Santander To Track Customer Location Via Mobiles and Tablets

New submitter raburton writes: Santander (one of the biggest banks in Europe) slipped a little note on the corner of my latest statement saying they intend to start collecting "location or other data" from mobiles and tablets that their customers own, from 1st July 2015. There is no link to further information about the policy, or any suggestion you can opt out of it. The stated aim is of course to "prevent and detect fraud", but once they have the data (and they'll probably keep it for a long time) they, or anyone who can gain access to it, can do whatever they like with it. In this day and age I find it hard to take any assurances to the contrary very seriously. Is this kind of policy common practice with banks elsewhere?

  • Guess who's NEVER getting an account with Santander?

    Yeah, that'd be me.
    • by Anonymous Coward

      You could have an account with Santander but simply fail to install their app on your phone or tablet.
      I don't have any app from a financial institution on my mobile devices. It is no big loss to use a browser to access my accounts.
      Currently they do offer some attractive interest rates here in the UK.

      I also disable location services on my phone. That will hinder their data slurping.

      But to be honest, I can't see the reason for this move by Santander.

      • Yup. Just another reason why I still use PCs at home and protect that browsing with tools like Noscript and Flashblock.
      • You could have an account with Santander but simply fail to install their app on your phone or tablet.

        I don't think "fail" means what you think it means. I would call not installing their app a "success".

      • by kmoser ( 1469707 )
        If they notice a device halfway around the world attempting to transfer money from your account, they would be reasonably suspicious it might be fraudulent. Location tracking has its uses in security, much as we consumers may not like it.
    • done.

      if Banco Santander barfs at the login screen because of that, don't use itty bitty computerish stuff with a GPS in it. or use the browser on the itty bitty device to talk to their regular website.

      • I guess I'm a Luddite...my phone does not have location services. (If it did, I'm not sure I'd turn them on.)

        I don't browse the web on my phone or watch movies or play games. I use it to a) make calls, and b) take calls.

        something something off my lawn
      • by ESD ( 62 )

        Then the bank interrogates the browser on the itty bitty device and sees that the screen resolution is so low that it *must* be a mobile device, so it refuses to let you log in from the website because 'they have an app for mobile devices'. That app conveniently also only requires PIN authentication instead of one-time codes and is only available through the Play store, which I don't have installed on my Jolla (even then, it might detect that the phone is 'rooted' and refuse to work because Android support

  • by Anonymous Coward

    I bank with First Mattress Savings & Loan.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      I've heard a lot of those banks have gone up in flames, literally. Seems like the security isn't all that great...

    • No Bank? (Score:3, Insightful)

      by Anonymous Coward

      I did this for a long time, eschewing banks. Then, when I had enough cash, I tried to buy a cheap house with it, but, no dice. There's a law in the U.S. that's vague enough that no seller or agent will accept anything but a cashier's check because they are afraid they will be grilled by the Feds and the banks which answer to them as to where the cash came from; banks are not allowed to accept large cash transfers without reporting such to anti-drug, anti-laundering and anti-terrorism agencies.

      • You can get a cashier's check at the post office, if there's any of those left.

    • by Anonymous Coward

      > Is this kind of policy common practice with banks elsewhere?

      No, most banks won't tell you they are doing it.

  • by Anonymous Coward

    Bank of America implemented this several months ago. No additional features, of course, to even justify more invasive use.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Bank of America implemented this several months ago. No additional features, of course, to even justify more invasive use.

      Undoubtedly Bank of Amerika will happily provide all your tracking data to the "security services" without so much as a warrant or if a warrant is issued it will be from the unconstitutional FISA Court adjoined to a National Security Letter for Bank of Amerika.

    • Bank of America implemented this several months ago. No additional features, of course, to even justify more invasive use.

      They use it for fraud detection. If your cell phone is at your home, and your credit card is used 1500 miles away, that might be a problem.

  • by pla ( 258480 ) on Sunday June 14, 2015 @10:40AM (#49908749) Journal
    I have exactly two non-stock apps installed on my phone - Chrome, and Adblock. I don't need a native client for my bank or Twitter or Facebook or Slashdot or anything, for that matter, that does nothing more than save me from opening Chrome and going to a particular URL.

    I just don't understand the appeal of "we have an app for that" - Why would I ever want to give a company more access to my data than they already have, and let them drain my battery faster, when I don't need to?
    • It doesn't actually say this is based on using their app, although that seems like the most likely way they might do it. It says "where we hold information about devices you use such as mobiles or tablets", doesn't say in connection with an app, or with accessing online banking, etc. all a bit vague really.

    • And considering the fact that most "apps" are just a "wrapper" for their web page (that you could use just fine from a browser), you end up to the safe conclusion that their only reason to exist as "apps" is to have access to our very personal data!
    • ^^^^ THIS.

      Yes, I too am sick of the whole "We have an app for that!" crap. I'd rather use a browser any day and I don't want to load 500 crap-apps on my phone for something a browser does perfectly well.
    • I just don't understand the appeal of "we have an app for that"

      That is because you use a laptop or desktop. For many people, their phone is their computer.

      • by KGIII ( 973947 )

        They certainly can use their phone as their only computer (my phone is much faster and has more compute power than many of the computers I have owned) but doing so is just silly in my opinion. Hell, I get one with a slide-out keyboard every time and I still do not find the format functional enough to do any computing tasks. Even browsing many sites is nearly unacceptable. The lack of consistency between sites makes it even worse. I can read email but I would not want to reply to it - less so if I am using t

    • by Luthair ( 847766 )
      Agreed, my bank's application has always required location access which is why I've never installed it (perhaps with M...), I presumed it was mostly for their locate an ABM but didn't want to read and watch the ToS to be sure. I've also uninstalled applications I was using when an update added location perms.
    • I just don't understand the appeal of "we have an app for that"

      My credit union has a deposit cheque by phone. A browser can't do that.

      • by KGIII ( 973947 )

        You can not just take a picture and upload it? That seems, well, unusual.

      • My credit union has a deposit cheque by phone. A browser can't do that.

        Yes they can. Well, the browser can't do the actual deposit, but neither does an app. An app takes a picture of the check using the device's camera and sends the picture to the bank who does the image processing and performs the deposit. This can easily be done in the browser. If your bank doesn't know how to do it, I am available at reasonable rates.

        • What API would you use?

          • by ncc74656 ( 45571 ) *

            What API would you use?

            WebRTC, IIRC. I recently rolled out a webapp at work that case workers can use to help determine eligibility for potential clients. One minor capability within it is photo capture. Along with a slew of questions about demographics, disabilities, and such, it'll also take a picture and stash it in the database. If someone is then accepted as a client, that photo is then available so that (for instance) our delivery drivers can compare the photo on file to whoever answers the door

    • I don't need a native client for my bank or Twitter or Facebook or Slashdot or anything, for that matter, that does nothing more than save me from opening Chrome and going to a particular URL.

      My credit unions' apps let me deposit checks by taking photos of them with my phone. That's not a service available via the website.

      I agree with the general point of "the app for accessing your company's website should be my web browser", but in the real world there are reasons to have specific apps.

    • Except if your bank requires you using an app for the token generation.... Like one I use, I need to open the app on my phone to access their website on my PC. Not to mention that the two banks I use refuse to open the website on a mobile device. Just pop something like "security extensions not found". Their securities extension can hog my i7 with 8GB, so I imagine my phone....

  • I would love this if it was used as part of 2 part authentication. A card and phone must be present to make retail purchases. A stolen card would trigger red flags if it is used without detecting the phone nearby. Online purchases could be validated by SMS Pin. No phone, no Pin reply, red flag to the bank.

    Unfortunately it is open for abuse which is the main fear uncertainty and doubt on the system. Did a little FUD stop Linux? Its source code can be seen by hackers and may be abused. LOL FUD all ove

    • If you got your phone stolen, you will have a hard time to gain access to your accounts, in particular if you are overseas. This can quickly become a nightmare. You cannot get a replacement phone because your purchases are rejected.
    • My bank uses IP addresses as part of its algorithm, as a proxy for location. One of their security options is to only require 2-factor authentication when logging in from a new computer, or doing something suspicious (changing your contact information or wiring all your money to Russia, for example). It was reasonably convenient, but I eventually decided to go with the stronger security of always requiring 2FA.

      The best thing you can do is probably to find a bank you trust. My local credit union is friendly,

      • I've heard of some that will reorder all your withdrawals in a day before all your deposits to try and overdraw you so they can charge a fee. Mine does the opposite; all the deposits are processed first, so even if you do overdraw, you have a grace period until the end of the day.

        Most institutions do credits first processing. I had heard that it was illegal to do debits first processing, but a quick google doesn't seem to verify that. What banks will do, which ought to be illegal, is to reorder your debits such that the biggest ones hit your account first in order to maximize fees. Let's say you have $10 in your account and you get hit with 100 1 cent debits followed by a $10 debit. They will reorder the transactions such that the $10 hits first and then you get 100 $30 NSF fees.
        T

  • by raymorris ( 2726007 ) on Sunday June 14, 2015 @10:50AM (#49908787) Journal

    Many, possibly most, ecommerce sites do at least basic location checks for fraud protection and have for many years. The 20,000 or so sites which use our software have done so for at least ten years. If you're on the site from Comcast San Francisco at 10:00, then an hour later someone claiming to be you tries to initiate a transaction while in Russia, that's suspicious.

    That red flag is then combined with other available information to choose from one of four possible outcomes:
    The transaction is approved.
    The transaction is declined.
    The customer gets a call / text asking them to confirm the transaction.
    Verified by Visa (tm) or the cashier calls in for manual approval.

    The system works pretty well.

    Note "tracking" is slightly overstating it for two reasons. First, the bank or processor checks only the location of the transaction- we don't know or care where you are if you're not attempting a transaction against an account holder's funds at the moment. Secondly, the "location" is strictly numerical longitude and latitude to see how far you are from the last location. Is it physically possible that you traveled that fast? We don't know or care if you're in a grocery store or a strip club. We only care if "you" are 4,000 miles from where you were two hours ago.

    • by TheGratefulNet ( 143330 ) on Sunday June 14, 2015 @11:02AM (#49908841)

      it fucks me up all the time. I use a vpn and my endpoint is all over the place. google really throws a hissy fit when I send email from my home (on a vpn) using imap. mostly they grey list me and time me out. if I use my own paid email vendor things are always fine.

      but many websites do try to be smart but they fail because of vpn's.

      I get google's calendar in various non-english languages simply because I use a vpn and some site that uses g's calendar ends up showing me days of the week in various languages. heh, maybe it's a learning opportunity ;)

      but this anti-vpn concept annoys me. I don't believe it rejects fraud. but it does discourage you to cloak yourself and I have my suspicions about why everyone is trying to force you to NOT anonymize, at least to the middle nodes along the way.

      • by rsilvergun ( 571051 ) on Sunday June 14, 2015 @01:58PM (#49909733)
        I'm in the payment industry and it pretty well works. There's more to it (metrics and whatnot that score up or down your transactions) but location is incredibly useful. Give it 10, 15 years and these sorts of metrics + big data parsing will pretty much eliminate point of sale fraud. Right now the only thing holding it back is processor cycles are still kinda pricy per watt in a data center, but that's changing more and more. Sure, Moore's law is done but we're nowhere's near done with reducing the energy footprint. Plus before long cell phones will replace your credit card, and when your "credit card" is no longer a dumb piece of plastic but basically a super computer with tons of advanced sensors in your pocket it opens up a whole new world.

        I know it's popular to say the hackers and crackers will always come out ahead, but really they won't. In 10-15 years the only fraud left will be the large scale investor kind and the "legal" kind where you buy up a company Bain Capital style and suck the life out of it. Small scale credit card fraud is a dying breed.
        • by KGIII ( 973947 )

          I do not know so I will ask... Is Moore's Law really done or is it still in effect but just on different architecture (as that is where the growth is)? See the advancements in RISC and ARM for examples. I do not know if their expansion is enough to qualify but they are growing in capability at a really incredible rate.

          • From what I've read it's dead simply because we're hitting the limits of physics. You just can't make things smaller, so there's a practical limit to how small a transistor can be (Moore's Law says that you get twice as many transistors per square inch every year).

            That said our processors have been so focused on smaller and smaller transistors and getting so much performance out of it that we've ignored tons of other optimizations. Right now the big thing is more power per watt so that datacenters can r
            • by KGIII ( 973947 )

              I guess that is a good thing. In a way. We do not really need much more compute power in the home. This system is *just* an 8 core with 16 GB of RAM. (I once paid $400 USD for a whopping 4 MB of RAM. It was EDO as I recall.) I actually have a new computer sitting in the box, it is twice as fast (theoretically) as it has 16 cores with 32 GB of RAM. I have not dug it out to even turn it on, I have not taken the time to dig out a mouse, keyboard, and monitor for it.

              It was on sale at NewEgg recently and I have

        • Plus before long cell phones will replace your credit card, and when your "credit card" is no longer a dumb piece of plastic but basically a super computer with tons of advanced sensors in your pocket it opens up a whole new world.

          "Assuming the attacker didn't get too much of your wife's blood into any of the ports when he took off her fingers."

          • there's a world of difference between the very, very violent crime you just described and the relatively non-violent muggings and pickpocketings that go on. Crooks know this. They know if they ever do anything really out there to someone with money that the cops come down on them like a ton of bricks. Sure, they might get away, but all their friends and family will suffer during the police beat down.

            It's probably not the best way to control crime and prevent social unrest, but it's how we do things here
      • by IamTheRealMike ( 537420 ) on Sunday June 14, 2015 @02:33PM (#49909867)

        google really throws a hissy fit when I send email from my home (on a vpn) using imap. mostly they grey list me and time me out. but this anti-vpn concept annoys me. I don't believe it rejects fraud.

        It does reject fraud. I know this because I designed the system at Google that is rejecting your logins, back when I worked there. There's a blog post about the system here [blogspot.ch]. Obviously location (actually: geographical coordinates) are not the only thing that is used, it's just a signal that's carefully blended with others.

        The main reason location works as a useful anti-fraud signal is that the datasets that hackers are working off are very sparse. Normally only usernames and passwords. So they don't know where in the world you live, meaning that they have to guess. It's almost like a second password. And mostly their guess will be wrong, leading to an ID verification check.

        Now if you use VPNs or Tor or whatever that actually move you around the world constantly, then you're in a tiny minority of people that this heuristic doesn't work for. That's not so great. But here's a tip - if you enable 2-step verification on your Google account and then give your IMAP client an "app specific password" you shouldn't see rejected logins anymore [google.com], as is documented in the Google support pages. If your IMAP client knows how to use OAuth to log in, that would also work, but most don't.

        • I do a lot of online buying and most of the time I don't know where the actual vendor is located but it is unlikely to be close. Yet I never get rejected. How does this type of system accommodate this?
      • by tlhIngan ( 30335 )

        it fucks me up all the time. I use a vpn and my endpoint is all over the place. google really throws a hissy fit when I send email from my home (on a vpn) using imap. mostly they grey list me and time me out. if I use my own paid email vendor things are always fine.

        That's because you're tripping up the anti-fraud detectors, which also try to detect illicit logins to your account.

        Think of it as a physical check - in 2 hours, could you log into your account from say, New York, then again from San Jose? Shor

      • Hey, first and foremost let's keep some of cultural standards man.
    • The difference here seems to be that in your example you are primarily interested in where the transaction is taking place (or in the case of e-commerce, where it is initiated from). All fairly reasonable, but obviously does still create a "tracking" record, but only of where you use your cards. This is suggesting, and admittedly it's quite vague (but that should never be taken as a good thing), they are just as interested in knowing where you are, by unspecified means using your electronic devices.

      Now

    • If you're on the site from Comcast San Francisco at 10:00, then an hour later someone claiming to be you tries to initiate a transaction while in Russia, that's suspicious.

      [...]

      The system works pretty well.

      The system works well enough for you guys.

      First, the bank or processor checks only the location of the transaction

      I doubt that. It's difficult to get gps readings indoors or underground where the transaction might take place.

      • If you're underground or deep in a building, you're probably on wifi (or plugged in). That means we can geoip to within 20 or 30 miles at worst, within a block in the best case (company IPs). That's far more accurate than we need to know whether the account holder COULD be there. What we're looking for is a transaction in southern California, followed 30 minutes later by one in South Carolina, then one in Mexico an hour later. We're computing whether it's possible for the account holder to travel th
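
The travel-speed check raymorris describes in the two comments above (distance from the last location, and whether the account holder could have covered it in the elapsed time), written out as an added example; it is not part of the thread or of the commenter's software. The 900 km/h ceiling, the 48 km geo-IP allowance (taken from "20 or 30 miles at worst"), the `Event` record and the sample coordinates and timestamps are assumptions constructed for illustration.

```python
"""Impossible-travel check: could the account holder have covered the
distance between two consecutive events in the time between them?"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0   # assumption: about airliner cruising speed
GEO_ERROR_KM = 48.0     # assumption: ~30 miles of geo-IP error per location fix


@dataclass(frozen=True)
class Event:            # hypothetical record; field names are illustrative
    account: str
    epoch_s: int        # event time, seconds since the Unix epoch
    lat: float          # decimal degrees
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(min(1.0, sqrt(a)))


def required_speed_kmh(prev, cur):
    """Lowest speed that explains both events, after allowing each
    location fix GEO_ERROR_KM of error."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) - 2 * GEO_ERROR_KM
    if dist <= 0.0:
        return 0.0      # within geo-IP noise: no travel needed
    hours = abs(cur.epoch_s - prev.epoch_s) / 3600.0
    return float("inf") if hours == 0.0 else dist / hours


def flag_impossible_travel(events):
    """Return (event, speed_kmh, flagged) tuples in time order. Each event
    is compared with the previous event seen on the same account."""
    last_seen = {}
    results = []
    for ev in sorted(events, key=lambda e: e.epoch_s):
        prev = last_seen.get(ev.account)
        speed = required_speed_kmh(prev, ev) if prev is not None else 0.0
        results.append((ev, speed, speed > MAX_SPEED_KMH))
        last_seen[ev.account] = ev
    return results


T0 = 1434276000  # constructed timestamp, not taken from any real log
SAMPLE_EVENTS = [  # constructed sample data
    # acct-A: southern California, South Carolina 30 min later, Mexico 1 h after that
    Event("acct-A", T0, 34.05, -118.24),
    Event("acct-A", T0 + 1800, 32.78, -79.93),
    Event("acct-A", T0 + 5400, 19.43, -99.13),
    # acct-B: San Francisco, Oakland 30 min later, New York 6 h after that
    Event("acct-B", T0, 37.77, -122.42),
    Event("acct-B", T0 + 1800, 37.80, -122.27),
    Event("acct-B", T0 + 23400, 40.71, -74.01),
]


def flags_for(account, events=SAMPLE_EVENTS):
    """Flag sequence for one account, in time order."""
    return [f for ev, _, f in flag_impossible_travel(events) if ev.account == account]


if __name__ == "__main__":
    for ev, speed, flagged in flag_impossible_travel(SAMPLE_EVENTS):
        mark = "FLAG" if flagged else "ok"
        print(f"{ev.account} t+{ev.epoch_s - T0:>5}s {speed:>8.0f} km/h  {mark}")
```

The result is a single red flag per event; as the first comment says, it is combined with other available information before a transaction is approved, declined or sent for confirmation.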

    • Posting to undo mod stuff up.
  • because I ALWAYS let my banks know when I'm travelling abroad, and where I'm going to. That means that when I use a credit or debit card in a foreign country, they know that it's unlikely to be a fraudster with a cloned card, and if a withdrawal is made from my card in, say, Hong Kong when I've not told the bank I'm travelling there, then they know it's fraudulent.

    Therefore I have absolutely no problem with them knowing from, say, a hotel IP address, where I'm located if I use my laptop to log in to my acco

    • Where you use your credit card is already location tracked.
      3 times in the last 10 years my card has been cloned.
      The bank in question caught the problem as soon as the 1st bogus transaction was attempted because it did not fit my spending pattern

      So why would I worry that about giving them the ability to protect me thus?
    • by JimMcc ( 31079 )

      Great idea, in theory. I used to use HSBC and got tired of telling them that I'd be traveling to a foreign country only to have them put a security hold on my account when I used my card in that country. One priceless conversation with a support droid went like this:
      Me: Why is there a security hold on my account?
      Droid: We noticed an attempt to use the card in Mexico.
      Me: I called and notified the bank that I would be traveling in Mexico. Don't you record and track that information?
      Droid: We certainly do. It

      • They told me that I should have notified them that I would be traveling in Canada. (This was before the Mexico incident.)

        I used to tell my bank about travel, but they would inevitably block my card when I used it in the country that I had told the bank about. So now I don't bother. They don't use the information.

  • Can't you just switch off location services for that application? I thought that both iOS and Android allowed you to do that (albeit in different fashions).

    On the other hand if they can grab location services data without the OS knowing - then that bank/app needs to be shamed.

    On the third hand. Doesn't just collecting the IP address you are logging in from count as collecting location data?

    • Well, the app could require it or not function. It would be nice if the OS had an option to always feed false location information to an app. It could always report that you were in Antarctica, or a maximum security prison, or the white house, or any of your favorite places.
  • by namgge ( 777284 ) on Sunday June 14, 2015 @11:08AM (#49908871)

    As this is a European company it is subject to European data protection and privacy legislation. Many countries have given their enforcement agencies quite significant enforcement powers to punish abuse and there is pressure for the penalties to be increased to the point that non-compliance is not going to be a viable business model:

    http://www.computerweekly.com/... [computerweekly.com]

    Namgge

    • As this is a European company it is subject to European data protection and privacy legislation.

      This is almost certainly not true. If the bank has a significant presence in a country, it is usually an independent bank with only a loose link with the mother company. For example, Santander in Brazil is very much a Brazilian bank, and has little to do with Santander Spain.

      • If it is a registered business anywhere in EU (and usually EEA as well) then it most definitely has to comply. Last I checked, Santander Brazil wasn't a EU registered business.

  • I have no problem with tracking of myself by my bank. I don't go anywhere that I need to keep secret from anyone at all. And yes, being tracked by my bank could save me from being ripped off. But here is one thing that most people would not consider. A bad guy could have someone else carry their phone or tablet and use the tracking record as an alibi while he commits a crime. I assume that lawyers could acquire the tracking materials for things like civil suits as well. If you are in
    • If you are in a traffic wreck and spent five hours in a bar prior to the accident the jury may well be enlightened as to who probably was at fault in the wreck.

      I believe they would only be collecting location information when a transaction is in progress. If you are in a bar doing banking periodically for five hours there is a problem.

      I have been in a bar for five hours and have walked out completely sober. I have a couple of alcoholic drinks in the first couple of hours and then non-alcoholic for the last three. It is called personal responsibility. One does not have to get drunk when at a bar. Any decent lawyer could show that being in a bar is circumstantial e

    • What if 'being ripped off by your bank' wasn't really a possibility because the regulator/laws made it so? Where I live, if my bank claims I authorised a payment and I say they didn't, they have to provide evidence that I really did do it. Since none exists, they have to pay for the fraud. As such, apart from 'reasonable steps', I feel no need to help my bank out with their fraud problems. On the other hand, they're very motivated to invest in proper technology that really does prevent fraud, rather than pe

  • by fustakrakich ( 1673220 ) on Sunday June 14, 2015 @12:49PM (#49909413) Journal

    Well damn! Start with the bank president and work your way down. You'll find 90% of it before you hit four layers down the hierarchy.

  • This is what the data protection act is for. It's illegal for them to collect data for any purpose other than the ones stated, and it's illegal for them to collect it without your permission. They are also required to delete the data on your request (for a reasonable fee).

    • They can only charge a fee if the data was collected with your permission in the first place.

  • Increasingly I'm coming to the conclusion that for most mobile stuff you're better off using the website and get the desktop view.

    The website can't constantly track you. The website can't access your contacts. The website can't access your location information, unless it's by IP address.

    Mobile websites are crap, but most mobile browsers allow you to request the desktop site.

    And then you can send a big "fuck you" to corporations who feel entitled to all of your personal data.

    Apps were supposed to give us n

  • Some of the stupidest things you can do with your phone:
    1. Enter your credit card number into it
    2. Enter your SSN into it
    3. Install your bank/mortgage co/car loan holder's app onto it
    4. Access the web page of your bank/mortgage co./credit card co and pay your monthly bill.

    If you never put any of your financial data into your phone or use your phone to pay bills or otherwise manage your finances, if you lose your phone all you will have lost is your phone. Do any of the above and lose your phone, and
  • Your bank can already track your location. They have your home address, and they know everywhere you go based on where you swipe your card. If the police are tracking you, it's one of the first resources they will use.

    That said, no, my bank app doesn't use location services. At least, not yet.
