[superuser2]

Related story: After updating to iOS 7, Google Authenticator lost my AWS 2-factor token. The reset process requires me to hand over my drivers license, proof of address, and a notarized affidavit confirming my identity.

As cleartext email attachments.

So anyone who gets into my GMail Sent Items folder has enough to take out loans in my name, get into all my hosting accounts, etc. I requested a GPG public key but the rep didn't have one and wouldn't create one. Wouldn't even let me send an encrypted archive and share the password over the phone. It had to be email attachments or a link. I went with Dropbox so I can at least shut off the link later, but anyone in a position to observe that email could have already downloaded my identity documents.

I appreciate Amazon's resistance to social engineering there, but refusal to use email encryption in the single most sensitive kind of email I will probably ever send is just awful. Companies that require cleartext transmission of proof of identity need to be held responsible for the identity theft that inevitably occurs as a result.