Apple asked me for my BANK statements, says outraged reader Apple is believed to have asked some online shoppers to hand over copies of their driving licence, passport and bank statements to verify their identity. A concerned Reg reader alerted us to Apple's data-slurp requests after she received one herself - and was told by her bank that they had never heard of private companies …
No subsidy, no loan.
The customer is buying on a Bank issued Credit Card, so as far as Apple is concerned the customer is buying it outright.
The Bank is taking the credit risk, not Apple, and the Bank has already completed the necessary identity verification to issue the card.
Actually, for an on-line transaction where the customer is not present, the bank reserves the right to charge back to Apple in case of fraud, so in this instance Apple are indeed taking the risk. The three-digit security code on the back helps a bit, but if someone's nicked your card, or noted the details while handling it, that's not much of a barrier.
I'd still tell them where to stick their security check though. Perhaps there needs to be a mechanism where they can put it through normally but raise a flag with the bank, who will contact the customer to verify that it's a genuine transaction on the card (as they do occasionally anyway if you raise one of their security flags).
"Not if they implement Verified By Visa or Mastercard SecureCode, which moves the onus on the bank in verifying a genuine user."
Only one of my Mastercards has that online verification. The Barclaycard Mastercard one doesn't - yet the Barclaycard Visa one does.
One day the Barclaycard Mastercard bounced a big order to my regular IT supplier to my normal address. They left it to the supplier to tell me. Apparently a <£1k transaction triggered their fraud alarm. The helpline put me through a lot of questions. I pointed out that I bought expensive things from that supplier several times a year - which a history check would confirm. They admitted their fraud data trend only went back about a month or so.
To add insult to injury - it then took another four phone calls before the supplier reported that the transaction was finally unblocked for them.
While we don't know quite all the relevant details, those anti-fraud precautions are not world-wide. I was once told that Chip and Pin was introduced to counter Fraud by bank staff. That's not a world-wide system.
What I see, from US companies, is an apparent lack of card security, compared to UK and European operations. And the big-name card handling companies, Mastercard and Visa, are distinct companies from the US corporations, just as Paypal is a separate company in Europe.
I am seeing my own problems with getting payment to US companies. Thankfully, I have not seen this solution. I don't get paper statements from either my bank or my card company.
[Anonymous for obvious security reasons]
"Perhaps there needs to be a mechanism where they can put it through normally but raise a flag with the bank, [...]"
Both my Mastercard and Visa cards have the potential of a further online password double-check by the issuing bank. The Mastercard transaction requires knowledge, on both sides, of a two-part password set by myself.
When the online credit card transaction goes to completion the screen is transferred to the issuing bank's verification service. It then presents me with a personal phrase that I constructed - to which my reply is my personally constructed password. Not perfect, especially against a screen scraper and key logger, but pretty good verification. It gives me confidence I am not being phished for my password.
It would be even better if I could use my Pin Sentry mechanism to produce an offline authentication code like I do for my bank account.
"Actually, for an on-line transaction where the customer is not present, the bank reserves the right to charge back to Apple in case of fraud,"
You need to rewrite that. Even for offline transactions where the customer IS present and has provided a PIN (and CCTV security footage shows that it is indeed the customer, not someone using a purloined cards), the banks can and will chargeback in case of a dispute - and hit with penalty charges which are not removed should the dispute prove groundless.
I know, because as a retailer it happened to me on multiple ocasions. It's one of the reasons for encouraging people to move to direct debits or bank transfers
Then there's the massively high cheque fees banks charge in an all-out attempt to encourage retailers to stop accepting them, or the high standing fees and surcharges attached if your card processing is below threshold numbers or average transaction values. Bank commissions can easily hit 30% on debit card payments if there are a lot of sub £10 transactions.
Basically the banks rape and pillage. Retailers were forced to swallow that until recently. I suspect Apple have gone too far, but I'm not surprised they're making these kinds of demands, given recent stories such as the guy who got mugged of his cards+ipad and documented the assailant making multiple purchases from Apple on stolen cards, then flogging 'em on Ebay - however in that particular case the mugger had enough stuff to fulfill most of the demands from Apple. I'd be going for a request to provide a photo showing face + holding up a handwritten copy of the order number, along with some other form of phptographic ID.
While I find Apple's behaviour in this contemptible, your comment "The Bank is taking the credit risk, not Apple" is not actually correct in the harsh reality of business banking.
I used to run a small web-based retain business and I used to accept credit/debit card payments. It's all unnecessarily complicated, but basically, if you are a company and the target of credit card fraud then I wish you the very best of luck getting your money back from the bank after you have shipped the purchased goods and then find out the card was used fraudulently. The bank will usually point at clause xyz and tell you to whistle.
