A domain suffix designed to be a trust anchor, telling citizens "this website is genuinely your bank", can accidentally become a cross-bank tracking surface when the browser doesn't know that sbi.bank.in and hdfc.bank.in should be treated as separate sites.
This page documents the browser cookie mechanics, the Public Suffix List fix that already exists, the gap that remains in practice, what Kingsly J discovered in Feb 2026, and an expedition plan to find real-world abuses.
The Public Suffix List (PSL) is a machine-readable catalogue that tells browsers which domain suffixes belong to a registry, so cookie.example.co.uk and other.example.co.uk can't read each other's cookies.
Without a PSL entry for bank.in, the browser treats it as a "private domain":
The mechanic is simple: any cookie set with Domain=.bank.in by one bank will be sent to every *.bank.in domain the user visits. This means:
During our research for this page, we discovered that bank.in is already on the Public Suffix List.
It was added via PR #2603, "add bank.in and fin.in to the public suffix list", submitted by Gaurav Kansal (NIC.IN), the .in registry operator, on 2025-11-06 and merged the same day by PSL maintainer Simon Friedberger.
This was part of the broader update by NIXI/NIC.IN to bring all official .in second-level domains onto the PSL, covering bank.in, fin.in, ac.in, gov.in, edu.in, and others added in the same batch (PR #1588, then PR #2603).
NIC.IN, the .in registry operator, already handled this. RBI/IDRBT are not the right party: the PSL submission is the registry's responsibility, and it was done by NIC.IN (the registry for .in), not RBI. So no PR is needed from us; it's done.

Adding bank.in to the PSL repository is necessary but not sufficient. Here's why the risk persists:
The PSL is shipped with browser releases. Chrome picks up PSL changes on its release cycle (every ~4-6 weeks); Firefox ships it with each release (~4 weeks). Safari and mobile WebViews update on their own cadence. A user running a 3-month-old browser in Feb 2026 would not have the Nov 2025 PSL update.
Many Indian apps (banking apps, UPI apps, fintech) use embedded WebViews to render bank pages. These WebViews often use a bundled Chromium WebView that may not receive PSL updates for months or years. An SBI YONO app WebView from early 2025 would never know about bank.in on the PSL.
The most dangerous vector: if any .bank.in site loads a third-party script (analytics, ad network, fraud detection, support widget), that script can set Domain=.bank.in cookies. Since browsers without the PSL update see bank.in as a single "site," the third-party can correlate user behaviour across SBI, HDFC, ICICI, and all other banks.
Kingsly's finding is significant because:
```text
USER visits sbi.bank.in
  │
  ├─ SBI page loads
  │   └─ Third-party script (analytics/marketing) sets:
  │        Set-Cookie: _iidt=abc123; Domain=.bank.in
  │        Set-Cookie: _vid_t=xyz789; Domain=.bank.in
  │        Set-Cookie: WZRK_S_...=...; Domain=.bank.in
  │
  └─ Cookie stored for .bank.in

USER visits hdfc.bank.in (different bank, same browser)
  │
  ├─ Browser sends ALL .bank.in cookies:
  │    Cookie: _iidt=abc123; _vid_t=xyz789; WZRK_S_...=...
  │
  ├─ HDFC page can now read these cookies via JS
  └─ Third-party scripts on HDFC can correlate:
       "Same visitor who was on sbi.bank.in"
```
If a tracker successfully sets a .bank.in-scoped cookie, the following cross-bank profiling becomes possible:
| Harm | How It Works | Severity |
|---|---|---|
| Cross-bank browsing profile | A single visitor ID cookie links all your bank visits (SBI, HDFC, ICICI, Axis) into one profile | High |
| Fintech credit inference | Visiting a bank known for personal loans → targeted with debt products. Visiting multiple banks → tracked as "rate shopping" | High |
| Session hijacking surface | If any bank's site has an XSS, the attacker can read cookies set by other banks, because they're all scoped to .bank.in | Critical |
| Identity stitching | Ad-tech platforms can correlate device fingerprints across banking sessions where the user is authenticated, linking demographic data to browsing behaviour | High |
| Competitive intelligence | One bank can observe when a user browses a competitor's loan or credit card page, enabling real-time counter-offers in the same session | Medium |
| Fingerprinting amplification | Cookies combined with canvas/WebGL fingerprinting from each bank page create a richer, harder-to-evade cross-site fingerprint | High |
A live scan of 13 domains revealed the following third-party tracking services actively running on .bank.in websites:
| Tracker | Type | Banks Using It | Cookie |
|---|---|---|---|
| Adobe Analytics / Audience Manager | Analytics, cross-site audience | ICICI, Axis, Kotak | AMCV_*, demdex.net (3rd-party) |
| Google Analytics 4 | Analytics | Most banks | _ga, _gid |
| VWO (Visual Website Optimizer) | A/B testing, visitor tracking | ICICI, IDFC First | _vwo_uuid, _vis_opt_s |
| WizRocket / CleverTap | Customer engagement, push | Axis | WZRK_S_* |
| Facebook Pixel | Ad targeting | Kotak, Federal, IndusInd, Bandhan | _fbp |
| Microsoft Clarity | Session recording, heatmaps | Axis | _clck, _clsk |
| LinkedIn Insight Tag | B2B ad targeting | Axis | Third-party pixel |
| Akamai Bot Manager | Bot detection (security) | ICICI | _abck, bm_sz |
Key observation: Every single cookie from these trackers is scoped to the bank-specific subdomain (e.g. .axis.bank.in, .icici.bank.in), not the bare .bank.in. This confirms the PSL entry is doing its job on modern browsers.
We ran a systematic scan across 13 major bank domains using agent-browser (Chrome-based headless browser):
| Domain | Cookies Found | Trackers Detected | .bank.in Wide Cookies |
|---|---|---|---|
| sbi.bank.in | 9 | Session, GA4 | None |
| hdfc.bank.in | 0 | None (initial load) | None |
| icici.bank.in | 15 | Adobe (Analytics/Target/AAM), VWO | None |
| axis.bank.in | 20 | Adobe, CleverTap/WizRocket, Clarity, GTM, LinkedIn | None |
| kotak.bank.in | 14 | Adobe, Facebook Pixel, GTM | None |
| federal.bank.in | 9 | GA4, Facebook Pixel | None |
| indusind.bank.in | 7 | GA4, Facebook Pixel | None |
| idfcfirst.bank.in | 9 | VWO (A/B testing) | None |
| bandhan.bank.in | 7 | GA4, Facebook Pixel | None |
| canarabank.bank.in | 12 | GA4, Load Balancer (AWS) | None |
| au.bank.in | 3 | Cloudflare (bot/cookie challenge) | None |
| yesbank.bank.in | n/a | DNS does not resolve | N/A |
| pnbuat.bank.in | n/a | Invalid certificate (dev domain) | N/A |
Kingsly found _iidt, _vid_t, and WZRK_S_... cookies scoped to .bank.in in Feb 2026, 3 months after the PSL entry. Possible explanations:
Every major bank has at least one marketing/analytics tracker on its .bank.in page. While cross-bank supercookies aren't currently active on desktop because of the PSL, the tracker ecosystem is primed for abuse if the PSL entry were missing or bypassed:
The automated scanner script has been saved to the repository at scripts/scan_bankin_cookies.py for regular re-runs.
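The following is an added example, not the repository's scanner script: it emulates the browser-side scoping rules described above, classifying captured Set-Cookie headers as host-only, site-scoped, rejected, or cross-site (stored on a public suffix, so every *.bank.in host would receive them). The two PSL snapshots and the sample headers are constructed; running the same capture against PSL_STALE shows what an out-of-date browser or bundled WebView would store.

```python
# Constructed PSL snapshots: with bank.in (after PR #2603) and without it,
# standing in for a stale browser or a bundled WebView.
PSL_CURRENT = {"in", "co.in", "bank.in", "fin.in"}
PSL_STALE = {"in", "co.in"}

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def domain_accepted(request_host, cookie_domain, psl):
    """RFC 6265 section 5.3: Domain must domain-match the request host, and
    a Domain that is a public suffix is ignored unless it equals the host."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    if not (host == dom or host.endswith("." + dom)):
        return False
    if dom in psl:
        return host == dom  # stored as a host-only cookie in that case
    return True

def classify(request_host, headers, psl):
    """Map cookie name -> host-only / site / rejected / cross-site (suffix-wide)."""
    result = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        dom = attrs.get("domain", "").lower().lstrip(".")
        if not dom:
            result[name] = "host-only"
        elif not domain_accepted(request_host, dom, psl):
            result[name] = "rejected"
        elif dom in PSL_CURRENT and dom != request_host.lower():
            result[name] = "cross-site"  # this client would share it across banks
        else:
            result[name] = "site"
    return result

# Constructed capture mirroring the cookie names reported on the page.
SAMPLE_HEADERS = [
    "JSESSIONID=8f2c1; Path=/; Secure; HttpOnly",
    "_ga=GA1.1.555; Domain=.sbi.bank.in; Path=/; Max-Age=63072000",
    "_iidt=abc123; Domain=.bank.in; Path=/; Secure; SameSite=None",
    "WZRK_S_demo=1; Domain=.bank.in; Path=/",
    "_fbp=fb.1.1; Domain=.other.bank.in; Path=/",
]
```

Calling `classify("sbi.bank.in", SAMPLE_HEADERS, PSL_CURRENT)` rejects the two .bank.in cookies, while the same call with PSL_STALE stores both as cross-site.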
A consumer collective that tracks the digital payments industry in India, producing awareness resources, technical analysis, open data, and policy inputs toward a fair cashless society.