# Requesting photo ID via email OK?



## Sardonik (Apr 29, 2014)

I was recently asked by a registrar to send a copy of my photo ID via email to confirm my name. When I declined and asked if they could provide some sort of secure upload for the requested scan, I was told they didn't have an alternative.

Is sending/receiving sensitive documents over unencrypted channels SOP in the world of web services? Strikes me as a real security concern, but I do tend towards the paranoid when it comes to this sort of thing.


----------



## coreyman (Apr 29, 2014)

Sardonik said:


> I was recently asked by a registrar to send a copy of my photo ID via email to confirm my name. When I declined and asked if they could provide some sort of secure upload for the requested scan, I was told they didn't have an alternative. Is sending/receiving sensitive documents over unencrypted channels SOP in the world of web services? Strikes me as a real security concern, but I do tend towards the paranoid when it comes to this sort of thing.


Personally I feel like you are being real paranoid. If you don't trust the business enough to send them your photo ID, why should they trust you? Are you worried about a man in the middle seeing your ID? What sensitive information is on your ID that you wouldn't want anyone seeing?


----------



## WebSearchingPro (Apr 29, 2014)

In some senses it could be seen as insecure; it's a very routine thing for some companies, as typically an email (Gmail account) will have vastly more information than what is on the ID specifically. You could use PGP encrypted mail with a mail server that you only operate, but then there is the whole task of getting that set up.

You should see if they have a ticketing system that supports uploads, that might be a solution, however your ID will probably remain unencrypted somewhere for all eternity.


----------



## Sardonik (Apr 29, 2014)

I don't mind the registrar having the ID (hence the request for a secure upload), but yeah...I'm not keen on a third party, man-in-the-middle, getting a hold of it.

What's on it? My picture, address and DOB to start. Plus, if the scan itself was good enough to prove my ID to the registrar, seems like it could be used for similar purposes elsewhere.




----------



## Aldryic C'boas (Apr 29, 2014)

I end up asking for ID from clients from time to time when they're not in a position to meet our usual verification standards (business trips, travelling, college, etc).  Typically, I have them send via email for convenience - but I have no problems with arranging an alternative if they're uncomfortable with email;  usually having them upload as a randomly-named file somewhere that I can temporarily view, and have them remove it after.

It's worth just asking your registrar if they'd be fine with such an alternative - they might not have their own server for you to upload to, but they would probably be fine with you arranging that end yourself.


----------



## HaitiBrother (Apr 29, 2014)

Sardonik said:


> I was recently asked by a registrar to send a copy of my photo ID via email to confirm my name. When I declined and asked if they could provide some sort of secure upload for the requested scan, I was told they didn't have an alternative. Is sending/receiving sensitive documents over unencrypted channels SOP in the world of web services? Strikes me as a real security concern, but I do tend towards the paranoid when it comes to this sort of thing.


Censor any parts you don't want them seeing.

End of story.


----------



## sv01 (Apr 29, 2014)

never asked for my ID, do you register domain for specific country?


----------



## Hxxx (Apr 29, 2014)

Nothing that Facebook doesn't have LOL. (jk)

Well, for me all of that is normal, especially after PayPal randomly asks for your license and SS#.


----------



## Sardonik (Apr 29, 2014)

Great suggestions, all. I think I'll use a combo of redaction and obfuscated hosting to handle this.

Thanks for helping a poor, paranoid soul.


----------



## datarealm (Apr 29, 2014)

We always ask for it by fax but then accept it via email when people complain. 

I like the idea of a fax as the return number on the fax can lead to further location identification (yes, sometimes folks use net-to-fax services).

You could use a password protected zip or pdf file if you wanted to add another layer of security to your ID.

My personal favorite is when someone emailed a sample ID photo they pulled from google images and then asked why we wouldn't accept it.  *sigh*  Takes all kinds...


----------



## MannDude (Apr 29, 2014)

I'm a paranoid one as well, though my main concern is _how_ the data is stored _after_ I submit it. Do they keep it on file indefinitely? Do they remove it after verification? Is some random employee who works remotely storing it on his laptop that later got stolen from a Starbucks?

I don't mind sharing the information when needed, but I'd rather it not be stored for any period of time longer than what it takes to verify it.


----------



## Hxxx (Apr 29, 2014)

MannDude said:


> I'm a paranoid one as well, though my main concern is _how_ the data is stored _after_ I submit it. Do they keep it on file indefinitely? Do they remove it after verification? Is some random employee who works remotely storing it on his laptop that later got stolen from a Starbucks?
> 
> I don't mind sharing the information when needed, but I'd rather it not be stored for any period of time longer than what it takes to verify it.


One would ask why some providers >.> (not looking at anybody) require authentication when you are paying with PayPal verified, when the provider clearly can just set up their****** PayPal account to just accept payment from verified payers only. No need to ask for the same documents PayPal already asked for... Among other things that can be highly criticized.

They tell you that they will keep a file on record with the information sent. One would think, well, they print it, delete it from the systems, maybe lock it up in a secure archive. Ujum that's utopia. They just leave it there attached in their WHMCS systems so that when some cluster fuck happens, BAM you're screwed.


----------



## rds100 (Apr 29, 2014)

hrr1963 said:


> when the provider clearly can just setup their****** PayPal account to just accept payment from verified payers only.


I don't think there is such a setting, at least I cannot find it.

I wonder though, why nobody uses Jumio for verification.


----------



## datarealm (Apr 29, 2014)

hrr1963 said:


> No need to ask the same documents PayPal already asked...Among other things that can be highly criticized.


What documents does paypal require to be verified?

It's been many a moon since I've done it, but iirc alls I had to do to verify a PayPal account was confirm two microdeposits to whatever random bank account number I entered onto their site after logging in.  I am not sure how this associated my identity in any way with PayPal.

Also, when we request someone to confirm their identity, it is so that WE can validate who they say they are.  Not that they are someone who figured out how to log into someone else's paypal account in order to shoot us a fraudulent payment...


----------



## Hxxx (Apr 29, 2014)

rds100 said:


> I don't think there is such a setting, at least I cannot find it.
> 
> I wonder though, why nobody uses Jumio for verification.


There you go: 

https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNandPDTVariables/

Jump to variable: payer_status   



datarealm said:


> What documents does paypal require to be verified?
> 
> It's been many a moon since I've done it, but iirc alls I had to do to verify a PayPal account was confirm two microdeposits to whatever random bank account number I entered onto their site after logging in.  I am not sure how this associated my identity in any way with PayPal.
> 
> Also, when we request someone to confirm their identity, it is so that WE can validate who they say they are.  Not that they are someone who figured out how to log into someone else's paypal account in order to shoot us a fraudulent payment...


License and SS# , this may vary.


----------



## rds100 (Apr 29, 2014)

@ this is returned in the IPN, i.e. after the payment has been made. Of course you can choose to refund it if it comes from a non-verified account, but this costs you money.

AFAIK the only way to not accept payments from non-verified accounts is to use the "Authorize & Capture" scheme. Unfortunately I haven't seen any PayPal module for the popular billing system which supports Authorize & Capture.


----------



## datarealm (Apr 29, 2014)

hrr1963 said:


> License and SS# , this may vary.


Well variance makes that less than useful.  Their site makes no mention of requiring a license, and I certainly never provided one for my verification:

https://www.paypal.com/cgi-bin/webscr?cmd=p/acc/seal-CA-unconfirmed-outside

Just the two micro deposits to a bank, or two micro charges on a cc.

And again, if I'm looking to protect against fraudulent, I have to wonder if the paypal account is legit and/or breached.  Just because you logged into paypal does not prove that you are the person who created the paypal account or purported to be the person who signed up for our service.


----------



## Hxxx (Apr 29, 2014)

rds100 said:


> @ this is returned in the IPN, i.e. after the payment has been made. Of course you can choose to refund it if it comes from a non-verified account, but this costs you money.
> 
> AFAIK the only way to not accept payments from non-verified accounts is to use the "Authorize & Capture" scheme. Unfortunately I haven't seen any PayPal module for the popular billing system which supports Authorize & Capture.


Again, still if the customer refuses to provide any documentation you will have to refund what he paid. So basically why not just automate it with the API using the verified status condition?



datarealm said:


> Well variance makes that less than useful.  Their site makes no mention of requiring a license, and I certainly never provided one for my verification:
> 
> https://www.paypal.com/cgi-bin/webscr?cmd=p/acc/seal-CA-unconfirmed-outside
> 
> ...


Your point is valid. What guarantee will you give to the customer that his license or cc copy will not be leaked? Then again.. will you provide the customer with the required aid such as credit verification services for at least a year and such preventing measures that companies should provide upon personal data leaked?

You have to protect your business; still, the customer also needs to protect his identity. Balance needed.

Fun thread, moving on.


----------



## rds100 (Apr 29, 2014)

hrr1963 said:


> Again, still if the customer refuses to provide any documentation you will have to refund what he paid. So basically why not just automate it with the API using the verified status condition?


Could, indeed. I guess you could even automate it via WHMCS hooks.

Then again, someone could automate and send you 1000 payments. You refund them all. You are short of $300 in PayPal fees.


----------
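Added example (not part of any post in this thread, and not PayPal's or WHMCS's code): a sketch of the automation discussed above, deciding per IPN message whether to provision or fall back to an ID request based on `payer_status`. It assumes each message has already passed PayPal's IPN validation postback; the class name, outcome labels and sample messages are constructed for illustration, and unverified payments are held for review rather than auto-refunded so that a flood of payments cannot run up refund fees.

```python
from urllib.parse import parse_qs

# Constructed sample IPN bodies (not real transactions). txn_id,
# payment_status, payer_status and mc_gross are PayPal IPN variables;
# the values are made up.
SAMPLE_IPNS = [
    "txn_id=TEST0001&payment_status=Completed&payer_status=verified&mc_gross=7.00",
    "txn_id=TEST0002&payment_status=Completed&payer_status=unverified&mc_gross=7.00",
    "txn_id=TEST0002&payment_status=Completed&payer_status=unverified&mc_gross=7.00",
    "txn_id=TEST0003&payment_status=Pending&payer_status=verified&mc_gross=7.00",
    "txn_id=TEST0003&payment_status=Completed&payer_status=verified&mc_gross=7.00",
    "txn_id=TEST0004&payment_status=Completed&mc_gross=7.00",
    "payment_status=Completed&payer_status=verified&mc_gross=7.00",
]


class IpnTriage:
    """Hypothetical helper: triage an IPN message that the caller has
    ALREADY authenticated (assumption: validation postback done)."""

    def __init__(self):
        # A transaction can legitimately move Pending -> Completed, so
        # replays are detected on the (txn_id, payment_status) pair.
        self.seen = set()

    def triage(self, body):
        fields = {k: v[0] for k, v in parse_qs(body).items()}
        txn, status = fields.get("txn_id"), fields.get("payment_status")
        if not txn or not status:
            return "reject"             # malformed: nothing to act on
        if (txn, status) in self.seen:
            return "duplicate"          # replayed or re-sent notification
        self.seen.add((txn, status))
        if status != "Completed":
            return "wait"               # no cleared funds yet
        if fields.get("payer_status") == "verified":
            return "provision"
        # Unverified or missing payer_status: fail closed, ask for ID,
        # and leave any refund to a human instead of automating it.
        return "hold_for_id_check"


def run_samples():
    triage = IpnTriage()
    return [triage.triage(body) for body in SAMPLE_IPNS]


if __name__ == "__main__":
    for body, outcome in zip(SAMPLE_IPNS, run_samples()):
        print(f"{outcome:18} {body}")
```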



## rds100 (Apr 29, 2014)

So if someone wants to develop a PayPal module for WHMCS which uses Authorize & Capture - I am willing to donate.

Also WHMCS integration / module for Jumio verifications would be nice.


----------



## qps (Apr 29, 2014)

Jumio looks very cool.  Anyone know how much it costs?


----------



## serverian (Apr 29, 2014)

rds100 said:


> So if someone wants to develop a PayPal module for WHMCS which uses Authorize & Capture - I am willing to donate.
> 
> Also WHMCS integration / module for Jumio verifications would be nice.


http://myworkshosting.com/clients/whmcs-paypal-billing-agreements-payment-gateway

You are welcome.


----------



## rds100 (Apr 29, 2014)

@serverian awesome! What do you drink?


----------



## Aldryic C'boas (Apr 29, 2014)

MannDude said:


> I'm a paranoid one as well, though my main concern is _how_ the data is stored _after_ I submit it. Do they keep it on file indefinitely? Do they remove it after verification? Is some random employee who works remotely storing it on his laptop that later got stolen from a Starbucks?
> 
> I don't mind sharing the information when needed, but I'd rather it not be stored for any period of time longer than what it takes to verify it.


A fair concern, and one I'm going to take the chance to answer for us.  To clarify, any type of ID, documentation, and so forth sent to me is deleted immediately after it gets verified, without exception.


----------



## serverian (Apr 29, 2014)

rds100 said:


> @serverian awesome! What do you drink?


I'd drink my grandmother if she had alcohol in her!


----------



## drmike (Apr 29, 2014)

First SS# isn't a form of identification and was never intended to be.

Second, a random company requiring such personal information?  Err, wrong, move on, next company.

It's risk assessment on both sides... If the risk is too high, then I'll buy elsewhere. 

Photo IDs and such laying around in storage, via email, etc.  YIKES!


----------



## kcaj (Apr 30, 2014)

Sardonik said:


> I don't mind the registrar having the ID (hence the request for a secure upload), but yeah...I'm not keen on a third party, man-in-the-middle, getting a hold of it. What's on it? My picture, address and DOB to start. Plus, if the scan itself was good enough to prove my ID to the registrar, seems like it could be used for similar purposes elsewhere.


As others have suggested you could upload to Google Drive or something similar and send the host a link to this.


----------



## beast5 (Apr 30, 2014)

Sardonik said:


> I was recently asked by a registrar to send a copy of my photo ID via email to confirm my name. When I declined and asked if they could provide some sort of secure upload for the requested scan, I was told they didn't have an alternative. Is sending/receiving sensitive documents over unencrypted channels SOP in the world of web services? Strikes me as a real security concern, but I do tend towards the paranoid when it comes to this sort of thing.


Hi

I can see your concern and understand it. If the hosting company gets hacked and they get your ID and your credit card it can be a real problem.

But sometimes you just have to do it. Just make sure you follow your credit card's account and you can reverse and cancel if your information is compromised; you are insured. And as for the registrar, they are trying to have the domains with real information (only trying).


----------

