I work with banking data day to day and the internal systems are often just as rough. CSV exports with inconsistent date formats between the same bank's own products. Transaction descriptions that are random truncated strings with no standardisation. Every bank formats their statements differently and some of them can't even stay consistent between their own account types.
You'd think with the regulatory pressure around data accuracy this stuff would be sorted by now. But the reality is most banks treat their digital infrastructure like legacy plumbing - it works well enough that nobody wants to risk touching it.
They don't seem to have nearly the same concern for their online banking web UIs, though. Or even the UIs presented on screen at ATMs.
HTTPS still typically exchanges the Server Name Identification. So you know somebody is talking to HSBC. And the rest of the URL is just an anonymized tracking ID. So I'm having a hard time seeing what the threat is this particular instance.
Like I said, even with HTTPS everyone in the cafeteria theoretically knows you're connecting to HBSC as well.
So I don't see the difference.
HTTPS the attackers know a conversation is happening, but no idea what
But, I personally think the threat is being overblown (I am happy to be corrected though)
It's trivial to encode each tracking pixel with a personalized hash of some sort linking it to the intended recipient of that particular email.
This is...just how tracking pixels work.
"Not the real HSBC", and "Also not real HSBC" respectively.
But, they have no idea if the paper statements are making it to your desk, or if they are getting swiped from the letterbox (I'm in an apartment in Melbourne, and the snail mail is not reliable at all, mail is sometimes delivered to the wrong building, sometimes the wrong address entirely, it's also swiped by miscreants who have nothing better to do, and, in some cases, the pricks set the letter boxes on fire, taking all the mail with it)
My experience with IT in banks is that this entire "feature" of tracking who's opening/not opening emails must have went through about 50 people, and it must have taken at least a year from the idea forming in someone's head, going through all the administrative bureaucracy, getting approved, developed, tested, and rolled out.
Is it that HSBC has 0 competent people who could have mentioned that "tracking pixels are unreliable, especially in 2025/26"? Or is it that everybody who mentioned this was overruled by middle/upper management because they know better? What about the http:// part? I imagine there must have been a few developers saying we should not be serving anything under http://.
Senior leadership wouldn't believe me, kept harassing my team to explain why so and so who said they opened the email didn't have an open event, and why so and so who said they didn't open the email did have an open event.
Authors wouldn't believe me because email open was the highest scoring metric they had. Less than 3% of recipients would land on the page for the publication, but >50% would "open" the email that has a teaser and a call to action to open the webpage. If they had to go off of the click through metrics which are accurate it'd make it sound like they were bad at their job.
So everyone used open rates because it made them feel good. Either that they were writing engaging content, or made them feel like they actually had a handle on who was/was not reading their mail.
No metric would have been better than this metric.
I explained what that number actually means and watched his eyes totally glaze over. Doesn't matter. The "Apple number" was greater than zero so clearly he was successful at his job. (Entirely unrelated, he now has one employee and zero customers)
This was one of the first known issues when Gmail and others began checking and preloading images/content in emails. It was "triggering" that events/requests to tracking pixels. Eventually folks learned and knew to check the user agent to determine if it was just the mail provider preloading/checking the email content.
At these massive, unable to go bankrupt companies, you quickly lose all fucks to give. No one cares about opinion of ICs or even direct managers, Senior Management makes the calls and you either execute quietly or replaced with someone who is. When I worked for $MegaUSBank, there was two types of people. Those who realized their "spark" was draining out of them and got a new job after a few years and those who were just "Whatever, I push buttons and get paycheck." and had been there for 15 years.
Same thing happens with renting apartments. Slowly but surely, conveniences like apartment-phone-app (to open doors, to access mailboxes) get accepted by people and then they "throw the switch" and make the remaining 3% do it. Or maybe new renters must accept it to move in. And then they can deny access to apartments imeediately, track their residents, match with online activity and more...
1) Important communications required by law and/or regulation are sent by email.
2) Contacting customers via email is sometimes unreliable. It is unreliable enough that problems caused by missed emails caused enough pain in some exec's silo that they demanded a solution.
3) "Make sure people read their email" isn't really an actionable demand. The business knows this, so they turned to IT.
4) "Make sure people read their email" isn't really technically feasible either, but at this point it's not about making sure that the customer got the message: it's about making sure that the company is covered if a customer complains about missing communications.
5) To that end, a variety of technical solutions are proposed, and everyone knows that they're all bad or incomplete. The tracking pixel is chosen because it's at the intersection of "least bad" and "lowest effort to implement."
