Escrow.com Is Now Asking For Photos of Personal Docs

[Cdomains]

Escrow/com Is Now Asking For Photos of Personal Documents.

I just logged in to Escrow/com and they are now asking for extensive verification including Photos or scans of ID's and other personal and business documents to be stored on their servers.

I have used them for years for all my transactions.

With all the hacks of servers happening around the world and security breaches exposing us to identity theft I have refused to give photos of my ID's and other documents to companies who request it.

I will not do business with Flippa for this reason.

I recently had my account frozen at a registrar that asked me for this and I refused.

Will you give photos of your personal ID's, bank records, etc to Escrow/com or will you use another service?

Personally, I think I am going to take my business somewhere else.

I am really disappointed about this after all these years.

---

Related:

• New Escrow.com Account Verification Process

 

[dnbknowledge]

Unfortunately, we'll probably end up flooded with more and more intrusive regulation to "fight the good fight" yet at the same time, governments all around the world are funding various shady organizations themselves whenever it suits their geo-political agenda... hypocrisy at its finest.

None of this is Escrow.com's fault, they simply have to comply and other escrow services (which don't yet do this) will have to do the same to avoid getting slapped with huge fines (like what happened with Escrow Hill in Texas a while back) or shut down.

 

[Jurgen Wolf]

Even Bodis now asks for US-taxform...
Regarding ParkingCrew, Sedo - such taxform is unnecessary, because both companies are German.

 

[DN_Hunter]

We've got just over a million user accounts, so to avoid overwhelming the verification team we're displaying the request to verify your account to 50% of users. Once we lift that up to 100% I'll also reach out with an email to everyone, as well as an explainer in the banner next time you log in.

In my mind this was done sort of backwards. If it were my company, I would have

1. sent out an email to all existing accounts first that explains the laws, and also explains your rollout/enforcement process.
2. already put an explainer banner for all existing accounts in case anyone missed the email
3. updated the sign-up page to include the requirement that extensive verification will be needed in order to open an account with Escrow. This might actually work in your favor from a "Buyers" point of view -- you can claim that all account holders have gone through the government-accepted approval process so that you know your seller has been confirmed. But it all depends on how much information the buyer is willing to provide for a domain name...

Also, as someone else pointed out earlier in this thread -- the regulations clearly state that Covered financial institutions must comply with these rules by May 11, 2018

So perhaps Account holders should have until some cutoff date to verify their account (closer to 17 months from now...)

Or perhaps you can have rules that say transactions above "X" amount, both parties need to be verified, but for transactions below "X" amount then you do not need to be verified as long as Credit Card or PayPal is used... (or something like that, I'm just spit-ballin...)

Regards,
DN

 

[Kate]

The main reason clients don't want to provide the information is not the time taken (50 seconds is not worth complaining about).
It is the discomfort in knowing that your private information is stored secured and confidentially with another third party. People just do not like to share their private information - even if the information is sent to a heavily Government regulated secure financial firm. This has nothing to do with business.

The problem is not that users do not trust your firm. They do, since they are willing to remit $,$$$ sums and more.
The problem is that they don't have faith in the IT systems of third parties in general, for very good reasons. It has to be assumed that any website can and will be breached at some point, sadly.

And as said above, many purchases are once-only, so buyers don't want hassle for a one-time transaction.

My advice is to send documents by post, to be retained offline, something that Jackson Elsegood has said can be done.

Which leads me to another question since we have two escrow companies posting here. Do you have penetration tests conducted on a regular basis against your systems, as part of corporate policy or per applicable regulations (PCI/DSS etc) ?

@Jackson Elsegood
@FairTrial

 

[Cdomains]

This used to just be for banks, but from the most recent guidance is now being applied to all financial institutions.

I can see how Escrow/com would be viewed as a financial institution because it is a middleman for financial transactions, and so sending these ID's would be required.

But are registrars considered financial institutions?

Probably not.

If not, they will not be subject to the same rules as Escrow/com?

