Requesting photo ID via email OK?

[Sardonik]

I was recently asked by a registrar to send a copy if my photo ID via email to confirm my name. When I declined and asked if they could provide some sort of secure upload for the requested scan, I was told they didn't have an alterative.

Is sending/receiving sensitive documents over unencrypted channels SOP in the world of web services? Strikes me as a real security concern, but I do tend towards the paranoid when it comes to this sort of thing.

 

[coreyman]

I was recently asked by a registrar to send a copy if my photo ID via email to confirm my name. When I declined and asked if they could provide some sort of secure upload for the requested scan, I was told they didn't have an alterative. Is sending/receiving sensitive documents over unencrypted channels SOP in the world of web services? Strikes me as a real security concern, but I do tend towards the paranoid when it comes to this sort of thing.

Personally I feel like you are being real paranoid. If you don't trust the business enough to send them your photo ID, why should they trust you? Are you worried about a man in the middle seeing your ID? What sensitive information is on your ID that you wouldn't want anyone seeing?

 

[WebSearchingPro]

In some senses it could be seen as insecure, its a very routine thing for some companies as typically an email (gmail account) will have vastly more information than what is on the ID specifically. You could use PGP encrypted mail with a mail server that you only operate, but then there is the whole task of getting that setup.

You should see if they have a ticketing system that supports uploads, that might be a solution, however your ID will probably remain unencrypted somewhere for all eternity.

 

[Sardonik]

I don't mind the registrar having the ID (hence the request for a secure upload), but yeah...I'm not keen on a third party, man-in-the-middle, getting a hold of it.

What's on it? My picture, address and DOB to start. Plus, if the scan itself was good enough to prove my ID to the registrar, seems like it could be used for similar purposes elsewhere.


Sent from my SM-N900T using Tapatalk

 

[Aldryic C'boas]

I end up asking for ID from clients from time to time when they're not in a position to meet our usual verification standards (business trips, travelling, college, etc).  Typically, I have them send via email for convenience - but I have no problems with arranging an alternative if they're uncomfortable with email;  usually having them upload as a randomly-named file somewhere that I can temporarily view, and have them remove it after.

It's worth just asking your registrar if they'd be fine with such an alternative - they might not have their own server for you to upload to, but they would probably be fine with you arranging that end yourself.

 

[HaitiBrother]

I was recently asked by a registrar to send a copy if my photo ID via email to confirm my name. When I declined and asked if they could provide some sort of secure upload for the requested scan, I was told they didn't have an alterative. Is sending/receiving sensitive documents over unencrypted channels SOP in the world of web services? Strikes me as a real security concern, but I do tend towards the paranoid when it comes to this sort of thing.

Censor any parts you don't want them seeing.

End of story.

 

[sv01]

never asked for my ID, do you register domain for specific country?

 

[Hxxx]

Nothing that Facebook doesn't have LOL. (jk)

Well for me all of that is normal, specially after Paypal randomly ask for your license and SS#. 

 

[Sardonik]

Great suggestions, all. I think I'll use a combo of redaction and obfuscated hosting to handle this.

Thanks for helping a poor, paranoid soul.

 

[datarealm]

We always ask for it by fax but then accept it via email when people complain.

I like the idea of a fax as the return number on the fax can lead to further location identification (yes, sometimes folks use net-to-fax services).

You could use a password protected zip or pdf file if you wanted to add another layer of security to your ID.

My personal favorite is when someone emailed a sample ID photo they pulled from google images and then asked why we wouldn't accept it.  *sigh*  Takes all kinds...

 

[MannDude]

I'm a paranoid one as well, though my main concern is how the data is stored after I submit it. Do they keep it on file indefinitely? Do they remove it after verification? Is some random employee who works remotely storing it on his laptop that later got stolen from a Starbucks?

I don't mind sharing the information when needed, but I'd rather it not be stored for any period of time longer than what it takes to verify it.

 

[Hxxx]

I'm a paranoid one as well, though my main concern is how the data is stored after I submit it. Do they keep it on file indefinitely? Do they remove it after verification? Is some random employee who works remotely storing it on his laptop that later got stolen from a Starbucks?

I don't mind sharing the information when needed, but I'd rather it not be stored for any period of time longer than what it takes to verify it.

One would ask why some providers >.> (not looking at anybody), requires authentication when you are paying with PayPal verified, when the provider clearly can just setup their****** PayPal account to just accept payment from verified payers only. No need to ask the same documents PayPal already asked...Among other things that can be highly criticized.

