Discussion:
[lopsa-tech] Google wants images of my passport, driver's license, bank statement, etc.
lopser
2012-08-20 19:05:31 UTC
Permalink
Farewell google. What else can I say? Seriously.

I tried to purchase something from the Google Play store, in my android tablet today, and I keep getting an error that doesn't say much of anything. "Your order could not be processed. Please try again." So I tried a different credit card, I tried adding new credit card, still generic error messages.

So I tried logging into google wallet via web browser. They ask for Account Verification. Which includes Driver's License, (upload scanned images), passport, or other photo ID, bank statement, credit card statement, and/or utility bill.

Here's what they say:
We were unable to verify the credit or debit card information for your recent order. Your order has been cancelled and your card was not charged. Rest assured that Google is committed to preserving the security of your information and providing a safe online shopping experience.

To resolve this issue, you'll need to scan the following verification documents to your computer and then upload them below.

If you don't have a scanner, please click here. (Fax option)

Until we receive and verify the requested documents, future orders will not be processed. Please do not create additional accounts.

If you choose not to submit these verification documents, your account will remain suspended and you will not be able to place orders or access your Google Wallet account.

They ask for my driver's license, passport, bank statement, credit/debit card statement, utility bill.

Obviously, I'm not going to give them any or all of that stuff. Just so I can pay them $0.99 for some stupid app.

When I pay other companies, they do normal things, like, redirect me to Verified By Visa, or stuff like that. This whole process is taking place over SSL secured https... And I have a strong password and two-factor authentication on my google account... So there's seriously no way for any fraud to be taking place either by me or anyone else trying to hack my account or anything. This is going way too far. Nobody in their right mind should give any credit card payment processing center their driver's license, passport, bank statement, etc.

Foolish. Baaah!!! I want to play my stupid video game! ;-) Too bad...
Steven Kurylo
2012-08-20 21:07:25 UTC
Permalink
Post by lopser
This is going way too far. Nobody in their right mind
should give any credit card payment processing center their driver's
license, passport, bank statement, etc.
Foolish. Baaah!!! I want to play my stupid video game! ;-) Too bad...
I regularly get asked for additional ID when using my credit card in
person. I've seen stores with a blanket policy even. Why should a
online retailer be any different? Though I'm not sure why more places
don't do the verified by Visa process.
drich
2012-08-20 21:24:37 UTC
Permalink
On Mon, Aug 20, 2012
Post by lopser
This is going
way too far. Nobody in their right mind should give any credit card
payment processing center their driver's license, passport, bank
statement, etc. Foolish. Baaah!!! I want to play my stupid video game!
;-) Too bad...
I regularly get asked for additional ID when using
my credit card in
person. I've seen stores with a blanket policy even.
Why should a
online retailer be any different? Though I'm not sure why
more places
don't do the verified by Visa process.
Just be aware that
it violates the merchant agreement for a seller to refuse your
transaction with a Visa or MasterCard because you don't show ID. Of
course, your card also isn't valid unless you sign it ("See ID" isn't
valid for that), but stores will still usually accept. This article
talks about it a bit along with why you *shouldn't* show your ID for
credit card transactions:


http://credit.about.com/b/2011/05/21/no-id-required-for-credit-card-purchases.htm
--
Dan Rich <***@employees.org>
http://www.employees.org/~drich/
[1]
"Step up to red alert!" "Are you sure, sir?
It means changing the
bulb in the sign..."
- Red Dwarf (BBC)

Links:
------
[1]
http://www.employees.org/%7Edrich/
Benjamin Krueger
2012-08-21 01:57:28 UTC
Permalink
There's no requirement for ID in person. But is that the same requirement for online merchants? The rules are different there and I wouldn't make any assumptions.
Post by drich
Post by Steven Kurylo
This is going way too far. Nobody in their right mind should give any credit card payment processing center their driver's license, passport, bank statement, etc. Foolish. Baaah!!! I want to play my stupid video game! ;-) Too bad...
I regularly get asked for additional ID when using my credit card in
person. I've seen stores with a blanket policy even. Why should a
online retailer be any different? Though I'm not sure why more places
don't do the verified by Visa process.
http://credit.about.com/b/2011/05/21/no-id-required-for-credit-card-purchases.htm
--
"Step up to red alert!" "Are you sure, sir?
It means changing the bulb in the sign..."
- Red Dwarf (BBC) _______________________________________________
Tech mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
drich
2012-08-21 17:43:21 UTC
Permalink
Reverse that -- it isn't that there isn't a requirement for id, but
that they are forbidden from refusing to accept your card because you
don't show it.

On-line is completely different as are phone
transactions, they are both card-not-present transactions. I'm pretty
sure they can't require ID on that either, but it has been quite a while
since I read one of the merchant agreements.

On 2012-08-20 18:57,
Post by Benjamin Krueger
There's no requirement for ID in person. But
is that the same requirement for online merchants? The rules are
different there and I wouldn't make any assumptions.
Post by Benjamin Krueger
On Aug 20,
On 2012-08-20 14:07, Steven Kurylo
On Mon, Aug 20, 2012 at 12:05 PM, lopser
Post by lopser
This is going way too far.
Nobody in their right mind should give any credit card payment
processing center their driver's license, passport, bank statement, etc.
Foolish. Baaah!!! I want to play my stupid video game! ;-) Too
bad...
Post by Benjamin Krueger
I regularly get asked for additional ID when using my
credit card in
Post by Benjamin Krueger
person. I've seen stores with a blanket policy even.
Why should a
Post by Benjamin Krueger
online retailer be any different? Though I'm not sure
why more places
Post by Benjamin Krueger
don't do the verified by Visa process.
Just
be aware that it violates the merchant agreement for a seller to refuse
your transaction with a Visa or MasterCard because you don't show ID. Of
course, your card also isn't valid unless you sign it ("See ID" isn't
valid for that), but stores will still usually accept. This article
talks about it a bit along with why you *shouldn't* show your ID for
credit card transactions:
http://credit.about.com/b/2011/05/21/no-id-required-for-credit-card-purchases.htm
[1]
--
Dan Rich <***@employees.org>

http://www.employees.org/~drich/ [2]
"Step up to red alert!" "Are you
sure, sir?
It means changing the bulb in the sign..."
- Red Dwarf
(BBC)

