Slashdot Mirror
Bank Puts a Billion Transaction Records Behind Analytics Site
schliz writes "Australia's UBank has put a billion real-world transaction records behind a website that allows users to compare their spending habits with others of the same gender, in the same age/income range, neighborhood and living situation. The 'PeopleLikeU' tool surfaces favorite shops and restaurants surprisingly accurately — because it's based on real customers' transactions, it lists places like good takeout joints that wouldn't normally come to mind when you think of a favorite place to eat. The bank says all data was 'deidentified' and it consulted with privacy authorities."
Yeah! And fucking iTunes with its Genius feature! I don't WANT to know what songs go well together! Data analytics is bullshit!
The problem with 'anonymizing' the data is that while today it might seem safe, tomorrow a separate database showing a different subset of the same data source, or trace information, etc., which when combined can re-pair and de-anonymize it.
#fuckbeta #iamslashdot #dicemustdie
Especially in small samples, like the size of a neighborhood.
> "The bank says all data was 'deidentified' and it consulted with privacy authorities."
Sure, but what about the actual customers whose data is being exposed? Someone should take nude photos of these bank bureaucrats in the shower, mosaic out their faces and put it in on the web. "Don't worry, we checked with our "privacy authorities.""
You have to wonder who these "privacy authorities" are. The Federal Privacy Commissioner is weak and except for hidden microphones, Australia has weak privacy laws: The worst penalty the Privacy Commissioner can hand out is a letter to an offending company saying "please don't do that." There is no fine or penalty so there is no deterrent.
http://www.theage.com.au/technology/technology-news/youre-being-more-closely-watched-20120916-260ko.html
http://www.privacy.org.au/Resources/POA.html
Remember when it was discovered that the plugins you have installed in your browser, and which browser you were using could almost identify who you were? That's how I felt as I answered questions on the site and saw the number of matches dwindle. I'm not even an AU resident, I just answered truthfully up until it asked for the city and it had narrowed down to ~20000 matches for "people like me."
If you assume that one of those 20000 is me, and that I live in a small town then the number might get even closer to just 1. And once you factor in any other data that might correlate behind the scenes it's not hard to figure out who's who.
Remember the anonymous netflix data that they figured out how to de-anonymize? Same deal. If you're an AU resident, the data is there to uniquely identify you, they just have made a bet with the internet that people won't be able to do so.
Two words: fraud detection.
How are sites slashdotted when nobody reads TFAs?
It makes for a pretty good stalking tool. Find me where all the rich young bitches hang out...
Once I was a four stone apology. Now I am two separate gorillas.
It's been about 5 or 6 months since I switched to using predominantly cash. Yes, it's a little less convenient in some contexts (though sit-down restaurants are faster, just leaving money on the table instead of waiting for a receipt to sign), but I simply do not want to be 100% tracked like this.
Off to (Score:-1) you go!
LOL.
So they can sell your data to other businesses. Not to mention, how are they going to sell you Burger King advertisements when you're reading your online banking statements? (I use Bank of America and in-between actual entries of my statement, it lists things like "10% discount on Burger King!" or "6% discount on Star Bucks!". It's fucking tacky.
Must do better.
Unfortunately, fraud detection works for shit.
My credit card is shut off an average of at least once per week and I have to call up the bank, sit on hold, go through the whole verification process, go through the listing of my recent purchases, etc. Then go make my purchases again. I can tell the things that are going to trigger it, before it even happens. And nothing ever changes. For example, I buy something on Steam probably twice per week. I have for every week for almost eight years. Yet, inevitably, it triggers fraud detection on my card every two or three times.
The same happens with many other purchases, but Steam is the most common. I could understand, if they didn't have a database showing that I have made hundreds or thousands of purchases with them over the past decade. It also happens almost every time I order something from Apple. And many other places. . . . despite a history of buying things from them.
I appreciate them keeping an eye out and protecting me if someone gets my card and goes nuts, but it's not worth having to go through this hassle EVERY WEEK.
I don't really care where everyone else is spending their dough. If I cared, I would have an iPhone, a MacBook Air, an iPad, and I'd be thinking about an iPad Mini for Christmas - but I don't want that stuff. I want a new, 9 pound, i7 3rd-generation laptop with 17 inch monitor, a GeForce GTX 680MX, and 5-6 USB ports and room for twin 1TB SATA drives. That's what I want - even if no one makes one yet, or I have to pay $2600 bucks. And I'm probably not going to get it.
