Santander To Track Customer Location Via Mobiles and Tablets
New submitter raburton writes: Santander (one of the biggest banks in Europe) slipped a little note on the corner of my latest statement saying they intend to start collecting "location or other data" from mobiles and tablets that their customers own, from 1st July 2015. There is no link to further information about the policy, or any suggestion you can opt out of it. The stated aim is of course to "prevent and detect fraud", but once they have the data (and they'll probably keep it for a long time) they, or anyone who can gain access to it, can do whatever they like with it. In this day and age I find it hard to take any assurances to the contrary very seriously. Is this kind of policy common practice with banks elsewhere?
It does reject fraud. I know this because I designed the system at Google that is rejecting your logins, back when I worked there. There's a blog post about the system here. Obviously location (actually: geographical coordinates) is not the only thing that is used, it's just a signal that's carefully blended with others.
The main reason location works as a useful anti-fraud signal is that the datasets that hackers are working off are very sparse. Normally only usernames and passwords. So they don't know where in the world you live, meaning that they have to guess. It's almost like a second password. And mostly their guess will be wrong, leading to an ID verification check.
Now if you use VPNs or Tor or whatever that actually move you around the world constantly, then you're in a tiny minority of people that this heuristic doesn't work for. That's not so great. But here's a tip - if you enable 2-step verification on your Google account and then give your IMAP client an "app specific password" you shouldn't see rejected logins anymore, as is documented in the Google support pages. If your IMAP client knows how to use OAuth to log in, that would also work, but most don't.