Links:
------
[1]
http://credit.about.com/b/2011/05/21/no-id-required-for-credit-card-purchases.htm
[2]
http://www.employees.org/%7Edrich/
lopser
2012-08-21 04:25:26 UTC
Permalink
Kurylo
I regularly get asked for additional ID when using my credit card in
person. I've seen stores with a blanket policy even. Why should a
online retailer be any different? Though I'm not sure why more places
don't do the verified by Visa process.
In physical stores, I regularly get asked to see my driver's license, and I don't mind showing it. They don't make a copy of it, they just look at it, and look at my face, and check the name matches my credit card, and move on.

They certainly don't ask me for my bank statements or passport.

But most importantly, they don't keep a copy of it.
Tom Limoncelli
2012-08-21 02:09:18 UTC
Permalink
SInce their email said "We were unable to verify the credit or debit
card information for your recent order." and you are unhappy with how
they sought to verify you are who you say you are. I understand how
frustrating that can be. What method would you prefer we use to
verify you are who you say you are? I will gladly forward your
suggestions to the product group (no promises, but I am very
interested in what you suggest)

Tom
(not speaking for Google, but employed by them)
lopser
2012-08-21 04:36:40 UTC
Permalink
Sent: Monday, August 20, 2012 10:09 PM
SInce their email said "We were unable to verify the credit or debit
card information for your recent order." and you are unhappy with how
they sought to verify you are who you say you are. I understand how
frustrating that can be. What method would you prefer we use to
verify you are who you say you are? I will gladly forward your
suggestions to the product group (no promises, but I am very
interested in what you suggest)
Tom
(not speaking for Google, but employed by them)
Do what every other credit card point of sale vendor does. Take the credit card number, expiration date, name on card, and CVV code. Then pass it along to Visa or Mastercard or whoever for processing. If possible, use Verified By Visa, or Mastercard Securecode, or whatever the equivalent alternative is offered by that particular credit card company.

The mere fact that I logged in to google as myself, and I previously saved my credit card info there, should be all that google cares about.. Or better yet, use Verified by Visa. (and similar alternatives.)

It's understandable and understood that a bank will need to verify your home address, and various forms of personal information in order for you to open an account. They're going to hold your cash and they need some way to verify that you are a real person (govt requirement), you are who you say you are (again, govt requirement), and they need to verify your identity when somebody comes in claiming to be you and requesting all your cash. That's more of a personal requirement.

When you buy a battery from http://www.batteriesonline.com, they should not ask you for your SSN, your photo id, etc. They should take your credit card info, and ask Visa or Mastercard (or whoever) to verify it. They can use Verified By Visa, or Mastercard Securecode, or whatever equivalent alternatives are offered by some other banks... When they do this, the consumer is redirected to their credit card site, and asked to verify some of the personal information that was submitted when the credit card account (or bank account) was opened. Visa or Mastercard (or whoever) will simply say "yes" or "no" to the vendor. The vendor does not get your personal verification information. The vendor is not able to go make purchases at other sites using the information you just gave them.

If Google is supposedly increasing security by asking consumers for this information, shouldn't batteriesonline.com also ask for it, to increase their security? And amazon, and ChineseMemory2Cheap.com, and UsedCalculators4Less.com ... Shouldn't they all be asking for this kind of information?

Emphatically, the answer is no. A big fat no.

It is the job of the vendor to communicate with the consumer securely, via https. The consumer will provide credit card info to the vendor, and after that, the vendor is supposed to use that information to get funds from the credit card / bank. It is the job of the bank to keep your private funds and private security information private. The bank that you entrusted to hold your cash should be the only entity holding the verification documents necessary to access your cash. These verification documents should never reach the hands of the vendor, whom you are agreeing to pay a fraction of your cash in exchange for goods and services.
Tom Limoncelli
2012-08-21 16:39:24 UTC
Permalink
Post by lopser
Do what every other credit card point of sale vendor does. Take the credit card number, expiration date, name on card, and CVV code. Then pass it along to Visa or Mastercard or whoever for processing. If possible, use Verified By Visa, or Mastercard Securecode, or whatever the equivalent alternative is offered by that particular credit card company.
I'm not sure I understand the situation so please help me understand
if I'm not. It seems like Google did contact one of those companies
and the card was rejected. It sounds like you feel Google should have
given up at that point. If I'm understanding you correctly I'll
forward that along as I promised. Am I understanding you correctly?

Tom
--
http://EverythingSysadmin.com -- my blog
http://www.TomOnTime.com -- my videos
lopser
2012-08-22 02:42:20 UTC
Permalink
Post by lopser
Post by lopser
Do what every other credit card point of sale vendor does. Take the credit
card number, expiration date, name on card, and CVV code. Then pass it
along to Visa or Mastercard or whoever for processing. If possible, use
Verified By Visa, or Mastercard Securecode, or whatever the equivalent
alternative is offered by that particular credit card company.
I'm not sure I understand the situation so please help me understand
if I'm not. It seems like Google did contact one of those companies
and the card was rejected. It sounds like you feel Google should have
given up at that point. If I'm understanding you correctly I'll
forward that along as I promised. Am I understanding you correctly?
I have no reason to believe google is attempting to process my request when I try to buy something. Google won't even let me add another card. I have no reason to believe google is trying to process the order and getting rejected upstream. Google is doing the rejecting, not the bank.

