bank collects MAC addresses (infosec.pub)

submitted 3 months ago* (last edited 3 months ago) by daveyOsborn@infosec.pub to c/infosec@infosec.pub

2 comments fedilink hide all child comments

A bank’s privacy policy lists a lot of data they collect, including customers’ MAC addresses. I was dumbfounded. How is that possible? The router on your LAN obviously knows your device’s MAC address. And I guess the ISP’s router would know your gateway’s MAC address. But from there wouldn’t the bank only see your IP address from the WAN?

Then it occurred to me-- the bank has a smartphone app. So the app likely demands perms to get the phone’s MAC. But then what would the likely purpose be? To check vendor consistencies (to block VMs) and raise impostor flags if your MAC changes?

(update) Another question: instead of using the bank’s shitty phone app, you use their shitty web app instead. I would assume the JavaScript engine is naturally blocked from obtaining your MAC address and transmitting it. But I would like a sanity check.. anyone know for certain?

top 2 comments

sorted by: hot top controversial new old

[-] CameronDev@programming.dev 5 points 3 months ago

Probably a rudimentary device ban. Banks are usually pretty behind on these kinds of things, they'll follow some advice they were given 15 years ago, even if it doesnt make sense anymore.

[-] yardy_sardley@lemmy.ca 5 points 3 months ago

It's a fingerprint that can be used to cross-reference and de-anonymize your online activity, either by your bank, or by the 298 unscrupulous partners who your bank has decided to share your information with. Kinda like cookies, but they don't need to ask for permission.

this post was submitted on 21 Nov 2025

4 points (100.0% liked)

Information Security

358 readers

2 users here now

founded 2 years ago

MODERATORS

himazawa@infosec.pub