Emailing a Photo ID for verification?

[Financierge]

I was happily setting up a Betterment account the other day, ready to start a new era of saving, when boom, they couldn't verify my SSN. I haven't been in the workforce long enough to file taxes, and expect this is the problem. I called Betterment, and the customer service lady was very nice, but said something I found unsettling. I need to email a picture of a photo ID (driver's license, etc.) to be verified.

I feel fairly comfortable with Betterment, comfortable enough to give them my money to invest, but sending important information through email has always been a no-no. I asked if this was safe to do, and she stated their servers use bank-level encryption, etc, etc, which I don't doubt. It's the transit between the sender and recipient that is less secure, and there's nothing either of us can really do about that in a standard email. I sent a follow-up message stating my discomfort and asking for any other way to complete verification. I'm still awaiting their response.

So my fellow Mustachians, what do you think? Would you send sensitive information through an email? Or would you wait until a later time when the SSN may work?

[Cathy]

I haven't been in the workforce long enough to file taxes, and expect this is the problem.

This is not related to filing tax returns.

Many data collection companies such as Equifax, Experian, TransUnion, and lesser known others, offer "identity verification" products where the business purchasing the product can run a customer's details through private databases and see if it matches any record contained within. Betterment and many other businesses purchase these services and use them supposedly to verify the identity of prospective or actual customers. Generally speaking, the Terms of Service for many online services will include a clause specifying that the service provider has the right to run these checks on you. Betterment's agreements contain such a clause.

However, any filings you make with the IRS will almost certainly not be in these private companies' databases because tax records are confidential except for enumerated situations. The list of situations where tax data can be disclosed is quite lengthy but it does not include selling the data to private companies. See 26 USC § 6103.

If you crave for your personal information to be included in commercially-operated data clearinghouses which are (i) very loosely regulated, (ii) poorly-secured, and (iii) susceptible to abuse, the easiest way to join these databases is to obtain one or more credit cards, which pretty much guarantees that your information will make its way into a large number of databases, as the credit card application and agreement will contain terms authorising broad disclosure of your information.

TransUnion has informed me in private correspondence that their identity verification product will not consider a person's records to be a match to the data supplied for verification unless the person has existed in the databases for at least six months. My general experience is that this is the case for other such products as well. The exact time period may not be six months for all of them, but you can expect it to be a while after obtaining your first credit card before these products will start considering your identity verified.

As for your question, there is no need to send the data in plaintext. Betterment allows you to specify a security question and security answer when you sign up. The correct way to handle security questions on services is to view them as a form of password, and to specify a unique randomly-generated token, just like you do for all other passwords (if you take security seriously). By "unique", I mean that every time you are asked for a password, it should be unique from every other password that you have ever used. However, unlike passwords, which are typically stored in hashed form, and would not generally be available to view by customer service representatives ("CSRs"), security answers are typically stored in plaintext and can be viewed by CSRs. Indeed, Betterment will ask your for your question's answer if you call them on the phone.

Based on this, what I do for businesses that ask me to send them documents over email is that I put the document into a PDF and then encrypt the PDF using a key which is derived from my security answer on file. I then inform the business to open the PDF using the security answer which they should be able to view on their files. I used this exact procedure with Betterment, and they had no objection to it, and it worked fine. To date, only one business has declined to comply with my procedure here, and I simply did not do business with them.

[Financierge]

TransUnion has informed me in private correspondence that their identity verification product will not consider a person's records to be a match to the data supplied for verification unless the person has existed in the databases for at least six months. My general experience is that this is the case for other such products as well. The exact time period may not be six months for all of them, but you can expect it to be a while after obtaining your first credit card before these products will start considering your identity verified.

That explains some of the weirdness I've gotten before with my information.

The correct way to handle security questions on services is to view them as a form of password, and to specify a unique randomly-generated token, just like you do for all other passwords (if you take security seriously).

Finally, someone who doesn't think I'm crazy for making up answers to security questions! And as far as taking security seriously, I most definitely do. I keep important files in heavily encrypted locations, and type sensitive information with the on-screen keyboard tool. :)

...what I do for businesses that ask me to send them documents over email is that I put the document into a PDF and then encrypt the PDF using a key which is derived from my security answer on file. I then inform the business to open the PDF using the security answer which they should be able to view on their files. I used this exact procedure with Betterment, and they had no objection to it, and it worked fine. To date, only one business has declined to comply with my procedure here, and I simply did not do business with them.

Aha! This was exactly what I was contemplating, but I couldn't figure how to get them the key for the encryption. I'll still wait for their response to my message, but this is a mostly perfect solution to the issue! Thank you very much, Cathy!!

[WerKater]

I need to email a picture of a photo ID (driver's license, etc.) to be verified.

I feel fairly comfortable with Betterment, comfortable enough to give them my money to invest, but sending important information through email has always been a no-no. I asked if this was safe to do, and she stated their servers use bank-level encryption, etc, etc, which I don't doubt. It's the transit between the sender and recipient that is less secure, and there's nothing either of us can really do about that in a standard email.

Ask them whether you can send them an encrypted mail. This is incredibly easy nowadays (just google for Enigmail and/or OpenPGP). It is not very widespread yet (which I find insane). But I feel that if a bank or bank-like institution asks you to send them e-mails containing sensitive information, they ought to offer that.

[Friar]

Cathy,

That sounds like a secure way of doing things. What do you use to keep track of all the different passwords?

[Spork]

There are a number of good password managers around.  Bruce Schneier (internet security and crypto guru) has one called password safe.

I personally just use a hand rolled manager:  a good file encryption suite and some scripts wrapped around them to add/search the file.

But you are correct to feel weird about sending unencrypted personal information.  Many (most?) banks and agencies will have their own web-based messaging system for handling this sort of thing. 

[Financierge]

Betterment Support replied over the weekend and said exactly what Cathy did.

"Great to hear back from you. Generally, customers who are concerned about the security of their information will submit this information using a password protected, secure .pdf. You can simply make the password an answer to one of your Betterment security questions.

If you have any other questions or inquiries that we can assist you with, please let us know. Thank you for being a Betterment customer, and have a wonderful day."

Therefore, I have sent my info via this method. Thank you all very much! Hopefully all is fine and dandy now, and I can begin my plans for world domination by frugality. Mwahaha!!

Ask them whether you can send them an encrypted mail. This is incredibly easy nowadays (just google for Enigmail and/or OpenPGP). It is not very widespread yet (which I find insane). But I feel that if a bank or bank-like institution asks you to send them e-mails containing sensitive information, they ought to offer that.

I agree. This should be far more common than it is. It's so easy to do, and it makes things much safer. Alas, it takes time for the world to change.