echopom | 4 years ago
Some people at Discord now have access to the pictures of my passport that I uploaded during the verification process because they use "Stripe Identity".
The FAQ is very clear: Stripe gives you full access to those documents. It should NEVER do so.
Now that the very smart people at Discord have access to my passport, they can take out a 50K loan using my documents and face-check video, social security and some fake income documents.
They can also destroy my entire life because I maintain a political blog with views they don't really like that they consider "hate speech". These are exaggerated examples, but you get the idea.
I'm concerned by this, because more and more startups are going to use it to increase the value of their userbase to reduce fraud and look more attractive for their planned exit.
In the meantime, people having access to my personal documents is going to go exponential...
Again, I'm an architect in banking. We have 500+ partners selling loans for us, and they NEVER have access to your documents / personal data. They can only tell if the document has been approved, income range and some basic information. You don't know what they are going to do with those sensitive documents / info, even if you have a contractual agreement with them.
The banking industry has had a very simple rule that everyone has been following for decades: DON'T TRUST THIRD PARTIES. Stripe has decided to do otherwise I guess and I'm pretty scared about it.
Stripe Identity seems like Identity Theft as a Service.
mLuby|4 years ago
This is a good policy when ALL first parties meet a certain (regulatory) bar. For banks, I assume that bar is "don't become insolvent" and more recently "don't lend money to terrorists."
The problem is that, as we've seen from the countless hacks in recent years, the first parties are NOT all meeting the bar when it comes to security, namely "don't leak (or abuse) users' private personal info."
And that's unfortunate, because a lot of the time, all a company really needs to know is "does the registered account correspond (uniquely) to a real human (with certain legal characteristics)." Sometimes they need to know for compliance reasons ("our users are adults" or "aren't terrorists") and other times for uniqueness/fraud reasons ("We want to reduce spam accounts" or "we're paying users $10 to sign up and so need to make sure users aren't signing up multiple times"). It'd be great to be able to answer those questions without having to protect all that personal data that goes into answering it, similar to credit cards.
But your main point stands: if Stripe is allowing companies access to the collected data, then from a security point of view it's little better than having the companies collect and store it themselves. Hopefully Stripe explains their reasoning, or even better, course-corrects early in this launch.
OJFord|4 years ago
Why would you upload a copy of your passport to Discord, via a third-party or not? The issue here is just trusting people you shouldn't be trusting with things you shouldn't be trusting them with.
The alternative isn't WhizzBangApp doesn't request you upload documents, the alternative is they roll their own WhizBang ID service, or use a Stripe Identity competitor.
I know my bank needs to verify my driving licence or whatever, and I tr.. well banks are heavily regulated anyway, so I'm happy to upload it without caring whether they use Stripe Identity or their own or whatever.
I know Discord has no business with my passport or whatever, so they're not getting it whatever they use under the hood.
toomuchtodo|4 years ago
I let my Congressperson know policy is needed about online identity service providers needing better governance over identity data, as businesses aren’t going to do it voluntarily unless the law requires. This should probably be overseen by the CFPB, even though identity is a bit of a walk from finance (while Stripe is still primarily a financial services provider).