Santander To Track Customer Location Via Mobiles and Tablets
New submitter raburton writes: Santander (one of the biggest banks in Europe) slipped a little note on the corner of my latest statement saying they intend to start collecting "location or other data" from mobiles and tablets that their customers own, from 1st July 2015. There is no link to further information about the policy, or any suggestion you can opt out of it. The stated aim is of course to "prevent and detect fraud", but once they have the data (and they'll probably keep it for a long time) they, or anyone who can gain access to it, can do whatever they like with it. In this day and age I find it hard to take any assurances to the contrary very seriously. Is this kind of policy common practice with banks elsewhere?
Guess who's NEVER getting an account with Santander?
Yeah, that'd be me.
Just cruising through this digital world at 33 1/3 rpm...
I bank with First Mattress Savings & Loan.
Bank of America implemented this several months ago. No additional features, of course, to even justify more invasive use.
I have exactly two non-stock apps installed on my phone - Chrome, and Adblock. I don't need a native client for my bank or Twitter or Facebook or Slashdot or anything, for that matter, that does nothing more than save me from opening Chrome and going to a particular URL.
I just don't understand the appeal of "we have an app for that" - Why would I ever want to give a company more access to my data than they already have, and let them drain my battery faster, when I don't need to?
A bank, which provides free banking, would like to track your location if you choose to use their free and very useful app to prevent fraud, fraud which they will reimburse the customer if it loses them money.
If you don't want to be tracked, then don't use the app.
My App doesn't work with TOR tunnels, although I think they only geolocate the client's IP address.
Regards.
I would love this if it was used as part of 2 part authentication. A card and phone must be present to make retail purchases. A stolen card would trigger red flags if it is used without detecting the phone nearby. Online purchases could be validated by SMS Pin. No phone, no Pin reply, red flag to the bank.
Unfortunately it is open for abuse which is the main fear uncertainty and doubt on the system. Did a little FUD stop Linux? Its source code can be seen by hackers and may be abused. LOL FUD all over again.
The truth shall set you free!
Don't install their app, and don't connect to their site from your phone. Use your desktop computer at home.
There. Problem solved.
Many, possibly most, ecommerce sites do at least basic location checks for fraud protection and have for many years. The 20,000 or so sites which use our software have done so for at least ten years. If you're on the site from Comcast San Francisco at 10:00, then an hour later someone claiming to be you tries to initiate a transaction while in Russia, that's suspicious.
That red flag is then combined with other available information to choose from one of four possible outcomes:
The transaction is approved.
The transaction is declined.
The customer gets a call / text asking them to confirm the transaction.
Verified by Visa (tm) or the cashier calls in for manual approval.
The system works pretty well.
Note "tracking" is slightly overstating it for two reasons. First, the bank or processor checks only the location of the transaction - we don't know or care where you are if you're not attempting a transaction against an account holder's funds at the moment. Secondly, the "location" is strictly numerical longitude and latitude to see how far you are from the last location. Is it physically possible that you traveled that fast? We don't know or care if you're in a grocery store or a strip club. We only care if "you" are 4,000 miles from where you were two hours ago.
It's a good thing you can't spoof location data.
Good luck with that. Years ago, I had never heard of Santander, but then the company I had my car loan through was bought out by them. You may end up a customer of theirs through no fault of your own.
This is one of the side effects of trying to fix broken systems and of marking some cash as "criminal" and trying to police its use. Every bank has by now become more an agent of government oversight than a service organisation to the customer. This is something instigated by governments (notably a certain large one with its "follow the money" mantra) but which the banks haven't resisted. Instead they're looking to sell the data on. Various banks have voiced the idea and then wondered about all the backlash. So why voice ideas if you can simply and quietly amend the Ts&Cs?
And this is the reason why capitalism of today doesn't work.
It doesn't actually say this is based on using their app, although that seems like the most likely way they might do it. It says "where we hold information about devices you use such as mobiles or tablets", doesn't say in connection with an app, or with accessing online banking, etc. All a bit vague really.
because I ALWAYS let my banks know when I'm travelling abroad, and where I'm going to. That means that when I use a credit or debit card in a foreign country, they know that it's unlikely to be a fraudster with a cloned card, and if a withdrawal is made from my card in, say, Hong Kong when I've not told the bank I'm travelling there, then they know it's fraudulent.
Therefore I have absolutely no problem with them knowing from, say, a hotel IP address, where I'm located if I use my laptop to log in to my accounts.
Can't you just switch off location services for that application? I thought that both iOS and Android allowed you to do that (albeit in different fashions).
On the other hand if they can grab location services data without the OS knowing - then that bank/app needs to be shamed.
On the third hand. Doesn't just collecting the IP address you are logging in from count as collecting location data?
I am Slashdot. Are you Slashdot as well?
This kind of thing is opt IN, not opt OUT. You have to give them access to location data from your phone or tablet, and anyway you should NEVER consider any smartphone as being secure enough for online banking.
So don't opt into the tracking, and they won't track your location. This is a no-brainer to solve.
And considering the fact that most "apps" are just a "wrapper" for their web page (that you could use just fine from a browser), you end up to the safe conclusion that their only reason to exist as "apps" is to have access to our very personal data!
Antisthenes: "Wisdom begins by examining the words/names." - excuse my English, I am (slightly...) better with my Greek!
You may end up a customer of theirs through no fault of your own.
Maybe, but even then, they don't have access to your location data unless you give them access to your location data. They don't use magic!
Possibly, but that's the only way it's ever going to happen.
Just cruising through this digital world at 33 1/3 rpm...
And this is the reason why capitalism of today doesn't work.
It's the glory of the Free Market.
As soon as you become successful, you can afford to start buying up the competition. That can make you more successful, so that you can buy up other competitors who have been buying up their competition. Until finally the ultimate stage of the pyramid is that there is no competition, because no one starting from scratch can afford to compete against the massive economies of scale that only a very large competitor can afford.
All Hail The Glorious Free Market!
^^^^ THIS.
Yes, I too am sick of the whole "We have an app for that!" crap. I'd rather use a browser any day and I don't want to load 500 crap-apps on my phone for something a browser does perfectly well.
Just cruising through this digital world at 33 1/3 rpm...
As this is a European company it is subject to European data protection and privacy legislation. Many countries have given their enforcement agencies quite significant enforcement powers to punish abuse and there is pressure for the penalties to be increased to the point that non-compliance is not going to be viable business model:
http://www.computerweekly.com/...
Namgge
I just don't understand the appeal of "we have an app for that"
That is because you use a laptop or desktop. For many people, their phone is their computer.
Either don't use their app or just don't bank with them. There are plenty of other banks that don't do this stuff and are very reputable.
On second thought, just don't use the app.
Why carry mobile devices except when actually required?
If you go outside people can see you. If my digital person is nothing more than a collection of marketing and a psychological profile information gathering device as I understand it, why participate?
Opting out here.
Agreed, my bank's application has always required location access which is why I've never installed it (perhaps with M...), I presumed it was mostly for their locate an ABM but didn't want to read and watch the ToS to be sure. I've also uninstalled applications I was using when an update added location perms.
Don't install their app. Problem solved.
My device is always at the exact north pole.
You could have an account with Santander but simply fail to install their app on your phone or tablet.
I don't have any app from a financial institution on my mobile devices. It is no big loss to use a browser to access my accounts.
Currently they do offer some attractive interest rates here in the UK.
I also disable location services on my phone. That will hinder their data slurping.
But to be honest, I can't see the reason for this move by Santander.
OK, your choice. Nothing wrong with it really. But apps do often make for a better user experience than web pages. I take a more moderate view on it and use apps where they provide more benefit and web pages for other things. I don't want 500 crap-apps either, but the IMDB app is better than the web page, the Amazon shopping app is better than the web page, etc. Other apps like this banking one appear to exist just so that they can get your location. It may actually prevent some instances of fraud - but the cost is too high (that being that people both authorized and unauthorized get access to private location data).
I have no problem with tracking of myself by my bank. I don't go anywhere that I need to keep secret from anyone at all. And yes, being tracked by my bank could save me from being ripped off. But here is one thing that most people would not consider. A bad guy could have someone else carry their phone or tablet and use the tracking record as an alibi while he commits a crime. I assume that lawyers could acquire the tracking materials for things like civil suits as well. If you are in a traffic wreck and spent five hours in a bar prior to the accident the jury may well be enlightened as to who probably was at fault in the wreck.
Does quarterly profits dropping more than 90% sound like Santander was a "successful" bank? http://www.bbc.com/news/business-20079104
Santander was no more successful than US large banks and, just like US large banks, they pretended they didn't need large government bailouts by forcing their national government to bail out the people who owed Santander.
I did this for a long time, eschewing banks. Then, when I had enough cash, I tried to buy a cheap house with it, but, no dice. There's a law in the U.S. that's vague enough that no seller or agent will accept anything but a cashier's check because they are afraid they will be grilled by the Feds and the banks which answer to them as to where the cash came from; banks are not allowed to accept large cash transfers without reporting such to anti-drug, anti-laundering and anti-terrorism agencies.
Well damn! Start with the bank president and work your way down. You'll find 90% of it before you hit four layers down the hierarchy.
“He’s not deformed, he’s just drunk!”
I just don't understand the appeal of "we have an app for that"
My credit union has a deposit cheque by phone. A browser can't do that.
It's my security policy to never use a phone or laptop to access my account. So, while I get emails about activity, there's no bank app nor do I login using the phone/tablet/laptop browser. So they have nothing to track. If they collect info that I'm accessing my account from my desktop at home, I have no problem with that.
I *do* have a problem with them suddenly requiring an ID for me to deposit cash into my account. I have clients who pay me for manual therapy sessions in cash and I would deposit it into my checking account. This is no longer allowed to prevent fraud. I don't know how many nail techs, servers, and house cleaners perpetrate fraud against one of the largest banks in the US, but I'd be curious to know. The bank has no problems with checks, apparently.
I moved my savings to a credit union and only use the checking account. The credit union teller just smiles and asks which account I want the funds deposited into.
This is what the data protection act is for. It's illegal for them to collect data for any purpose other than the ones stated, and it's illegal for them to collect it without your permission. They are also required to delete the data on your request (for a reasonable fee).
If you're using Android, then install Mobiwol and set the Santander app to no background execution. That way, it can only access internet by any means when you invoke it explicitly. For bonus points, you could also set it to no phone network access, so it can only access WiFi networks when you invoke it, and can't access the phone network at all. FYI, I have no connection to Mobiwol.
I'm in the payment industry and it pretty well works. There's more to it (metrics and whatnot that score up or down your transactions) but location is incredibly useful. Give it 10, 15 years and these sorts of metrics + big data parsing will pretty much eliminate point of sale fraud. Right now the only thing holding it back is processor cycles are still kinda pricy per watt in a data center, but that's changing more and more. Sure, Moore's law is done but we're nowhere near done with reducing the energy footprint. Plus before long cell phones will replace your credit card, and when your "credit card" is no longer a dumb piece of plastic but basically a super computer with tons of advanced sensors in your pocket it opens up a whole new world.
I know it's popular to say the hackers and crackers will always come out ahead, but really they won't. In 10-15 years the only fraud left will be the large scale investor kind and the "legal" kind where you buy up a company Bain Capital style and suck the life out of it. Small scale credit card fraud is a dying breed.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Yup. Just another reason why I still use PCs at home and protect that browsing with tools like Noscript and Flashblock.
/. Dissent will not be tolerated. Think like us or perish.
My credit unions' apps let me deposit checks by taking photos of them with my phone. That's not a service available via the website.
I agree with the general point of "the app for accessing your company's website should be my web browser", but in the real world there are reasons to have specific apps.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
They certainly can use their phone as their only computer (my phone is much faster and has more compute power than many of the computers I have owned) but doing so is just silly in my opinion. Hell, I get one with a slide-out keyboard every time and I still do not find the format functional enough to do any computing tasks. Even browsing many sites is nearly unacceptable. The lack of consistency between sites makes it even worse. I can read email but I would not want to reply to it - less so if I am using the touchscreen keyboard. So, yeah, it is silly in my opinion. While they have functions like a computer, and are a computer, they are not a good substitute for a desktop or a laptop. Note: This is my opinion and your opinion may well be different. I do not even like tablets much for anything other than entertainment. (I did have a nice convertible from Motion back in the day but I eventually wanted to upgrade and my son absconded with the Motion.)
"So long and thanks for all the fish."
You can not just take a picture and upload it? That seems, well, unusual.
"So long and thanks for all the fish."
They probably buy it from the phone company or Facebook.
Better user experience in exchange for zero security. An app is basically the equivalent of installing an .exe with root priv. on your desktop. Ie we are back in 1995 again.
But to be honest, I can't see the reason for this move by Santander.
Not that I like giving them the benefit of the doubt..
Transaction 99 - geo-location of transaction: London, device location: London
Transaction 100 - geo-location of transaction Bucharest, device location: London.
Transaction 101 - geo-location of transaction: London, device location: London
done.
if Banco Santander barfs at the login screen because of that, don't use itty bitty computerish stuff with a GPS in it. or use the browser on the itty bitty device to talk to their regular website.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Nobody says this can't be used as an anti-fraud measure, it's just that this kind of sensible data should be collected with clear privacy statements that claim:
1- nobody but us can access this data
2- this data will never be sold to 3rd parties
3- this data can be accessed by authorities only after a warrant (well, this really depends on local legislation, I admit)
4- this data will be stored for this reasonably short amount of time
5- you can opt out from this service any time, here's how
I don't think "fail" means what you think it means. I would call not installing their app a "success".
Santander is a bank in Boston. It may have some overseas branches also.
Had a home loan that got sold to those swine. They approved a 2nd mortgage for me to get some very needed repairs done to the place - Condition was a 5-year balloon payment that they promised could be re-financed.
Problem was, no one there told me there was apparently a Federal (?) law preventing modification of home mortgage terms more than once every 7 years. Well, by setting up 5-year terms, I was STUCK trying to figure out a way to get $15,000 to pay off the entire 2nd mortgage. They refused to work with me at all, and ended up losing the house simply because of their predatory BS.
Avoid at all costs!!!
My credit union has a deposit cheque by phone. A browser can't do that.
Yes they can. Well, the browser can't do the actual deposit, but neither does an app. An app takes a picture of the check using the devices camera and sends the picture to the bank who does the image processing and performs the deposit. This can easily be done in the browser. If your bank doesn't know how to do it, I am available at reasonable rates.
If you are not allowed to question your government then the government has answered your question.
What API would you use?
Santander Bank (formerly Sovereign Bank) is a wholly owned subsidiary of the Spanish Santander Group. Based in Boston, Massachusetts
Every time you use your card in a store, or withdraw cash from an ATM they know where you are.
Impossible to hide from them unless you keep cash under your mattress
"Assuming the attacker didn't get too much of your wife's blood into any of the ports when he took off her fingers."
Except if your bank requires you using an app for the token generation.... Like one I use, I need to open the app on my phone to access their website on my PC. Not to mention that the two banks I use refuse to open the website on a mobile device. Just pop something like "security extensions not found". Their securities extension can hog my i7 with 8GB, so I imagine my phone....
Increasingly I'm coming to the conclusion that for most mobile stuff you're better off using the website and get the desktop view.
The website can't constantly track you. The website can't access your contacts. The website can't access your location information, unless it's by IP address.
Mobile websites are crap, but most mobile browsers allow you to request the desktop site.
And then you can send a big "fuck you" to corporations who feel entitled to all of your personal data.
Apps were supposed to give us native things which work better. What they've really given us is an endless stream of privacy issues as the people who make them have decided they can do anything they want.
So, how about "no, piss off, go away, and drop dead"?
I've started uninstalling apps which don't offer specific functionality I can't get from their webpage. It seems like most apps exist to push ads, and to invade your privacy. So stop giving it to them.
Lost at C:>. Found at C.
If you're underground or deep in a building, you're probably on wifi (or plugged in). That means we can geoip to within 20 or 30 miles at worst, within a block in the best case (company IPs). That's far more accurate than we need to know whether the account holder COULD be there. What we're looking for is a transaction in southern California, followed 30 minutes later by one in South Carolina, then one in Mexico an hour later. We're computing whether it's possible for the account holder to travel that fast.
We then combine that with other data points to score the likelihood of fraud. If it's card-present (swiped) that's lower risk than an internet transaction where they only have the card NUMBER, for example.
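Added example, not part of any comment in this thread and not the commenter's software: a minimal Python sketch of the travel-speed check described in the two comments above (San Francisco then Russia an hour later; southern California then South Carolina 30 minutes later), combined with the card-present signal to pick one of the four outcomes listed earlier. The thresholds, score weights, outcome labels and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, inf, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8
# Assumed values for illustration; none come from the thread or a real product.
MAX_PLAUSIBLE_MPH = 600.0   # about airliner cruising speed
GEOIP_ERROR_MILES = 30.0    # slack for coarse IP geolocation ("20 or 30 miles")


@dataclass(frozen=True)
class Txn:
    ts: float            # Unix time in seconds
    lat: float           # degrees
    lon: float           # degrees
    card_present: bool   # True = swiped, False = card number only


def haversine_miles(a: Txn, b: Txn) -> float:
    """Great-circle distance between two transaction locations."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * asin(min(1.0, sqrt(h)))


def implied_mph(prev: Txn, cur: Txn) -> float:
    """Speed one person would need to have made both transactions."""
    miles = max(0.0, haversine_miles(prev, cur) - GEOIP_ERROR_MILES)
    if miles == 0.0:
        return 0.0  # same place within geolocation error
    hours = (cur.ts - prev.ts) / 3600.0
    # Simultaneous or out-of-order events far apart cannot be one person.
    return inf if hours <= 0 else miles / hours


def risk_score(prev: Txn, cur: Txn) -> int:
    """Combine the travel-speed flag with the card-present signal."""
    mph = implied_mph(prev, cur)
    score = 0
    if mph > MAX_PLAUSIBLE_MPH:
        score = 60          # physically impossible travel
    elif mph > MAX_PLAUSIBLE_MPH / 2:
        score = 20          # possible only by air
    if not cur.card_present:
        score += 25         # card number only is higher risk than a swipe
    return score


def decide(prev: Txn, cur: Txn) -> str:
    """Map the score onto the four outcomes named in the thread."""
    score = risk_score(prev, cur)
    if score >= 80:
        return "decline"
    if score >= 60:
        return "manual_approval"        # Verified by Visa / cashier calls in
    if score >= 40:
        return "confirm_with_customer"  # call or text
    return "approve"


# Constructed sample transactions (coordinates are approximate city centres).
SF = Txn(0, 37.7749, -122.4194, False)
SF_LATER = Txn(300, 37.7749, -122.4194, False)
MOSCOW_1H = Txn(3600, 55.7558, 37.6173, False)
LA_45MIN = Txn(2700, 34.0522, -118.2437, False)
LA = Txn(0, 34.0522, -118.2437, True)
CHARLESTON_30MIN = Txn(1800, 32.7765, -79.9311, True)

if __name__ == "__main__":
    for prev, cur in [(SF, SF_LATER), (SF, LA_45MIN),
                      (LA, CHARLESTON_30MIN), (SF, MOSCOW_1H)]:
        print(f"{implied_mph(prev, cur):8.0f} mph -> {decide(prev, cur)}")
```
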
Send them a Cease and Desist letter informing them that all such data on your devices is your intellectual property and any attempts to access it will result in them being arrested for spying.
That said, encrypt EVERYTHING without using off the shelf cryptography. You need to use nothing short of 4096 bits encryption IMHO.
NONE of what you suggested is acceptable. My data belongs to me, it's MY intellectual property, and I don't recognize any claim contrary to that.
If they notice a device halfway around the world attempting to transfer money from your account, they would be reasonably suspicious it might be fraudulent. Location tracking has its uses in security, much as we consumers may not like it.
Some of the stupidest things you can do with your phone:
1. Enter your credit card number into it
2. Enter your SSN into it
3. Install your bank/mortgage co/car loan holder's app onto it
4. Access the web page of your bank/mortgage co./credit card co and pay your monthly bill.
If you never put any of your financial data into your phone or use your phone to pay bills or otherwise manage your finances, if you lose your phone all you will have lost is your phone. Do any of the above and lose your phone, and you will have lost an important part of your life.
Your bank can already track your location. They have your home address, and they know everywhere you go based on where you swipe your card. If the police are tracking you, it's one of the first resources they will use.
That said, no, my bank app doesn't use location services. At least, not yet.
https://www.eff.org/https-everywhere
there's a world of difference between the very, very violent crime you just described and the relatively non-violent muggings and pickpocketings that go on. Crooks know this. They know if they ever do anything really out there to someone with money that the cops come down on them like a ton of bricks. Sure, they might get away, but all their friends and family will suffer during the police beat down.
It's probably not the best way to control crime and prevent social unrest, but it's how we do things here in America. In the rest of the world I don't know if they do the same, but I'm pretty sure they do in the UK at least.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
WebRTC, IIRC. I recently rolled out a webapp at work that case workers can use to help determine eligibility for potential clients. One minor capability within it is photo capture. Along with a slew of questions about demographics, disabilities, and such, it'll also take a picture and stash it in the database. If someone is then accepted as a client, that photo is then available so that (for instance) our delivery drivers can compare the photo on file to whoever answers the door to make sure the client's at home to accept delivery. We could've just had the user take a picture with the phone's camera app and then upload into our webapp from there, but this is a seamless approach that's easier to use.
There's not much to it, either. The page that handles the capture is 28 lines of HTML and 114 lines of JavaScript, a fair bit of which was cribbed from examples I found with a few seconds' googling. It provides a live view of what the camera sees, lets you switch between front and back cameras, and lets you preview the capture before it's sent to the server.
20 January 2017: the End of an Error.
WebRTC may not be ready for all browsers