle and just use a keypair for authentication.

[Roxoff]

So I just ran a random word through a hash, took 15 or so digits out of the middle, and put those into a text file that I encrypted with a GPG key that I exported to a flash drive that I keep disconnected from my pc.

Shirly, it's easier to remember your passphrases?

When they ask for your favourite pudding, or favourite breed of horse, you don't have to actually pick your favourite. You can just pick one that you'll easily remember...