Hacker News

That's not how email works

212 points by HotGarbage today at 6:12 PM | 133 comments

Comments

jackfranklyn today at 8:06 PM

The http:// thing is what stands out to me. Someone had to actively choose to serve content over http in 2026. Even if the original template was ancient, any security review would have caught that - unless they skipped that step entirely, which honestly tracks.

I work with banking data day to day and the internal systems are often just as rough. CSV exports with inconsistent date formats between the same bank's own products. Transaction descriptions that are random truncated strings with no standardisation. Every bank formats their statements differently and some of them can't even stay consistent between their own account types.

You'd think with the regulatory pressure around data accuracy this stuff would be sorted by now. But the reality is most banks treat their digital infrastructure like legacy plumbing - it works well enough that nobody wants to risk touching it.

nickname-derail today at 6:55 PM

NAB Australia does exactly the same thing. Unless I "load remote images" when I receive their emails, they'll start mailing letters saying that they switched me to paper statements as their emails are not going through. It also took me a bit to investigate as their emails were obviously coming through.

63stack today at 7:02 PM

So what do you think, what's happening here?

My experience with IT in banks is that this entire "feature" of tracking who's opening/not opening emails must have gone through about 50 people, and it must have taken at least a year from the idea forming in someone's head, going through all the administrative bureaucracy, getting approved, developed, tested, and rolled out.

Is it that HSBC has 0 competent people who could have mentioned that "tracking pixels are unreliable, especially in 2025/26"? Or is it that everybody who mentioned this was overruled by middle/upper management because they know better? What about the http:// part? I imagine there must have been a few developers saying we should not be serving anything under http://.

esskay today at 7:48 PM

All sounds about right for HSBC. They've got some of the worst banking tech in existence. How the heck anyone puts up with their crap is beyond me, I moved away a decade ago but still have a close family member with them and they're forever having issues (genuinely not user error) with the crippled online banking app they've got that looks like something from the early days of app development.

anonymousiam today at 8:39 PM

Years ago, I used to get marketing spam emails from Bank of America. In their email, they did not offer a way to opt out from those types of email, so I invalidated the unique email address that I had created just for them. A few months later, I got a snail mail letter like the one Dan got, telling me that emails were being rejected and that I needed to correct my email address. I went through the same sort of nonsensical dialog with them, and they simply would not let me opt out from their marketing emails, so I left it disabled for a few years. Eventually they offered "email preferences", so I re-enabled it.

My wife continues to get spam snail mail from Citi, and they offer no way to opt out. If it was my account, I would switch banks.

Back to the main topic: I think it's pretty stupid of the HSBC IT folks to assume that an email was not read because the tracking pixels were never accessed. Lots of email clients these days do not load images by default.

loloquwowndueo today at 6:42 PM

Want them to really listen to you? Cancel your accounts - move to another bank.

This works well as a bluff, but of course you need to be ready to follow through in case they call the bluff. Which if you are, you may as well switch banks for real anyway.

Dwedit today at 7:28 PM

Gmail automatically downloads images ahead of time, so the tracking pixels will have been fetched by Gmail themselves regardless of when the user opens the email.

zzyzxd today at 7:01 PM

Capital One does this to me as well, but at least they make it clear so I actually understand what they mean ("You haven't opened an email from us lately...").

It's fine, Capital One. I did open your emails, I just didn't load your shady tracking pixels.

bmenrich today at 7:27 PM

Charles Schwab has something very similar. They keep unenrolling me from their paperless thing and then send me a letter every month telling me they unenrolled me because emails aren't being delivered.

But I get their emails just fine. It's their tracking that (intentionally) isn't working.

blackhaz today at 7:02 PM

Can somebody please tell Barclays their 3DS widget is never redirecting back to the seller when transaction has been approved on user's device?

In fact, the sheer amount of systems not working correctly in Britain is astonishing. Feels like the whole country is falling apart.

treetalker today at 10:22 PM

Who has two thumbs and (1) will never open an HSBC account because of this and (2) will advise his legal clients to bank elsewhere?

bennyp101 today at 7:03 PM

I noticed this a couple of years ago too, I just ignored the letters, continued to receive the emails, and they stopped sending me letters about it /shrug

dpoloncsak today at 9:35 PM

Isn't this the exact reason we 'verify email address'?

What's the point of that entire handshake then?

mmmlinux today at 9:59 PM

I'd be willing to bet the number of people who sign up for ebilling, then screw up their email address is huge. Then those people blame the bank for not contacting them to tell them the issue.

Yes, it's not how email is supposed to work. But people can be really really stupid.

barbazoo today at 7:29 PM

> But it gets worse. Because HSBC are using http://, rather than https:// URLs for their tracking pixels, they’re also saying that every time you read an email from them, they’d like everybody on the same network as you to be able to know that you did so, too. If you’re at my house, on my WiFi, and you open an email from HSBC, not only might HSBC know about it, but I might know about it too.