This is violation of a business privacy as well. Sure, you might not be paying taxes and the tax collector might see you get business form rich yuppies.. but it could also tell a competitor business how well you are doing without getting off the couch. Seems like an unfair use of private data.
Wow, try switching to a not-complete-shit bank / credit provider. My bank has twice over the last 7 years put a temporary hold on my account after I bout something I don't usually buy in a location I don't usually buy things. One other time it probably would have, but I proactively called ahead and told them that I was going there on vacation, so there was no problem.
Also, they call me, not the other way around, and getting it resolved took about 10 minutes. The list of suspect purchases was short and reasonable, and definitely not things that I had a history of buying.
Your bank is crap. Time to vote with your wallet rather than complaining about it on a tech forum.
There's no place I could be, since I've found Serenity...
According to the site I should be spending $1350 a month more on beer to be keeping up with the neighbors.
Google "bathing" and "beer".
Hmmm... what company are you using? I'd like to ensure I avoid them.
I've had it trigger twice myself. Once correctly, and once a false-positive (but not unexpected - it was a sudden business trip, and I was making purchases in another state that were also out of character - I don't eat out much, and was also buying some gifts while I was there). Both times were essentially correct in flagging improper behavior, and ensuring it was quickly noted and checked upon (as in, within minutes of the purchases, rather than days later). They called me with an automated message asking some questions. Thinking it was a phishing attempt of some sort (since it asked for some verification data), I chose to call the credit card directly rather than trusting an incoming call, and it dumped me into the same system with a quick "Your card has been flagged as possibly fraudulent activity, please verify these transactions."
After the automated part, where I could accept or deny any given charge for the window they thought might have been I was almost instantly dumped onto a live customer service rep that was there for any follow-up questions I might have, and for the false-positive, ensured the card I was using wasn't locked out and would accept purchases properly for the remainder of my travel. Really pretty good, as such things go. I'd agree with cbhacking -- find a different provider, your current one isn't working for you at all. For the record, the above is a Bank of America Visa (for all the hate BoA has gotten, the BoA Visa has some really good features associated).
~Anguirel (lit. Living Star-Iron)
QA: The art of telling someone that their baby is ugly without getting punched.
So change banks?
If you put up with such crap then obviously there's no incentive for businesses not to dish it out.
I'm a uBank customer, got a bit annoyed about them publishing my data like this, "disaggregated" or not.
Then I remembered that uBank only do mortgages, savings accounts, and term deposits (I have the latter), nothing with a credit or debit card attached that would provide the kind of data they're bragging about. Put simply, it's not my data. From the FAQ, emphasis and clicky links mine:
"PeopleLikeU insights are a combination of census data, consumer spend information sourced from Quantium's Market Blueprint® capability , aggregated savings goals, balance information, and summarised mortgage data from uBank and NAB."
Quantium's information is based on the NAB's credit card data, so if you've got one of those you may want to look at alternatives. Of course, figuring out who's not selling your purchasing habits to some other, similar mob may be trickier.
Oh what could possibly go wrong here?
Anyone remember the AOL incident?
They released a bunch of supposedly anonymous search results, but it turns out it wasn't so anonymous.
http://en.wikipedia.org/wiki/AOL_search_data_leak
File written complaints, it's not enough to just call them up and expect them to fix it.
However, you might also want to keep in mind that Apple and Steam are primary targets for fraudulent activity. Additionally you could call the bank prior to making purchases in this area, and see if that can save you a bit of a headache.
I don't like the idea that a bank would decline a transaction just because it's something I wouldn't normally do. E.g., I don't usually travel, but when I do I don't want my debit card put on hold. Not that that has ever happened.
However I think it would be useful if banks could allow geographic restrictions on card usage to be set using online banking. I'd be happy to restrict it to my local area and expand the restriction temporarily as required.
and I'll keep on paying cash for as long as I can.
This is in fact harder than it looks and slowly keeps getting harder in this country where even the central bank is pushing for everyone to pay using "chip&pin" because it's so much more safe and secure and all around better and the system never fails, honest and privacy gaffes never happen because there's a law against it and so on. You trust us, you have to trust us, we're the central bank!