Maybe now it is time to consider using some of the registrar services for selling domains instead of having to risk our privacy and security by uploading sensitive docs to Escrow/com or any other company for that matter.

And by the way, don't let anyone tell you their servers are safe.

Most of the top US companies have been hack/ed in the last few years and have had sensitive info stolen.

What makes Escrow/com think theirs are so safe.

They're not!!

And let's not forget employees have direct access to this info.

Employee theft of personal info is also a real problem for companies.

 

[Jurgen Wolf]

My advice is to send documents by post, to be retained offline, something that Jackson Elsegood has said can be done.

And then be filmed by any camera???

 

[Kingslayer]

Everything is done in the name of terrorism nowadays and let’s face it its bullshit.

We’ve got the snooper charter now in the UK, something similar being talked about in the US and many other countries. I can’t sign up to a free e-mail address or website any more without putting phone verification details in, what’s all that got to do with terrorism? It’s just to snoop and/or to pass info on to 3rd parties to send you rubbish.

I understand Escrow.com was forced into this by US government legislation, but obviously it’s going to affect your business. It’s going to prevent buyers who use Escrow.com for a 1 off transactions from using Escrow.com, people don’t want or have the time to do this therefore it may also stop sellers recommending a deal being completed through Escrow.com and possibly an escrow site outside the US (not obligated to this) being a new site of choice to oversee deals.

 

[carob]

I understand Escrow.com was forced into this by US government legislation.

Not sure about that. Even the stuff they themselves quoted referred to 2018 and does not specify photo id - they could approach this very differently.

Verifying identity does not mean demanding ID - that could well make you a date with Mr Photoshop.

 

[Kingslayer]

Not sure about that. Even the stuff they themselves quoted referred to 2018 and does not specify photo id - they could approach this very differently.

Verifying identity does not mean demanding ID - that could well make you a date with Mr Photoshop.

Tbh I’ve not clicked on the link, I just read the OP’s post.

If that’s not the case, then maybe it’s just to give staff a good giggle at mug shots? As you say photo Id can easy be forged.

Me personally I think providing a name/address/confirmed phone number/bank details and a system where funds aren’t released until a buyer confirms to Escrow.com they have received agreed goods is secure enough.

If not obligated by law, why change something that works? ‘Change’ in a more inconvenience way is how businesses lose custom, not grow.

 

[FairTrial]

...
Which leads me to another question since we have two escrow companies posting here. Do you have penetration tests conducted on a regular basis against your systems, as part of corporate policy or per applicable regulations (PCI/DSS etc) ?
...
@FairTrial

Kate,
Believe me, I would rather trust Transpact.com with my securely held personal information than my large bank to whom I am forced to provide the same information.

Where the organisations differ is that Transpact.com was built around two pillars from the start - Security and AML/CTF.
And we actively maintain the company around those two principles.
So we are constantly on the look out for threats, both to payment and to information. We have to - believe me, it is a scary world out there.
Our whole rationale and raison d'être is to provide security.

We exist for security. For that very reason, we do not comment publicly on our security procedures, as that would only give information to criminals, but you can rest assured that your concerns are met.

Will we give a cast iron guarantee that the Chinese or US Government will not hack into our systems ?
No, as no-one in their right mind with any knowledge of IT security would do so (every encryption key requires a decryption key somewhere). Hopefully they cannot, and we take steps to ensure they cannot, but we are not going to bet on it.
But believe me, those parties will already be in possession of the information we securely hold anyway, so they would not be learning anything new.

Sorry if this is not the answer you were looking for, but at least when you deal with Transpact.com you know you are dealing with a company that takes payment and data security most seriously, that exists to provide security, and is constantly re-evaluating and monitoring threats.

 

[Shimmy]

Here's my 2 cents on this change. I agree Escrow.com does have the obligation to verify, follow the know your customer law per domainers receiving money.

I don't agree if these requirements are enforced if an end user is making a purchase with a credit card transaction. Reason: If that were the case every site you visited online would require documents before you could purchase anything, not gonna happen.

@Jackson Elsegood , can you respond to this. Buyers using a credit card to buy an item happens on every other site, why would you require ID from them?

