Given common terms such as "banking secrecy", one should be able to trust a bank, right?
In this article, I am investigating whether banking secrecy is still as it used to be. What does my bank know about me and which external stakeholders might be involved?
Did the cool fintechs of today really just cut the paperwork - or are there any pitfalls? We are going to find out 🙂.
N26, as a fintech startup, grew very fast. At the same time, the bank started offering plenty of additional services, such as insurance, where the actual contract is concluded with an external provider.
These external services, however, are smoothly integrated into the app and might suggest that the user is still dealing with trusted services provided by the bank itself.
Regarding privacy, I consider this somewhat concerning, as the contract-closing phase is kept very short, so the user is unlikely to do any further research on the services of this external provider. At the same time, however, it is one more company that receives the personal data and solvency information of an individual with one click. A process where, back in the day, pen, paper and a more extensive thinking process were involved.
Privacy evaluation - N26
Quotes from N26's terms and conditions (T&C) and privacy policy, grouped by topic:

Personal information & solvency metrics
Data flows: information is transferred to third-party services when signing up for them in-app (presented under the N26 Bank brand, yet the service is executed by another third party).
Purposes: required by law (basic information); market and opinion research; examination and optimization of processes; third-party services (N26 Fixed Savings, credit-risk assessment by Schufa, the Stripe Top Up feature).
T&C: "We process your personal data in accordance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) if at least one of the following applies [...] If necessary, we process your personal data beyond our contractual obligations in order to protect our legitimate interests or the legitimate interests of a third party"

Endangering financial assets
T&C: "[...] We process your personal data partially automated to assess certain personal aspects (profiling). If we should use the possibility of a fully automated person related decision in order to provide our services fast and easy and if it is legally required, we will inform you upfront"

Phone book access (MoneyBeam)
Purpose: you can send money to the contacts from your mobile phone via MoneyBeam without knowing their bank details.
T&C: "[...] If the recipient is also an N26 customer, the transactions will be carried out in real time. To enable this, N26 Bank will access the contacts stored on your end device. Furthermore, as a current account holder with N26 Bank, you are visible to your contacts"

Location
N26 uses the user's location to show a map of nearby locations where cash can be withdrawn or deposited. At the same time, this information can be used for location analysis, so N26 can extend its service area.
Purposes: list nearby locations; learn customers' points of interest (POIs).
T&C: "[...] To display to you the location of our Cash26 partners nearby, we process your geolocation"

Mobile payment - Mastercard MPTS
Apple Pay and Google Pay use linked virtual cards that contain personal information, such as your name.
T&C: "[...] In order to be able to use the mobile financial services of Google and Apple, information concerning your current account is transferred to our processor Mastercard MPTS. The information is tokenized at Mastercard MPTS. The tokens are used to authorize and to perform transactions with one of the mentioned service providers. Your personal data will be shared with Alphabet Inc. (Google) or Apple Inc. as Google and Apple provide the technological basis. In case you deactivate these services, the token generated by MPTS is automatically deactivated and erased."

Identify phone metadata
Purpose: market and opinion research.
T&C: "With targeted marketing we try to only make offers to you which are interesting for you and which meet your needs."
T&C: "In order to evaluate your credit rating, we use scoring. Within the scoring process we calculate how probable it is that the respective customer meets his payment obligations. [...] we use personal data such as your salary, your expenses, existing obligations, your job, duration of employment, experiences of former contractual relations, repayment of former credits as agreed upon, as well as credit agencies' information. Your scoring is the result of a mathematical-statistical procedure and it is necessary to fulfill the obligations of our credit contract (overdraft or N26 credit) according to Art. 22 2a) GDPR. The score results support our decision making, when a customer wishes to purchase an additional product and it is included in the current risk management."

Video-Ident and Photo-Ident
Legal basis: German Money Laundering Act.
T&C: "[...] The execution of video and photo identification is performed either on behalf of N26 Bank by an external service provider or directly by employees of N26 GmbH or its subsidiaries on behalf of N26 Bank. In both cases, identity is established by means of a web-based video or photo identification procedure via an encrypted transmission path. In both cases, web-based video and photo identification, N26 Bank may transmit personal data to external service providers for the purpose of verifying your identity."
Third parties named in the terms:
- N26 Bank GmbH and its subsidiaries
- Alphabet Inc. (Google)
- Clark Germany GmbH (“Clark”)
- Raisin GmbH, MHB Bank AG
- SCHUFA AG (Credit score)
- CASH26 Supermarkets (Penny, Real, REWE, BUDNI, Ludwig, ON Express, Eckert, Adam’s, Barbarino and Mobilcom Debitel)
- In co-operation with TransferWise Ltd., 6th Floor, The Tea Building, 56 Shoreditch High Street, London E1 6JJ, Great Britain (hereinafter: “TransferWise”), we offer “international transfers”
- AWP P&C S.A. (branch for the Netherlands, which operates as Allianz Global Assistance Europe and is a member of Allianz Group)
- N26 Invest, N26 Bank collaborates with vaamo Finanz AG, Mainzer Landstrasse 250, 60326 Frankfurt am Main (hereinafter: "vaamo") and with FIL Fondsbank GmbH
- [...] to use the Stripe Top Up Feature (“Top Up Feature”), account information is transferred to our processor Stripe Payments Europe Ltd. (“Stripe”), The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland
The actual danger of what could happen became clear to me when I signed up for yet another "partner service" with just one click of a button. A few months later, a big data breach of Mastercard's loyalty program happened.
Mastercard Breach Affected 90K Germans' Data (PYMNTS.com): "Belgian and German data protection regulators were notified by Mastercard of a possible data breach, Bloomberg reported on Friday (Aug. 23). The breach was first noticed on Aug. 19 and 'affected a large number of data subjects,' the Belgian watchdog said in a statement. The leak involved 90,000 customers' names, addresses and credit card numbers."
Although I briefly checked whether my card number was affected by the breach and made sure it wasn't, someone apparently gained access to that data and was able to execute two transactions in my name.
This showed me how dangerous every additional stakeholder in the chain potentially is.
Automated scoring algorithms have always appeared problematic to me, especially considering that in Germany, one particular agency is hired by major companies for the scoring of individuals. The "Schufa" is a credit bureau supported by creditors. Its algorithm, however, is kept secret, and thus there are initiatives like OpenSchufa that are campaigning for a more open scoring system.
For now, however, whenever someone needs to conclude a contract, the Schufa is the single entity that decides whether a debtor can take the offer or not. A single point of failure. An organization created to establish trust between companies and customers - while being a mysterious, unloved black box to the public.
There are, however, other, more transparent, decentralized models with the potential for higher privacy on the horizon - so I am rather optimistic here.
Proof of Solvency: Technical Overview (ICONOMI): "We ran the same procedure for all the assets on the ICONOMI platform and built a tree for every asset to get multiple root nodes. These root nodes are extremely important because they show the liabilities we have for each asset."
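The idea behind that excerpt, a tree per asset whose root commits to the liabilities, is usually implemented as a Merkle sum tree, and the following added example shows how such a tree works end to end. It is written for this article and is not ICONOMI's or N26's code; the account list, the nonces and the hashing layout are constructed here, and it assumes the standard Merkle-sum design in which every node carries a (balance sum, hash) pair, so a customer can check that their own balance is included and that the root's sum is the total the operator publishes.

```python
import hashlib
from typing import List, Tuple

# A node carries (sum of balances below it, hash). The root's sum is the total
# liability for one asset; its hash is what the operator publishes.
Node = Tuple[int, bytes]
# One step of an inclusion proof: (side of the sibling, sibling sum, sibling hash).
ProofStep = Tuple[str, int, bytes]


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _enc(n: int) -> bytes:
    # Fixed-width encoding keeps the concatenation unambiguous.
    return n.to_bytes(8, "big")


def leaf(user_id: str, balance: int, nonce: bytes) -> Node:
    # The per-customer nonce (assumed design) stops anyone who can guess a user id
    # from brute-forcing that customer's balance out of the published tree.
    if balance < 0:
        raise ValueError("negative balances would let the operator understate liabilities")
    return (balance, _h(b"leaf", user_id.encode(), _enc(balance), nonce))


def parent(left: Node, right: Node) -> Node:
    # Both children's sums are hashed in, so a sibling's sum cannot be altered later.
    ls, lh = left
    rs, rh = right
    return (ls + rs, _h(b"node", _enc(ls), lh, _enc(rs), rh))


def build_tree(leaves: List[Node]) -> List[List[Node]]:
    # levels[0] holds the leaves, levels[-1] the single root. Odd-sized levels are
    # padded with a zero-balance leaf so that every node has a sibling.
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        if len(lvl) % 2:
            lvl.append((0, _h(b"pad")))
        levels.append([parent(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def make_proof(levels: List[List[Node]], index: int) -> List[ProofStep]:
    # Collect the sibling at each level on the path from leaf `index` to the root.
    proof: List[ProofStep] = []
    for lvl in levels[:-1]:
        sib = index ^ 1
        side = "L" if sib < index else "R"
        proof.append((side, lvl[sib][0], lvl[sib][1]))
        index //= 2
    return proof


def verify(user_id: str, balance: int, nonce: bytes,
           proof: List[ProofStep], root: Node) -> bool:
    # Customer-side check: recompute the path and compare with the published root.
    node = leaf(user_id, balance, nonce)
    for side, sib_sum, sib_hash in proof:
        if sib_sum < 0:  # a negative sibling would cancel out real liabilities
            return False
        sibling = (sib_sum, sib_hash)
        node = parent(sibling, node) if side == "L" else parent(node, sibling)
    return node == root


def demo() -> Tuple[int, bool, bool]:
    # Constructed sample ledger for one asset (not real customer data).
    accounts = [("alice", 120, b"n1"), ("bob", 75, b"n2"), ("carol", 0, b"n3"),
                ("dave", 305, b"n4"), ("erin", 40, b"n5")]
    levels = build_tree([leaf(u, b, n) for u, b, n in accounts])
    root = levels[-1][0]
    proof = make_proof(levels, 1)                      # bob's inclusion proof
    genuine = verify("bob", 75, b"n2", proof, root)
    forged = verify("bob", 750, b"n2", proof, root)    # wrong balance must fail
    return root[0], genuine, forged


if __name__ == "__main__":
    total, genuine, forged = demo()
    print(f"total liabilities: {total}, bob verified: {genuine}, forged proof: {forged}")
```

The root of each per-asset tree is the "root node" the excerpt refers to: its sum is the liability the operator has to back with reserves, and its hash lets every customer check that their balance was counted without learning anyone else's. Hashing the sums into each node and rejecting negative sums are what prevent an operator from publishing a smaller total than the sum of its customers' balances.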
The banking app implements certain measures to make users feel safe and to prevent actions they might regret.
Screenshots in the banking app are disabled by default. Even when the user decides to enable them, they can still hide the amounts associated with an account and its transactions.
Less paperwork does not always result in more transparency and privacy - the paperwork might just be hidden in a more elegant way.
How dark patterns mislead internet users (VoxEurop, English): "It happens to everyone: you discover you've subscribed to some newsletter you've never heard of, or you knowingly subscribe because it's the only way to access a specific website or app. Like this: @darkpatterns: On log in, you either accept marketing emails or cancel, which logs you out."
Yelp, Duolingo, other apps send personal data to Facebook without consent
A new collection of apps have been exposed as sending sensitive user data to Facebook. This data transfer occurs regardless of whether or not the user has an active Facebook profile. Three major apps caught in this scandal are Yelp, Duolingo, and Indeed.
36C3 ChaosWest: NOTH1NG T0 HID3: go out and fix privacy! (https://media.ccc.de/v/36c3-78-noth1ng-t0-hid3-go-out-and-fix-privacy-): "After the highly-successful presentation "Toll of personal privacy in 2018" at Ch..."
Chinese primary school halts trial of device that monitors pupils' brainwaves
A trial that involved primary school pupils wearing a head-mounted device that monitored their attention spans has been halted in China amid parents' privacy concerns and fears they could be used to control the children, local media have reported.
Which privacy-enhancing technologies are you already using? For example, self-hosted open source software such as Nextcloud, decentralized messengers such as Element, or browsers like Tor or Brave that block trackers by design?