Privacy & Tracking

.bank.in Supercookies: How India's Banking Domain Becomes a Cross-Bank Tracking Vector

CashlessConsumer · June 30, 2026

A domain suffix designed to be a trust anchor, telling citizens "this website is genuinely your bank", can accidentally become a cross-bank tracking surface when the browser doesn't know that sbi.bank.in and hdfc.bank.in should be treated as separate sites.

This page documents the browser cookie mechanics, the Public Suffix List fix that already exists, the gap that remains in practice, what Kingsly J discovered in Feb 2026, and an expedition plan to find real-world abuses.

Status: .bank.in was added to the Public Suffix List in Nov 2025 (PR #2603 by NIC.IN). But this doesn't eliminate the risk: PSL updates propagate slowly to browsers, WebViews, and embedded browsers. Kingsly found cookies crossing bank boundaries as late as Feb 2026, 3+ months after the PSL entry.

1. The Public Suffix List & Cookie Isolation

The Public Suffix List (PSL) is a machine-readable catalogue that tells browsers which domain suffixes belong to a registry, so cookie.example.co.uk and other.example.co.uk can't read each other's cookies.

Without a PSL entry for bank.in, the browser treats it as a "private domain":

PSL diagram: before and after

The mechanic is simple: any cookie set with Domain=.bank.in by one bank will be sent to every *.bank.in domain the user visits. This means:

2. .bank.in on the PSL: Already Fixed at the Registry Level

During our research for this page, we discovered that bank.in is already on the Public Suffix List.

It was added via PR #2603, "add bank.in and fin.in to the public suffix list", submitted by Gaurav Kansal (NIC.IN), the .in registry operator, on 2025-11-06 and merged the same day by PSL maintainer Simon Friedberger.

This was part of the broader update by NIXI/NIC.IN to bring all official .in second-level domains onto the PSL โ€” covering bank.in, fin.in, ac.in, gov.in, edu.in, and others added in the same batch (PR #1588, then PR #2603).

Who can submit such an entry: NIC.IN, as the .in registry operator, already handled this. RBI/IDRBT are not the right party, because a PSL submission is the registry's responsibility, and NIC.IN (the registry for .in) made this one, not RBI. So no PR is needed from us; it's done.

3. The Gap That Remains: PSL Updates Are Not Instant

Adding bank.in to the PSL repository is necessary but not sufficient. Here's why the risk persists:

3a. Browser Release Cycles

The PSL is shipped with browser releases. Chrome picks up PSL updates with its release cycle, roughly every 4-6 weeks; Firefox ships the list with each release (~4 weeks). Safari and mobile WebViews update on their own cadence. A user running a 3-month-old browser in Feb 2026 would not have the Nov 2025 PSL update.

3b. Embedded Browsers & WebViews

Many Indian apps (banking apps, UPI apps, fintech) use embedded WebViews to render bank pages. These WebViews often use a bundled Chromium WebView that may not receive PSL updates for months or years. An SBI YONO app WebView from early 2025 would never know about bank.in on the PSL.

3c. Third-Party Tracking Scripts

The most dangerous vector: if any .bank.in site loads a third-party script (analytics, ad network, fraud detection, support widget), that script can set Domain=.bank.in cookies. Since browsers without the PSL update see bank.in as a single "site", the third party can correlate user behaviour across SBI, HDFC, ICICI, and all other banks.
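The cookie mechanic in sections 1 and 3c comes down to one browser decision, the Domain-attribute check in RFC 6265 section 5.3, whose outcome flips depending on whether bank.in is on the PSL the browser happens to ship. The following is an added example (not code from the article or from CashlessConsumer) that models that decision for the three headers reported in section 4 and then asks which of the stored cookies hdfc.bank.in would receive. Assumptions: the two PSL subsets are constructed and contain only plain rules (the real list also has wildcard and exception rules, omitted here), and the third cookie name is a constructed placeholder because the article truncates it.

```python
"""Model of the RFC 6265 section 5.3 decision a browser makes for a Set-Cookie
header, run against two PSL snapshots: one without bank.in (the state before
Nov 2025) and one with it (after PR #2603). Added example, not the article's
code. The PSL subsets are constructed and omit wildcard ("*.") and exception
("!") rules, which the real list contains."""
from dataclasses import dataclass

# Constructed PSL subsets: only the plain rules this example needs.
PSL_BEFORE = frozenset({"in", "co.in", "ac.in", "gov.in"})
PSL_AFTER = PSL_BEFORE | {"bank.in", "fin.in"}  # state after PR #2603

# The headers reported in section 4; values are the article's placeholders.
# The third cookie name is truncated in the article, so a constructed name is used.
OBSERVED_HEADERS = [
    "_iidt=abc123; Domain=.bank.in; Path=/; Max-Age=31536000",
    "_vid_t=xyz789; Domain=.bank.in; Path=/; Max-Age=31536000",
    "WZRK_S_example=1; Domain=.bank.in; Path=/; Max-Age=31536000",
]


@dataclass(frozen=True)
class Decision:
    name: str
    accepted: bool
    scope: str    # "host-only:<host>" or "domain:<domain>" when accepted, "" otherwise
    reason: str


def public_suffix(host, psl):
    """Longest PSL rule matching a suffix of host; the bare TLD if none matches."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):          # suffixes from longest to shortest
        candidate = ".".join(labels[i:])
        if candidate in psl:
            return candidate
    return labels[-1]


def registrable_domain(host, psl):
    """Public suffix plus one label: what browsers treat as the 'site' (eTLD+1)."""
    suffix = public_suffix(host, psl)
    if host.lower() == suffix:
        return None
    rest = host.lower()[: -len(suffix) - 1]
    return rest.split(".")[-1] + "." + suffix


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def decide(request_host, header, psl):
    """Accept or reject the cookie for a response received from request_host."""
    name, _, attrs = parse_set_cookie(header)
    host = request_host.lower()
    domain = attrs.get("domain", "").lower().lstrip(".")
    if not domain:
        return Decision(name, True, "host-only:" + host, "no Domain attribute")
    # Step 5: a Domain that is itself a public suffix is ignored (unless it equals the host).
    if public_suffix(domain, psl) == domain and domain != host:
        return Decision(name, False, "", domain + " is a public suffix")
    # Step 6: the request host must domain-match the Domain attribute.
    if host != domain and not host.endswith("." + domain):
        return Decision(name, False, "", host + " does not domain-match " + domain)
    return Decision(name, True, "domain:" + domain, "accepted")


def sent_to(host, stored):
    """Names of stored (accepted) cookies a browser would attach to a request to host."""
    names = []
    for d in stored:
        kind, _, target = d.scope.partition(":")
        if kind == "host-only" and host == target:
            names.append(d.name)
        elif kind == "domain" and (host == target or host.endswith("." + target)):
            names.append(d.name)
    return names


def simulate(psl):
    """Set the observed headers on sbi.bank.in, then see what hdfc.bank.in receives."""
    decisions = [decide("sbi.bank.in", h, psl) for h in OBSERVED_HEADERS]
    stored = [d for d in decisions if d.accepted]
    return decisions, sent_to("hdfc.bank.in", stored)


if __name__ == "__main__":
    for label, psl in (("without bank.in on the PSL", PSL_BEFORE), ("with bank.in on the PSL", PSL_AFTER)):
        decisions, leaked = simulate(psl)
        print(label + ":", [(d.name, d.reason) for d in decisions])
        print("  hdfc.bank.in would receive:", leaked or "nothing")
```

With PSL_BEFORE all three cookies are accepted as Domain=bank.in cookies and every one of them is attached to a request to hdfc.bank.in; with PSL_AFTER the same headers are dropped at step 5 because bank.in is now a public suffix, and the only way to persist a cookie is to scope it to the bank's own subdomain. That is the whole difference between a browser that shipped the Nov 2025 list and one that did not.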

4. Kingsly's Discovery (Feb 27, 2026)

🧵 While browsing SBI in incognito, noticed cookies scoped to .bank.in appearing: specifically _iidt, _vid_t, and WZRK_S_.... The dot-prefix (.bank.in not sbi.bank.in) means these cookies are shared across ALL *.bank.in domains.
Set-Cookie: _iidt=abc123; Domain=.bank.in; Path=/; Max-Age=31536000
Set-Cookie: _vid_t=xyz789; Domain=.bank.in; Path=/; Max-Age=31536000
Set-Cookie: WZRK_S_...=...; Domain=.bank.in; Path=/; Max-Age=31536000

Kingsly's finding is significant because:

USER visits sbi.bank.in
    │
    ├─ SBI page loads
    │   └─ Third-party script (analytics/marketing) sets:
    │      Set-Cookie: _iidt=abc123; Domain=.bank.in
    │      Set-Cookie: _vid_t=xyz789; Domain=.bank.in
    │      Set-Cookie: WZRK_S_...=...; Domain=.bank.in
    │
    └─ Cookie stored for .bank.in

USER visits hdfc.bank.in (different bank, same browser)
    │
    └─ Browser sends ALL .bank.in cookies:
       Cookie: _iidt=abc123; _vid_t=xyz789; WZRK_S_...=...
       │
       └─ HDFC page can now read these cookies via JS
          └─ Third-party scripts on HDFC can correlate:
             "Same visitor who was on sbi.bank.in"

5. Theoretical Privacy Harms

If a tracker successfully sets a .bank.in-scoped cookie, the following cross-bank profiling becomes possible:

| Harm | How It Works | Severity |
| --- | --- | --- |
| Cross-bank browsing profile | A single visitor ID cookie links all your bank visits (SBI, HDFC, ICICI, Axis) into one profile | High |
| Fintech credit inference | Visiting a bank known for personal loans → targeting you with debt products. Visiting multiple banks → tracked as "rate shopping" | High |
| Session hijacking surface | If any bank's site has an XSS, the attacker can read cookies set by other banks, because they're all scoped to .bank.in | Critical |
| Identity stitching | Ad-tech platforms can correlate device fingerprints across banking sessions where the user is authenticated, linking demographic data to browsing behaviour | High |
| Competitive intelligence | One bank can observe when a user browses a competitor's loan or credit card page, enabling real-time counter-offers in the same session | Medium |
| Fingerprinting amplification | Cookies combined with canvas/WebGL fingerprinting from each bank page create a richer, harder-to-evade cross-site fingerprint | High |
Important: These are theoretical harms at this stage. The point of the expedition below is to find evidence of actual abuse.

6. Trackers Observed on .bank.in Sites

A live scan of 13 domains revealed the following third-party tracking services actively running on .bank.in websites:

| Tracker | Type | Banks Using It | Cookie |
| --- | --- | --- | --- |
| Adobe Analytics / Audience Manager | Analytics, cross-site audience | ICICI, Axis, Kotak | AMCV_*, demdex.net (3rd-party) |
| Google Analytics 4 | Analytics | Most banks | _ga, _gid |
| VWO (Visual Website Optimizer) | A/B testing, visitor tracking | ICICI, IDFC First | _vwo_uuid, _vis_opt_s |
| WizRocket / CleverTap | Customer engagement, push | Axis | WZRK_S_* |
| Facebook Pixel | Ad targeting | Kotak, Federal, IndusInd, Bandhan | _fbp |
| Microsoft Clarity | Session recording, heatmaps | Axis | _clck, _clsk |
| LinkedIn Insight Tag | B2B ad targeting | Axis | Third-party pixel |
| Akamai Bot Manager | Bot detection (security) | ICICI | _abck, bm_sz |

Key observation: Every single cookie from these trackers is scoped to the bank-specific subdomain (e.g. .axis.bank.in, .icici.bank.in), not the bare .bank.in. This confirms the PSL entry is doing its job on modern browsers.

7. 🕵️ Expedition Findings: Live Scan Results (June 30, 2026)

We ran a systematic scan across 13 major bank domains using agent-browser (Chrome-based headless browser):

| Domain | Cookies Found | Trackers Detected | .bank.in Wide Cookies |
| --- | --- | --- | --- |
| sbi.bank.in | 9 | Session, GA4 | ✅ None |
| hdfc.bank.in | 0 | None (initial load) | ✅ None |
| icici.bank.in | 15 | Adobe (Analytics/Target/AAM), VWO | ✅ None |
| axis.bank.in | 20 | Adobe, CleverTap/WizRocket, Clarity, GTM, LinkedIn | ✅ None |
| kotak.bank.in | 14 | Adobe, Facebook Pixel, GTM | ✅ None |
| federal.bank.in | 9 | GA4, Facebook Pixel | ✅ None |
| indusind.bank.in | 7 | GA4, Facebook Pixel | ✅ None |
| idfcfirst.bank.in | 9 | VWO (A/B testing) | ✅ None |
| bandhan.bank.in | 7 | GA4, Facebook Pixel | ✅ None |
| canarabank.bank.in | 12 | GA4, Load Balancer (AWS) | ✅ None |
| au.bank.in | 3 | Cloudflare (bot/cookie challenge) | ✅ None |
| yesbank.bank.in | - | DNS does not resolve | N/A |
| pnbuat.bank.in | - | Invalid certificate (dev domain) | N/A |
Finding: Zero wide Domain=.bank.in cookies found across all tested domains. The PSL entry submitted by NIC.IN (Nov 2025) is working as intended on modern desktop browsers.

What about Kingsly's findings?

Kingsly found _iidt, _vid_t, and WZRK_S_... cookies scoped to .bank.in in Feb 2026, 3 months after the PSL entry. Possible explanations:

  1. Browser lag: Chrome/Edge/Firefox hadn't shipped the PSL update yet. PSL updates take 4-6 weeks to reach stable browser releases, and users on older versions may never receive them.
  2. Mobile WebView: Banking apps using embedded WebViews with ancient Chromium versions that don't receive PSL updates at all.
  3. The cookie was already scoped to the subdomain and Kingsly's observation was about what could happen, not the actual Domain attribute.

Key Insight: The tracker density is high but isolated

Every major bank has at least one marketing/analytics tracker on their .bank.in page. While cross-bank supercookies aren't currently active on desktop because of the PSL, the tracker ecosystem is primed for abuse if the PSL entry were missing or bypassed:

Expedition Methodology

  1. Open each *.bank.in domain in headless Chrome (agent-browser)
  2. Wait for full page load (CSS/JS execution complete)
  3. Dump all cookies with full metadata (domain, path, secure, httpOnly, sameSite)
  4. Identify any cookie with Domain=.bank.in (not bank-specific subdomain)
  5. Enumerate third-party scripts loaded from tracking/analytics domains

The automated scanner script has been saved to the repository at scripts/scan_bankin_cookies.py for regular re-runs.
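Steps 3 to 5 of the methodology can be re-run offline against the artefacts a headless-browser session leaves behind: a cookie dump with full metadata and the list of resource URLs each page loaded. The following is an added example written for this page; it is not the repository's scan_bankin_cookies.py and does not drive a browser. The cookie dump and resource list are constructed (including one deliberately planted .bank.in cookie so the wide-cookie check has something to find), the cookie-name signatures are taken from the table in section 6 and the names in section 4, and the mapping of script hosts to trackers is an assumption about the well-known hosts those services load from.

```python
"""Offline audit of a headless-browser cookie dump and resource list (steps 3-5
of the methodology). Added example, not the repository's scan_bankin_cookies.py.
Sample data is constructed; cookie signatures come from sections 4 and 6 of the
article; SCRIPT_HOSTS is an assumption about well-known tracker script hosts."""
import re
from urllib.parse import urlsplit

# Constructed cookie dump in the shape of step 3 (one record per cookie). The
# .bank.in record on sbi.bank.in is planted so the wide-cookie check has a hit.
SAMPLE_COOKIES = [
    {"page": "axis.bank.in", "name": "WZRK_S_demo", "domain": ".axis.bank.in", "path": "/", "secure": True, "httpOnly": False, "sameSite": "Lax"},
    {"page": "axis.bank.in", "name": "_clck", "domain": ".axis.bank.in", "path": "/", "secure": True, "httpOnly": False, "sameSite": "None"},
    {"page": "icici.bank.in", "name": "AMCV_demo", "domain": ".icici.bank.in", "path": "/", "secure": True, "httpOnly": False, "sameSite": "None"},
    {"page": "icici.bank.in", "name": "_abck", "domain": ".icici.bank.in", "path": "/", "secure": True, "httpOnly": False, "sameSite": "None"},
    {"page": "icici.bank.in", "name": "JSESSIONID", "domain": "icici.bank.in", "path": "/", "secure": False, "httpOnly": True, "sameSite": "Lax"},
    {"page": "sbi.bank.in", "name": "_iidt", "domain": ".bank.in", "path": "/", "secure": True, "httpOnly": False, "sameSite": "None"},
]

# Constructed resource list in the shape of step 5: (page host, URL loaded).
SAMPLE_RESOURCES = [
    ("axis.bank.in", "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"),
    ("axis.bank.in", "https://www.clarity.ms/tag/PLACEHOLDER"),
    ("axis.bank.in", "https://axis.bank.in/static/app.js"),
    ("icici.bank.in", "https://dev.visualwebsiteoptimizer.com/j.php?a=PLACEHOLDER"),
    ("kotak.bank.in", "https://connect.facebook.net/en_US/fbevents.js"),
]

# Cookie-name signatures from the section 6 table and the section 4 names.
COOKIE_SIGNATURES = [
    (re.compile(r"^AMCV_"), "Adobe Analytics / Audience Manager"),
    (re.compile(r"^_ga$|^_gid$"), "Google Analytics 4"),
    (re.compile(r"^_vwo_uuid$|^_vis_opt_"), "VWO"),
    (re.compile(r"^WZRK_S_"), "CleverTap / WizRocket"),
    (re.compile(r"^_fbp$"), "Facebook Pixel"),
    (re.compile(r"^_clck$|^_clsk$"), "Microsoft Clarity"),
    (re.compile(r"^_abck$|^bm_sz$"), "Akamai Bot Manager"),
    (re.compile(r"^_iidt$|^_vid_t$"), "Unattributed visitor ID (section 4)"),
]

# Assumption: well-known script hosts for the trackers named in section 6.
SCRIPT_HOSTS = {
    "googletagmanager.com": "Google Tag Manager / GA4",
    "clarity.ms": "Microsoft Clarity",
    "visualwebsiteoptimizer.com": "VWO",
    "facebook.net": "Facebook Pixel",
    "demdex.net": "Adobe Audience Manager",
    "clevertap.com": "CleverTap / WizRocket",
    "licdn.com": "LinkedIn Insight Tag",
}


def is_wide(cookie):
    """Step 4: true when the cookie is scoped to bare bank.in, not a bank subdomain."""
    return cookie["domain"].lstrip(".").lower() == "bank.in"


def identify_cookie(name):
    for pattern, tracker in COOKIE_SIGNATURES:
        if pattern.search(name):
            return tracker
    return None


def identify_script(url, page_host):
    """None for first-party scripts, a tracker name for known hosts, else 'unknown third party'."""
    host = (urlsplit(url).hostname or "").lower()
    if host == page_host or host.endswith("." + page_host):
        return None
    for suffix, tracker in SCRIPT_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return tracker
    return "unknown third party"


def audit(cookies, resources):
    """Per-page summary: cookie count, wide cookies, cookies missing Secure, trackers seen."""
    report = {}

    def entry(page):
        return report.setdefault(page, {"cookies": 0, "wide": [], "not_secure": [], "trackers": set()})

    for c in cookies:
        e = entry(c["page"])
        e["cookies"] += 1
        if is_wide(c):
            e["wide"].append(c["name"])
        if not c["secure"]:
            e["not_secure"].append(c["name"])
        tracker = identify_cookie(c["name"])
        if tracker:
            e["trackers"].add(tracker)
    for page, url in resources:
        tracker = identify_script(url, page)
        if tracker:
            entry(page)["trackers"].add(tracker)
    return report


def wide_cookies(report):
    """The headline check: (page, cookie name) pairs scoped to .bank.in."""
    return sorted((page, name) for page, e in report.items() for name in e["wide"])


if __name__ == "__main__":
    result = audit(SAMPLE_COOKIES, SAMPLE_RESOURCES)
    for page in sorted(result):
        print(page, result[page]["cookies"], sorted(result[page]["trackers"]), "wide:", result[page]["wide"] or "none")
    print("wide .bank.in cookies:", wide_cookies(result) or "none")
```

Feeding a real dump through audit() reproduces the two findings in this section: the wide-cookie list should stay empty on a browser that ships the Nov 2025 PSL, while the per-page tracker sets make the "high but isolated" tracker density visible at a glance. The not_secure list is a cheap extra the same dump supports, since step 3 already records the Secure flag.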

CashlessConsumer

A consumer collective that tracks the digital payments industry in India, producing awareness resources, technical analysis, open data, and policy inputs toward a fair cashless society.