 

[pchip]

It is good that you finally added this. I did this with my paypal account in 2007..

PayPal doesn't require this for everyone. There are other ways to verify your identify that work just fine. When I verified through PayPal, I just did the verify the bank deposit thing to verify my identify. That should be enough for most people.

Plain and simple, I can't image the one time buyer/seller actually going through the verification process. It's just not worth it to them. So, it makes no sense for me to do it.

 

[Jurgen Wolf]

I just disabled Escrow.com integration in my Bodis settings.

 

[cipcip]

PayPal doesn't require this for everyone. There are other ways to verify your identify that work just fine. When I verified through PayPal, I just did the verify the bank deposit thing to verify my identify. That should be enough for most people.

Plain and simple, I can't image the one time buyer/seller actually going through the verification process. It's just not worth it to them. So, it makes no sense for me to do it.

Paypal not only required me the id, but also required a bill that shows the address that is in the id, like a utility bill. So I uploaded my id and my cable bill which is on my name.

 

[joro001]

It seems pretty clear that escrow.com have done nothing wrong here and sooner or later would have been forced to keep up with regulatory requirements.

However, as others have mentioned it is a major issue for domain sales, many buys are impulsive and often you can't even get the buyer to bother confirming they have received the domain, needing you as the seller to ask escrow to intervene and close the transaction manually. I've been through this plenty of times.

So asking buyers to go through this verification will kill deals it's as simple as that. I recently had my yahoo mail account hacked so I know all too well how wary many (including myself) are about giving out this sort of personal information.

The reality is that selling domains will be harder and i've been expecting regulations in one form or another to make life more difficult this year so here we are. Don't be surprised if we see more of these sort of changes and tightening regulations coming through.

 

[equity78]

Kate,
Believe me, I would rather trust Transpact.com with my securely held personal information than my large bank to whom I am forced to provide the same information.

Where the organisations differ is that Transpact.com was built around two pillars from the start - Security and AML/CTF.
And we actively maintain the company around those two principles.
So we are constantly on the look out for threats, both to payment and to information. We have to - believe me, it is a scary world out there.
Our whole rationale and raison d'être is to provide security.

We exist for security. For that very reason, we do not comment publicly on our security procedures, as that would only give information to criminals, but you can rest assured that your concerns are met.

Will we give a cast iron guarantee that the Chinese or US Government will not hack into our systems ?
No, as no-one in their right mind with any knowledge of IT security would do so (every encryption key requires a decryption key somewhere). Hopefully they cannot, and we take steps to ensure they cannot, but we are not going to bet on it.
But believe me, those parties will already be in possession of the information we securely hold anyway, so they would not be learning anything new.

Sorry if this is not the answer you were looking for, but at least when you deal with Transpact.com you know you are dealing with a company that takes payment and data security most seriously, that exists to provide security, and is constantly re-evaluating and monitoring threats.

You work for the company so of course you say that, but 1) it does not mean you won't get hacked and 2) most people here don't know you so they are not going to trust you because you said TRUST ME. Every company says security is a top priority. Security will mean something in the online world when companies have to pay penalties to their clients that had their info stolen. Then we will see better security or thin out the herd of companies that cannot compete.

 

[joro001]

You work for the company so of course you say that, but 1) it does not mean you won't get hacked and 2) most people here don't know you so they are not going to trust you because you said TRUST ME. Every company says security is a top priority. Security will mean something in the online world when companies have to pay penalties to their clients that had their info stolen. Then we will see better security or thin out the herd of companies that cannot compete.

I agree with this.

Yahoo mail kindly notified me that my account along with a ton of others were hacked and basically saying sorry we messed up, will try and do better next time. I'm pretty sure talktalk were hacked in a major way as well in the not too distant past, so i've been hacked at least twice in the last year or so that I am aware of via supposed "Big Companies" who clearly have no idea how to protect sensitive information from hackers.

Completely unacceptable and they should both be fined heavily for such a breach.
I am still annoyed about it.

I can't blame any buyers or sellers from being wary providing this sort of information.