If the credit card gets declined, then it is my opinion the vendor should give up and simply tell the consumer, "declined." But that is not happening here. I have no reason to believe google is even attempting to process the transaction.

If the credit card were getting declined, then google asking for my passport wouldn't change anything. So this furthers the belief... Google is not attempting to process the transaction. It's not being declined by the credit card company. It's google policy.
Josh Smift
2012-08-22 14:57:25 UTC
Permalink
l> Google is not attempting to process the transaction. It's not being
l> declined by the credit card company. It's google policy.

Have you contacted Google support to find out whether this is their
policy, and if so, what the policy actually is?

It sounds like most people who use Google Wallet have never had to do
anything like this, so it seems odd that they're asking you to. Maybe
there's a reason. (Or maybe it's a glitch and they'd be shocked to hear
about it and would immediately fix it. Or maybe they've recently put some
new policy in place. Who knows, but it might be more fun to find out than
to just say "this sucks I'm never shopping here again".)

-Josh (***@infersys.com)
lopser
2012-08-22 20:04:51 UTC
Permalink
On Behalf Of Josh Smift
l> Google is not attempting to process the transaction. It's not being
l> declined by the credit card company. It's google policy.
Have you contacted Google support
Have I contacted who? (I just want to hear you say "google" and "support" together again. ;-) hehehehe

If you can show me where google support exists, I'll happily contact them. There's no such thing.
It sounds like most people who use Google Wallet have never had to do
anything like this,
To kill both birds with one stone ... I guess I'll go to the google forum, and search around, and post something, and see what happens.

Nope ... Didn't have any luck. Try as I might, I can't find any forum or contact form anywhere... There is the gmail support forum, but that's for gmail, not google wallet. As far as I can tell, there is no support for google wallet.

They do have support for merchant accounts on google wallet.... I'm not permitted, as a consumer.
Jonathan Nicol
2012-08-22 21:21:29 UTC
Permalink
https://support.google.com/wallet/bin/request.py?contact_type=wallet_general
"To give us a call directly, please call 1-855-492-5538. "

That wasn't very hard to find...
Post by lopser
On Behalf Of Josh Smift
l> Google is not attempting to process the transaction. It's not being
l> declined by the credit card company. It's google policy.
Have you contacted Google support
Have I contacted who? (I just want to hear you say "google" and
"support" together again. ;-) hehehehe
If you can show me where google support exists, I'll happily contact
them. There's no such thing.
It sounds like most people who use Google Wallet have never had to do
anything like this,
To kill both birds with one stone ... I guess I'll go to the google
forum, and search around, and post something, and see what happens.
Nope ... Didn't have any luck. Try as I might, I can't find any
forum or contact form anywhere... There is the gmail support forum,
but that's for gmail, not google wallet. As far as I can tell,
there is no support for google wallet.
They do have support for merchant accounts on google wallet.... I'm
not permitted, as a consumer.
_______________________________________________
Tech mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
lopser
2012-08-22 21:57:38 UTC
Permalink
On Behalf Of Jonathan Nicol
https://support.google.com/wallet/bin/request.py?contact_type=wallet_ge
neral
"To give us a call directly, please call 1-855-492-5538. "
That wasn't very hard to find...
How did you find that? Did you first login to google wallet and then click on help? Because remember, I can't login to google wallet. Er ... I can login, but the only page they will show me is the "Account Verification" page. When I click the ? icon for help, it's just white.

Here's what I was able to find, and how I found it:

I posted a message on gmail help forums, asking how to find google wallet help. Then I thought I would post a link to that message here, so I logged back into gmail forums, to get a URL to the message. I don't see any way to get a copy-able URL, but while I'm in there, I notice, by viewing my post, there is a backlink trail at the top... Google Product Forums > Gmail > My message. These are clickable, so I click the Google Product Forums. (Something I searched for and couldn't find until I posted and viewed my post.)
Phil Pennock
2012-08-22 22:27:10 UTC
Permalink
And I'll write a little about, in another email...
Much as I have my own gripes about Google's customer service, I'm not
sure how this is relevant to technical discussions for LOPSA.

If we're debating PCI compliance and security implications of process
flows for validating identity, then that's germane and relevant. Some
of this thread has been on topic.

But unless there's something substantive _for_ _LOPSA_ in the results of
that support discussion, perhaps there's a better forum for it?


Myself, I use Google+ for all sorts of things, including noting Google
problems; if the Google employees who follow me get upset enough at my
doing so, then instead of unfollowing me they might get around to
implementing tagging: so then topics can be exempted from following,
they can suppress #googlefail posts and remain blissfully happy while
still seeing my cat pictures. :)

(Those GoogleFail posts typically are only shared with my extended
circles)

-Phil
lopser
2012-08-23 00:06:51 UTC
Permalink
Post by Phil Pennock
Much as I have my own gripes about Google's customer service, I'm not
sure how this is relevant to technical discussions for LOPSA.
Google Wallet is your only option to pay for Google Apps. I'm lucky that this happened to my home account where I'm not using google apps, and it didn't happen to my work account.

Besides, it's a tech thing, that could conceivably happen to any of us who depend on our tech. Some people here are interested, and participating in the conversation.
lopser
2012-08-22 23:13:39 UTC
Permalink
From: lopser
But there is a Click 2 Call form there. I enter my phone number, and they will
call me. Which I did. And I'll write a little about, in another email...
I got on the phone with a representative from Google Wallet. I explained that I first noticed I wasn't able to purchase something in Google Play, getting a generic error message, so I tried logging into Google Wallet to find out any more information about it, and I get the Account Verification page, which requests me to upload scanned copies of my driver's license, passport, bank statement...

