How to get bill-pay and financial sites to work in Safari

Is your bank, credit-union, or credit-card site not working? They may be using an insecure approach.


When you see the lock icon to the left of a website’s URL in the Address and Search bar in Safari, you assume the site is secure. That may be nice for any site you visit, but it’s particularly critical for ones you use for banking, bill payment, and other financial purposes.

You may find, however, that after updating Safari or macOS you can no longer get features on a financial site to work. That appears to be due to poor security practices at some institutions, maybe owing to them licensing the same server software to handle their customers’ needs.

The issue here is typically “cross-site tracking,” which relies on passive linking among different sites. That can be as simple as an invisible single-pixel image placed on a webpage that is linked from another site. When you load a page from the first-party site (the site’s operator), the third-party image is loaded and information about you can be sent there. When that same one-pixel image appears in your browser on another site, that other party can track your behavior across sites.


Blocking cross-site tracking broke some banking and financial sites, at least briefly.

Apple has increasingly clamped down on tracking through advertising links and clicks and these sorts of pixels. In the latest major update of macOS, iOS, and iPadOS, Safari imposed stricter protections than previously on tracking and cookies. That broke some financial sites in how they handed off certain operations, like bill pay, to other parties through their sites.

It’s unclear to me why you would rely on an embedded piece of tracking to be part of your system. All major browsers have increasingly locked down methods used to both overtly and surreptitiously track users across sites and sessions. Instead of embedding something in a page, sites that need to hand off account activity perform a secure hidden server-to-server connection, allowing a user to click through and have their session authenticated.
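The handoff described above can be sketched as follows. This is an added example, not code from any bank or from Safari: the class, function names, the `billpay.example` URL, the shared key and the 60-second lifetime are all assumptions. The bank's server registers the handoff with the provider over a back channel, and the browser only carries a short-lived, single-use code in a top-level navigation, so no third-party cookie or embedded resource is needed.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 60  # seconds a handoff code stays valid (assumed value)


def sign(key: bytes, account_id: str, expires_at: int) -> str:
    """MAC over the back-channel request so the provider knows the bank sent it."""
    msg = f"{account_id}|{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class BillPayProvider:
    """Hypothetical third party; pending handoffs live on its server only."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = {}  # code -> (account_id, expires_at)

    def register_handoff(self, account_id: str, expires_at: int, mac: str) -> str:
        # Server-to-server call from the bank; the browser never sees it.
        if not hmac.compare_digest(mac, sign(self._key, account_id, expires_at)):
            raise PermissionError("back-channel request not signed by the bank")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (account_id, expires_at)
        return code

    def redeem(self, code: str, now: float):
        # Browser arrives by top-level navigation; the code is single use.
        account_id, expires_at = self._pending.pop(code, (None, 0))
        if account_id is None or now > expires_at:
            return None
        # The provider would now set its own first-party session cookie.
        return {"account_id": account_id, "session": secrets.token_urlsafe(32)}


def bank_start_handoff(provider: BillPayProvider, key: bytes,
                       account_id: str, now: float) -> str:
    """Bank backend: register the handoff, return the URL to redirect the user to."""
    expires_at = int(now) + CODE_TTL
    code = provider.register_handoff(account_id, expires_at,
                                     sign(key, account_id, expires_at))
    return f"https://billpay.example/start?code={code}"
```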

A number of banks and others posted about this problem when Safari 13.0.4 for macOS came out in December, although it apparently affected a version of iOS and iPadOS in an update around the same time. Settings and behavior in that release apparently were overzealous in preventing some innocuous uses. Reports indicate that 13.1 for macOS and a later release for iPhone and iPad fixed the problem.

If you still find yourself unable to use a financial site’s features with current releases, you can see if cross-site tracking prevention is the problem. Here are the instructions for macOS Safari.

  1. Choose Safari > Preferences > Privacy.

  2. Uncheck Prevent Cross-Site Tracking.

  3. Load the site and attempt to carry out your business.

  4. When complete, return to the preference and check the Prevent Cross-Site Tracking box.

The same setting is available in iOS and iPadOS in Settings > Safari.

This Mac 911 article is in response to a question submitted by Macworld reader David.
