[echopom]

> Why - in your opinion - is it worse for consumers when these-type businesses (which ask for identity), use their own-rolled id verification than using Stripe's?

The point isn't so much using third party , we use a third party on prem.

My point is very simple : Why on earth would you let discord view my passport ? JUST WHY ?!

Those documents are very sensitive and no one should have access to them unless they have a VERY good reason to do so. PCI DSS treat "card information" like hot lava, the same model should have applied here.

Stripe should have acted as a "Trusted Party" and securely store those documents without giving access to it but just let you extract the information from it.

Thus you would been able to have uniquely identified user , backed up by government id , but you can't get access to the documents and sensitive data should have been redacted .... just like Card Number...

Again unless you are a Fintech / Financial Instituion , with a VALID in effect license , you should not have access to those documents.

[ROARosen]

I totally agree. Businesses should not legally be allowed to access more information than they need. Like why do hospitals ask for my Social Security number? I know I can refuse it, but if they really don't need it shouldn't it be illegal for them to needlessly probe my identity?

And the list goes on...

[derefr]

If you've ever been carded at a bar/liquor store in a foreign country, then that random small business has seen your passport, no? How do you feel about that?

[supernovae]

Being human to human, unless they're wearing tech that would allow them to scan/archive it, normally they just verify (eyeball it) and you get it back.

Here, with this system, they could verify and keep the data regardless of what I think is going on.

[derefr]

If you can't assume that a website you upload a scan of your ID to isn't capturing details about it, then you can't assume that a bouncer checking your ID isn't wearing a surreptitious HMD, no? In both cases, you're submitting your PII to an unknown process that seems like it should be safe, but with no previous experience or brand-image there to tell you whether there's actually any proof that it's safe.

[jlokier]

That's a silly stretch. It's vastly more likely that a website fetching copies of a passport image is leaking copies or leaving the files where it shouldn't by accident and has the data exfiltrated by third party identity thieves, compared with a bouncer having a secret scan-quality camera installed by identity thieves without the bouncer noticing.

[derefr]

Who said anything about the bouncer not noticing? I'm presuming that the bouncer is the identity thief. If you're looking to make money as an identity thief, being a bouncer is the perfect job!

There was a story on Reddit a few months back, about a bouncer who, when handed real ID cards, claimed they were fakes, and proceeded to immediately "cut them up" (so that people didn't feel any need to demand them back, since what are you going to do with scraps of an ID card?) The bouncer was actually palming the real ID and cutting up a random piece of plastic instead, and then later handing the real ID card off to the owner, who sold them on the black market. One victim of this scheme figured it out after being a victim of identity theft, as they traced back a submitted capture of the photo ID that some third-party had retained, to the one that got "cut up." The police raided the establishment, and a whole ring of people were caught up in it. It was a whole thing.

There's nothing that leads me to believe that this isn't a simple, obvious, repeatable, low-stakes, high-margin criminal business model. As such, it probably happens a lot.

[jlokier]

Wow, that's impressive.

I would still assume identity theft via websites being hacked is a lot more common, and likelihood is an appropriate factor when evaluating protective actions. But you make a good point about the bouncer.

[tracedddd]

Presumably they aren’t taking photographs of the passport and viewing them at some later date from personal computers.

[KptMarchewa]

In EU, you don't hand over ID/passport like credit card in US. You show it while keeping it in your hand. Second party can verify your age, while being unable to copy stuff like machine readable zone.