He said, that means there's a hold on your account. This could come up for a lot of different reasons, and I do need to verify my identity. They'll need those documents in order to reinstate my account or I won't be able to make purchases.

I asked for some sort of statement, reason why it's on hold, or something... I said from my perspective, google is just a vendor, and I wouldn't give copies of my passport and bank statement to random online vendors.

He said he understands my concerns, you're basically submitting your identity, and you don't have to if you don't want to ...

Which means to me, I can never buy anything from google ever again. So google's telling me they'll refuse to sell me anything unless I provide this information.

He said there is no override, for whatever reason, for the security of all the users, they do this... but I cut him off, "This is the exact opposite of security." I told him, even when I go tell people about this, they say, "It must be a phishing attack." Nobody believes Google would really ask for this type of information in order to purchase an app on your phone. I don't have any reason to trust google any more than any other vendor. I would never give this to any vendor. This is something I give to a bank to open an account.

He said google wallet is a payment service, so it's more like a bank and not the same as a vendor. "You're not paying google wallet, you're paying *through* google wallet." He said he's never had anyone call in and say "I don't trust google," once you've given them your credit card information, that's all they need to make purchases. (I think I might be the first person who bothered putting in the effort to call in and complain about this. I think most people simply submit to the bullying.) I told him I don't mind giving my credit card number, cvv code, expiration date... Because that's normal to make a credit card purchase, and I'm communicating over https, and it's a verified site, and google is a reputable vendor, but when they're asking for something much more than that... I don't know your security policies. I don't know which google employees have access to this information, or if any employee becomes disgruntled, uploads it all to China... Can you imagine how many people are out there trying to hack into google? There is no way Google is as secure as the NSA or the CIA, and they've been hacked before.

Heck, Google has been hacked before. This is the type of information you simply don't give out to anyone, because it's exactly the type of information some bad guy could use to steal your identity.

In response to him saying Google Wallet isn't a vendor, they're a payment service, I said... When you want to buy something from google play or google apps, the only way you have available to pay is through google wallet. And I've never seen google wallet used for anything other than google products. So from my perspective, this looks like a vendor who wants copies of my bank statement and driver's license and passport.

He said he understands, he can see my point of view, but google doesn't have a lot of products. The developers are the people who make apps... I said, if I were a vendor with a storefront, selling tomatoes, that I bought from the local farm for $0.50, and I'm selling them for $1.00, that means I'm selling something that I bought from somebody else. As a consumer, buying an app in google play, I'm not buying an app from the vendor. They don't have a storefront, they're not the ones taking my credit info. I'm buying an app from google, and google is a reseller who's distributing the developers' products.

He said, that makes sense, if you don't trust it, you shouldn't put your information into it, and he said, he wouldn't put his information into it if he didn't trust it. But he does trust it. So I asked him, How can you say "I trust it?" Google is what, 100,000 employees? You trust all 100,000 of those employees? I have no idea which ones have access to this information.. His response was "Something can happen with *any* payment service. People sometimes get screwed over with PayPal." Which is to me, a blanket acknowledgement, that sure, Google Wallet can make mistakes too.

I felt like we were sidetracking too much. So I asked him if he could please look into the system somehow and tell me why my account is getting flagged... I'm a security person myself. I actually generate and memorize random passwords, encrypt all my information everywhere, use 2-factor authentication, have a PIN on all my devices for making purchases, and a gesture-based screen lock... It is extremely unlikely that anyone is using my account without my knowledge or consent. He said he doesn't have access to a whole lot, the only thing he can see is that there's a hold on it. They don't want him telling people why they're being flagged, they don't want him to *know* why people are getting flagged, because then people could figure out what google's doing internally. I quote, "Google doesn't want our people to know, how they work internally." Which is a great reason for *me* not to trust them with my identity information. They don't even trust themselves with knowledge of why an account is on hold, but I'm being fed the kool-aid of blanket trust for the organization as a whole...

We finally concluded, with: Google will not sell me anything, now and for the rest of my life, unless I provide this information... Unless... When I pressed him for some escalation or some path to resolution, he did say he can escalate to another team. It can only be escalated via email, there is no phone number, they don't communicate via phone. He said, "I can give them *my* word, but that's not going to mean much to them, they're not going off another employee's word, know what I mean?" He said, they might just tell me the same thing. I quote: "If you want to be able to make purchases from google again, without submitting those documents, this is the only way."

So that's where it stands for now.
Betsy Schwartz
2012-08-21 11:04:35 UTC
Permalink
So we know this was real? It's such a bizarre request that my initial
reaction was that it was a phish of some sort. What sort of reaction
from the credit card company causes an "unable to verify" result?

IMHO Google should ask for a valid credit card or send the buyer off
to negotiate with the issuing bank, but not start collecting this
other sort of information. Google is out of line to do anything other
than accept, reject, or report suspicious use of, a credit card.

(the banks, on the other hand, should be a hell of a lot more careful
about issuing credit cards, but that's another discussion)
Josh Smift
2012-08-21 11:11:34 UTC
Permalink
BS> So we know this was real? It's such a bizarre request that my initial
BS> reaction was that it was a phish of some sort. What sort of reaction
BS> from the credit card company causes an "unable to verify" result?

I had a similar question the last time I got a Verified By Visa redirect,
actually, because it popped up in a frame in the middle of the vendor's
web site, making me wonder how the heck I was supposed to know that it was
legit, and and not the vendor phishing for information that they shouldn't
have. Maybe there was something obvious there, but at the time I didn't
see it... So how *are* you supposed to know that a Verified By Visa thing
is legit?

