| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by thaumaturgy 3938 days ago

I understand wanting to verify my identity; if you had asked me to just send a copy of my personal identification and then checked that against the payment information that you could have on file in a totally secure way, I would have groused but probably done it without too much complaint. (I might have pointed out how easy it is to falsify a scan of a driver's license, and how that makes this all smell a bit like security theater rather than real security...)

I didn't consider a reseller account because in this particular case the plan was just to be the guy that set up the account for the client and then hand everything off to the client, since that's what they wanted. Maybe that would've worked better.

I dig that Gandi takes social engineering into consideration and it's great that you want to do your best to make sure your customers don't have their domains stolen by bad actors, but I think there might be some room for improvement in figuring out who is and isn't a bad actor. This experience with Gandi was unusual compared to a lot of other companies I have to deal with, most of whom have to have some level of data security policies in place.

> We don't have access to any payment information that could reliably identify you, as it all goes directly through our payment processor.

That seems odd. I wonder if this is a technical limitation of your payment processor, or just something that's not implemented on your end, or if there's some other consideration that's keeping you from making it work. I'm pretty sure authorize.net makes transaction information available in a secure way to vendors, as does Stripe and a small number of other forgettable payment gateways I've had to write code for over the years.

If you did have the ability to see the last four of the credit card used to create the account (and I understand you didn't/don't), you could have asked that in a challenge/response manner and I think that would be even better than asking me to send fakeable images of identification -- which violates my personal security, because I have no guarantees whatsoever for what a company does with a scan of my driver's license after they receive it.

Anyway, I do appreciate you reaching out and taking the time to look into this, that shows you do care about your reputation.