A bank’s privacy policy lists a lot of data they collect, including customers’ MAC addresses. I was dumbfounded. How is that possible? The router on your LAN obviously knows your device’s MAC address. And I guess the ISP’s router would know your gateway’s MAC address. But from there wouldn’t the bank only see your IP address from the WAN?
Then it occurred to me-- the bank has a smartphone app. So the app likely demands perms to get the phone’s MAC. But then what would the likely purpose be? To check vendor consistencies (to block VMs) and raise impostor flags if your MAC changes?
(update) Another question: instead of using the bank’s shitty phone app, you use their shitty web app instead. I would assume the JavaScript engine is naturally blocked from obtaining your MAC address and transmitting it. But I would like a sanity check.. anyone know for certain?
Probably a rudimentary device ban. Banks are usually pretty behind on these kinds of things, they'll follow some advice they were given 15 years ago, even if it doesnt make sense anymore.