(Thirty seconds of research turns up
https://en.wikipedia.org/wiki/Verified_by_visa#Verifiability_of_site_identity,
suggesting that it's not just me. Which bleah, because it's sort of a good
idea, but the current implementation is really terrible from a phishing
point of view.)

-Josh (***@infersys.com)
lopser
2012-08-23 03:53:38 UTC
Permalink
I hope this will be my final comment on this thread, but I figured out what went wrong. About 6 months ago, my 2yr old daughter was playing with the tablet, and spent $50. I got an email thanking me for the purchase, so I immediately tried to refund it (but I was too late), and I searched around and discovered the ability to create a PIN for purchases, to prevent it from happening again.

I know now, but I didn't know then, that I should have contacted google wallet. At the time, I tried to contact Android Market, or Google Play, whatever they were called at the time. To this day, as far as I can tell, there is no way to contact google play.

I called american express. Explained that it's just a simple mistake, it won't happen again, it should be easy to refund, but I can't find any way to contact the vendor. I asked them if they have any way to contact the vendor? They said yes, they do.

So Amex tried contacting google, and some time later (I don't know if it was days or weeks) Amex contacted me, to tell me, they had no response from google, so Amex refunded the transaction.

Now I will say, that's plenty of reason for google to be suspicious about my account. But I still disagree with the requirement to upload driver's license, passport, bank statements, or else never be able to purchase anything from google ever again.

It's sheer coincidence that I had this other experience, trying to purchase something in Euros today. Because that experience illuminates perfectly, what google should be doing instead.

Guess what? Account seems to be compromised? Use the information from "Account Recovery Options." Duh. ;-)

I've certainly given all this info to google wallet now... Maybe I'll get a response... Don't know what, or if, they'll say anything about it yet.
d***@lang.hm
2012-08-23 04:06:40 UTC
Permalink
Post by lopser
Guess what? Account seems to be compromised? Use the information from
"Account Recovery Options." Duh. ;-)
are you aware of the trouble that Mat Honan just had to go through as a
result of people using the insecure "account recovery options" of apple?

Given the high publicity that his case has recieved, I would expect that
many of the online providers are trying to be less forgiving and flexible
right now to try and keep the next set of headlines from being about them.

David Lang
lopser
2012-08-23 13:45:07 UTC
Permalink
Post by d***@lang.hm
Post by lopser
Guess what? Account seems to be compromised? Use the information
from
Post by lopser
"Account Recovery Options." Duh. ;-)
are you aware of the trouble that Mat Honan just had to go through as a
result of people using the insecure "account recovery options" of apple?
If people give insecure verification information ("Q: Please verify your PIN." "A: Five, Five, Five, Five.") then they can't blame the company. Garbage in, garbage out.

I'll certainly admit there are a lot of people out there who fall into precisely this category. But at some point, people need to be held responsible for their own lack of security.

I'll agree on the point of Apple's policy being broken. Verify the last 4 digits of your credit card? Anybody could know that.
d***@lang.hm
2012-08-23 19:27:13 UTC
Permalink
Post by lopser
Post by d***@lang.hm
Post by lopser
Guess what? Account seems to be compromised? Use the information
from
Post by lopser
"Account Recovery Options." Duh. ;-)
are you aware of the trouble that Mat Honan just had to go through as a
result of people using the insecure "account recovery options" of apple?
If people give insecure verification information ("Q: Please verify your PIN." "A: Five, Five, Five, Five.") then they can't blame the company. Garbage in, garbage out.
I'll certainly admit there are a lot of people out there who fall into precisely this category. But at some point, people need to be held responsible for their own lack of security.
I'll agree on the point of Apple's policy being broken. Verify the last 4 digits of your credit card? Anybody could know that.
While I agree that Apple did stupid stuff, I think you are missing the
forest for the trees.

Most of the information that's used for "account recovery" options is
finable (where were you born, your mother's maiden name, your pet's name,
etc) due to the ease of searching for what was at one point obscure data
about you.

Encouraging more use of such tactics is not a smart security move.

David Lang
Paul Graydon
2012-08-23 19:50:40 UTC
Permalink
Post by d***@lang.hm
Post by lopser
Post by d***@lang.hm
Post by lopser
Guess what? Account seems to be compromised? Use the information
from
Post by lopser
"Account Recovery Options." Duh. ;-)
are you aware of the trouble that Mat Honan just had to go through as a
result of people using the insecure "account recovery options" of apple?
If people give insecure verification information ("Q: Please verify
your PIN." "A: Five, Five, Five, Five.") then they can't blame the
company. Garbage in, garbage out.
I'll certainly admit there are a lot of people out there who fall
into precisely this category. But at some point, people need to be
held responsible for their own lack of security.
I'll agree on the point of Apple's policy being broken. Verify the
last 4 digits of your credit card? Anybody could know that.
While I agree that Apple did stupid stuff, I think you are missing the
forest for the trees.
Most of the information that's used for "account recovery" options is
finable (where were you born, your mother's maiden name, your pet's
name, etc) due to the ease of searching for what was at one point
obscure data about you.
People actually use real information for the account recovery
questions? Wow...

Paul
lopser
2012-08-23 23:41:40 UTC
Permalink
On Behalf Of Paul Graydon
Post by d***@lang.hm
Most of the information that's used for "account recovery" options is
finable (where were you born, your mother's maiden name, your pet's
name, etc) due to the ease of searching for what was at one point
obscure data about you.
People actually use real information for the account recovery
questions? Wow...
heheh, I know I sure don't use real information for those questions. In fact, I use random dictionary words, and I record them all in an encrypted password manager... But most people... Most people either use real information, or at least, something they could easily remember.

