With fraud on the rise, a need to secure tax revenues, and a global commitment to reducing money laundering, it’s no wonder that regulation requires ever more stringent verification of customers’ identities. The trouble is that something which used to be the province of banks has become the province of, well, everyone. Including any number of businesses trading on-line.
I don’t terribly mind showing my driving licence and a bank statement or utility bill in a shop to prove I am who I say I am. I get a little jumpy if they want to take them out of my hands, and jumpier still if they want to take a copy or a scan; after all, I do security auditing for a living – I know how badly they’ll look after it once it’s out of my hands.
If we’re talking about a bank, or an insurance company, I can live with it. They’ve got the depth of pockets to compensate me if they’re breached; they have a demonstrable need for the information, and there is – usually – a significant financial exposure on both sides.
But I really do draw the line at being asked to email two pieces of prime identity-theft material to an on-line manufacturer of vehicle number plates. I understand the problem – although I’m unsympathetic: our government, in its wisdom, to crack down on people faking plates to avoid traffic fines requires such manufacturers to check that the customer has a legal right to the plate.
However, asking me to send them scans of:
Either my driving licence, a recent council tax/bank/utility statement, passport, debit/credit card (!), warrant card or forces ID card
and
the vehicle registration document (or one of the various alternatives thereto)
…is ridiculous.
Let’s just gloss over the suggestion that I might send them a scan of my credit card. Someone in PCI-DSS must be really enjoying that one. Effectively I’m paying them a little under £20 in return for which I get a rectangular piece of plastic and hand over everything they need to steal my identity; or, less confrontationally, everything someone else needs to do so after this – small, and doubtless not terribly secure – internet vendor is breached. I’m also telling whomever gets the material where I live and what I leave parked outside. That feels safe.
Here’s the thing. To buy the plate, I had to a) tell them my name and address, b) give them the registration number of the car and c) pay them. I used PayPal. So without needing anything else from me, they have everything they need to verify my identity and my right to the plate. PayPal has already done full KYC on me – they’re an electronic money institution, so bound by full EU KYC regulations – and you can find out if I’m the registered keeper of the car by checking with the DVLA.
This kind of delegated identity verification is at the heart of the government’s identity assurance project. Although I have all sorts of reservations about that project, if it helps us keep our critical personal information inside a tighter perimeter that at least must be a good thing.
Oh, and as a PS: the only reason I used this particular vendor is because they took PayPal, so I didn’t have to give them credit card details. Ironic, really – especially since there’s no shortage of number plate vendors based outside the UK who’ll do you a plate no questions asked [Edit: a correspondent asked me to make it clearer that this would be illegal – for the manufacturer and, more importantly, for the purchaser; happy to do so]. Needless to say I’ll be writing the £20 off to experience and going to Halfords like everyone else. Inconvenient, but I get to keep my hands on my identity a little longer.
A bigger picture 