Have you ever thought about why companies and apps are now requesting a passport or driver's license just to sign up or confirm your age? It seems small, right? Well… the issue is that these ID verification requirements give rise to a new risk of accidental data disclosure.
Governments want companies to truly confirm who is behind each user account as a means to prevent fraud and keep kids safe online. Fair enough… until the hackers get your ID details. The minute companies start keeping millions of ID cards, they are holding a treasure trove that opens the door to identity theft, because everything on an ID can be used against the person it belongs to.
The issue in all this?
The more ID information an app or service collects, the more of a target it becomes for hackers, who want your ID to create havoc. They love this stuff because an ID has everything they need: first and last name, address, birthdate, and even a photo.
Here is why that is terrible:
- They’re now keeping massive stores of sensitive data.
- Sometimes they are hiring third-party services that may or may not be secure enough.
- More than a password gets stolen if a hacker successfully gains access — in fact, the whole identity can be stolen.
Who is getting hit?
This is not an industry-specific problem. It's everywhere: health care, banking, social media, shopping, etc. Anywhere you need to "verify your identity" can pull you into the fray.
When bad actors get access:
- The company loses trust and is financially penalized.
- Users get scared and stop using their service.
- Teams lose weeks repairing the breach.
Why "collect less" doesn't work anymore
For years, we told our customers and clients, “Only collect what you need.” However, some laws now force companies to collect more.
That’s the same as saying “Keep everyone safe, but please be sure to keep everyone’s ID in one big folder that is conveniently easy to hack.” That does not make sense, right?
In essence, businesses now have additional risk because they are complying.
What can be done
If you’re a business:
- Only collect what’s necessary.
- Check the security of any third party you use to verify someone’s ID.
- Encrypt and monitor all ID data; don’t treat it like a standard file.
- Be transparent with your users about why you’re collecting, and storing, their ID.
If you’re a user:
- Ask yourself “Do I trust this site with my ID?”
- Only upload documents if you need to.