I defintiely get the point. Aside from having your biometrics on record, it's very difficult for anybody to conclusively verify your identity. If somebody were trying to forge my identity in the present situation, they could generate a copy of a driver's license and a fake utility bill as easily as they could figure out the name of the street I grew up on, or my father's middle name. Which is to say ... In my personal opinion, either one of those options would probably eliminate most would-be identity thieves. But neither one would deter Anonymous or the CIA from impersonating me.
Edward Ned Harvey (lopser)
2012-08-26 00:58:39 UTC
Permalink
From: lopser
I hope this will be my final comment on this thread, but I figured out what
went wrong.
Heyyy!!! That worked! I didn't upload the docs, and my account has been reinstated.

So, in summary, here's what I learned:

#1 Yes there is a google play (android market) help forum; you just can't get there by going to google play.

For all of google support, start at http://support.google.com
I mean ... If you go to Google Play, then there is no path to find the Google Play Support page. But it definitely exists. How stupid is that? ;-)

"Support" isn't even one of the options under the "More" tab... Seems like a major omission. ;-)


#2 If your account is on hold (you're being prompted for verification driver's license, passport, bank statements, etc) call the Google Wallet support number, or use Click 2 Call, to have them call you. Explain nicely to whoever you get, that you are seeing the Account Verification page requesting your driver's license, passport, bank statements, etc. You don't know why your account is on hold, you don't want to give out these types of documents, etc. Expect them to tell you there is no workaround, you simply have to do it, and they won't tell you why. And ask them what escalation options you have. "Seriously, I'm banned for life? And you won't tell me why? And based on this, I'm expected to submit personal information about myself? Can't I talk to a manager or something?"

The person I talked to sent me an email, and told me, when I reply to the email, my response will automatically get entered into the support notes for this case, and will be reviewed by the second level support person. I replied the same day, with all the explanation I could think of.

Two days later (maybe three) I got a response from the second level person, saying my account has been verified, taken off hold, and I'm now permitted to make purchases through google wallet again.

I was skeptical, and I tested it before I said Thank You. ;-)
Chucktr
2012-11-10 11:47:50 UTC
Permalink
Post by Edward Ned Harvey (lopser)
From: lopser
I hope this will be my final comment on this thread, but I figured out what
went wrong.
Heyyy!!! That worked! I didn't upload the docs, and my account has been reinstated.
#1 Yes there is a google play (android market) help forum; you just can't get
there by going to google play.
Post by Edward Ned Harvey (lopser)
For all of google support, start at http://support.google.com
I mean ... If you go to Google Play, then there is no path to find the Google
Play Support page. But it
Post by Edward Ned Harvey (lopser)
definitely exists. How stupid is that?
"Support" isn't even one of the options under the "More" tab... Seems like a
major omission.
Post by Edward Ned Harvey (lopser)
#2 If your account is on hold (you're being prompted for verification
driver's license, passport, bank
Post by Edward Ned Harvey (lopser)
statements, etc) call the Google Wallet support number, or use Click 2 Call,
to have them call you. Explain
Post by Edward Ned Harvey (lopser)
nicely to whoever you get, that you are seeing the Account Verification page
requesting your driver's
Post by Edward Ned Harvey (lopser)
license, passport, bank statements, etc. You don't know why your account is
on hold, you don't want to give
Post by Edward Ned Harvey (lopser)
out these types of documents, etc. Expect them to tell you there is no
workaround, you simply have to do it,
Post by Edward Ned Harvey (lopser)
and they won't tell you why. And ask them what escalation options you have.
"Seriously, I'm banned for
Post by Edward Ned Harvey (lopser)
life? And you won't tell me why? And based on this, I'm expected to submit
personal information about
Post by Edward Ned Harvey (lopser)
myself? Can't I talk to a manager or something?"
The person I talked to sent me an email, and told me, when I reply to the
email, my response will automatically
Post by Edward Ned Harvey (lopser)
get entered into the support notes for this case, and will be reviewed by the
second level support person. I
Post by Edward Ned Harvey (lopser)
replied the same day, with all the explanation I could think of.
Two days later (maybe three) I got a response from the second level person,
saying my account has been
Post by Edward Ned Harvey (lopser)
verified, taken off hold, and I'm now permitted to make purchases through
google wallet again.
Post by Edward Ned Harvey (lopser)
I was skeptical, and I tested it before I said Thank You.
Well, I'm glad that it worked out for you. However, I followed your procedure
and got the run around -and- DID NOT get my account re-instated. They still are
demanding the identification. The card that I am trying to use has been honored
by PayPal for years -and- still is!! -But- I purchased the app, that I was
trying to purchase from Google, somewhere else and paid for it with PayPay
-using the card that Google would not honor. However, it didn't work. Why??
Because the license verification was through Google and they didn't honor it!!
So they not only foil Credit Cards they also foil "legitimate" purchases through
another vendor!!

There really ought to be/is something illegal about this. Getting really
ridiculous. Now I either have to send them a copy of a utility bill or bank
statement -and- my drivers license -or- I won't be able to get apps for my new
phone --- EVEN IF I PURCHASE THEM SOMEWHERE ELSE!!
Edward Ned Harvey (lopser)
2012-11-11 00:59:05 UTC
Permalink
On Behalf Of Chucktr
Well, I'm glad that it worked out for you. However, I followed your procedure
and got the run around -and- DID NOT get my account re-instated. They still are
demanding the identification.
I don't know if this helps at all, but I figured out what was wrong in my case. Several months before, my 2yr old spent $50, so I did what I could to get it refunded, but couldn't find anyone at google to contact. So then I called the credit card and asked them if they have some way to contact someone at google, they said yes they do. Some more time passed, and the credit card company contacted me back, saying they got no response from google, so they refunded.

