Online Gift Card Store Exposed Hundreds of Thousands of People's Identity Documents (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: A U.S. online gift card store has secured an online storage server that was publicly exposing hundreds of thousands of customer government-issued identity documents to the internet. A security researcher, who goes by the online handle JayeLTee, found the publicly exposed storage server late last year containing driving licenses, passports, and other identity documents belonging to MyGiftCardSupply, a company that sells digital gift cards for customers to redeem at popular brands and online services.
MyGiftCardSupply's website says it requires customers to upload a copy of their identity documents as part of its compliance efforts with U.S. anti-money laundering rules, often known as "know your customer" checks, or KYC. But the storage server containing the files had no password, allowing anyone on the internet to access the data stored inside. JayeLTee alerted TechCrunch to the exposure last week after MyGiftCardSupply did not respond to the researcher's email about the exposed data. [...]
According to JayeLTee, the exposed data -- hosted on Microsoft's Azure cloud -- contained over 600,000 front and back images of identity documents and selfie photos of around 200,000 customers. It's not uncommon for companies subject to KYC checks to ask their customers to take a selfie while holding a copy of their identity documents to verify that the customer is who they say they are, and to weed out forgeries. MyGiftCardSupply founder Sam Gastro told TechCrunch: "The files are now secure, and we are doing a full audit of the KYC verification procedure. Going forward, we are going to delete the files promptly after doing the identity verification." It's not known how long the data was exposed or if the company would commit to notifying affected individuals.
Just say no (Score:3)
Probably not their only issue (Score:4, Funny)
Scanning IDs should be illegal. (Score:3, Interesting)
We ended up in this ID theft mess because there's a zillion of companies asking for scans/photos of ID documents to confirm users' identity every day. The purpose of an ID card is to verify your identity on the spot. Someone takes your ID and checks it against your face. This doesn't work over the internet because you lose the essential part where the person with the same face is present. ID documents should only be valid when presented in person. Period. Online platforms should use cryptographic digital ID protocols instead, with a proper request-response lifecycle so that every use or verification of your identity is verified every single time. Do that and most of online fraud goes away overnight.
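The commenter's "request-response lifecycle" is a challenge-response proof of possession: the relying party hands out a fresh nonce, the holder signs it with a key an issuer has bound to them, and nothing reusable (no document scan, no selfie) ever reaches the relying party. The sketch below is an added example, not code from the article, TechCrunch or any vendor; the subject name, the trusted key registry populated by `Enroll` and the two-minute challenge lifetime are assumptions made up for the demo. It shows the two properties the comment asks for: every verification needs its own nonce, and a captured response is useless the second time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// transcript is the domain-separated message the holder signs. It binds
// the proof to this purpose, the claimed subject and the one-time nonce.
func transcript(subject, nonce string) []byte {
	return []byte("digital-id-proof-v1|" + subject + "|" + nonce)
}

type pendingChallenge struct {
	subject string
	expires time.Time
}

// Verifier is the relying party (the shop). It holds only public keys that
// a hypothetical trusted issuer has bound to a subject (assumption: filled
// by Enroll), never copies of anyone's documents.
type Verifier struct {
	registry map[string]ed25519.PublicKey
	pending  map[string]pendingChallenge
	ttl      time.Duration
}

func NewVerifier(ttl time.Duration) *Verifier {
	return &Verifier{
		registry: map[string]ed25519.PublicKey{},
		pending:  map[string]pendingChallenge{},
		ttl:      ttl,
	}
}

// Enroll records the public key the issuer bound to subject.
func (v *Verifier) Enroll(subject string, pub ed25519.PublicKey) {
	v.registry[subject] = pub
}

// Challenge issues a fresh 256-bit nonce good for exactly one attempt.
func (v *Verifier) Challenge(subject string) (string, error) {
	if _, ok := v.registry[subject]; !ok {
		return "", errors.New("unknown subject")
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(raw)
	v.pending[nonce] = pendingChallenge{subject: subject, expires: time.Now().Add(v.ttl)}
	return nonce, nil
}

// Verify checks one response. The nonce is consumed whether or not the
// signature is good, so a captured response cannot be replayed.
func (v *Verifier) Verify(subject, nonce string, sig []byte) error {
	c, ok := v.pending[nonce]
	if !ok {
		return errors.New("unknown, expired or already-used challenge")
	}
	delete(v.pending, nonce)
	if c.subject != subject {
		return errors.New("challenge was issued for a different subject")
	}
	if time.Now().After(c.expires) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(v.registry[subject], transcript(subject, nonce), sig) {
		return errors.New("signature does not verify under the enrolled key")
	}
	return nil
}

// Respond is the holder's side; the private key never leaves their device.
func Respond(priv ed25519.PrivateKey, subject, nonce string) []byte {
	return ed25519.Sign(priv, transcript(subject, nonce))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier(2 * time.Minute)
	v.Enroll("alice", pub) // constructed subject for the demo

	nonce, _ := v.Challenge("alice")
	sig := Respond(priv, "alice", nonce)
	fmt.Println("first use:", v.Verify("alice", nonce, sig))
	fmt.Println("replay:   ", v.Verify("alice", nonce, sig))
}
```

The design choice worth noting is that `Verify` deletes the nonce before it checks anything, so a failed attempt cannot be retried against the same challenge either; a real deployment would also persist `pending` somewhere shared across verifier instances and sweep expired entries.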
They ask for ID to get you to abandon claim (Score:4, Interesting)
We ended up in this ID theft mess because there's a zillion of companies asking for scans/photos of ID documents to confirm users' identity every day.
Not quite. They ask for ID to get you to abandon a claim
Gift cards are often pre-stolen. Take them home from the store, and if you delay in registering them, like if it was a gift for a kid and they didn't register until a couple days after Christmas, you will find someone has already registered it and spent the money at a shady 7-11 in a bad neighborhood. It's like the gift card was scanned while on the store shelf and a computer is attempting to register all the numbers every day, maybe more frequently. So when a card is eventually sold they may get lucky and register before the purchaser, and with a little more luck their runner can get to the 7-11 before the real owner contacts the company.
When the real owner contacts the company, if the money is not spent yet, they are happy to cancel the old card number and issue you a new card if you send them your store receipt showing the purchase of the gift card.
However if the money is spent, getting a replacement card is a lot harder. Now the company would have to eat what was spent rather than just issue a replacement card. So now they want the store receipt and two official IDs, like a driver's license number and passport. At this point some gift card buyers are going to think, this f'd up company can't secure their gift cards so the numbers are not stolen off the store shelf, do I really want to trust them with my ID info? Some will answer no and not pursue a replacement card. Company avoids eating the cost of the fraud.
Re: (Score:2)
I've had a scenario like this happen. I sent a gift card to my step-father but as you said, it was pre-stolen. He got it all sorted out but I was really frustrated. What was supposed to be a simple gift to my step-father turned into a chore for him to access.
Needless to say, I don't do gift cards anymore. I'll give someone cash (as tacky as a gift card!) or Zelle them (tacky as a gift card!).
KYC/AML Considered Dangerous (Score:3)
Time to repeal the whole USAPATRIOT Act and withdraw from all overseas military adventures.
The Feds just make us targets of Bourbon St. attacks and the like.
"In theory" with perfect security it could protect us from Movie Plot Threats but in reality none of that exists and it just /causes/ identity theft.
Re: (Score:3)
Not a gift card, it's a scam (Score:2)
This company and the ones like it are not in business to make a small percentage or fee on the gift card.
They are in business to make the process of redemption as painful as possible to maximize the number of cards which are never redeemed. A large percentage (I would guess a majority) on here would hesitate to give a random company photos of their ID, especially for a $20 gift card to a chain restaurant. They already have the money from the giver, if the process is difficult and/or questionable enough, the
Re: (Score:2)
At least in Washington State, they are not allowed to charge any maintenance fees, and the total value of the gift card must be available to the owner. For example, I just cashed a gift card, for its full value, that had initially been issued in 2014.
Such blatant incompetence... (Score:2)
should be grounds for a corporate death sentence. The company should be completely dissolved, and the executives banned from being involved in any kind of financial company for the remainder of their lives.