6) Around now, someone probably pointed out the issue with serving the content over http, but changing that requires buy-in from another team. It'll go to their product manager as an inject and maybe get prioritized for next PI (it won't, something more important will come up between now and then).
7) The tracking pixel ships. The team that implemented it stresses that this is an incomplete solution and the business really needs to re-evaluate their processes around how customer communications.
8) The email tracking pixel solution gets a bullet point on a slide in a presentation given to managers 3-5 levels higher than the devs who made it. No one mentions that the solution and requires additional work and investment. No one ever thinks of it again.
For every HN technically inclined people you have dozens of other customers who will give any email (thinking it's just writing "John.smith@bt.co.uk" or something) - or worse- and they have to find a way of identifying those customers
"I want to send letters to everyone who doesn't open our emails."
"We can't really detect that. We could add a tracking pixel, but–"
"Yeah, do that, the tracking pickle thing."
The other is that the "did they open this?" feature was rolled out purely for metrics knowing that it's imprecise, and later on got repurposed for something unsuitable without looking at how the "did this email get opened?" facility actually worked.
In the chain of command for a feature like this, that's quite possible.
> Or is it that everybody who mentioned this was overruled by middle/upper management because they know better?
Or just learned helplessness, they don't bother because they know it's not worth trying.
My wife continues to get spam snail mail from Citi, and they offer no way to opt out. If it was my account, I would switch banks.
Back to the main topic: I think it's pretty stupid of the HSBC IT folks to assume that an email was not read because the tracking pixels were never accessed. Lots of email clients these days do not load images by default.
This works well as a bluff, but of course you need to be ready to follow through in case they call the bluff. Which if you are, you may as well switch banks for real anyway.
And besides that, banks need capital reserves in the form of customer deposits; if too much money flows out then they will have to either acquire customers or pause their real moneymaking activity (loans).
Your account doesn't make them significant money. Retail banking in general makes boatloads of money, and deposits are central to this now that we're out of zero-interest-rate-land.
USA's fractional reserve requirement is now 0%. UK has also gotten rid of their reserve requirement as well. In the UK, the limit to what the bank can loan out is more determined by the market cap of the bank (committed shareholder value). Cash is only strictly needed to cover ... customer deposits.
So in the UK, if a bank gets rid of customer deposits entirely, then it kind of doesn't need any cash anymore. It can just lend money out of thin air based on its total net worth (market cap).
Talking about banking in general is generally a huge mistake. While deposits may be central, retail deposits are irrelevant for the banks that do > 70% of banking.
> now that we're out of zero-interest-rate-land.
Doesn't matter to them.
We’re talking about an individual sticking it to the bank he has an account with by cancelling it. Retail sounds entirely relevant here.
Citibank interest rate on savings accounts is less than 1%, more like 0.1%, and there are account fees too. They're telling you load and clear "We don't want your money" - you can't argue with that empirical evidence, straight from the horse's mouth.
The main thing is that they do care about retention.
I don't follow; why would regulations on consumer accounts change the price of commercial customer accounts?
Just loop in your regulators. This costs them far more and properly documents the problem for follow-up in case it becomes a pattern. Possibly more annoying than moving accounts. But far more effective (unless you have nine figures with the firm).
At least that's what I remember from them announcing the feature. No idea about other providers, and I haven't tested the feature myself.
It is, of course, very possible that Google has heuristics that can catch tracking pixels—in fact, I would go so far as to say that if they chose to, they 100% could, probably tomorrow. But given where Google makes its money, I would not in the least trust them to do that for me.
It's fine, Capital One. I did open your emails, I just didn't load your shady tracking pixels.
But I get their emails just fine. It's their tracking that (intentionally) isn't working.
I'd almost prefer paper statements from a few of my accounts, but not enough to pay for it directly.
In fact, the sheer amount of systems not working correctly in Britain is astonishing. Feels like the whole country is falling apart.
yes, its not how email is supposed to work. but people can be really really stupid.
What's the point of that entire handshake then?
> But we’re in the Darkest Timeline. Tracking pixels have become so endemic that HSBC have clearly come to the opinion that if they can’t track when I open their emails, I must not be receiving their emails. So they wrote me a letter to tell me that my emails have been “returned undelivered” (which seems to be an outright lie).
Tracking pixels are the key of thing that my computer filters out. So I wonder if this explains why I get paper statements for my Apple Card.