I think very likely, the reason google was willing to reinstate my account was because I could tell them this story, and I told them I never lost my card or anything, and I have since installed a PIN for purchases on all my android devices, and so forth. So I not only confirmed my identity by knowing something only I would know; I also assured them the account hasn't been compromised.

I learned in the process, that both google play (or android market, whatever it was called at the time) and google wallet have a support site, where you can contact them. (I guess you must know this already, as it sounds like you've already contacted them.)

It might help your situation if you can come up with an explanation for why they shut off your account. It also might help if you simply contact the same support number again. While they are probably well enough organized to see it's a repeat request - I certainly don't assume so. You might reach a different person who sees things differently.

Worst case, there's nothing preventing you from starting a new gmail account. Except obviously, that's annoying, especially if it means losing any apps you already paid for. But you can add more than one account to an android device... And google play honors them both. So you can still have your regular email account in there for sending/receiving email, while also having another account that isn't blocked from purchasing stuff.

Note: I haven't tested the 2nd account idea with a locked account. I have added my account and my wife's account to our shared tablet, and that works fine, or at least it did when I checked, etc etc, google may always change stuff... etc etc, I could be wrong.
lopser
2012-08-23 03:41:18 UTC
Permalink
Post by Tom Limoncelli
What method would you prefer we use to
verify you are who you say you are? I will gladly forward your
suggestions to the product group (no promises, but I am very
interested in what you suggest)
You know what? Nevermind Verified by Visa, etc. As other people have mentioned, it can be infeasible in some circumstances, and not every bank or vendor is equipped to use that stuff.

Today I tried to buy something in Euros (completely independent and unrelated to google.) The transaction was declined. My bank immediately called me. An automated system informed me that this is the credit fraud prevention system, and if I have any doubts about the identity of the system calling me, I could get their phone number from their website or the back of my card, and call them instead. It asked me my security question, "what is the make and model of your first car" to confirm my identity. (I'm not just some hapless person who just had his wallet, credit cards, and cell phone stolen.) It asked if I'm in control of my cards, and did I authorize the following transaction?

I told it Yes. So it told me, that I should resubmit my transaction, we apologize for any inconvenience, and thank you for using this system. In the future, if I know I'm going to be performing suspicious activity, I can call them to notify them in advance, to avoid any inconvenience.
Brandon Allbery
2012-08-21 14:33:45 UTC
Permalink
Here's what they say:****
We were unable to verify the credit or debit card information for your
recent order. Your order has been cancelled
Note that this is a boilerplate version of "your credit card was submitted
and they (i.e. not Google, but upstream) rejected it". I couldn't tell you
why, or why it continued for multiple cards, but you might want to verify
that your cards are still valid and *then* take it up with Google. Not
sure who they work with but this might be some contractual thing, or even
possibly a bug where a rejection is "stickier" than it should be.
--
brandon s allbery ***@gmail.com
wandering unix systems administrator (available) (412) 475-9364 vm/sms
lopser
2012-08-22 02:37:07 UTC
Permalink
Sent: Tuesday, August 21, 2012 10:34 AM
Post by lopser
We were unable to verify the credit or debit card information for your recent
order. Your order has been cancelled
Note that this is a boilerplate version of "your credit card was submitted and
they (i.e. not Google, but upstream) rejected it".  I couldn't tell you why, or
why it continued for multiple cards, but you might want to verify that your
cards are still valid and *then* take it up with Google.  
I agree with your interpretation of the words, but unfortunately, not correct. I have always had two credit cards (one visa, one mastercard) in google, which I have used numerous times before. These are the same cards that I use elsewhere, for automatic recurring charges as well as in person for daily purchases. My cards are still good everywhere else. Google is the only place having a problem.

I cannot eliminate the possibility that both Visa and Mastercard identified google as a hotspot for credit fraud and therefore they both blocked google. But I have no reason to believe such a thing.

Whenever my banks suspect anything suspicious, they reject the transaction, and they call me for verification. That has happened several times before - but didn't happen with thi
Billy Vierra
2012-08-22 23:26:57 UTC
Permalink
Quick bit of background, about 9 years ago I worked for one of the largest cc processing companies in the world (they processed like 9/10 cc transactions in the US).

The issue is actually a lot more complicated than you are realizing / probably have any reason to know.

Let's start with how a transaction get processed:

There are usually 3 parts to this:
* CC Authorization (using the CC # and exp date)
* CVV2 (The 3 digit code on the back of your card) (they charge like $0.10 for this)
* AVS (Address Verification) - Quick note on this one, it can only process the digits in the address so if the address on the card was "123 Main St Apt #4, Any Town CA, 91000" the following would match as well "1234 Nowhere, NotMyTown NV, 91000") (they charge like 0.25 for this)

Verified by Visa / Mastercard SecureCode, while great and have been catching on, are still not available from all banks. Even fewer have it available to work on mobile networks. If Google required this, they would have a lot of customers they would turn away and last time I built a system that needed Verified / SecureCode (probably a lil over 2 years ago) there was no way of knowing if it was available or not, it either passed that it was verified or it says it didn't pass verification.

So as you can see from a merchant perspective there really is not a lot of help from Visa/MC to prevent fraud (will get into why in a few).

As a work around to this many online merchants started using 3rd party software that would check and see if the IP address used was within X miles of the billing zip code (using GeoIP), checking for proxies, so on and so forth. Many of these would give a % of the charge not being fraud that really was their own internal algorithm and had nothing to do with Visa/MC.

