The http:// thing is what stands out to me. Someone had to actively choose to serve content over http in 2026. Even if the original template was ancient, any security review would have caught that - unless they skipped that step entirely, which honestly tracks.
I work with banking data day to day and the internal systems are often just as rough. CSV exports with inconsistent date formats between the same bank's own products. Transaction descriptions that are random truncated strings with no standardisation. Every bank formats their statements differently and some of them can't even stay consistent between their own account types.
You'd think with the regulatory pressure around data accuracy this stuff would be sorted by now. But the reality is most banks treat their digital infrastructure like legacy plumbing - it works well enough that nobody wants to risk touching it.
> “Every bank formats their statements differently…”
In my experience with bank data, on the downstream side, banking data is available in the OFX specification, which is a consistent transaction data format. Unfortunately, memos do get truncated to different char lengths by different banks, even though the specification allows 255 characters. AMEX, amazingly, switches NAME and MEMO properties. It's a dog's breakfast of compliance, but there is a standard.
Does HTTP really matter in this particular case though?
HTTPS still typically exchanges the Server Name Identification. So you know somebody is talking to HSBC. And the rest of the URL is just an anonymized tracking ID. So I'm having a hard time seeing what the threat is in this particular instance.
More than likely it's a third party service managing the tracking of the email. Serving content over http just requires them to ask HSBC to add a domain entry for their (cName) server. HTTPS would increase the amount of work required.
My experience with IT in banks is that this entire "feature" of tracking who's opening/not opening emails must have gone through about 50 people, and it must have taken at least a year from the idea forming in someone's head, going through all the administrative bureaucracy, getting approved, developed, tested, and rolled out.
Is it that HSBC has 0 competent people who could have mentioned that "tracking pixels are unreliable, especially in 2025/26"? Or is it that everybody who mentioned this was overruled by middle/upper management because they know better? What about the http:// part? I imagine there must have been a few developers saying we should not be serving anything under http://.
I ran a team at FAANG where I supported people creating content, including emails, and no matter how many times I explained open tracking was only useful as a trend and not an individual evaluation it just went over people's heads.
Senior leadership wouldn't believe me, kept harassing my team to explain why so and so who said they opened the email didn't have an open event, and why so and so who said they didn't open the email did have an open event.
Authors wouldn't believe me because email open was the highest scoring metric they had. Less than 3% of recipients would land on the page for the publication, but >50% would "open" the email that has a teaser and a call to action to open the webpage. If they had to go off of the click through metrics which are accurate it'd make it sound like they were bad at their job.
So everyone used open rates because it made them feel good. Either that they were writing engaging content, or made them feel like they actually had a handle on who was/was not reading their mail.
No metric would have been better than this metric.
They might have competent people but most tech people working at a bank like are out of fucks to give.
At these massive, unable to go bankrupt companies, you quickly lose all fucks to give. No one cares about opinion of ICs or even direct managers, Senior Management makes the calls and you either execute quietly or are replaced with someone who is. When I worked for $MegaUSBank, there were two types of people. Those who realized their "spark" was draining out of them and got a new job after a few years and those who were just "Whatever, I push buttons and get paycheck." and had been there for 15 years.
My take: someone wanted a technical solution for what is a people/process problem. A hypothetical version of events, just one of many possible scenarios of course:
1) Important communications required by law and/or regulation are sent by email.
2) Contacting customers via email is sometimes unreliable. It is unreliable enough that problems caused by missed emails caused enough pain in some exec's silo that they demanded a solution.
3) "Make sure people read their email" isn't really an actionable demand. The business knows this, so they turned to IT.
4) "Make sure people read their email" isn't really technically feasible either, but at this point it's not about making sure that the customer got the message: it's about making sure that the company is covered if a customer complains about missing communications.
5) To that end, a variety of technical solutions are proposed, and everyone knows that they're all bad or incomplete. The tracking pixel is chosen because it's at the intersection of "least bad" and "lowest effort to implement."
6) Around now, someone probably pointed out the issue with serving the content over http, but changing that requires buy-in from another team. It'll go to their product manager as an inject and maybe get prioritized for next PI (it won't, something more important will come up between now and then).
7) The tracking pixel ships. The team that implemented it stresses that this is an incomplete solution and the business really needs to re-evaluate their processes around customer communications.
8) The email tracking pixel solution gets a bullet point on a slide in a presentation given to managers 3-5 levels higher than the devs who made it. No one mentions that the solution is incomplete and requires additional work and investment. No one ever thinks of it again.
At least they email him and don't send the stupid "you have an important message, login to see it" email. No idea what those important messages are, I'm sure sometimes they were important
I'd guess one of two things. One is a conversation that goes like:
"I want to send letters to everyone who doesn't open our emails."
"We can't really detect that. We could add a tracking pixel, but–"
"Yeah, do that, the tracking pickle thing."
The other is that the "did they open this?" feature was rolled out purely for metrics knowing that it's imprecise, and later on got repurposed for something unsuitable without looking at how the "did this email get opened?" facility actually worked.
Same thing happens with renting apartments. Slowly but surely, conveniences like apartment-phone-app (to open doors, to access mailboxes) get accepted by people and then they "throw the switch" and make the remaining 3% do it. Or maybe new renters must accept it to move in. And then they can deny access to apartments immediately, track their residents, match with online activity and more...
I think people are overthinking this, though the discussion about reliability is merited
For every HN technically inclined people you have dozens of other customers who will give any email (thinking it's just writing "John.smith@bt.co.uk" or something) - or worse- and they have to find a way of identifying those customers
NAB Australia does exactly the same thing. Unless I "load remote images" when I receive their emails, they'll start mailing letters saying that they switched me to paper statements as their emails are not going through.
It also took me a bit to investigate as their emails were obviously coming through.
I'm in two minds on this - the bank does need to know that its communications are being received
But, they have no idea if the paper statements are making it to your desk, or if they are getting swiped from the letterbox (I'm in an apartment in Melbourne, and the snail mail is not reliable at all, mail is sometimes delivered to the wrong building, sometimes the wrong address entirely, it's also swiped by miscreants who have nothing better to do, and, in some cases, the pricks set the letter boxes on fire, taking all the mail with it)
CapitalOne balance alerts for a low-use credit card - they silently disabled the alerts because "I wasn't reading them". Because I have read notifications disabled and don't load remote resources.
Even if they truly believed I wasn't reading them, disabling them makes no sense to me. They certainly weren't bouncing and I wasn't reporting them as spam.
I dropped CapitalOne after that (not sure I moved to something better though...)
Years ago, I used to get marketing spam emails from Bank of America. In their email, they did not offer a way to opt out from those types of email, so I invalidated the unique email address that I had created just for them. A few months later, I got a snail mail letter like the one Dan got, telling me that emails were being rejected and that I needed to correct my email address. I went through the same sort of nonsensical dialog with them, and they simply would not let me opt out from their marketing emails, so I left it disabled for a few years. Eventually they offered "email preferences", so I re-enabled it.
My wife continues to get spam snail mail from Citi, and they offer no way to opt out. If it was my account, I would switch banks.
Back to the main topic: I think it's pretty stupid of the HSBC IT folks to assume that an email was not read because the tracking pixels were never accessed. Lots of email clients these days do not load images by default.
All sounds about right for HSBC. They've got some of the worst banking tech in existence. How the heck anyone puts up with their crap is beyond me, I moved away a decade ago but still have a close family member with them and they're forever having issues (genuinely not user error) with the crippled online banking app they've got that looks like something from the early days of app development.
Want them to really listen to you? Cancel your accounts - move to another bank.
This works well as a bluff, but of course you need to be ready to follow through in case they call the bluff. Which if you are, you may as well switch banks for real anyway.
> Want them to really listen to you? Cancel your accounts
Just loop in your regulators. This costs them far more and properly documents the problem for follow-up in case it becomes a pattern. Possibly more annoying than moving accounts. But far more effective (unless you have nine figures with the firm).
Capital One does this to me as well, but at least they make it clear so I actually understand what they mean ("You haven't opened an email from us lately...").
It's fine, Capital One. I did open your emails, I just didn't load your shady tracking pixels.
Ditto, I get them all the time and just ignore them. I actually have a gmail rule that if it sees that phrase it marks it read and deletes it. Them not knowing if I read an email is not a problem I need to solve.
Gmail automatically downloads images ahead of time, so the tracking pixels will have been fetched by Gmail themselves regardless of when the user opens the email.
I had a demo for some high-school students for an ethics and tech class that successfully demonstrated these with a GMail account, so when this started happening I got very upset lol.
When Gmail downloads the image it identifies itself as GoogleImageProxy, and will be coming from a GCP/Google ASN.
Similar signal will be there for any email provider or server-side filter that downloads the content for malware inspection.
Pixel trackers are nearly never implemented in-house, because it's basically impossible for you to do your own email. So the tracker is a function of the batteries-included sending email provider. Those guys do that for a living, so they are sophisticated, and filter on the provider download of images.
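The filtering described in the comments above, sketched as an added example (it is not code from the thread or from any email provider): pixel fetches are split into provider-side downloads and real client opens, and a recipient is only ever marked undelivered on an actual bounce. The `/px/<id>.gif` endpoint, the log lines, the recipient IDs and the provider network prefix are all constructed assumptions; only the `GoogleImageProxy` user-agent marker comes from the discussion.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data: access-log lines for a hypothetical pixel endpoint
# /px/<recipient-id>.gif. All IPs are from documentation ranges (RFC 5737).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Feb/2026:09:00:01 +0000] "GET /px/r1001.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)"
203.0.113.20 - - [03/Feb/2026:09:12:44 +0000] "GET /px/r1002.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (X11; Linux x86_64) Thunderbird/128.0"
198.51.100.9 - - [03/Feb/2026:09:13:02 +0000] "GET /px/r1003.gif HTTP/1.1" 200 43 "-" "ExampleMailScanner/1.0"
this line is malformed and must be skipped
"""

# User-agent substrings that mark a provider-side image download.
PROXY_UA_MARKERS = ("GoogleImageProxy",)

# Assumption: a placeholder prefix standing in for networks announced by mail
# providers and scanners (in practice this comes from ASN data).
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /px/(?P<rid>[A-Za-z0-9]+)\.gif HTTP/[\d.]+" '
    r'\d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def classify_fetch(ip: str, ua: str) -> str:
    """Return 'automated' for provider/scanner downloads, else 'client'."""
    if any(marker in ua for marker in PROXY_UA_MARKERS):
        return "automated"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PROVIDER_NETS):
        return "automated"
    return "client"


def pixel_signals(log_text: str) -> dict:
    """Map recipient id -> set of fetch classes seen in the log."""
    signals = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not pixel fetches
        signals[m["rid"]].add(classify_fetch(m["ip"], m["ua"]))
    return dict(signals)


def delivery_status(rid: str, signals: dict, bounced: set) -> str:
    """Only an SMTP bounce means 'undelivered'; a missing pixel hit does not."""
    if rid in bounced:
        return "bounced"
    kinds = signals.get(rid, set())
    if "client" in kinds:
        return "opened"
    if "automated" in kinds:
        return "fetched_by_provider"  # mailbox exists; says nothing about reading
    return "unknown"  # images blocked or mail unread: NOT evidence of a bad address


def report(recipients, log_text, bounced):
    signals = pixel_signals(log_text)
    return {rid: delivery_status(rid, signals, bounced) for rid in recipients}


if __name__ == "__main__":
    # r1004 never fetched the pixel; r1005 produced a real bounce (constructed).
    for rid, status in report(
        ["r1001", "r1002", "r1003", "r1004", "r1005"], SAMPLE_LOG, {"r1005"}
    ).items():
        print(rid, status)
```

The `unknown` bucket is where readers with remote images disabled end up; treating it the same as `bounced` produces the "returned undelivered" letters this thread is about.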
Charles Schwab has something very similar. They keep unenrolling me from their paperless thing and then send me a letter every month telling me they unenrolled me because emails aren't being delivered.
But I get their emails just fine. It's their tracking that (intentionally) isn't working.
Maybe this is what's happening to me at Fidelity. They keep complaining about my email on custom domain but the Protonmail address works fine. I use different apps for the two because PM doesn't support IMAP, so maybe PM doesn't block the tracking pixels but the other one does.
I've been getting similar letters in the mail from Ameriprise for over 15 years. I receive all my account-related emails, but because they can't _track me doing that_ they _assume_ there is some kind of problem.
I've contacted them about this multiple times and always get the same clueless & useless responses that ultimately end with "just disregard the notices" result.
Banks have some of the worst IT in the world. Being purely manager-led, with developers completely subservient to the bean counters, the results are terrible.
This is one of the reasons why in 2019 they wrote about their own demise https://web.archive.org/web/20240213185758/https://www.cimb.... against fintech (which is only slightly less archaic) and how cryptos, I don't know which ones, but maybe some yet to be born, will eventually displace them because regardless of their dominant position, the level of poor service and archaic systems is not humanly/socially sustainable for much longer.
Their leadership is mentally incapable of changing. Unfortunately, I fear that most of the population isn't either.
I had the exact same experience with HSBC, with a little twist: I was really impressed by their 100% online signup process with digital government ID which took less than 10 minutes. The process was extremely smooth, except for a very scammy sounding verification phone call. Within 1 day I had a digital card for Apple Pay and within 3 days a courier handed me my physical debit card. I liked the app too. I hadn't consented to marketing mail but HSBC decided to send me some "welcome upsell" anyways, which was returned as I refuse marketing mail. Immediately my card and account were blocked which sent me down the same experience as OP describes here.
I send over 1M transactional (user opt in only) emails per day for one of my websites. We have to be pretty strict how we handle bounces and complaints or it can tarnish our sending rep. Sometimes people accidentally flag mail as spam, or maybe their client does, or maybe their server does, and this comes back to us as a complaint. Under the ToS of my email gateway I must stop sending to that address until the user updates their email.
There are a lot of assumptions in this post about tracking pixels etc, without any concrete evidence. The truth could be far simpler.
This isn't going to get to someone at HSBC. Nothing will change.
They hired another company to do it.
The project has been over for 4 years.
The man who determined the requirements no longer works at HSBC or the other company.
The coder doesn't even know HSBC is using his code.
It's absolutely useless - humans going into the age of software. It's a death spiral of I don't know's for a hundred miles.
I noticed this a couple of years ago too, I just ignored the letters, continued to receive the emails, and they stopped sending me letters about it /shrug
I take bigger offense to the message that says "your emails were returned undelivered", because that is a lie. A bank, sent to a customer, a lie. "Scale" should never be an acceptable excuse but somehow we let it slide when it comes to the internet.
As an aside, at least the email wasn't "a new document is available in your secure portal click here to view it"!
I am, in fact, shocked that any email clients (including the BigCo webmail clients) load remote images automatically in 2026. I haven't seen a client that didn't require an extra click to open remote resources since like 2020. Even Outlook 365 only seems to do it for emails within the same organization.
> But it gets worse. Because HSBC are using http://, rather than https:// URLs for their tracking pixels, they’re also saying that every time you read an email from them, they’d like everybody on the same network as you to be able to know that you did so, too. If you’re at my house, on my WiFi, and you open an email from HSBC, not only might HSBC know about it, but I might know about it too.
> But we’re in the Darkest Timeline. Tracking pixels have become so endemic that HSBC have clearly come to the opinion that if they can’t track when I open their emails, I must not be receiving their emails. So they wrote me a letter to tell me that my emails have been “returned undelivered” (which seems to be an outright lie).
Tracking pixels have become so endemic that HSBC have clearly come to the opinion that if they can’t track when I open their emails, I must not be receiving their emails. So they wrote me a letter to tell me that my emails have been “returned undelivered”
Tracking pixels are the kind of thing that my computer filters out. So I wonder if this explains why I get paper statements for my Apple Card.
Each time one comes in the mail, it has a letter with it stating that Goldman Sachs was unable to contact me at the email address on file, which they show as my Apple ID email address. Which works fine for everyone else in the world, including Apple.
True, but HSBC thinks you read the email, because somebody fetched the tracking pixel, right? The irony is that HSBC and others who use this kind of thing probably aren't in the least interested in when or how many times you open the email. Whoever came up with this idea (probably) really did think it was (just) a pretty good way of figuring out if they have your correct email.
They do work for the inferred purpose here though, assuming Gmail only downloads them when the email is successfully delivered to the mailbox (and thus the address is valid).
I mean, they still work in some way. If you use tracking pixels to see if an email was read, I agree with you that this breaks the functionality. But if you just want to see if the email exists, then the fact that google fetches them (and triggers the parametric URL) still tells you something.
> I have a credit card with HSBC: you know, the bank with virtue-signalling multiculturalism in their ads.
Was this opening sentence necessary? It is not germane at all to the rest of the article. Ironically, it is itself virtue-signalling (for some definition of virtue), just to a different audience.
It doesn't even link to an ad, it links to a weird parody attempt of the ad on the same site as the article. Which makes little sense for people unfamiliar with the original ad it parodies.
My first instinct was to close the article as I didn't want to read a Republican virtue signaling to his audience. I wonder if they were trying to sound Republican?
The article itself is a nice, well interesting, dive into the topic; kinda unfortunate.
And apparently not targeted all that well, since half the comments here think it is a right-wing (anti-multiculturalism) sentiment, and the other half a left-wing (anti-corporate-reputation-laundering) sentiment.
Some may treat these as an inconvenience or annoyance, but I think it’s a sign of rot. And it may run a lot deeper. Unfortunately I feel like most financial institutions have terrible websites and practices in general, so I don’t know if switching will let you avoid problems.
The rot goes deeper because for every story like this there were hundreds of people involved in making it happen. Some by choice, some less so but rot nonetheless.
It seems the article and most of the comments here are nonsense.
The focus on http versus https in allowing surveillance of fetching the tracking pixel is all but completely irrelevant.
In any case, the domain name of the tracking pixel locations will be resolved through DNS, which is almost always unencrypted. So anyone on the LAN will see the DNS query, revealing the banking URL, in plain text.
The big issue here, which I couldn't find one comment regarding, is that the email client is interpreting HTML.
Use plain text email! Problem solved. At least use a "Simple HTML" or similar mode when viewing email. Where the HTML is rendered, but no links are followed.
I'd be willing to bet the number of people who sign up for ebilling, then screw up their email address is huge. then those people blame the bank for not contacting them to tell them the issue.
yes, it's not how email is supposed to work. but people can be really really stupid.
Hang on. The OP gets a paper statement already (there's a picture). If the email address is correct, and OP does nothing, what's the worst that could happen?
If the bank wants to waste time and energy with this nonsense, that's their business. As long as nothing real bad can happen, let them at it.
I don't think I'd be inclined to do the "bank's job" when it affects me not a bit. As sure as eggs is eggs, I wouldn't spend hours on the phone or chatline explaining what their problem is. It seems like it's their problems and not the OP's.
>used to surreptitiously track when somebody reads an email
Not in my email client, mutt. I use Thunderbird once in a great while. For some reason I thought there was an option to stop that and I enabled it. Will need to check the next time I fire up Thunderbird.
I don't see anything wrong with attempting this. A significant number of people mistype/change their e-mail address, and security messages from banks can be important, so anything that catches no-longer-working e-mail addresses is better for everyone involved. And I assume a very small proportion of people try to disable tracking pixels.
But this post is entirely speculation. The author has no evidence they're basing it on tracking pixels. They're literally just guessing.
And I'm dubious that tracking pixels would be a reliable enough signal to be worth it. Doesn't Gmail download images in advance anyways? Plus, I regularly filter predictable emails or just archive them directly from my inbox based on the subject line without opening.
I'd more likely assume they have an e-mail bounce detector that just has a bug in it.
jackfranklyn|1 month ago
zahlman|1 month ago
They don't seem to have nearly the same concern for their online banking web UIs, though. Or even the UIs presented on screen at ATMs.
1vuio0pswjnm7|1 month ago
To be fair, people actively choose to do this every day
For example, millions of people actively choose to do this for HTTP-01 ACME challenges
https://www.ietf.org/rfc/rfc8555.txt
https://letsencrypt.org/docs/challenge-types/
Certificate authorities also actively choose to do this for
1. TLS Certificates
For example, http://www.ssl.com/repository/SSLcom-RootCA-ECC-384-R1.crt
2. TLS Certificate Revocation Lists (CRLs)
For example, http://crls.ssl.com/ssl.com-ecc-RootCA.crl
3. Online TLS Certificate Status Protocol (OCSP) responses
For example, http://ocsps.ssl.com
NB. If the statement was more specific, something like, "HSBC chose to use HTTP for return receipts in 2026" then I would have no reason to comment. Instead the statement suggests HTTP is no longer a useful nor appropriate choice for _anyone_. That of course is false, as shown above
xtiansimon|1 month ago
https://en.wikipedia.org/wiki/Open_Financial_Exchange
https://www.financialdataexchange.org/FDX/FDX/About/About-FD...
crazygringo|1 month ago
sandeepkd|1 month ago
63stack|1 month ago
malfist|1 month ago
stackskipton|1 month ago
brendoelfrendo|1 month ago
dwedge|1 month ago
wat10000|1 month ago
m463|1 month ago
raverbashing|1 month ago
antonvs|1 month ago
In the chain of command for a feature like this, that's quite possible.
> Or is it that everybody who mentioned this was overruled by middle/upper management because they know better?
Or just learned helplessness, they don't bother because they know it's not worth trying.
Nextgrid|1 month ago
Given the salaries, tooling and working conditions for tech people in such companies, why would anyone competent work there?
nickname-derail|1 month ago
awesome_dude|1 month ago
rendaw|1 month ago
pabs3|1 month ago
anonymousiam|1 month ago
esskay|1 month ago
loloquwowndueo|1 month ago
direwolf20|1 month ago
JumpCrisscross|1 month ago
fy20|1 month ago
https://www.theguardian.com/business/2017/sep/03/hsbc-heads-...
My business (which had been around for 5 years at this point) was part of this. Now I'm wise Wise.
theyneverlear|1 month ago
[deleted]
zzyzxd|1 month ago
burnte|1 month ago
Dwedit|1 month ago
ChicagoBoy11|1 month ago
jdhawk|1 month ago
jiveturkey|1 month ago
extraduder_ire|1 month ago
At least that's what I remember from them announcing the feature. No idea about other providers, and I haven't tested the feature myself.
bmenrigh|1 month ago
fooqux|1 month ago
6ak74rfy|1 month ago
unknown|1 month ago
[deleted]
blackhaz|1 month ago
In fact, the sheer amount of systems not working correctly in Britain is astonishing. Feels like the whole country is falling apart.
sd9|1 month ago
amprisewinner|1 month ago
What a waste of resources, at so many levels.
kkfx|1 month ago
This is one of the reasons why in 2019 they wrote about their own demise https://web.archive.org/web/20240213185758/https://www.cimb.... against fintech (which is only slightly less archaic) and how cryptos, I don't know which ones, but maybe some yet to be born, will eventually displace them because regardless of their dominant position, the level of poor service and archaic systems is not humanly/socially sustainable for much longer.
Their leadership is mentally incapable of changing. Unfortunately, I fear that most of the population isn't either.
janpeuker|1 month ago
VladVladikoff|1 month ago
almosthere|1 month ago
bennyp101|1 month ago
TheJoeMan|1 month ago
As an aside, at least the email wasn't "a new document is available in your secure portal click here to view it"!
NoGravitas|1 month ago
barbazoo|1 month ago
> But we’re in the Darkest Timeline. Tracking pixels have become so endemic that HSBC have clearly come to the opinion that if they can’t track when I open their emails, I must not be receiving their emails. So they wrote me a letter to tell me that my emails have been “returned undelivered” (which seems to be an outright lie).
reaperducer|1 month ago
Tracking pixels are the kind of thing that my computer filters out. So I wonder if this explains why I get paper statements for my Apple Card.
Each time one comes in the mail, it has a letter with it stating that Goldman Sachs was unable to contact me at the email address on file, which they show as my Apple ID email address. Which works fine for everyone else in the world, including Apple.
renewiltord|1 month ago
gweinberg|1 month ago
wrs|1 month ago
jldugger|1 month ago
"Our open rates have skyrocketed! send more emails!"
philipwhiuk|1 month ago
CGMthrowaway|1 month ago
Almondsetat|1 month ago
Analemma_|1 month ago
Was this opening sentence necessary? It is not germane at all to the rest of the article. Ironically, it is itself virtue-signalling (for some definition of virtue), just to a different audience.
CodesInChaos|1 month ago
arduanika|1 month ago
enlightens|1 month ago
https://en.wikipedia.org/wiki/HSBC#Controversies
throwaway902984|1 month ago
The article itself is a nice, well interesting, dive into the topic; kinda unfortunate.
swiftcoder|1 month ago
And apparently not targeted all that well, since half the comments here think it is a right-wing (anti-multiculturalism) sentiment, and the other half a left-wing (anti-corporate-reputation-laundering) sentiment.
rjsw|1 month ago
bstsb|1 month ago
dpoloncsak|1 month ago
What's the point of that entire handshake then?
SilverElfin|1 month ago
CGMthrowaway|1 month ago
barbazoo|1 month ago
ivanjermakov|1 month ago
To be fair, if someone was on my local network, I would have greater issues to worry about.
bdangubic|1 month ago
mate was on a roll till this. I mean after all that amazing write-up we gon be clicking links in emails??!
johnea|1 month ago
The focus on http versus https in allowing surveillance of fetching the tracking pixel is all but completely irrelevant.
In any case, the domain name of the tracking pixel locations will be resolved through DNS, which is almost always unencrypted. So anyone on the LAN will see the DNS query, revealing the banking URL, in plain text.
The big issue here, which I couldn't find one comment regarding, is that the email client is interpreting HTML.
Use plain text email! Problem solved. At least use a "Simple HTML" or similar mode when viewing email. Where the HTML is rendered, but no links are followed.
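What an HTML-rendering client fetches on open, and what a no-remote-content mode would have to block, shown as an added example that is not part of the thread or of any commenter's post. The sample message, its hosts and the tracking ID are constructed, and `find_remote_loads` is a hypothetical helper name.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: hosts and the tracking ID are made up for illustration.
SAMPLE = """\
From: statements@bank.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready.</p>
<img src="http://track.bank.example/o/abc123.gif" width="1" height="1">
<img src="https://cdn.bank.example/logo.png" width="120" height="40">
<img src="cid:footer@bank.example">
<a href="https://www.bank.example/login">Log in</a></body></html>
"""

# Attributes a rendering client fetches on open, without any click.
AUTO_FETCH = ("src", "background", "poster")

class RemoteLoadFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        values = [a.get(name) for name in AUTO_FETCH]
        if tag == "link":                      # remote stylesheets
            values.append(a.get("href"))
        for value in filter(None, values):
            url = urlsplit(value.strip())
            if url.scheme not in ("http", "https"):
                continue                       # cid: and data: need no network
            self.loads.append({
                "tag": tag, "host": url.hostname, "path": url.path,
                "cleartext": url.scheme == "http",   # full URL visible on the wire
                "pixel": tag == "img" and a.get("width") == a.get("height") == "1",
            })

def find_remote_loads(raw):
    """Return every automatic remote fetch in the message's text/html parts."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteLoadFinder()
            finder.feed(part.get_content())
            found.extend(finder.loads)
    return found
```

The `<a href>` link is deliberately not reported, since it is only fetched on a click; everything returned is requested simply by opening the message with remote content enabled.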
believ3|1 month ago
exidy|1 month ago
adastra22|1 month ago
crabmusket|1 month ago
treetalker|1 month ago
fragmede|1 month ago
sparrish|1 month ago
kylehotchkiss|1 month ago
mmmlinux|1 month ago
Yes, it's not how email is supposed to work. But people can be really really stupid.
hrimfaxi|1 month ago
kayo_20211030|1 month ago
If the bank wants to waste time and energy with this nonsense, that's their business. As long as nothing real bad can happen, let them at it.
I don't think I'd be inclined to do the "bank's job" when it affects me not a bit. As sure as eggs is eggs, I wouldn't spend hours on the phone or chatline explaining what their problem is. It seems like it's their problem and not the OP's.
jrs235|1 month ago
effnorwood|1 month ago
nticompass|1 month ago
JasonADrury|1 month ago
[deleted]
koakuma-chan|1 month ago
That's why I fucking hate society. This is everywhere.
drdec|1 month ago
MagicMoonlight|1 month ago
shaftway|1 month ago
https://en.wikipedia.org/wiki/Synapse_Financial_Technologies
reaperducer|1 month ago
jmclnx|1 month ago
Not in my email client, mutt. I use Thunderbird once in a great while. For some reason I thought there was an option to stop that and I enabled it. Will need to check the next time I fire up Thunderbird.
crazygringo|1 month ago
But this post is entirely speculation. The author has no evidence they're basing it on tracking pixels. They're literally just guessing.
And I'm dubious that tracking pixels would be a reliable enough signal to be worth it. Doesn't Gmail download images in advance anyways? Plus, I regularly filter predictable emails or just archive them directly from my inbox based on the subject line without opening.
I'd more likely assume they have an e-mail bounce detector that just has a bug in it.
jmholla|1 month ago
They literally admit to this and go on to provide the evidence for their guess:
> I think I can place a solid guess about what went wrong here.
stronglikedan|1 month ago
I do, when the result of that attempt is to tell people to change their email addresses unnecessarily. Most people will fall for that.