UK banks stream customers’ information to third parties

18 August 2023

How much do you know about where your personal data goes? Source: Shutterstock.

Mobile banking apps purport to be as secure as visiting your bank in person. Behind biometric locks, customers happily provide a wealth of personal information – wrongly believing that it won’t leave the vault.

Many users imagine their mobile banking apps have security as extensive as Gringott’s. Your personal data is not being guarded by magic.

Several UK banks are quietly gathering data on their customers with the aid of third-party services via personal banking apps running on smartphones, Tech HQ can exclusively reveal.

The Co-operative and Cashplus Banks both gather information on their customers that falls well outside the needs of commercial necessity, such as location data, a device’s unique identifier, network carrier, and a device’s brand & IP address.

The third-party tracking code embedded in the mobile banking apps we tested is highly active, with hundreds of callbacks to the third-party’s systems taking place every hour, whether or not the app is in active use.

The Advanced Payment Solutions Ltd., trading as Cashplus utilizes Google Analytics for Mobile Apps tracking as part of its application’s code base, while the Co-operative banking app (under the Smile brand) uses Adobe Analytics. The list of data passed to the third parties may include all or some of the following:

OS Version Device Language
Network Connection Type Network Carrier
GPS Coordinates Android Advertising ID
App Version App Name
Email address Timezone
Unique Identifier Device Model
Device Brand Cookies
Postal Code App Install Date
OS Build Number Device Orientation
Screen Resolution Country
Local IP Address Last Name
CPU Data City
State System Volume
Gender Available Internal Storage
First Name Charging Status
Battery Level Device Total Memory
Device Boot Time Timezone
Headphone Status

Some elements of data that can be collected by banks in the UK via these and similar third-party data-gathering services are already available to banks from their records. Other collected fields, such as screen orientation and screen resolution, can be useful for application updates and further development.

Even taken at face value, users of banking apps may be alarmed to know that information regarding their geographical location and gender, for example, are potentially used by their bank, data that can have little impact on improving services and app performance.

In a time when data science techniques collate disparate data sources to build ever more complete profiles of consumers, the availability of this quantity of intelligence makes pinpointing particular individuals significantly easier.

With fairly simple tools, combining users’ data trails from social media activity and web browsing already formulates high-resolution information for any purpose desired. It’s into this respository of available information that UK consumers’ banking apps are flowing.

KYC doesn’t include headphone status or device battery level.

Ironically, financial institutions invest billions in KYC (know your customer) systems, AI-powered antifraud transaction monitoring, and cybersecurity measures of every color while simultaneously having their customers’ apps feed highly identifiable data to third parties.

Security experts will attest that the more complex an organization’s data repositories are, the greater the attack surface presented to bad actors. Data-gathering companies such as Google, Adobe, OneSignal, Firebase, Glassbox, Amplitude, and a hundred others simply don’t operate under the type of tight data governance that banks have to. Any connectivity between such a third-party and its banking clients represents another route by which black hat hackers can exfiltrate highly confidential information.

At the heart of the issue is the opacity of the process. Unless specific, outbound packet tracking software is installed on end-users’ mobile devices, users of banking apps are unaware of the flow of information to companies whose raison d’etre is data gathering.

Many such organizations operate to fulfill a need from digital marketing companies keen to gain insight into potential markets: to sell stuff to people, in short.

But given that the sole criterion required to access data legally from Adobe Analytics et al, is having access to the required fees, it’s not difficult to see how such services can quite legally be misused.

Similarly opaque are individual banks’ policies regarding this type of digital data collection. Our efforts to discover the purposes and extent of the data collection via third parties have been fruitless. The Co-operative Bank has been considering these issues, raised by us, for over eight months at the time of writing, and the UK’s Financial Ombudsman is similarly tardy – this consumer rights body is currently working with a four-month backlog of cases.

It may be the case that the UK’s banks are only using information gathered from these channels to improve future app iterations. But as the process is opaque, end-users may never know what’s being recorded, for which purposes.

Additionally, software provided by Adobe Analytics may capture as much data as possible but only allow partial access to it by their bank clients. The extent of the captured data remains a trade secret.

How a third-party data-gathering service puts information to commercial use is solely its wherewithal.