So why are Visa / MC not caring about fraud? Fraud is where they make the majority of their money, at least when I worked there, and yes really. Visa / MC do not have to return any money to the card holders bank when fraud happens, the processor does. However Visa / MC would actually charge the Merchant an arbitrary fee. The range I saw was between $15 and $25 per fraud transaction depending on contract and volume. Now I am sure that some of it went to the processor, but I know that Visa / MC had a set fee per fraud transaction, then the processor charged more on top of that. Also they take the % charged per the merchant agreement (let's use 3% for ease of use) both on the transaction and on the refund.

So let's break that down real quick on a $0.99 charge that gets a charge back.

3% charge for transaction = $0.03
$0.10 for CVV2 = $0.10
$0.25 for AVS = $0.25
3% charge for the refund = $0.03
$15 (low balling this one) charge for the charge back fee = $15.00

So that $0.97 income for Google, now costs them $15.41

Ohh and the greatest part, if the Merchant can get you to repay them (legal threat / whatever), according to most merchant agreements, they cannot recover the fees they had to pay.

Even better, guess what the Merchant needs to fight a charge back, a signed credit card receipt (I have heard they allow signed contracts as well now, but the signature has to match what is on file with the bank). Online transactions cannot be fought (once again I am sure this has changed by now).

So what can the merchant do when they believe that a charge may be fraud? Ask for something that only person would have, which is what they have done here, bank statement / utility bill / driver's license / etc.

While I understand the frustration with it, hopefully you can now understand why this happens the way it does. :)

Billy Vierra
E-Mail: ***@sortatechie.com
http://about.me/bvierra

-----Original Message-----
From: tech-***@lists.lopsa.org [mailto:tech-***@lists.lopsa.org] On Behalf Of lopser
Sent: Tuesday, August 21, 2012 7:37 PM
To: Brandon Allbery; lopser
Cc: LOPSA Technical Discussions (***@lopsa.org)
Subject: Re: [lopsa-tech] Google wants images of my passport, driver's license, bank statement, etc.
Sent: Tuesday, August 21, 2012 10:34 AM
Post by lopser
We were unable to verify the credit or debit card information for
your recent order. Your order has been cancelled
Note that this is a boilerplate version of "your credit card was
submitted and they (i.e. not Google, but upstream) rejected it". I
couldn't tell you why, or why it continued for multiple cards, but you
might want to verify that your cards are still valid and *then* take it up with Google.
I agree with your interpretation of the words, but unfortunately, not correct. I have always had two credit cards (one visa, one mastercard) in google, which I have used numerous times before. These are the same cards that I use elsewhere, for automatic recurring charges as well as in person for daily purchases. My cards are still good everywhere else. Google is the only place having a problem.

I cannot eliminate the possibility that both Visa and Mastercard identified google as a hotspot for credit fraud and therefore they both blocked google. But I have no reason to believe such a thing.

Whenever my banks suspect anything suspicious, they reject the transaction, and they call me for verification. That has happened several times before - but didn't happen with this google situation.
Mathew Snyder
2012-08-21 18:34:44 UTC
Permalink
To be honest, that sounds a bit sketchy. Before blaming Google (I've never
heard of ANY company needing that kind of information) I'd look into
whether you're being phished.

That kind of request is more in line with an attempt at identity theft than
what Google would require for account verification. When my Gmail account
was hijacked a couple years back, they didn't ask for anything even
remotely close to what your seeing.

-Mathew

"When you do things right, people won't be sure you've done anything at
all." - God; Futurama
Farewell google. What else can I say? Seriously.****
** **
I tried to purchase something from the Google Play store, in my android
tablet today, and I keep getting an error that doesn't say much of anything.
"Your order could not be processed. Please try again." So I tried a
different credit card, I tried adding new credit card, still generic error
messages.****
** **
So I tried logging into google wallet via web browser. They ask for
Account Verification. Which includes Driver's License, (upload scanned
images), passport, or other photo ID, bank statement, credit card
statement, and/or utility bill.****
** **
Here's what they say:****
We were unable to verify the credit or debit card information for your
recent order. Your order has been cancelled and your card was not charged.
Rest assured that Google is committed to preserving the security of your
information and providing a safe online shopping experience.****
** **
To resolve this issue, you'll need to scan the following verification
documents to your computer and then upload them below.****
** **
If you don't have a scanner, please click here. (Fax option)****
** **
Until we receive and verify the requested documents, future orders will
not be processed. Please do not create additional accounts.****
** **
If you choose not to submit these verification documents, your account
will remain suspended and you will not be able to place orders or access
your Google Wallet account.****
** **
They ask for my driver's license, passport, bank statement, credit/debit
card statement, utility bill. ****
** **
Obviously, I'm not going to give them any or all of that stuff. Just so
I can pay them $0.99 for some stupid app.****
** **
When I pay other companies, they do normal things, like, redirect me to
Verified By Visa, or stuff like that. This whole process is taking place
over SSL secured https... And I have a strong password and two-factor
authentication on my google account... So there's seriously no way for
any fraud to be taking place either by me or anyone else trying to hack my
account or anything. This is going way too far. Nobody in their right
mind should give any credit card payment processing center their driver's
license, passport, bank statement, etc.****
** **
Foolish. Baaah!!! I want to play my stupid video game! ;-) Too
bad...****
_______________________________________________
Tech mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
lopser
2012-08-22 02:46:40 UTC
Permalink
Post by Mathew Snyder
To be honest, that sounds a bit sketchy. Before blaming Google (I've never
heard of ANY company needing that kind of information) I'd look into
whether you're being phished.
This has been discussed. In order to see the rejection, I browse to https://gmail.com and login. I use google public dns, so there's no chance of a dns poisoning. The SSL cert is signed by Thawte.

Furthermore, when you try to buy someting in android, the transaction doesn't take place at your device. The transaction takes place between the Google Play servers and the credit card company. So it couldn't possibly be a phishing
Loading...