Each time one comes in the mail, it has a letter with it stating that Goldman Sachs was unable to contact me at the email address on file, which they show as my Apple ID email address. Which works fine for everyone else in the world, including Apple.
mate was on a toll till this. I mean after all that amazing write-up we gon be clicking links in emails??!
The focus on http versus https in allowing surveillance of fetching the tracking pixel are all but completely irrelevant.
In any case, the domain name of the tracking pixel locations will be resolved through DNS, which is almost always unencrypted. So anyone on the LAN will see the DNS query, revealing the banking URL, in plain text.
The big issue here, which I couldn't find one comment regarding, is that the email client is interpreting HTML.
Use plain text email! Problem solved. At least use a "Simple HTML" or similar mode when viewing email. Where the HTML is rendered, but no links are followed.
They also send you an email back saying your email wasn't delivered after a few days or hours, so there's little benefit in using the tracking pixel to determine if an address exists.
Don't know if they fetch images from emails sent to non-existent addresses, but I would if I were to design such a system.
"Our open rates have skyrocketed! send more emails!"
$ head -n 100 /dev/random | md5sum
a6cc1b7c09ccb122cb066c89e16b3140 -
They hired another company to do it.
The project has been over for 4 years.
The man who determined the requirements no longer works at HSBC or the other company.
The coder doesn't even know HSBC is using his code.
This is one of the reasons why in 2019 they wrote about their own demise https://web.archive.org/web/20240213185758/https://www.cimb.... against fintech (which is only slightly less archaic) and how cryptos, I don't know which ones, but maybe some yet to be born, will eventually displace them because regardless of their dominant position, the level of poor service and archaic systems is not humanly/socially sustainable for much longer.
Their leadership is mentally incapable of changing. Unfortunately, I fear that most of the population isn't either.
Not in my email client, mutt. I use Thunderbird once in a great while. For some reason I thought there was an option to stop that and I enabled it. Will need to check the next time I fire up Thunderbird.
Was this opening sentence necessary? It is not germane at all to the rest of the article. Ironically, it is itself virtue-signalling (for some definition of virtue), just to a different audience.
The article itself is a nice, well interesting, dive into the topic; kinda unfortunate.
Surprisingly neutral on topics regarding monarchy/monarchs, in favour of the AV referendum to get rid of plurality voting, and very annoyed at the electoral system for unilaterally changing his name on the voter rolls. (His surname is Q)
Putting diverse races in an ad, while not doing anything else about diversity, is virtue signalling. Complaining there are other races in the ad is vice signalling.
It would be very surprising behaviour for a British guy living in the UK
Sometimes called "pink capitalism" or "rainbow capitalism", where a company will show the rainbow pride flag for Pride Month, but not put any more substantial effort towards diversity, plurality, LGBTQ rights, etc.
I expect nothing from companies, and it's nice to see that virtue signal. If they're signalling, it means they think we haven't been exterminated yet. But I don't expect good works from anything for-profit. It's just business.
Edit: The author using the phrase "surveillance capitalism" is generally a left wing thing. I don't hear right-wingers rallying against capitalism (let's not even get into the weeds of defining "capitalism" the word) even when they happen to oppose surveillance
And apparently not targeted all that well, since half the comments here think it is a right-wing (anti-multiculturalism) sentiment, and the other half a left-wing (anti-corporate-reputation-laundering) sentiment.
That's why I fucking hate society. This is everywhere.
But this post is entirely speculation. The author has no evidence they're basing it on tracking pixels. They're literally just guessing.
And I'm dubious that tracking pixels would be a reliable enough signal to be worth it. Doesn't Gmail download images in advance anyways? Plus, I regularly filter predictable emails or just archive them directly from my inbox based on the subject line without opening.
I'd more likely assume they have an e-mail bounce detector that just has a bug in it.
They literally admit to this and go on to provide the evidence for their guess:
> I think I can place a solid guess about what went wrong here.
And they don't provide any evidence. Not a single piece. Merely claiming it's a "solid guess" doesn't make it solid. It's based on nothing. Tracking pixels are extremely common, so there's nothing to suggest it's tied specifically to this. As opposed to, like I said, a buggy bounce detector.
I do, when the result of that attempt is to tell people to change their email addresses unnecessarily. Most people will fall for that.
The wording could obviously be better, it should use softer language with a note that if you're sure the email is correct then you can ignore the letter.
But the general concept of trying to detect unused email addresses seems valid.