[ROARosen]

> Businesses that do not have a legitimate reason to view my sensitive document like Passport , should not be allowed to do so.

I get parent comment's totally legitimate security concerns. And businesses that have no business having my identity should surely not be asking for it. But I don't honestly understand how this has anything to do with Stripe. These businesses (which for whatever reason are asking for ID verification before doing business with you) are just using Stripes API to verify identity instead of just taking your info themselves.

Any customer giving their information presumably knows they are giving said business their identity documents, the customers might not even know that the business is using Stripe's API.

Furthermore, Stripe is ostensibly coming in here to streamline the process for business taking identity info from customers. Why - in your opinion - is it worse for consumers when these-type businesses (which ask for identity), use their own-rolled id verification than using Stripe's?

[echopom]

> Why - in your opinion - is it worse for consumers when these-type businesses (which ask for identity), use their own-rolled id verification than using Stripe's?

The point isn't so much using third party , we use a third party on prem.

My point is very simple : Why on earth would you let discord view my passport ? JUST WHY ?!

Those documents are very sensitive and no one should have access to them unless they have a VERY good reason to do so. PCI DSS treat "card information" like hot lava, the same model should have applied here.

Stripe should have acted as a "Trusted Party" and securely store those documents without giving access to it but just let you extract the information from it.

Thus you would been able to have uniquely identified user , backed up by government id , but you can't get access to the documents and sensitive data should have been redacted .... just like Card Number...

Again unless you are a Fintech / Financial Instituion , with a VALID in effect license , you should not have access to those documents.

[ROARosen]

I totally agree. Businesses should not legally be allowed to access more information than they need. Like why do hospitals ask for my Social Security number? I know I can refuse it, but if they really don't need it shouldn't it be illegal for them to needlessly probe my identity?

And the list goes on...

[derefr]

If you've ever been carded at a bar/liquor store in a foreign country, then that random small business has seen your passport, no? How do you feel about that?

[supernovae]

Being human to human, unless they're wearing tech that would allow them to scan/archive it, normally they just verify (eyeball it) and you get it back.

Here, with this system, they could verify and keep the data regardless of what I think is going on.

[derefr]

If you can't assume that a website you upload a scan of your ID to isn't capturing details about it, then you can't assume that a bouncer checking your ID isn't wearing a surreptitious HMD, no? In both cases, you're submitting your PII to an unknown process that seems like it should be safe, but with no previous experience or brand-image there to tell you whether there's actually any proof that it's safe.

[jlokier]

That's a silly stretch. It's vastly more likely that a website fetching copies of a passport image is leaking copies or leaving the files where it shouldn't by accident and has the data exfiltrated by third party identity thieves, compared with a bouncer having a secret scan-quality camera installed by identity thieves without the bouncer noticing.

[derefr]

Who said anything about the bouncer not noticing? I'm presuming that the bouncer is the identity thief. If you're looking to make money as an identity thief, being a bouncer is the perfect job!

There was a story on Reddit a few months back, about a bouncer who, when handed real ID cards, claimed they were fakes, and proceeded to immediately "cut them up" (so that people didn't feel any need to demand them back, since what are you going to do with scraps of an ID card?) The bouncer was actually palming the real ID and cutting up a random piece of plastic instead, and then later handing the real ID card off to the owner, who sold them on the black market. One victim of this scheme figured it out after being a victim of identity theft, as they traced back a submitted capture of the photo ID that some third-party had retained, to the one that got "cut up." The police raided the establishment, and a whole ring of people were caught up in it. It was a whole thing.

There's nothing that leads me to believe that this isn't a simple, obvious, repeatable, low-stakes, high-margin criminal business model. As such, it probably happens a lot.

[tracedddd]

Presumably they aren’t taking photographs of the passport and viewing them at some later date from personal computers.

[KptMarchewa]

In EU, you don't hand over ID/passport like credit card in US. You show it while keeping it in your hand. Second party can verify your age, while being unable to copy stuff like machine readable zone.

[marzell]

You seem to be contradicting yourself. Businesses are asking for Stripe to verify identity. These businesses just need verification, not copies of documents, but Stripe makes them available anyway. That's the whole contention.

As a consumer, I would expect Stripe would do the verification and give the business partner the result, but not all the data they used to get the results themselves.

[tevonsb96]

I actually disagree with this as well. The Hacker News user is not the average user. The average user has no idea what Stripe is, they assume that the business requesting a verification will have access to anything they submit.

I know this because we use Stripe Identity ourselves (in beta) and user's have no idea that Stripe and us are different companies.

[logifail]

> user's have no idea that Stripe and us are different companies.

Doesn't that imply that if there's a security breach at Stripe, that your users will blame you [too]

[booi]

That seems right. Businesses aren't islands, they work with other businesses to provide their services. But you as a business have an issue with a vendor/supplier, that's still on you. If McDonalds can't get fries, I don't blame farmer X for a failed harvest, I blame McDonalds for a fragile supply chain.

[bifrost]

We should figure out who McDonalds' ice cream machine maker is and ask them why their product keeps breaking down.

[wikyd]

This might be an interesting read: https://www.wired.com/story/they-hacked-mcdonalds-ice-cream-...