Photo ID Request

Not sure if this discussion is breaking any forum rules (Richard will decide) but I have just been asked to verify my account with photo ID by an on-line trading site. I can see no reason for this and will cease using them if there is no alternative. My son was scammed just two weeks ago where someone hacked into his account and purchased an item. I do not trust their protection software and they were very unhelpful when he spoke to them about it. Has anyone else come across this?

This sort of security check is becoming increasingly common. If you were making a transaction face-to-face you probably wouldn’t question such a request, but now that we do so much online the security procedures need to be just as rigorous. Regulations often require it too. Money laundering, tax evasion and identity theft are all on the rise, and measures to reduce this are needed.

Imo the less personal info you have online the better. This is why I have no social media presence. If scammers get hold of your photo ID it does not bear thinking about what damage they could cause. Looks like my days of buying/selling online are coming to an end.

I had to provide a notarised residency document issued and stamped from city hall to use Transfer-Wise and mail it by post as a form of “witnessed” proof of name and address.

I’ve gotten used to having to have my photo ID photocopied even for in-person transactions like joining a second-hand book club or registering that I’m looking for a flat with an estate agent, or just to renew my phone contract.

Do I like it? Not at all. Do I have a choice? Well yes, I can shun it all and live like a hermit with access to very few services.

Many banks are worse. I’ve worked with a few who mandate that customers on online banking install endpoint security software that is itself basically a keystroke logger and rootkit. In one case it could not even be uninstalled once on. Was very heavy. Sent all of a user’s keystrokes and user activity to servers in Tel-Aviv for “threat profiling and analysis”. It was a bizarre solution. Kind of like cutting your arm off to prevent getting a splinter on your finger.

Scammers are becoming smarter as time goes on and online fraud has spiralled during the pandemic. The fact that my son’s account was hacked recently gives me zero confidence in their security protocols and ability to keep my personal information safe.

Your concern is well founded.

My bank (Mizuho) has informed me in writing no less than 4 times in 20 years that my personal information had been obtained in data breaches. And the most recent one was a dual notification that my data had been stolen in their breach and my card had been maxed out.

When I worked for a market infrastructure supporting nearly all global banks, many of the support staff entrusted their savings to the mattress. The things we saw on a daily basis. Not anywhere near the number of checks and balances and [functional] resiliency that they are supposed to have. It’s all smoke and mirrors and amateur hour by even the world’s largest institutions.

Many years ago I got a similar demand to book a cottage with Airbnb… I told them to ‘…on a bike’ and went elsewhere.

I would agree - always question what is asked for online or over the phone.
I went through a period with First Direct Bank where they would ring & ask me to confirm my identity before discussing what they had rung me for! And then got snotty when I asked for their department number so I could call back.

The really worrying one for me is DeepFakes - $200 to have one made of anyone! Very soon you’ll not be able to believe anything you see or hear unless you can actually touch them.

The NHS app (not the COVID Track and Trace app), as security to allow you to access a COVID passport, your more detailed medical records, order repeat prescriptions etc, requires a photo ID; they then go on to get you to take a ‘selfie’ (it looks like a basic pencil drawing of your pertinent facial features).
Up to 24 hours later, and I presume after facial recognition software has done its thing, full access is granted.

Odd! That app doesn’t ask me for photo id.

Needed photo of driving licence.

Sister-in-law was also asked, both of us in the last couple of weeks.
(Could be cos I did it on my faceid iPhone)

I did it on my Face ID iPhone too!

I checked again earlier and it’s all working properly.

Strange indeed.

One of the most basic tenets of online security. Don’t post who you bank with.

Yep. Mine required photo ID and the recording of a short video saying key phrases.

Perhaps the requirements are varying over time?

Erm.

It may come as a shock to you, but my name is not “feeling_zen”

Besides, it’s not strictly true either. I held a security officer role at SWIFT for the best part of a decade. Bank, account name, account number, sort code and BIC can only be used to place money into an account. There is no mechanism for that information to be used for a withdrawal.

Now the social engineering aspect is of course a different matter. Should a person convey any information more than is strictly necessary? That is up to each person to decide whether they feel suitably guarded enough. In many countries (certainly the one I live in), person-to-person bank transfers are the most common way of making payments. Nearly all businesses accept it as an alternative to credit card, but more importantly it is the preferred method for most online auctions here. Major sites are just packed with hundreds of thousands of bank details of each seller which are stored and published by sites operating in the country.

In the case of Japan, to make a withdrawal, you need physical tokens. RSA OTP generators, passcode matrix cards etc for online transfers and withdrawals. A registered seal for in-person withdrawals.

By far the greater risk is to people of a vulnerable disposition. The fake phone calls claiming to be from their bank asking for personal details to confirm identity. Though as mentioned, the requirement of tokens makes that pretty useless in my part of the world. Most common is simply using the name of a person’s grandchild and calling pretending to be them and asking for large sums of money to get out of some imaginary trouble. The so-called “It’s me. It’s me” scams.

Working with mostly customers in the financial sector for close to 2 decades, one shocking truth is that a breach is more likely to originate from a financial institution than a customer. They are so preoccupied with box-tick security requirements that any gaping security hole unique to them that is not on some mandated audit is basically ignored. The reason is simple. Audit failures are more of a risk in terms of fines or a suspended banking license than actual breaches. If a bank ticks all the boxes but an attacker walks away with the crown jewels from a hole that was obvious but not on the audit, they can go to the regulator and wave the audit to show compliance. On the other hand, if they work diligently with security experts to really analyse security and close lines of attack (social or technical) but fail to tick some box on an audit (perhaps something that is irrelevant to how they operate), then they can get smacked with serious fines without even having a breach. In many respects compliance requirements have made things far less secure because the goal is not security. The goal is simply ticking the right boxes.

As a result, I work with major banks who have compliance requirements coming out of their ears and yet have the most appallingly lax practices in any area not audited. Passwords on screens visible to vendors; shared system accounts; shared vendor support credentials - really shocking stuff, that lets a wide number of people who don’t even work with the bank or are ex-employees continue to have access to information.

Point taken. However, the Naim forum does not hold enough useful personal info to be of use to fraudsters, not even photo ID.
Incidentally, my son did receive a refund of the monies eventually from the “well known online trading platform” but it took a lot of legwork on his part. I still feel they could have explained the reasoning behind asking me for the extra photo ID rather than holding me to ransom (provide a photo or your account will be locked). It also seems very disrespectful after using their services for over 20 years and now it feels like they suddenly don’t trust me.

You would think so! About twenty years ago our company was stung for 20K. What happened was our bank received a fake fax giving our bank details and asking for 20K to be transferred to someone else’s account. It was signed with a totally bogus signature. The bank honoured the request! It was only when we spotted it on the bank statement that alarm bells started to ring! A shouting match with the bank ensued and they admitted that this was very poor security and they refunded the 20K.

That seems common. I have been using a “well known online trading platform” for about 17 years. Last month they decided to keep my sale proceeds for three weeks because they changed a process and I’m now a new seller. I don’t think I’ve given them photo ID yet though.