Online Security

[PoshTiger]

I remembered that I had £50 in a textbroker account from a while back so I requested some random articles be created for testing.

They just sent me an email asking me to send over a scan of my passport to get the order started.

WTF - my passport? They said they require all first time orders to provide photo ID to start working on them.

I politely told them that I never send that kind of information anywhere - and I've no idea why they need this - I buy products and services over the internet all the time and have never been asked for this.

I generally make up birth dates and other bits of personal information as you've no idea what security processes are in place with internet based companies but this is probably the worst 'pseudo' security policy I've ever happened upon.

I asked for a refund which they've agreed to but they still think they're justified in asking for this scan.

<gobsmacked>

 

[Retired_Member42]

It's ridiculous isn't it. I always have a nightmare with verification living abroad with UK banks/credit cards etc. I'm flagged for fraud constantly. I've also found that a lot of the freelancer sites are forcing you to provide photo ID too. I was managing workers on PeoplePerHour.com for a client and he had all the billing etc in his name. I hired workers, got the jobs done and when it became time to pay they wanted photo ID from me before they'd release the payment. No mention of it when posting the job. No mention of it when accepting workers and no mention of it when it came to uploading funds into the online wallet. Luckily the workers were able to send their e-mails to me via the messaging system so I could pay directly but it was extremely frustrating. I didn't want to provide my own ID as I was managing workers on behalf of someone else but the whole security process was completely over the top. PeoplePerHour.com in particular are refusing to accept workers if they don't have a profile photograph. You can't even use your company logo. It's security gone mad.

 

[ChrisMM]

A while back when I was ordering servers from a US hosting company, they required a passport scan as ID for the account.

Textbroker already know your name, d.o.b, address and payment information. They just want to verify it with a photo ID.

I understand your reaction, but realistically what could a criminal really do with a photocopy of your passport page?

 

[Adam H]

Etoro do the same and want a passport or driving licence to approve payments back into your account............but dont require it to take your money.

 

[PoshTiger]

A while back when I was ordering servers from a US hosting company, they required a passport scan as ID for the account.

Textbroker already know your name, d.o.b, address and payment information. They just want to verify it with a photo ID.

I understand your reaction, but realistically what could a criminal really do with a photocopy of your passport page?

Scans of passports can be used to verify your identity with pretty much any service, someone could represent me to change payment information to one of the contract companies I work with.

If you don't think it's a security risk then I recommend you read one of Kevin Mitnicks books about how you can social engineer people to do pretty much anything you want them if they think you're kosha.

Textbroker in particular also ask for scans of payment cards - I'm pretty sure they're not PCI compliant either.

Bonkers - I'm buying £50 worth of articles and I paid via paypal, that's still not good enough.

 

[Retired_Member42]

I understand your reaction, but realistically what could a criminal really do with a photocopy of your passport page?

I guess if it got into the wrong hands they could use it for the very things these companies are trying to protect against. If someone needs passport verification they need it to protect against something. Using the web hosting example, if I had someones passport page it wouldn't be difficult to change my name on PayPal, sign up in his name and send his passport scan for verification. Sure there would ultimately be a trail if you're using your own payment info but this is how all ID theft scams start. A copy of your ID of sorts, acquiring details about you and using your ID as verification and then scaling up and up once you've acquired several key identity pieces until you can pretty much become the person you're intending to scam.

 

[Retired_Member42]

If you don't think it's a security risk then I recommend you read one of Kevin Mitnicks books about how you can social engineer people to do pretty much anything you want them if they think you're kosha.

This is exactly what I'm talking about. Something as strong as passport ID, matching name and e-mail, you could get quite a bit of stuff together with a bit of creative social engineering. People are the weak link and begging for something over the phone or e-mail with a seemingly good / legit excuse and clear ID can lead to a lot of details being acquired. The more pieces of ID you have the stronger the pieces of the ID you can acquire.

 

[dazc]

I asked for a refund which they've agreed to but they still think they're justified in asking for this scan.

Since this is becoming common it's worth noting that, because just providing a scan will tick the box, you can have a ready made scan to hand with some essential details already changed.

They won't know you've done that.

 

[sdsinc]

I understand your reaction, but realistically what could a criminal really do with a photocopy of your passport page?

Many things, like setting up a verified paypal account (mentioned above) or you could even apply for credit or open bank accounts by mail. There are many possible approaches to identity theft.

If I really really must send a passport copy, I use an image editor like Gimp and I put a big, visible watermark on the scan, with the name of the website in the background.
It renders the scan pretty much unusable for any other purpose than verification.

Given that even the big corporations are routinely hacked, you can't really trust anyone with your personal data.

 

[UncleBob]

a clean, blank passport is pretty easy to obtain or forge. the trick in a fake one is getting accurate details to populate it with - passport number, name, date of birth, place of birth, etc - so that it sails through a scan and spot check at customs.

i've in the past given my passport number to a couple of Govt bodies - DVLA i think, and that lot that do the tax - so they can access the database and see i am who i say i am. other than that, no way anyone other that someone in uniform right in front of me is having anything to do with it, thanks.