
Nowadays, internet-only services have become very popular, for example direct banks and many others. The advantage of such services is that you don't have to spend time getting to an office in order to get a service; everything can be done online. However, the disadvantage is that you somehow have to confirm your identity, which usually implies sending a scan (a photo) of your official ID, etc. For example, to confirm your identity on Facebook you have to share an official ID with a photo; the same goes for branchless banking.

The question is how I can be sure that my official ID will not be used by someone in the company. A good solution could be to alter the scan (place a watermark, etc.), but such services require unchanged scans and photos. What could be a good solution in this case?

gar
  • You cannot be fully sure. It is a question of trust: trust that they don't misuse these data, trust that they keep the data safe from misuse by others, trust in your laws and law enforcement that it will punish misuse sufficiently ... – Steffen Ullrich Feb 26 '19 at 08:54
  • We need passwords to identify ourselves, not an ID. Please elaborate – again Feb 26 '19 at 08:54
  • @again, sorry, I meant to confirm your personal information (name, date of birth, etc...). – gar Feb 26 '19 at 09:04

1 Answer

The question is how I can be sure that my official ID will not be used by someone in the company.

You can't; there is no way to guarantee it will not be used. I know of systems that will send your data to a third party to determine if the passport and selfie photo are a match or not (bank account creation process).

However, back in the day when these services did not yet exist, a photocopy was made of your ID, hoping they'd store it in a proper way. So in a way the current services should be considered less prone to human errors.

Also, before these internet services, what kind of guarantee did you have that an employee would not use your photocopied identity?

When comparing back then with the current way of working, the risk level can be considered less. This assumes the current APIs and/or web services are considered sufficiently secure.

What could be a good solution in this case?

I do the same thing when I have to send a photocopy of my ID. I edit the scan and add a date and the company name I am sending it to (this way I know who leaked it when I find a copy of it myself).

One idea I have (which is not fail-safe) is to add metadata to the files that are sent to these services.

... but such services require unchanged scans and photos.

Do they really? From a technical perspective this is not really required. There is a difference between what they (as the company) want and what they (the company) need.

It could also depend on the country's laws about storing PII data.

Jeroen
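
The metadata idea from the answer above, as an added example that is not part of the original post: it writes a per-recipient tEXt chunk into a PNG scan without touching the pixel data, and reads it back from a copy found later. The function names, the 1x1 sample image and "Example Bank" are constructed for illustration; a PNG scan is assumed.

```python
import struct
import zlib
from datetime import date

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png):
    """Yield (type, data) per chunk; reject bad signature, truncation, bad CRC."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos < len(png):
        if pos + 12 > len(png):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        crc = png[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("chunk CRC mismatch")
        yield ctype, data
        pos += 12 + length

def tag_png(png, recipient, sent_on):
    """Return a copy of the PNG with a 'Comment' tEXt chunk placed after IHDR."""
    # tEXt is Latin-1 only; encode() raises for names outside that range.
    text = f"Sent to {recipient} on {sent_on.isoformat()}".encode("latin-1")
    out = PNG_SIG
    for ctype, data in iter_chunks(png):
        out += _chunk(ctype, data)
        if ctype == b"IHDR":
            out += _chunk(b"tEXt", b"Comment\x00" + text)
    return out

def read_tags(png):
    """List the 'Comment' tEXt values found in a PNG (e.g. a leaked copy)."""
    return [d.split(b"\x00", 1)[1].decode("latin-1")
            for t, d in iter_chunks(png)
            if t == b"tEXt" and d.startswith(b"Comment\x00")]

def make_sample_png():
    """Constructed 1x1 grayscale PNG standing in for a real scan."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")  # filter byte 0 + one gray pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
```

The tag survives only in byte-for-byte copies: re-encoding the image or stripping ancillary chunks removes it, which is why the answer calls the idea not fail-safe.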