Apple asked me for my BANK statements, says outraged reader

Apple is believed to have asked some online shoppers to hand over copies of their driving licence, passport and bank statements to verify their identity. A concerned Reg reader alerted us to Apple's data-slurp requests after she received one herself - and was told by her bank that they had never heard of private companies …

COMMENTS

This topic is closed for new posts.


Silver badge

Re: "she emailed over copies of them... and then immediately began panicking"

> certain that at the very least - the email was going to *someone* at Apple.

Well, you can be certain that one of the recipients is someone at Apple. Since email is generally not encrypted or secured against any form of interception or copying, your ID details could have been intercepted by anyone at any of the ISPs it crossed, not to mention anyone the anonymous Apple employee forwarded it to, deliberately or accidentally.

1
0
Thumb Down

Re: "she emailed over copies of them... and then immediately began panicking"

"Thus I could be 100% certain that at the very least - the email was going to *someone* at Apple."

Yes, because no one has ever managed to hack DNS.

1
0
Anonymous Coward

Re: "she emailed over copies of them... and then immediately began panicking"

It takes one line in your hosts file to redirect an e-mail to one domain to any server you choose. Add to that the fact that you have no idea whether the e-mail will make the entire journey encrypted, and anyone along the route could sniff that e-mail. Even if you connect to your mail servers using SSL, there's no guarantee that your mail servers will talk to Apple's using it.

You sir, are ripe for the quote: "As soon as you think you're secure, you're not."

0
0
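The hop-by-hop point in the comment above, as an added example that is not part of the original thread: each server that relays a message records the protocol it received it over in a `Received:` header, so a delivered message can be audited for hops that were not TLS-protected. The sample message, its hostnames and the function names `trace_hops` and `cleartext_hops` are constructed for illustration.

```python
import email
import re

# "with" protocol keywords that record a TLS-protected hop (RFC 3848, RFC 6531).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

# Pulls "from <src> ... by <dst> ... with <proto>" out of one Received header.
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.IGNORECASE | re.DOTALL)

# Constructed sample message; hostnames and addresses are reserved example values.
SAMPLE = """\
Received: from mx.shop.example (mx.shop.example [203.0.113.9])
\tby inbox.shop.example with LMTPS id c3; Mon, 1 Jan 2018 10:00:03 +0000
Received: from out.isp.example (out.isp.example [198.51.100.7])
\tby mx.shop.example with ESMTP id b2; Mon, 1 Jan 2018 10:00:02 +0000
Received: from laptop.home.example (unknown [192.0.2.10])
\tby out.isp.example with ESMTPSA id a1; Mon, 1 Jan 2018 10:00:01 +0000
From: customer@isp.example
To: orders@shop.example
Subject: ID documents

(attachment omitted)
"""


def trace_hops(raw_message):
    """Return the relay hops in the order the message travelled."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so the oldest hop is the last one listed.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            # Unparseable hop: report it as not known to be encrypted.
            hops.append({"src": None, "dst": None, "proto": None, "tls": False})
            continue
        proto = m.group("proto").upper()
        hops.append({"src": m.group("src"), "dst": m.group("dst"),
                     "proto": proto, "tls": proto in TLS_KEYWORDS})
    return hops


def cleartext_hops(raw_message):
    """Return (sender, receiver) pairs for hops not recorded as using TLS."""
    return [(h["src"], h["dst"]) for h in trace_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        state = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f'{hop["src"]} -> {hop["dst"]}: {hop["proto"]} ({state})')
```

In the sample, the sender's own submission is encrypted but the ISP-to-shop relay is not, which is the gap the comment describes. `Received:` lines are only as trustworthy as the servers that wrote them, so this audits a message after delivery and cannot guarantee anything before sending.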

Not true that only Apple asks for this

You wrote "and was told by her bank that they had never heard of private companies asking for this information."

This is not at all unusual for many third party online travel companies. (Usually, the ones with the worst reputations.)

0
0
Flame

In France it's obligatory if you take a cellphone line with it. The whole lot. Identity, proof of residence, bank statement. To prevent 'terrorists' to have cellphones it seems.

0
0
Gold badge
WTF?

Identity, proof of residence, bank statement.

s/terrorists/tourists/.........

3
0
Silver badge

Prepaid mobile

...prevent 'terrorists' to have cellphones

You buy a prepaid SIM in Belgium and phone the contact center to activate the card. (Not sure how it is in France though.)

Case 1 CC: Are you a resident of Belgium? Me: No. CC: Your card is now activated.

Case 2 CC: Are you a resident of Belgium? Alter ego: Yes. CC: question after question and ten minutes later: Your card is now activated.

0
0

Easy workaround

I know this must be a challenging concept for some people, but if you're in the vanishingly small group who

1) want to buy an iThing

2) haven't done so before

3) have some oddities in your order such as details mismatches which means Apple are rightly wary of it being fraudulent, and

4) don't want to prove that you are, in fact, you and that your card isn't being used without your permission (and are also blind to the fact that if Apple didn't do this, you same outraged people would be claiming that Apple are crappy for not verifying orders properly and letting people's cards be fraudulently used)

then couldn't you:

5) walk into a shop and physically, you know, buy one? How's that hard?

"and was told by her bank that they had never heard of private companies asking for this information."

Whoever told her that is an idiot, and so's she for believing them. Private companies ask for verification documents all the time, leaving aside the fact that many online retailers will do exactly this for suspicious orders, the likes of solicitors, estate agents, letting agents, investment advisors, banks etc all do exactly the same for everyone that walks through the door (and are all private companies), though more for money-laundering than card fraud reasons.

1
11
Silver badge

Re: Easy workaround

4) Don't want to be yet another victim of identity theft by handing the full package off to anybody who happens to be listening or gets the forwarded email.

4.5) Would like to deal only with companies complying with EU data protection laws.

- I cannot work out how this request can possibly comply, as it's neither "reasonable" nor "secure", both of which are necessary under EU law.

0
0
Anonymous Coward

Apple is not unique...

Other retailers have done this. You don't need to send them a statement that shows transactions... you can blank out the transactions if you want, blur them or whatever. All they want to see is what you're already being asked by other retailers. I am not surprised when some company insists that I provide a utility bill and/or bank statement along with driving licence to prove who I am. Blank out all unnecessary information, and you're sorted.

That an online vendor does it is somewhat unusual, but considering that this retailer (Apple) has been hit a lot with fraudulent transactions (generally purchases of their goods with cloned cards, which then get cancelled and Apple left out of pocket), this is arguably the only way they can make sure you are you and your card purchase is legit.

1
4
FAIL

this is arguably the only way they can make sure you are you and your card purchase is legit.

Nonsense. The proper way for Apple (and any retailer that acts professionally and not just like a bunch of morons) is to flag the transaction as 'suspicious' with their payment provider, which will trigger the customer's CC provider/bank to cross-check with their client to make sure the transaction is genuine. Simple, easy and secure. No need to ask for personal information from your customers.

When consumers are so naive to give out personal data without thinking first it's no surprise CC fraud levels are at an all-time high.

4
0

Re: Apple is not unique...

Totally laughing that someone downvoted you on this...because you are 100% correct. As someone who does a LOT of online purchasing, I have had it happen at least 3 or 4 times, plus innumerable times I've had to phone my bank and verify a transaction because of fraud prevention. And none of it from Apple (I usually go to an Apple store for fruity purchases).

Anyone that is raising a stink about this just hasn't done that much online shopping - it isn't unique to Apple, it applies to any company that is being hit hard by fraud and has easily re-sellable merchandise. The banks have policies to ensure THEY don't get stuck with fraud as much anymore, so now it is on the retailer.

The "email us these things in an unencrypted email" side is a worry however...as someone said, a secure upload to a HTTPS:// site would have been better.

0
10
WTF?

Re: Apple is not unique...

I still think the correct people to inquire about the authenticity is the CC issuer, they have a lot of information on file already, information that is "historic" and verified. Apple cannot have as much of a factual base for a check of submitted "documents" as your CC company / DC issuing bank would have if they called you for a verification check - which would use information already supplied and held on file.

Too many companies seem to think they have the right to chapter and verse about us. I wouldn't/haven't had any issues over being called by the card issuer, I would be very disturbed to be asked to submit ID documents to a company selling me something, especially via an insecure submission method, that's without the data protection issues that may arise.

1
0
Anonymous Coward

Re: Apple is not unique...

@futureshock999

Sorry but I cannot disagree more. I have been asked for this type of info (only once - and refused point blank). I have never been asked by any other service and buy everything online (yep, even food and clothes - 'cos I'm a lazy fecker). The claim by the company asking (pixmania in my case) was 'to reduce fraud'...blah-blah...So why then, I asked them, have you decided to do this check AFTER you have debited my credit card? If you wanted to prevent fraud you would do this check before debiting a 'possibly stolen' card wouldn't you?

All the reseller has to do, as stated before, is either check to make sure the delivery address is the same as the CC address, use one of the 'verified' schemes, or flag the sale as suspicious - they have no reason to see any personal ID documents. The funny thing with pixmania was they wanted to confirm my address and asked for a copy of my passport (which doesn't have my address on it - idiots).

2
0
Anonymous Coward

Re: this is arguably the only way they can make sure you are you and your card purchase is legit.

Davidoff, you'll find that Apple does this too, in addition to the request for address verification for very high-value items. Once they're satisfied once that you are who you say you are, they'll flag it and you don't have any other issues.

When you change cards on your Apple account and immediately try to buy a high-value item, be prepared to have the 'fraud alert' trigger again.

0
0
Silver badge

Not uncommon for this kind of nonsense

Services like Entropay are so anally retentive about security that if you don't use your account frequently enough for their satisfaction that they'll suspend the account and you'll have to screw around supplying documentation to reactivate it (and usually 3 or 4 rounds of argumentation to random customer service drones trying to explain you've supplied it multiple times already).

Some businesses just have a stick up their backsides about fraud and / or security that they force customers to jump through hoops. I've given up using Entropay because of this. I can't be bothered to deal with a service which treats customers like criminals the whole time.

1
0

Will they ask for my inside leg measurement or a chest X-ray?

Yes because they need to know which other people they can match you with to create a Human Cent-iPad.

7
0
Thumb Down

EBuyer have started to do this as well. I refuse to buy from them now.

Alan

1
0

"Apple told me they carry out spot checks for security reasons. But I don't think any private company should have the right to ask you to send over such personal documents by email."

They have the right to ask, you have the right to tell them to go and fiddle with themselves.

Also, never, ever send such data in the clear via email. It's why we have encryption and other security measures.

4
0
Anonymous Coward

correction

"Also, never, ever send such data in the clear via email..." should read

"Also, never, ever, send such data."

3
0

Re: correction

Not really.

So long as you have verified the contact (by some means) and they have need to see the data (for whatever reason) you can send it (or let them retrieve it). That communication should, however be secured and the recipient required to keep their copy secure until they are done with it (whereupon it should be destroyed).

I wouldn't reply to a random email though. I'd call the company and then ask them for an FTPS site, GPG key or something similar.

0
0
Silver badge

Has nobody spotted the biggest problem?

BY EMAIL.

Unencrypted email.

Bog-standard, plain-text email.

Not a chance in hell, matey, even if I thought you had a genuine reason to ask for those documents (and T&C's do not make a genuine reason, sorry... otherwise everyone's T&C's would include "user must give financial control of his bank account in case he does a runner").

Sod the fact that they asked for it (hell, take out credit and everyone will ask for all sorts of things that you probably won't want to give them anyway), question why an IT company - of all people - would ask you to send important personal documents by unencrypted email across a public Internet.

And then ask why this customer only queried the request AFTER HAVING SENT THE DOCUMENTS. I mean, come on. FFS.

12
0

Because...

...IT companies are, by and large, run by business people not techies.

0
0

Not sure what the big issue is to be honest, I just applied for 12 months 0% interest on a lens, I had to submit a copy of my passport (or photo driving license)

Maybe the credit score for the person in question didn't quite meet up with the criteria for an outright pass and required additional ID.

0
7
Flame

"Customers are apparently allowed to black out "sensitive details" on the copied documents, according to our source. "

Well, that's sorted then... they can have a copy of my bank statement and passport... I'll just blank my photo, my address, DOB, Account & passport numbers, expiries, transactions, bank address, etc....

and possibly scan a turd for good measure too..... effort to clean the scanner glass after - totally worth it....

1
0
Silver badge
Go

Poo into a clear plastic bag...

... problem solved!

0
0
Silver badge

Put a piece of cling film over the glass before applying the turd. If you smooth it out properly it's invisible to the scan and makes cleaning up a lot easier.

0
0
Silver badge
Coat

Re: cling film

Either

a) don't put the poo in the document feeder - it will jam

b) on a flat-bed scanner, don't close the lid too rapidly (and also use cling film on top of the poo)

0
0
Anonymous Coward

This is why I love The Register

Where else would I find practical advice on how to scan a poo?

2
0
Trollface

hmmm... where's Eadon to stand up for this??

0
0

There's no mention of or link to MS, so he's probably not bothered.

However, it's never stopped him before...

1
0
Silver badge

Probably off getting some photos for his passport application?

0
0

Taking the piss again

Apple will have to start reining in this type of arrogant shit. Joe Public is not as enamoured as they once were in the iphone heyday, and people who follow the tech news tend to really dislike them. They've had their wild youth, now it's time to grow up a bit before a significant backlash kicks off.

0
0

This post has been deleted by its author

Anonymous Coward

Personal details such as this should NEVER be sent by email. It is not a secure protocol.

1
0
Meh

The Crappy Part

Is that the only way this sort of behavior doesn't manifest at other companies is for customers to go through the process, validate their identity then cancel the order. If people refuse to hand over the documents then Apple (in this case) will assume they've stopped a fraudulent transaction. If Apple proves that this method cuts down on charge backs then the practice will grow everywhere. The only way to document that legitimate sales are being negatively impacted is for people to cancel after proving who they are: This is a real clusterfuck for everyone.

0
0
Holmes

the only way this sort of behavior doesn't manifest is for customers to go through the process

No, it isn't. And it's naive to think that Apple will consider all cancelled orders to have been fraudulent. It's even more naive to believe that sending them the requested documents and then cancelling will teach them a lesson that asking for these documents is unacceptable. If anything, it just confirms that most consumers are like cattle on the way to the slaughter house, ready to be taken out.

The *ONLY* way to address this is to tell Apple (or any merchant trying this nonsense) that this is unacceptable and that they should go through their payment provider who will gladly trigger a verification with the customer's CC provider or bank.

1
0
Silver badge

I was asked for this stuff to "register" my mobile phone with the provider

[in France, other jurisdictions may vary]

Apparently some anti terrorism excuse (isn't it always these days?). I said I would *post* a colour copy of my passport with "copie" written on it in board marker, and there is no way in hell they are getting copies of bank statements. And using email for this is not an option. I would have pointed out that other providers exist, but the girl I was talking to sent me the postal address by SMS while I was talking to her.

0
0
FAIL

"After sending that information, I thought I had been hacked"

erm no, you were not hacked. You sent them your details, that's the complete opposite of being hacked.

2
0

Well

I was asked for this by a poker site once. Sent an angry email saying "Do you seriously want me to send these sort of details through an unsecure channel" and immediately (no kidding, actually immediately) got a response back saying verification accepted, you're now free to play.

0
0
Silver badge

Re: Well

Maybe it's a poker site that is plagued by bots scamming the fleshies with their accurate statistical calculations. Angry rant => fleshie => ok to play

0
0
FAIL

It could be Apple clamping down on fraudulent app store activity

I live in South Africa, and we have our own app store. Quite frankly it is absolute crap. Not even angry birds is available. So a lot of iOS devices are registered with fraudulent US/UK addresses in order to gain access to those respective app stores. Maybe Apple is trying to stop this sort of activity.

0
0

Shocking...

"Apple told El Reg it does not comment on individual cases"

You mean to say Apple actually RESPONDED to The Register?!

4
0
FAIL

The wrath of Apple?

"our reader - who works in the IT industry and does not want to incur the fruity firm's wrath by revealing her name"

`There's an old Italian saying: you fuck up once, you lose two teeth', Steve J0bs

0
0
Anonymous Coward

Where I work we will request a copy of passport or driver's license as an ID check to confirm the customer is who they say they are.

Not all the time but sometimes.

The customer has a choice. Supply or we do not accept their order and they are welcome to take their order somewhere else.

1
2
Anonymous Coward

Or the third choice

Report you to the Data Commissioner for repeated leaks of personal data, and watch you squirm as they investigate.

If enough of your customers do this you'll drown in paperwork.

0
0

Not sure if the article is lambasting Apple

Or the practices of businesses that need to know the ins and outs of a duck's arse before they sell you something and using Apple as an example.

0
0
Anonymous Coward

Adobe did me, and Nominet too

When I wanted academic discount on Adobe CS Design Premium set, I had to send them scans of passport or ID card, bank statement proof of address, statement of fees to University, and student card — weirdly (at the time) they wouldn't accept PDF via email.

I was also similarly stung by Nominet once, when after having my domain for more than a decade, decided they needed proof of who I was and that I should have right to own my own domain. Not only did I have to send them scans of IDs, but also email logs and proof that I had purchased things with my email domains (e.g. invoices or delivery notes with my email addy on).

0
0
Silver badge
WTF?

WTF?

Seriously. WTF?

Apple FAIL.

0
0
Meh

I have a small pile of iDevices. Never seen or heard of such a thing.

0
1


Biting the hand that feeds IT © 1998–2017