blacklisted more Tor-hostile banks

cyberMonk 2021-05-14 14:50:35 -04:00
parent b01cacfc67
commit b0dcc50577
1 changed files with 10 additions and 12 deletions

@ -38,35 +38,33 @@ their customers to the privacy and netneutrality
| ***Financial institution*** | ***Values-based network*** | ***Blocks Tor*** | ***CloudFlared login page*** | ***hCAPTCHA*** | ***Locations*** | ***Notes*** |
|--|--|--|--|--|--|--|
| [Beneficial State Bank](https://www.beneficialstatebank.com) | [B Corp](https://bcorporation.net/directory/beneficial-state-bank), [GABV](http://www.gabv.org/members/beneficial-state-bank), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx), [UNEPFI](https://www.unepfi.org/banking/bankingprinciples/signatories), [Just.](http://justorganizations.com/node/45) || 👁 | y | California, Oregon, Washington| They [claim](https://beneficialstatebank.com/web-accessibility): "we have taken definitive steps to follow Web Content and Accessibility Guidelines (WCAG)," but their CloudFlared login portal imposes an hCAPTCHA which violates WCAG. BSB admits in their [privacy policy](https://beneficialstatebank.com/uploads/files/BSB-Consumer-Privacy-Act-CCPA-Privacy-Notice-Current-6.4.2020.pdf#page=2) that they collect your IP address to track your geoloctation. They also vaguely state that they share your sensitive information with third parties, but they do not name the third parties (thus sharing with CloudFlare, Inc. is concealed). The landing page is not CloudFlared, but the login page (xvault.beneficialstatebank.com) is, which enables CloudFlare to eavesdrop on your banking. |
| [Beneficial State Bank](https://www.beneficialstatebank.com) | [B Corp](https://bcorporation.net/directory/beneficial-state-bank), [GABV](http://www.gabv.org/members/beneficial-state-bank), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx), [UNEPFI](https://www.unepfi.org/banking/bankingprinciples/signatories), [Just.](http://justorganizations.com/node/45) || 👁 | n (previously yes) | California, Oregon, Washington| They incorrectly [claimed](https://beneficialstatebank.com/web-accessibility): "we have taken definitive steps to follow Web Content and Accessibility Guidelines (WCAG)" when their Cloudflared login portal imposed an hCAPTCHA, which violated WCAG but they no longer push the hCAPTCHA. BSB admits in their [privacy policy](https://beneficialstatebank.com/uploads/files/BSB-Consumer-Privacy-Act-CCPA-Privacy-Notice-Current-6.4.2020.pdf#page=2) that they collect your IP address to track your geoloctation. They also vaguely state that they share your sensitive information with third parties, but they do not name the third parties (thus sharing with CloudFlare, Inc. is concealed). The landing page is not CloudFlared, but the login page (xvault.beneficialstatebank.com) is, which enables CloudFlare to eavesdrop on your banking. |
| [Brattleboro Savings & Loan](https://www.brattbank.com) | [B Corp](https://bcorporation.net/directory/brattleboro-savings-loan) | 👁 ||| Vermont | Sales site permits Tor but [transactional site](https://www.brattbankonline.com) blocks Tor. |
| [City First Bank of DC](https://www.cityfirstbank.com) | [B Corp](https://bcorporation.net/directory/city-first-bank), [GABV](http://www.gabv.org/members/city-first-bank), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) | 👁 ||| Washington, D.C., Southern CA (worldwide charter) | Sales site permits Tor but [transactional site](https://olb.cityfirstbank.com) blocks Tor. Online application [available](https://www.cityfirstbank.com/sites/default/modules/ckeditor/ckfinder/userfiles/files/PersonalAccount.pdf), so perhaps it's open to out-of-state clients. Recent merger with a bank in Southern California. |
| [Clearwater Credit Union](http://web.archive.org/web/www.clearwatercreditunion.org) | [GABV](http://www.gabv.org/members/clearwater-credit-union), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) || 👁 | y | ? | hCAPTCHA is pushed by CloudFlare and thus triggered unpredictably. Their [vague privacy policy](https://web.archive.org/web/20201027053008/https://clearwatercreditunion.org/privacy-security-policy) conceals the fact that they share all web traffic with CloudFlare, Inc. |
| [Decorah Bank & Trust Company](https://web.archive.org/web/www.decorahbank.com) | [GABV](http://www.gabv.org/members/decorah-bank-trust-company) || 👁 || Iowa | Their [privacy policy](https://www.decorahbank.com/legal-information/privacy-policy) lies. Since CloudFlare sees all traffic, these are false statements: "we will not give your data to third parties without your permission."; "you will never be required to give information to a third party supplier." |
| [First Green Bank](https://web.archive.org/web/www.firstgreenbank.com) | ~~B Corp~~, [GABV](http://gabv.org) || 👁 | y | Florida | A 3rd party site said they were B Corp listed, but they aren't listed on the B Corp site. hCAPTCHA is pushed by CloudFlare and thus triggered unpredictably. They don't even have a proper privacy policy, but their "[privacy commitment](https://web.archive.org/web/20201129095019/https://www.firstgreenbank.com/privacy-commitment)" statement conceals the fact that all web traffic is shared with CloudFlare, Inc. |
| [Lead Bank](https://lead.bank) | [GABV](http://www.gabv.org/members/lead-bank) | 👁 ||| Missouri | Sales site **Amazon AWS-hosted**; [transactional site](https://retailonline.fiservapps.com) blocks Tor; paper statements are $5 but they say they're willing to email statements if the website stops working for a customer's browser; online reg. open to out-of-state residents; [Moneypass ATMs](https://www.moneypass.com/atm-locator.html) |
| [Mascoma Savings Bank](http://www.mascomabank.com/) | [B Corp](https://bcorporation.net/directory/mascoma-bank) | 👁 || ? | New Hampshire, Vermont |||
| [Missoula Federal Credit Union](https://web.archive.org/web/missoulafcu.org/) | ~~[GABV](http://gabv.org/the-community/members/banks)~~, ~~CDFI~~ || 👁 | y | Montana | A 3rd party site said they were a GABV member, but they aren't listed on the GABV site. They also don't exist in the [CDFI spreadsheet](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) |
| [National Cooperative Bank](http://www.ncb.coop) | [GABV](http://www.gabv.org/members/national-cooperative-bank) | 👁 | 👁 | y | ? | hCAPTCHA pushed to Tor users (untested for non-Tor users) |
| [Piscataqua Savings Bank](https://piscataqua.com) | [B Corp](https://bcorporation.net/directory/piscataqua-savings-bank) | 👁 ||| New Hampshire | Sales site **Amazon AWS-hosted**; [transactional site](https://web13.secureinternetbank.com) blocks Tor; online reg. open to out-of-state residents |
| [Southern Bancorp](https://banksouthern.com/) | [B Corp](https://bcorporation.net/directory/southern-bancorp-inc), [GABV](http://www.gabv.org/members/southern-bancorp), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) || 👁 || Arkansas, Mississippi | **Google Cloud-hosted**; The landing page is not cloudflared, but the [login page](https://xvault.banksouthern.com) is, which enables Cloudflare to eavesdrop on your banking. |
| [Spring Bank](https://springbankny.com/) | [B Corp](https://bcorporation.net/directory/spring-bank), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) | 👁 ||| New York | Website down in Jan. 2021; up when checked in May 2021. Sales site permits Tor but [transactional site](https://retailonline.fiservapps.com) blocks Tor.|
| [Sunrise Banks](https://sunrisebanks.com) | [B Corp](https://bcorporation.net/directory/sunrise-banks), [GABV](http://www.gabv.org/members/sunrise-community-banks), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) | 👁 ||| Minnesota | **Google Cloud-hosted** Sales site permits Tor but [transactional site](https://online.sunrisebanks.com) blocks Tor. |
| [VCC Bank](http://www.vacommunitycapital.org/invest/products/) | [B Corp](https://bcorporation.net/directory/virginia-community-capital), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) | 👁 ||| Virginia | Sales site permits Tor but [transactional site](https://retailonline.fiservapps.com) blocks Tor. [Non-profit](https://www.vacommunitycapital.org/about/frequently-asked-questions); Fastly-hosted; checking, savings, money markets, but no debit cards or ATMs; there is an online application, so perhaps it's open to out-of-state clients. |
| [VSECU (Vermont State Employees Credit Union)](https://www.vsecu.com/) | [GABV](http://www.gabv.org/members/vermont-state-employees-credit-union-vsecu-usa) | 👁 | 👁 || Vermont | Sales site permits Tor but [transactional site](https://online.vsecu.com) is Cloudflared and blocks Tor. Vermont residents only, generally, with [some exceptions](https://www.vsecu.com/about/membership/join). |
| [Verity Credit Union](https://www.veritycu.com) | [GABV](http://www.gabv.org/members/verity-credit-union) | 👁 ||| Washington | **Amazon AWS-hosted**; was MitMd by CloudFlare in the past but not when last checked on Feb. and May 2021. Sales site permits Tor but [transactional site](https://secure.veritycu.com) blocks Tor. |
| [VSECU (Vermont State Employees Credit Union)](https://www.vsecu.com/) | [GABV](http://www.gabv.org/members/vermont-state-employees-credit-union-vsecu-usa) | 👁 | 👁 | n (Tor-block is absolute) | Vermont | Sales site permits Tor but [transactional site](https://online.vsecu.com) is Cloudflared and blocks Tor. Vermont residents only, generally, with [some exceptions](https://www.vsecu.com/about/membership/join). |
## Graylisted banks
These banks are endorsed by a values-based network, but they outsource
hosting to an unethical and untrustworthy tech giant. Exceptionally,
New Resource Bank is also listed here because endorsements by B Corp
and GABV seem to have been dropped.
hosting to an unethical and untrustworthy tech giant.
| ***Financial institution*** | ***Values-based network*** | ***Locations*** | ***Notes*** |
|--|--|--|--|
| [Aspiration](https://www.aspiration.com/) | [B Corp](https://bcorporation.net/directory/aspiration) | *N/A* (online only) | **Amazon AWS-hosted**; blog.aspiration.com is a CloudFlare site; login page previously blocked Tor, but not when checked in Jan. 2021; it will go back to the blacklist if found to block Tor in the future. |
| [Lead Bank](https://lead.bank) | [GABV](http://www.gabv.org/members/lead-bank) | Missouri | Paper statements are $5, but they say they're willing to email statements if the website stops working for a customer's browser; **Amazon AWS-hosted**; online reg. open to out-of-state residents; [Moneypass ATMs](https://www.moneypass.com/atm-locator.html) |
| [New Resource Bank](https://newresourcebank.com/) | ~~B Corp~~, ~~[GABV](http://gabv.org/the-community/members/banks)~~ | California | A 3rd party site said they were both B Corp listed and a GABV member, but they aren't listed on either site. Website also harasses Tor users about having a clock that's ahead and it uses CloudFlare NS servers which means they can spontaneously start proxying through CloudFlare with ease. |
| [Piscataqua Savings Bank](https://piscataqua.com) | [B Corp](https://bcorporation.net/directory/piscataqua-savings-bank) | New Hampshire | **Amazon AWS-hosted**; online reg. open to out-of-state residents |
| [Southern Bancorp](https://banksouthern.com/) | [B Corp](https://bcorporation.net/directory/southern-bancorp-inc), [GABV](http://www.gabv.org/members/southern-bancorp), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) | Arkansas, Mississippi | **Google Cloud-hosted**; uses CloudFlare NS servers which means they can spontaneously start proxying through CloudFlare with ease. |
| [Sunrise Banks](https://sunrisebanks.com) | [B Corp](https://bcorporation.net/directory/sunrise-banks), [GABV](http://www.gabv.org/members/sunrise-community-banks), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) | Minnesota | **Google Cloud-hosted** |
| [Verity Credit Union](https://www.veritycu.com) | [GABV](http://www.gabv.org/members/verity-credit-union) | Washington | **Amazon AWS-hosted**; was MitMd by CloudFlare in the past but not when last checked on Feb.2021. |
| [Aspiration](https://www.aspiration.com/) | [B Corp](https://bcorporation.net/directory/aspiration) | *N/A* (online only) | Sales and transactional sites are both **Amazon AWS-hosted**; blog.aspiration.com is a CloudFlare site; login page previously blocked Tor, but not when checked in Jan. 2021; it will go back to the blacklist if found to block Tor in the future. |
| ~~[New Resource Bank](https://newresourcebank.com/)~~ | ~~B Corp~~, ~~[GABV](http://gabv.org/the-community/members/banks)~~ | ~~California | A 3rd party site said they were both B Corp listed and a GABV member, but they aren't listed on either site. Website also harasses Tor users about having a clock that's ahead and it uses CloudFlare NS servers which means they can spontaneously start proxying through CloudFlare with ease.~~ As of May 2021, it redirects to Amalgamated Bank. |
## Whitelist: relatively ethical banks
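
Review bot: In the replacement New Resource Bank row, the strikethrough opens at `~~California` in the Locations cell and closes after `with ease.~~` in the Notes cell, so it crosses a `|` cell boundary; table cells are split on pipes before inline markup is parsed, so neither cell will render as struck text. Close and reopen the `~~` inside each cell. Smaller points in the same hunk: the rewritten Beneficial State Bank row still carries the typo "geoloctation"; the Lead Bank, Spring Bank and VCC Bank rows all link their "transactional site" to the same https://retailonline.fiservapps.com host, so the Notes should say that the Tor block was observed on that shared host rather than on a bank-specific portal; and the Sunrise Banks row drops the `;` after **Google Cloud-hosted** that the neighbouring rows use.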