What. The. Actual. Fuck.

#OneProvider requires "verifying" my credit card details by sending them a photo of myself holding my ID, and a photo of me holding the credit card in question.

Are they out of their minds? No, honestly, what have they been smoking and where can I get some!

#InfoSec

https://mastodon.social/media/CIpFvg9yMTlToU4MKmQ

@rysiek

.....I've been seeing phishing attempts asking for that same setup. 'guess this is where they got it from.

@munin that's pretty much what I told them in an e-mail.

Very tempted to take a photo of a random guy from Teh Intertubes, GIMP my CC into it, GIMP my modified ID into it, and send that. Because obviously they will have no way of verifying that the document in the photo is genuine.

That would be fraud, I guess, so I won't. But ffs, talking about counter-productive.

/me is now looking for a different provider

@rysiek that sounds like a setup for identity theft. Seriously it's stupid.

This reminds me of a credit card company asking customers to take interesting vacation pictures with their new card... Think niebezpiecznik covered that?

@mulander yeah. Dumbfucks.

@rysiek send it off to mainstream media and find a new provider.

@mulander @munin honestly, this doesn't even sound legal. I wonder what would happen if I sent this the private data ombudsman's office way.

@rysiek @munin it is not legal in Poland if you are still here. I recently told a bank to GTFO when they wanted to scan my ID - identifying with a document is not the same as storing and processing it.

@mulander @rysiek @munin The funny thing is that an identity card (named “proof of identity” in Poland) doesn’t actually prove anything besides the data it encompasses. Therefore you can use it for identification, but what’s probably required is authentication, so a photo of a user holding an ID could be imaginably stored as a proof that that procedure had occurred.

@rysiek It seems they’re trying to perform customer authentication in an analogous way to mortar services. The question is, are there any laws imposed by the #government that require this behaviour or is this the fault of some overzealous lawyer?

By the way, if they treated that seriously, they should require putting some additional data on the photos to protect from replay attacks.

@KrzysiekJ exactly. They're not getting my photo with my ID card for many reasons, potential replay by a malicious employee is one.

@rysiek did they tell you to smile and wear something sexy? LOL

@rysiek You mean so they can do a duplication attack and send that image off to someone else to identify as you? .)

@rysiek oh, @krzysiekj had already commented on replay attacks. *catching up*

@rysiek I think France has passed quite strict "anti-terror" laws in recent years, so possibly providers of online services have been pressed to make sure their (foreign) customers are identifiable. Even if that was the case (a conjecture on my part), this seems like a particularly absurd implementation...