> But we’re in the Darkest Timeline. Tracking pixels have become so endemic that HSBC have clearly come to the opinion that if they can’t track when I open their emails, I must not be receiving their emails. So they wrote me a letter to tell me that my emails have been “returned undelivered” (which seems to be an outright lie).

adastra22 today at 8:46 PM

“We need to confirm you are receiving our emails, please click this link” is a phishing setup. That is absolutely not what they should do.

jrs235 today at 9:40 PM

Using tracking pixels in emails is like using AI to generate solutions/code. It is not deterministic, it is only probabilistic.

bdangubic today at 10:33 PM

> We need to check that you’re receiving our emails. Please click this link to confirm that you are

mate was on a toll till this. I mean after all that amazing write-up we gon be clicking links in emails??!

hrimfaxi today at 8:17 PM

The same exact thing would happen to me with interactive brokers.

sparrish today at 6:48 PM

I've heard CapitalOne does the same thing... send paper mail saying their emails aren't being read.

johnea today at 10:18 PM

It seems the article and most of the comments here are nonsense.

The focus on http versus https in allowing surveillance of fetching the tracking pixel is all but completely irrelevant.

In any case, the domain name of the tracking pixel locations will be resolved through DNS, which is almost always unencrypted. So anyone on the LAN will see the DNS query, revealing the banking URL, in plain text.

The big issue here, which I couldn't find one comment regarding, is that the email client is interpreting HTML.

Use plain text email! Problem solved. At least use a "Simple HTML" or similar mode when viewing email. Where the HTML is rendered, but no links are followed.

renewiltord today at 6:41 PM

Tracking pixels don’t even work with Gmail because Google fetches them out of band. It doesn’t reveal open rates.

almosthere today at 8:21 PM

This isn't going to get to someone at HSBC. Nothing will change.

  They hired another company to do it.
  The project has been over for 4 years.
  The man who determined the requirements no longer works at HSBC or the other company.
  The coder doesn't even know HSBC is using his code.

It's absolutely useless - humans going into the age of software. It's a death spiral of I don't know's for a hundred miles.

kkfx today at 8:21 PM

Banks have some of the worst IT in the world. Being purely manager-led, with developers completely subservient to the bean counters, the results are terrible.

This is one of the reasons why in 2019 they wrote about their own demise https://web.archive.org/web/20240213185758/https://www.cimb.... against fintech (which is only slightly less archaic) and how cryptos, I don't know which ones, but maybe some yet to be born, will eventually displace them because regardless of their dominant position, the level of poor service and archaic systems is not humanly/socially sustainable for much longer.

Their leadership is mentally incapable of changing. Unfortunately, I fear that most of the population isn't either.

MagicMoonlight today at 7:08 PM

Who still banks with HSBC when we have Monzo and Starling?

kylehotchkiss today at 8:02 PM

HSBC, truly the pinnacle of Great Banks. Surprised they haven't earned your breakup yet.

SilverElfin today at 6:57 PM

Some may treat these as an inconvenience or annoyance, but I think it’s a sign of rot. And it may run a lot deeper. Unfortunately I feel like most financial institutions have terrible websites and practices in general, so I don’t know if switching will let you avoid problems.

jmclnx today at 7:32 PM

> used to surreptitiously track when somebody reads an email

Not in my email client, mutt. I use Thunderbird once in a great while. For some reason I thought there was an option to stop that and I enabled it. Will need to check the next time I fire up Thunderbird.

Analemma_ today at 6:56 PM

> I have a credit card with HSBC: you know, the bank with virtue-signalling multiculturalism in their ads.

Was this opening sentence necessary? It is not germane at all to the rest of the article. Ironically, it is itself virtue-signalling (for some definition of virtue), just to a different audience.

JasonADrury today at 8:28 PM

[flagged]

koakuma-chan today at 7:53 PM

> I can understand your frustration, but if the bank has sent the letter, you will have to update the e-mail address.

That's why I fucking hate society. This is everywhere.

crazygringo today at 7:52 PM

I don't see anything wrong with attempting this. A significant number of people mistype/change their e-mail address, and security messages from banks can be important, so anything that catches no-longer-working e-mail addresses is better for everyone involved. And I assume a very small proportion of people try to disable tracking pixels.

But this post is entirely speculation. The author has no evidence they're basing it on tracking pixels. They're literally just guessing.

And I'm dubious that tracking pixels would be a reliable enough signal to be worth it. Doesn't Gmail download images in advance anyways? Plus, I regularly filter predictable emails or just archive them directly from my inbox based on the subject line without opening.

I'd more likely assume they have an e-mail bounce detector that just has a bug in it.
