Photo ID Request

Not sure if this discussion is breaking any form rules (Richard will decide) but I have just been asked to verify my account with photo ID by an on-line trading site. I can see no reason for this and will cease using them if there is no alternative. My son was scammed just two weeks ago where someone hacked into his account and purchased an item. I do not trust their protection software and they were very unhelpful when he spoke to them about it. Has anyone else come across this?

This sort of security check is becoming increasingly common. If you were making a transaction face-to-face you probably wouldn’t question such a request, but now that we do so much online the security procedures need to be just as rigorous. Regulations often require it too. Money laundering, tax evasion and identity theft are all on the rise, and measures to reduce this are needed.

Imo the less personal info you have online the better. This is why I have no social media presence. If scammers get hold of your photo ID it does not bear thinking about what damage they could cause. Looks like my days of buying/selling online are coming to an end.


I had to provide a notarised residency document issued and stamped from city hall to use Transfer-Wise and mail it by post as a form of “witnessed” proof of name and address.

I’ve gotten use to having to have my photo ID photocopied even for in-person transactions like joining a second hand bookclub or registering that I’m looking for a flat with an estate agent, or just to renew my phone contract.

Do I like it? Not at all. Do I have a choice? Well yes, I can shun it all and live like a hermit with access to very few services.

Many banks are worse. I’ve worked with a few who mandate customers on online banking install endpoint security software that is itself, basically a keystroke logger and root kit. In one case it could not even be uninstalled once on. Was very heavy. Sent all a users keystrokes and user activity to servers in Tel-Aviv for “threat profiling and analysis”. It was a bizarre solution. Kind of like cutting your arm off to prevent getting a splinter on your finger.

Scammers are becoming smarter as time goes on and online fraud has spiralled during the pandemic. The fact that my son’s account was hacked recently gives me zero confidence in their security protocols and ability to keep my personal information safe.

Your concern is well founded.

My bank (Mizuho) has informed me in writing no less than 4 times in 20 years that my personal information had been obtained in data breaches. And the most recent one was a dual notification that my data had been stolen in their breach and my card had been maxed out.

When I worked for a market infrastructure supporting nearly all global banks, many of the support staff entrusted their savings to the mattress. The things we saw on a daily basis. Not anywhere near the number of checks and balances and [functional] resiliency that they are supposed to have. It’s all smoke and mirrors and amateur hour by even the world’s largest institutions.

1 Like

Many years ago I got a similar demand to book a cottage with Airbnb… I told them to ‘…on a bike’ and went elsewhere.

I would agree - always question what is asked for online or over the phone.
I went through a period with First Direct Bank where they would ring & ask me to confirm my identity before discussing what they had rung me for! And then got snotty when I asked for their department number so I could call back.

The really worrying one for me is DeepFakes - $200 to have one made of anyone! very soon you’ll not be able to believe anything you see or hear unless you can actually touch them.

The NHS app (not the COVID track and Trace app), as security to allow you access a COVID passport, your more detailed medical records, order repeat prescriptions etc require a photo ID, they then go on to get you to take a ‘selfie’ (it looks like a basic pencil drawing of your pertinent facial features).
Upto 24 hours later and I presume after facial recognition software has done it thing full access is granted.

Odd! That app doesn’t ask me for photo id.

Needed photo of driving licence.

Sister in law was also asked both of us in last couple of weeks.
(Could be cos I did it on my faceid iPhone)

I did it on my Face ID iPhone too!

I checked again earlier and it’s all working properly.

Strange indeed.

One of the most basic tenets of online security. Don’t post who you bank with.

Yep. Mine required photo ID and the recording of a short video saying key phrases.

Perhaps the requirements are varying over time?


It may come as a shock to you, but my name is not “feeling_zen”

Besides, it’s not strictly true either. I held a security officer role at SWIFT for the best part of a decade. Bank, account name, account number, sort code and BIC can only be used to place money into an account. There is no mechanism for that information to be used for a withdrawal.

Now the social engineering aspect is of course a different matter. Should a person convey any information more than is strictly necessary? That is up for each person to decide whether they feel suitably guarded enough. In many countries (certainly the one I live in), person to person bank transfers are the most common way of making payments. Nearly all businesses accept it as an alternative to credit card, but more importantly it is the preferred method for most online auctions here. Major sites are just packed with hundreds of thousands of bank details of each seller which are stored and published by sites operating in the country.

In the case of Japan, to make a withdrawal, you need physical tokens. RSA OTP generators, passcode matrix cards etc for online transfers and withdrawals. A registered seal for in-person withdrawals.

By far the greater risk is to people of a vulnerable disposition. The fake phone calls claiming to be from their bank asking for personal details to confirm identity. Though as mentioned, the requirement of tokens makes that pretty useless in my part of the world. Most common is simply using the name of a person’s grandchild and calling pretending to be them and asking for large sums of money to get out of some imaginary trouble. The so called “It’s me. It’s me” scams.

Working with mostly customers in the financial sector for close to 2 decades, one shocking truth is that a breach is more likely to originate from a financial institution than a customer. They are so preoccupied with box tick security requirements that any security gaping hole unique to them that is not on some mandated audit is basically ignored. The reason is simple. Audit failures are more of a risk in terms of fines or a suspended banking license than actual breaches. If bank ticks all the box but an attacker walkaway with the crown jewels from a hole that was obvious but not on the audit, they can go to the regulator and wave the audit to show compliance. On the other hand, if they work diligently with security experts to really analyse security and close lines of attack (social or technical) but fail to tick some box on an audit (perhaps something that is irrelevant to how they operate), then they can get smacked with serious fines without even having a breech. In many respects compliance requirements have made things far less secure because the goal is not security. The goal is simply ticking the right boxes.

As a result, I work with major banks who have compliance requirements coming out of their ears and yet have the most appallingly lax practices in any area not audited. Passwords on screens visible to vendors; shared system accounts; shared vendor support credentials - really shocking stuff, that lets a wide number of people who don’t even work with the bank or are ex employees continue to have access to information.

1 Like

Point taken. However, the Naim forum does not hold enough useful personal info to be of use to fraudsters, not even phot ID.
Incidentally, my son did receive a refund of the monies eventually from the “well known online trading platform” but it took a lot of legwork on his part. I still feel they could have explained the reasoning behind asking me for the extra photo ID rather than holding me to ransom (provide a photo or your account will be locked). It also seems very disrespectful after using their services for over 20 years and now it feels like they suddenly they don’t trust me.

You would think so! About twenty years ago our company was stung for 20K. What happened was our bank received a fake fax giving our bank details and asking for 20K to be transferred to someone else’s account. It was signed with a totally bogus signature. The bank honoured the request! It was only when we spotted it on the bank statement that alarm bells started to ring! A shouting match with the bank ensued and they admitted that this was very poor security and they refunded the 20K.

That seems common. I have been using a “well known online trading platform” for about 17 years. Last month they decided to keep my sale proceeds for three weeks because they changed a process and I’m now a new seller. I don’t think I’ve given them photo ID yet though.