They tell you that they will keep a file on record with the information sent. One would think well they print it, delete it from the systems, maybe lock it up in a secure archive. Ujum that's utopia. They just leave it there attached in their WHMCS systems so that when some cluster fuck happen, BAM you re screwed. 

 

[rds100]

 when the provider clearly can just setup their****** PayPal account to just accept payment from verified payers only.

I don't think there is such a setting, at least i cannot find it.

I wonder though, why nobody uses Jumio for verification.

 

[datarealm]

 No need to ask the same documents PayPal already asked...Among other things that can be highly criticized.

What documents does paypal require to be verified?

Its been many a moon since I've done it, but iirc alls I had to do to verify a paypal account was confirm two microdeposits to whatever random bank account number I entered onto their site after logging in.  I am not sure how this associated my identity in any way with paypal.

Also, when we request someone to confirm their identity, it is so that WE can validate who they say they are.  Not that they are someone who figured out how to log into someone else's paypal account in order to shoot us a fraudulent payment...

 

[Hxxx]

I don't think there is such a setting, at least i cannot find it.

I wonder though, why nobody uses Jumio for verification.

There you go: 

https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNandPDTVariables/

Jump to variable: payer_status  

What documents does paypal require to be verified?

Its been many a moon since I've done it, but iirc alls I had to do to verify a paypal account was confirm two microdeposits to whatever random bank account number I entered onto their site after logging in.  I am not sure how this associated my identity in any way with paypal.

Also, when we request someone to confirm their identity, it is so that WE can validate who they say they are.  Not that they are someone who figured out how to log into someone else's paypal account in order to shoot us a fraudulent payment...

License and SS# , this may vary. 

 

[rds100]

@ this is returned in the IPN, i.e. after the payment has been made. Of course you can choose to refund it if it comes from a non-verified account, but this costs you money.

AFAIK the only way to not accept payments from non-verified accounts is to use the "Authoried & Capture" scheme. Unfortunately i haven't seen any paypal module for the popular billing system which supports Authorize & Capture

 

[datarealm]

License and SS# , this may vary. 

Well variance makes that less than useful.  Their site makes no mention of requiring a license, and I certainly never provided one for my verification:

https://www.paypal.com/cgi-bin/webscr?cmd=p/acc/seal-CA-unconfirmed-outside

Just the two micro deposits to a bank, or two micro charges on a cc.

And again, if I'm looking to protect against fraudulent, I have to wonder if the paypal account is legit and/or breached.  Just because you logged into paypal does not prove that you are the person who created the paypal account or purported to be the person who signed up for our service.

 

[Hxxx]

@ this is returned in the IPN, i.e. after the payment has been made. Of course you can choose to refund it if it comes from a non-verified account, but this costs you money.

AFAIK the only way to not accept payments from non-verified accounts is to use the "Authoried & Capture" scheme. Unfortunately i haven't seen any paypal module for the popular billing system which supports Authorize & Capture

Again, still if the customer refuses to provide any documentation you will have to refund what he paid. So basically why not just automate it with the API using the verified status condition?

Well variance makes that less than useful.  Their site makes no mention of requiring a license, and I certainly never provided one for my verification:

https://www.paypal.com/cgi-bin/webscr?cmd=p/acc/seal-CA-unconfirmed-outside

Just the two micro deposits to a bank, or two micro charges on a cc.

And again, if I'm looking to protect against fraudulent, I have to wonder if the paypal account is legit and/or breached.  Just because you logged into paypal does not prove that you are the person who created the paypal account or purported to be the person who signed up for our service.

Your point is valid. What guarantee will you give to the customer that his license or cc copy will not be leaked? Then again.. will you provide the customer with the required aid such as credit verification services for at least a year and such preventing measures that companies should provide upon personal data leaked?

You have to protect your business, still the customer also need to protect his identity. Balance needed.

Fun thread, moving on.

 

[rds100]

Again, still if the customer refuses to provide any documentation you will have to refund what he paid. So basically why not just automate it with the API using the verified status condition?

Could, indeed. I guess you could even automate it via WHMCS hooks.

Then again someone could automate and send you 1000 payments. You refund them all. You are short of $300 in paypal fees

 

[rds100]

So if someone wants to develop a paypal module for WHMCS which uses Authorize & Capture - i am willing to donate.

Also WHMCS integration / module for Jumio verifications would be nice.