And the populace by and large says "I have nothing to hide" and does exactly what some authority figure wants them to. Amazingly this country is not Japan, but they do much the same thing.
erm... change banks
"The 'PeopleLikeU' tool SURFACES favorite shops and restaurants surprisingly accurately"
Huh? What does that mean, exactly? How does one 'surface' a shop? Can we have it in ENGLISH please?
The credit card system has a crappy authentication method that makes it extremely easy to fake transactions when you're not the owner of the card. Card skimming is altogether too easy since people now don't stay in their own village and use electronic communication, so you can't keep CC data local and on paper only. The CC industry has been really lacking in fixing proper authentication, since these fraud detection systems and making the seller pay for the losses is so much cheaper to do. Any CC provider that would be the first to actually require proper authentication would probably be shunned by a lot of vendors because of the increased investment in the equipment and labor required to process the card. Also, many customers will find the ease of use of the competitors more appealing and not use the new CC. It will probably take legislation before CC companies will take this problem seriously enough to actually solve it in a half decent way.
I was promised a flying car. Where is my flying car?
Calling your bank prior to every $2-$50 Steam purchase is a little absurd. When I bought a home theater in a single day, including a full set of B&W + Velodyne audio system, a call was totally reasonable. I also understand that several small purchases in a short period of time can be indicative of someone testing out a stolen card before going out for a real splurge with it, but not when there is an established history of purchases with it.
It's Bank of America.
My spending profile can occasionally be erratic and I completely understand flagging really strange series of purchases (try filling up two tanks of gas and immediately going to the store and buying a pair of Nikes). It becomes a nuisance when we're talking about small purchases with places you've done a lot of business with for years. I shouldn't have to stop everything, because I pulled the trigger on today's $4.99 Steam sale. (It also doesn't help that Steam doesn't let you buy multiple copies of things at one time or to buy stuff for yourself and gifting at the same time, forcing multiple consecutive small purchases).
I've thought about finding another bank -- especially because BofA doesn't even have a presence in the state I've lived in for the last seven years), but haven't found terribly great. Not even credit unions. And of course, my problem is with their systems and processes; not their employees. They've always been pretty fantastic and as helpful as possible.
I wish their alert method was reliable, as you described. Sometimes they will immediately call my cell phone when an alert is put on my card. I don't even have to dial a number. It's FANTASTIC. Other times, I get a call a day or two later. More often than not, I never get a call. I have to call them and have the first person transfer me and wait on hold for a good fifteen minutes, then give them all my information and go through the verification process. Other times (almost never), their system offers me a chance to go to a website and verify everything through an online process. It is just unbelievably inconsistent. (Maybe that is intended as part of the design, so there isn't always a predictable method for someone stealing your credit card?).
I also wish the ShopSafe thing worked. That could potentially help a lot. The idea is that you generate a "fake" credit card that is tied to your main card and it is only usable up to a certain amount, for a certain period of time, at a specific merchant. It becomes a big hassle to maintain and, through some research, I discovered that there is absolutely nothing preventing someone from charging a ton of money on one of these fake cards, anyway (rendering the limit you put on it totally meaningless). These ShopSafe "fakes" also have generated alerts against my card, so they didn't help there.
In the end, I'd rather they be more cautious than let someone totally screw me over and steal my identity or something. I appreciate that they're doing SOMETHING. You always hear it said that banks don't give a shit about fraudulent charges, because they'll just recover the theft from all collective card owners and mitigate it for the individual. That doesn't really seem to be the case, from my experience. I just wish they'd come up with a slicker method of handling these alerts and that their system would learn more from historical data (which I thought was the whole point of it).
Maybe this new card with a sort of RSA keygen fob in another slashdot story posted after this one will alleviate some of these unnecessary alerts.
Drop BoA they are a huge ripoff. They charge a seperate atm fee for a balance inquiry. I switched from them to a local credit union. As long as you use a NCUA credit union with shared branches you can use other credit union branches when you are out of town, some even do shared atm
Snowden and Manning are heroes.
I work for a large US Bank that is dong the same thing.... its spelled Omniture.
Sure, they'll wipe out the same and address, but if you can associate that "random person X" bought pizza at [location X] regularly, gets gas/petrol as [station x], etc etc you're going to have a pretty good finger on where that person lives or works. If you associate purchases to a weekend you'll more likely have a home location.
Now add in that person X goes to a female-only gym, and you've got gender.
Tie in times of purchases and you've got a regular schedule. Even if you don't know the person's name yet, it isn't going to be that hard for things to go bad with creepy stalker types.