 

[FairTrial]

...
Plain and simple, I can't image the one time buyer/seller actually going through the verification process. It's just not worth it to them. So, it makes no sense for me to do it.

Just for the record (which will probably be useful information to many here), the vast majority of buyers and sellers using our Transpact.com escrow service (which has required ID verification for many years) do go through the identity verification process, and do not refuse to provide the information - even for one-off transactions.
So this is not a significant problem for us.

For some clients for lower value transactions through our service, the client does not even realise their identity has been verified (as we are legally required to do), as they did not have to provide any extra documentation or take any action.

For larger transactions and other clients, the time taken in verification is normally minimal in relation to the transaction, and not a problem.

Only a vociferous but very small minority of clients refuse to provide identity verification, and so we refuse to transact with them (as we are mandated by law).
Of those, some refuse because they are privacy advocates scared their private data might be compromised, and many refuse because they have something to hide.

 

[Domainatic]

Maybe we should get someone from Escrow.com to talk over?

 

[TheWatcher]

Is this Escrow or Transpact thread?
I don't know transpact, and haven't use their service maybe someday.

Let's keep it for Escrow.com where it is already a lot of question from buyers and sellers.

 

[FairTrial]

You work for the company so of course you say that, but 1) it does not mean you won't get hacked ...

I agree with this.
Yahoo mail ...

Equity / Joro,
I agree with you both.
Read what I said, and I don't disagree.

Where Transpact.com (and hopefully Escrow.com - although I cannot speak for that company) is different to Yahoo, TalkTalk, Ashley Maddison, etc. is that Transpact.com is focused on security, and exists to provide security. That is all we do.
Those other organisations all have marketing agendas which means that security is an add-on .
With our escrow service, security is both the means and the ends and is central to our service, and we built the company from scratch around the pillar of security.
And that means that our watch never ends, and we constantly monitor and evolve our security.

Our firm's ethos is different from all the other firms you mention. That is actually important.

As I said, sorry - still no cast iron guarantee - anyone with any knowledge of IT security would concur (every encryption key requires a decryption key somewhere, and Nation-State hackers have immense power).

But knowing that our ethos, our strategy, and our constant monitoring are all security centered is important.
It might not be enough for you, but it is a key difference.

And I agree that all companies that are hacked should be fined heavily for such a breach.
(Although how do you then deal with Nation-State sponsored hackers who hack a company to put that company out of business due to fine, so that their own Nation-State rival company can take over the business lost ? - You are unleashing the possibility of simple Nation-State economic warfare at a button click).

 

[TheWatcher]

What the heck.
Are your company ISO 27001 or PCI/DSS certified?

 

[TheWatcher]

No answer.

 

[carob]

We've led the way on requiring customer ID verification for years, for larger transactions.
The reason is purely down to anti-money laundering and counter terrorist-financing laws, to prevent escrow services from being used to launder the proceeds of crime, and prevent the funding of terrorism.

We do not require these intrusive checks for our own purposes in any way whatsoever as we have the customer’s money, which is what counts - we would very happily ditch the checks, but they are imposed purely due to Government regulation (we have our own other security checks).
.

Would you kindly post a link to the specific legislation to which you are referring?

And explain also what checks you require, and whether they are explicitly required by that legislation.

 

[Cdomains]

My advice is to send documents by post, to be retained offline, something that Jackson Elsegood has said can be done.

What makes sending your personal docs through the mail any safer?

Also, how can you be sure how your docs will be handled once and if they arrive safely.

How do you know they won't be scanned into their systems once they receive them thorough the mail?

If they are scanned then what happens to the physical documents?

Will they be shredded properly, or just thrown in the trash?

Can anyone really be trusted with this sensitive info?

How many companies use "paper" systems and files anymore?

In the computer age - not many!

It is naive to think they will just store it safely.

And how safe is the storage anyway?

It may be safe from hackers, but now there is a physical form of your personal docs out there for someone to mishandle, steal or lose.

Giving any form of your ID's or personal docs is not worth the risk.