

For your security, please email your credit card and driver’s license - troyhunt
http://www.troyhunt.com/2013/09/for-your-security-please-email-your.html

======
Terretta
What is with content that can't be seen unless you enable social media
plugins?

In this case, I'm not sure it's intentional (looks related to how Disqus is
embedded), but this is one of several such cases in the last couple weeks.

~~~
r0h1n
I face that all the time as a user of NoScript+Ghostery+Adblock. I have to go
through a process of whitelisting trial and error with new websites I come
across every day.

I wish there were a whitelist I could subscribe to that would enable only
those domains that are critical to loading content & comments for websites I
visit.

~~~
seiji
Run Disconnect instead of Ghostery. Ghostery had a big fad following a while
ago, but it's not actually good for you. Disconnect is much better.

(and stop running NoScript (nobody is designing sites to work for you), just
run with Click to Plugin enabled, Disconnect, and ABP)

I've seen a lot of these "I can't see the article until I disable my 40
extensions" complaints recently, but they all work fine with my combination of
Disconnect and ABP.

~~~
yareally
Oddly, I can see it just fine with JavaScript disabled. I do not use NoScript
(I use Opera 12 and whitelist sites to allow JS or not via per site
settings[1]). I also have Disqus added to my hosts file (but disabling JS will
have the same effect). I would guess perhaps NoScript decides to partially
allow some scripts and not others, making for chaos? That just seems like a
mess waiting to happen that no developer can 100% predict. No JS or all JS is
much easier, but half blocking is not so much when there's dependencies.

However, I realize when sites fail (re-enable JS) and adjust accordingly as
anyone that does such things should if they're blocking content (though I'm
used to adjusting since I've been using a browser with a minority user base
for years). Alternatively, view it via Google cache search (and add strip=1 to
the end to remove all images and JS) and run it through readability. While I
would prefer all sites to not assume, that's not going to happen and comes
down to if I care enough to work around to see the site content or just move
along and deem it not worth it.

[1]
[http://help.opera.com/Windows/12.10/en/sitepreferences.html](http://help.opera.com/Windows/12.10/en/sitepreferences.html)

~~~
lukeschlather
I only use Noscript, and I can view the content.

I primarily use NoScript because it does a really good job of blocking modern
popups.

~~~
Amadou
I use NoScript because essentially every browser exploit in the last decade
has had javascript as a necessary component. Running the minimum amount of
javascript protects against even zero-day attacks.

I say web developers who put their convenience ahead of my security are
bastards.

------
Amadou
I'm surprised the article missed the single biggest problem with requesting
copies of "identity documents" - the company you send them to has no way to
verify them!

In his example they wanted copies of utility bills and a driver's license
either domestic or foreign. Clearly they have no way of verifying the
authenticity of foreign driver's licenses from arbitrary countries. At the
very best they might have a book that shows samples of valid licenses, but no
way can they verify the data on the license.

And if they could do it that would be a pretty serious breach of privacy. The
government agency that issues licenses has no business telling arbitrary
people if so and so lives at a certain address - back in 1989 the actress
Rebecca Schaeffer was shot point-blank at her front door by a stalker who
looked up her address at the local dept of motor vehicles precipitating a
major change in privacy of license records.

Basically any of these documents can be photo-shopped or even made up
completely from scratch and the company requiring them would not be any wiser.

So, these policies don't improve security for anyone - legitimate customers
become less secure and the company is just as susceptible to fraud.

~~~
true_religion
> I'm surprised the article missed the single biggest problem with requesting
> copies of "identity documents" - the company you send them to has no way to
> verify them!

I'm not so sure about that. Bars have machines to scan your driver's licence
and verify if it's real, so why can't other companies do the same thing?

As for arbitrary licences...they could either not work for the US, or demand
passports which can be verified against someone.

~~~
Amadou
_I'm not so sure about that. Bars have machines to scan your drivers licence
and verify if its real, so why can't other companies do the same thing._

No, those machines don't work that way. They just check for integrity in the
physical license itself: hologram in the right place, etc. -- something you
can't do with a scanned copy of a license. They don't have a master database
that they phone home and check in with to see if the data on the card is
forged.

Actually, they do have a database - of the info they read off the cards. The
bars use that info for two things: (1) if you are enough of a troublemaker,
they put you on the list to reject next time. (2) they also sell all of their
card scan info to the data brokers. That's right, places like Equifax, TRW,
etc know the time and date of every time you went to a bar that scanned your
ID.

------
sharjeel
Looks like this thread is still alive:
[http://serverfault.com/questions/293217/our-security-auditor...](http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants)

------
sveit
If I saw this in my inbox, I would think it is a phishing attack. By sending a
legitimate email like this, Big W is making it much easier for their customers
to succumb to phishing.

------
jzs
Paypal asked me for the same data 6 years ago to unblock my account. (I was
not a merchant, just doing a purchase on my card)

I told them to fuck off but haven't been able to open a new account since they
manage to keep linking such to my old blocked one. They pretend it's for my
security as well to protect against fraudulent acts.

It's none of your business. In Denmark the bank will protect us against
fraudulent acts.

Once again, Fuck off.

------
superuser2
Related story: After updating to iOS 7, Google Authenticator lost my AWS
2-factor token. The reset process requires me to hand over my driver's license,
proof of address, and a notarized affidavit confirming my identity.

As _cleartext email attachments_.

So anyone who gets into my GMail Sent Items folder has enough to take out
loans in my name, get into all my hosting accounts, etc. I requested a GPG
public key but the rep didn't have one and wouldn't create one. Wouldn't even
let me send an encrypted archive and share the password over the phone. It
_had_ to be email attachments or a link. I went with Dropbox so I can at least
shut off the link later, but anyone in a position to observe that email could
have already downloaded my identity documents.

I appreciate Amazon's resistance to social engineering there, but refusal to
use email encryption in the single most sensitive kind of email I will
probably ever send is just awful. Companies that require cleartext
transmission of proof of identity need to be held responsible for the identity
theft that inevitably occurs as a result.

------
brohee
"Fines will be levied in all cases where merchants are the subject of a
security breach and upon investigation are found to be non-compliant. The
average fines levied for a small merchant total around £15,000 which is
payable on top of any forensic investigation and remediation costs."

This is mitigated quite a bit by the extreme difficulty to report PCI-DSS
violation before they lead to outright fraud.

~~~
JimmaDaRustla
I believe there is a PCI requirement that a company's system must be evaluated
once every three months by a PCI approved vendor to ensure that data is being
kept secure.

To me, it seems kind of contradictory because if a company is being approved
by said vendors, then how could they be found non-compliant in a breach? Maybe
the quarterly vendor assessment isn't mandatory. _digs through documents_

EDIT: This quarterly scan is by an ASV and only evaluates the network in regards
to external IP addresses, so it does not check anything regarding how the data
is stored/transferred.

~~~
lotsofcows
My PCI DSS provider runs Nessus once a quarter. It's found a few bugs but it's
not an evaluation of anything other than my web facing server.

------
thaumaturgy
I had to go through a similar process when ordering a machine from an outfit
called "Mac of All Trades"
([http://www.macofalltrades.com/](http://www.macofalltrades.com/)) recently
(on behalf of a client). They requested my driver's license and the front _and
back_ of my business credit card.

I went back and forth with their customer support over this. I pointed out how
easy it was to use free software to fake the "credentials" they were asking
for; I pointed out that the business email address they used to contact me +
the business phone number they used to contact me + the business website that
listed both + web.archive.org were at least as useful for verification of
identity; I pointed out that we order piles of stuff from tons of different
vendors and they were one of only two that requested this. They stonewalled
and I eventually acquiesced. (They were the only non-eBay source for a machine
that this client wanted at anything resembling a decent price.)

I pointed them to SiftScience and Bruce Schneier's article on security
theater. In the end it didn't seem to do any good. I was friendly with them
about it at the time but have gotten grumpier about it since.

I think I'll send them a link to this article and this thread.

------
johnmurch
HostGator pulled this exact crap with me. I said forget it and moved onto a
different host for a client. I am just SHOCKED as it was "policy" for them to
have a copy of drivers license/passport and a credit card on file!!!!

~~~
arjie
Hetzner required passport and some other stuff. I caved.

~~~
thejosh
Most hosting companies require a drivers license or similar, very few don't
anymore.

Softlayer and Hetzner are the two that I remember needing this, both seemed
fine with my expired one I scanned ages (2008 or something) ago - I couldn't
be bothered scanning my new one.

But really, it might stop some people but it's easy enough to fake it if you
really wanted to do something bad.

------
kamjam
It's scary that this kind of thing ever comes up, you would think this kind of
thing is blindingly obvious. Having said that, I seem to recall even Paypal
asking me to send them copies of my passport/ID and various other info
when there was an issue on my account. I can't recall whether it was by email
or uploaded through their site though...

Question: Before writing these articles* does Troy Hunt go through a
responsible disclosure with the businesses in question, much like you would if
you found a security flaw in Microsoft/Facebook/Google/etc?

* (not this one so much, but some of the other articles he has written - eg. [http://www.troyhunt.com/2013/09/web-security-dark-matter-dev...](http://www.troyhunt.com/2013/09/web-security-dark-matter-developers-and.html))

~~~
danielbarla
Having recently changed my password with PayPal, I somehow doubt they are
serious about security. They enforce a maximum length limit, disallow spaces
and other "non-printable" characters (!), etc.

~~~
kamjam
The number of sites that disallow "special characters" is annoying me, esp
when they "encourage" tough passwords... it would also be nice, before sending
me a password reminder, if you reminded me of your rules of your password
policy - that is often enough to trigger me to remember my password!

~~~
joeframbach
correct horse battery staple

------
ChuckMcM
This is what happens when you do s/fax/email/g on all of your processes.

------
dalore
So say a restaurant wants me to give them my card details to make a
reservation but I'm in a crowded place (like on a train). I offer to email the
details and they accept. I know it's bad but I would rather email my details
than say it loudly over the phone and have everyone hear it. Now did they
break PCI? Or not because I was the one who offered to send my details.

How does one send their credit card details securely to a brick and mortar
store?

Via email I know it's insecure but if unauthorized charges do appear I can
(and will) contest them and get a new card, so really the bank is taking on
risk.

~~~
jerf
The credit card is designed for the use case of reading it out over the phone.
Part of the reason they aren't free is that credit card usage includes
insurance fees against fraud and such. By design, the credit card is designed
to be used in an only "mostly secure" manner.

This goes back to the fact that security is not about building impenetrable
walls around the thing being secured, and if there's the slightest breach the
security is "failed". It's about raising the costs of penetrating the security
above the value of penetration. When computers aren't involved [1], it's "hard
enough" to gather enough cards to make fraud worthwhile, and even harder to
get away with it. (Not impossible... just "hard enough".)

[1]: One of my favorite personal sayings: "To err is human. To fuck up a
million times per second, you need a computer." Fraudulently obtaining ten
cards by working as a waiter and stealing them over the course of a day is one
thing, stealing 25 million in ten seconds from a computer is quite another.

~~~
dalore
If it can be read over the phone, or written on the outside of mail order
catalogs, why is it not ok to send it via email?

Reading it over the phone people around you can hear it, and say you have
children who then go on to use it, are you going to call that fraud (and
potentially have something brought against your children)?

~~~
jdbernard
Because the physical distance your voice can be heard is a much, much smaller
pool of people, and it is safe to assume that it generally excludes credit
card fraudsters. _edit to add_ : This is also why it is suggested that you
wait until you are off the subway to make a purchase over the phone, for
example. Who knows who's listening.

Email is available world-wide. Email is not generally secure, and the message
is not protected as it is sent on the wire. It is not very difficult for a
determined attacker to harvest your email and scan it for common structured
data like credit card details. The potential audience here is much, much
bigger and is made up of many sharks.

If your kids use your card it is easy to control, you can probably return the
purchases and clear up the matter yourself. If a mob in Russia gets your
details and starts making fraudulent charges, chances are either Visa or your bank
are going to have to just give you the money to cover the fraud with no
realistic recourse of recovering it themselves.

~~~
jerf
"It is not very difficult for a determined attacker to harvest your email and
scan it for common structured data like credit card details."

In particular, let me highlight that _scan_ part. The attacker in question is
probably not attacking you personally... the hacker is simply spreading a
dragnet as wide as possible and running a simple RE over the whole thing. The
odds that a hacker is attacking "your" email is low, the odds that your email
is part of some dragnet somewhere is non-trivial, in a world of bot nets and
rampant compromises.
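
A defender-side illustration of the point jdbernard and jerf make above (bulk scanning of mail for structured card data): the same digit-pattern-plus-Luhn check, turned around as an outbound DLP filter that flags cardholder numbers before a message like dalore's leaves the mailbox. This is an added example, not code from the thread or from any product; the sample messages, the function names and the regex are constructed for it.

```python
import re
from typing import List

# Candidate runs of 13-19 digits, optionally separated by single spaces or dashes.
# Constructed for this example; a production DLP rule set would be broader.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that card numbers carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return masked card-number-like strings in text (Luhn-valid candidates only).

    Masking keeps the first 6 and last 4 digits, the most PCI DSS permits to be shown.
    """
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def should_block(message: str) -> bool:
    """Policy hook: refuse to send an outbound message that carries a cardholder number."""
    return bool(find_pans(message))


# Constructed sample messages. The card numbers are the widely published payment
# test numbers, not real accounts; the tracking number is a random 13-digit string.
SAMPLES = {
    "booking": "Hi, please hold a table for 4. Card: 4242 4242 4242 4242, exp 09/25.",
    "order": "Order #10023 confirmed, tracking 1234567890123 will follow.",
    "sneaky": "Number is 5555-5555-5555-4444, thanks!",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, find_pans(body), "BLOCK" if should_block(body) else "ok")
```

The Luhn step is what keeps the tracking number in the "order" sample from being a false positive; the "sneaky" sample shows why separators have to be stripped before checking.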

------
qdog
I've had this type of request for certain online things before. I've always
assumed it was for the company's security, not mine. While it might be
unreasonable for a purchase, if you want secure shell or something on a hosted
server, I can see where verifying you are who you say you are would be
valuable. I certainly wouldn't hand out shells to random people on my own
servers.

Of course, you might use a different method than email to deliver the required
documents a little more securely.

------
jedbrown
Ctrip.com, a Chinese travel site, does this for purchases with a non-Chinese
card. I spent a lot of time on the phone explaining why requesting that
customers email such information was inexcusable. I've encountered similar
problems with badges for site visits at some companies and national labs
(which have strict guidelines on PII, including numerous "training courses",
but poor implementation and admin staff often overlook the requirements).

~~~
nucleardog
Namecheap did this to me a while back. For some reason I must have appeared
fraudulent, although I can't imagine why.

They (IIRC) asked for a photo of an ID card with the name of the person on the
credit card and a photo of something tying that name to the address provided.

Our driver's licenses have our addresses on them. Sent in a photo of a driver's
license with all the other information obscured... So it was just the
government's identifying marks, the name, address, and photo. The license
number, height, weight, barcode, etc were all obscured. In retrospect, a nice
big watermark that said "FOR NAMECHEAP ONLY" would have maybe been a good
addition.

It was sufficient for them.

I saw no issues with it as far as a security measure. It wouldn't take much to
find my name, picture, or address just digging around online - never mind with
access to my email.

------
snake_plissken
Doesn't Mt Gox require copy of your ID to 'verify' you?

~~~
aroch
It's to verify that you're a real person -- the same real person as attached to
the bank account -- and that you're in the US (or whatever country). There are
tax and liability considerations when you're moving money.

~~~
yebyen
Not to mention "Know Your Customer" and Anti-Money Laundering laws for money
service businesses. Given that you can't really get "money" out of Mt.Gox at
this point in time (only bitcoins), it seems like mostly a formality at this
point so that next time the feds come to seize all of Mt.Gox's holdings, they
can show that they've been crossing all of the t's and dotting all of the
lower-case j's ever since the last time they unwillingly paid $5mil to the
government.