It really annoys me when I see adverts aimed at Jo Public with tag lines along the gist of "don't worry about using your card on-line - we (the bank) will make sure you don't lose out". Notice that the banks DON'T say that THEY will cover the costs. That's because they don't! They pass the buck on to the retailer. This is why the banks have never really taken credit card fraud seriously. Because most of the time, the cost to the bank is nothing; either the customer pays or the retailer pays.
And all too often, the seller has not exercised due care.
I've suffered credit card fraud on a couple of occasions, one of which involved my (rather improbable) purchase of a bicycle from a cycle shop on the South coast of England, the said bicycle to be delivered by carrier to Essex, while the registered address for the card was in the North of Scotland. No attempt was made to check before making delivery to an address other than that to which the card was registered.
As others have said, the seller is taking the risk, not the card holder - you got the fradulent transaction returned to you didn't you? You were mildly inconvenienced perhaps, the seller lost the funds and is out the item they shipped to the non-registered address.
The reason merchants take the risk is that so many people want it. For all sorts of reasons people find it convenient to have things shipped to alternate addresses, so merchants offer them the service and take the risk.
If you really want to blame someone who isn't the thief, blame yourself for allowing your card details to escape into the wild. Without that, the unfortunate merchant wouldn't have been defrauded (yes I recognise that with the way the system works, this is pretty much impossible and there are so many compromised cards out there that one more is utterly irrelevant. But it makes more sense from blaming the poor merchant for being defrauded).
"Because most of the time, the cost to the bank is nothing; either the customer pays or the retailer pays."
FWIW, by the time penalty charges are levied, banks make more money from fraud than they do from legitimate transactions.
THAT is why they don't do all that much to curb card fraud,
If you read the article, the lady in question was buying the ipad outright and not asking for credit or a subsidised device. This is intrusion of the worst kind and shows how arrogant some companies are, it used to be the case that having money was enough reason for a compant to sell something. to someone.
If it were me I would tell them to stuff their product and go else where
Speaking as a credit card fraudster, I'm outraged Apple will no longer accept transactions that are flagged by the credit check service as potentially fraudulent. Don't people realise Apple are a big company and should be prepared to simply foot the bill. I'm glad you all on this forum agree it is mighty discourteous not to dispatch goods to me, even if experience as shown you, you will more likely as not be footing the bill. It's my right you should sell me whatever I demand and frankly, if you want to see proof of my ID. FUCK OFF.
Sorry anyone who disagrees with me is affecting my livelihood and therefore an arse-hole.
After many years of Paypal use with no issues, I suddenly got a note that I was very close to passing my "limit" of $10,000 of transactions. Hunh!
Now in order to continue using Paypal, I must give them direct access to my bank account (take out money as well as put it in). They get hacked or disagree with me; they just take what they want.
The note says that this is necessary to insure my security and verify me (I guess "my realness") after at least 6 years (I believe a good deal more) and $10,000 of transactions without a problem. Virtually all me paying someone. And they have my credit card.
And there are many things that they have locked up to the point that Paypal is the only way to make a transaction. Can you say unreasonable leverage of an almost monopolistic market position. This BS should be stopped by someone in government regulation.
" I must give them direct access to my bank account (take out money as well as put it in)"
Eh? You are saying that Paypal wanted to have your username and password to your online banking?
Or are you just saying that they wanted a direct debit that you could cancel or claim back on at any time?
Other than that PayPal can't take money out of your account (apart from reversing a transaction they have made due to error with 24 hours).
Therefore I don't think you are being entirely truthful.
What I often see is a bit of confusion over just what is going on. From my time running a business, I know some of these things. Some people misunderstand. Some businesses give lousy explanations. And some people seem to want to boast of their superiority.
I've been with Paypal for a long time, I had to "verify" my account at the start, and that involved a debit/credit double on my bank current account. I don't think it needed an open-ended permission, but it was a long time ago. So all I can say is you should look carefully at what they are asking for. But I didn't have a problem, and getting verified is worthwhile. Once they have confirmed the current account, you can send money to Paypal through your internet banking, at a lower fee.
Paypal are a bank. So feel free to be suspicious. Being a bank is not the sign of reliability that it was.
Are you saying that Paypal were given access to your bank account to withdraw money?
If so then you are also talking rubbish.
The only way a company can withdraw unauthorised money from your account is via a credit/debit card, a direct debit or the reversal of transaction within 24 hours.
Credit card is the worst as you'll have to continually chargeback for each offence or cancel your card.
Direct debits can all be cancelled and money retrieved if taken.
Reversals can only be for the amount they have just credited.
Paypal will only verify if you either set up a direct debit mandate or they credit your account with two low transactions and you confirm what those amounts are.
But I don't think any private company should have the right to ask you to send over such personal documents by email.
Having the right to ask isn't the issue. Choosing to comply is where the problem lies in my opinion.
Anyway just 'cos it's in the T&C doesn't mean it's enforcible. If a term is unreasonable it's null and void. Just tell them to stuff it and take your business elsewhere.
