When you see the lock icon to the left of a website’s URL in the Address and Search bar in Safari, you assume the site is secure. That may be nice for any site you visit, but it’s particularly critical for ones you use for banking, bill payment, and other financial purposes.
You may find, however, that after updating Safari or macOS you can longer get features on a financial site to work. That appears to be due to poor security practices at some institutions, maybe owing to them licensing the same server software to handle their customers’ needs.
The issue here is typically “ cross-site tracking,” which relies on passive linking among different sites. That can be as simple as an invisible single-pixel image placed on a webpage that is linked from another site. When you load a page from the first-party site (the site’s operator), the third-party image is loaded and information about you can be sent there. When that same one-pixel image appears in your browser on another site, that other party can track your behavior across sites.
IDGBlocking cross-site tracking broke some banking and financial sites, at least briefly.
Apple has increasingly clamped down on tracking through advertising links and clicks and these sorts of pixels. In the latest major update of macOS, iOS, and iPadOS, Safari imposed stricter protections than previously on tracking and cookies. That broke some financial sites in how they handed off certain operations, like bill pay, to other parties through their sites.
It’s unclear to me why you would rely on an embedded piece of tracking to be part of your system. All major browsers have increasingly locked down methods used to both overtly and surreptitiously track users across sites and sessions. Instead of embedding something in a page, sites that need to hand off account activity perform a secure hidden server-to-server connection, allowing a user to click through and have their session authenticated.
A number of banks and others posted about this problem when Safari 13.0.4 for macOS came out in December, although it apparently effected a version of iOS and iPadOS in an update around the same. Settings and behavior in that release apparently were overzealous in preventing some innocuous uses. Reports indicate that 13.1 for macOS and a later release for iPhone and iPad fixed the problem.
If you still find yourself unable to use a financial site’s features with current releases, you can see if cross-site scripting is the problem. Here are the instructions for macOS Safari.
Choose Safari > Preferences > Privacy.
Uncheck Prevent Cross-Site Tracking.
Load the site and attempt to carry out your business.
When complete, return to the preference and check the Prevent Cross-Site Tracking box.
The same setting is available in iOS and iPadOS in Settings > Safari.
This Mac 911 article is in response to a question submitted by Macworld reader David.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com including screen captures as appropriate, and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.
Author: Glenn Fleishman, Senior Contributor
Glenn Fleishman’s most recent books include Take Control of iOS and iPadOS Privacy and Security, Take Control of Calendar and Reminders, and Take Control of Securing Your Mac. In his spare time, he writes about printing and type history. He’s a senior contributor to Macworld, where he writes Mac 911.