I've had this kind of response from standard UK based etailers before. I once ordered a whole bunch of kit from overclockers.co.uk on a Wednesday evening, paid by card, they took payment from my account
Thursday arrives, I'm in work and then the retailer insisted that at that point they could go no further without me emailing me them scans of utility bills or bank statements, because this was an address they had never shipped to before,
I can't do that from work, so they won't ship the goods I've already paid for in time to arrive for the weekend, so I told them where they could stick their request, got a refund and bought everything that evening on the TCR.
Not just Apple but airbnb too. They just asked me to upload a copy of my driving licence and did not reply when i told them no way.
If too many people just blindly follow instructions like these other companies will copy and they will soon control everything. And so will the people who hack them.
Pixmania tried this on me. They lost a sale and all future sales, which might be drop in the ocean but given enough drops they should learn.
As for Apple's "It's in the T&Cs that they reserve the right to verify blah, blah , blah...", Very simple, I reserve the right to shop elsewhere.
Remember folks - email in insecure. They are absolute morons to ask for a full ID-theft package by email. Why not https upload to the main Apple site? Still dodgy, but less so than email.
Also note the asymmetry here - why not ask for the Apple employee's equivalent data in exchange?
Everyone and their dog can ask for everything. Everyone and their dog ARE & WILL ask for everything.
Heck, I'm asked on a weekly basis for my yearly revenue by some random people in North Africa, hunting
for people interested in solar panels. I've even been asked for the copy of the judgement for my divorce by the ***hole in charge of my kid's school ! That doesn't mean any of the people got it !
Why people are doing whatever they're asked by phone/email is beyond me. There is some teaching to be done: reflect on what the random guy is asking - determine if they're entitled to - refuse or accept.
Also, as stated above, f*** the T&C that are mandatorily agreed, as you can't do anything before you've agreed. If they are not reasonable, as per law, they're void, as per law again.
Let me get this straight.
She's a regular reader of El Reg, yet she willingly handed over personal documents when asked for them via EMAIL as part of buying a fondleslab of the fruity variety but only thought it suspicious AFTER they were sent?
Me thinks she reads but does not understand.
Anyway just 'cos it's in the T&C doesn't mean it's enforcible. If a term is unreasonable it's null and void. Just tell them to stuff it and take your business elsewhere.
Perfectly agree with the T&C remark, but I'd still buy the goods. I take that decision on the basis of the kit's benefit to me. If I had to modify that due to the behaviour of idiots I'd spend most of my time reviewing my IT needs :).
However, I pity the poor schlob who would get the job of getting ID data off me. I do not take kindly to companies trying to acquire personal information and I have all the resources at my fingertips to make any company abandon that idea rather quickly.
Apple was in this context actually the more moderate of providers so it's disappointing to hear they are abandoning that position. I hope they try this with me, it'd be entertaining to see how they manage the PR fallout afterwards (evil grin).
I know several notaries in the USA.
They are little more than minor office staff who have taken a course and got a licence from the state, so that they can say "This document is a copy of the original that I saw." They have some sort of official seal locked in their desk. It's a formalised way of being a witness.
When they see the original document, and put it through the office photocopier, that's a worthwhile legal confirmation. In this case, they might be making a copy for several different files, and don't have an original document, so it sounds dodgy. Their seal and signature hardly means anything.
"notary" can mean very different things in different countries.
I can see a notary's stamp being part of routine office procedure in this area, but the foundation, in this case, is unsound.
Want to rent a flat in London? Letting agencies regularly ask for 3-6 months of bank statements as proof of income. Recruitment agencies also ask for scans of passports. To rent a car using just a debit card (not a credit card), at least one major car rental company asks for not only a driving licence, but also a passport and a proof of address such as a utility bill or a bank statement.
There's nothing particularly unusual in Apple wanting to check the identity of their customers.
There's nothing particularly unusual in Apple wanting to check the identity of their customers.
Except that in the other examples there's no change of ownership and you are entering into an ongoing relationship. Those transactions involve trusting that the customer will continue to honour the agreement and/or respect the issuer's property.
When you're buying an iPhone you own it (last I heard). There is no need for ongoing trust between the customer and apple. Or if there is it's trust in the opposite direction eg; Will Apple provide support for me when I want it?
unfortunately you don't own it 100%... oh you might own SOME of the mineral components that make up the hardware but that's about it...
Apple might just as well have sold you a brick with specific percentages of different minerals in it and with a terms of service contract attached to that brick.
Btw, the brick also comes with NDA-like terms about reverse-engineering the minerals in your possession.
iPad = ~£500
Car = >£5,000
Flat = >£50,000 (OK, a very tiny one, but you get the idea)
So yes, there are occasions where private companies do collect proof of identity. Pubs do it for a pint (<£5), and that's a legal thing (<18). You make your own choice if it's justified to release your personal details.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
