back to article Apple asked me for my BANK statements, says outraged reader

Apple is believed to have asked some online shoppers to hand over copies of their driving licence, passport and bank statements to verify their identity. A concerned Reg reader alerted us to Apple's data-slurp requests after she received one herself - and was told by her bank that they had never heard of private companies …

COMMENTS

This topic is closed for new posts.
  1. Gunda

    You want to buy subsidized phone, cough up your private data. They are lending you money and want to ensure you don't default. Buy a phone upfront if you don't like it. Even people in poor countries cough up full dough to buy phones.

    1. Velv
      FAIL

      FAIL - no Credit Agreement with Apple

      No subsidy, no loan.

      The customer is buying on a Bank issued Credit Card, so as far as Apple is concerned the customer is buying it outright.

      The Bank is taking the credit risk, not Apple, and the Bank has already completed the necessary identity verification to issue the card.

      1. Anonymous Coward
        Anonymous Coward

        Re: FAIL - no Credit Agreement with Apple

        I'm guessing that Apple have had so much fraud that the banks are holding Apple liable for fraudulent purchases unless they demand extra proof of identity.

      2. Number6

        Re: FAIL - no Credit Agreement with Apple

        Actually, for an on-line transaction where the customer is not present, the bank reserves the right to charge back to Apple in case of fraud, so in this instance Apple are indeed taking the risk. The three-digit security code on the back helps a bit, but if someone's nicked your card, or noted the details while handling it, that's not much of a barrier.

        I'd still tell them where to stick their security check though. Perhaps there needs to be a mechanism where they can put it through normally but raise a flag with the bank, who will contact the customer to verify that it's a genuine transaction on the card (as they do occasionally anyway if you raise one of their security flags).

        1. Carl Fletcher

          Re: FAIL - no Credit Agreement with Apple

          Not if they implement Verified By Visa or Mastercard SecureCode, which moves the onus on the bank in verifying a genuine user.

          1. Anonymous Coward
            Anonymous Coward

            Re: FAIL - no Credit Agreement with Apple

            "Not if they implement Verified By Visa or Mastercard SecureCode, which moves the onus on the bank in verifying a genuine user."

            Only one of my Mastercards has that online verification. The Barclaycard Mastercard one doesn't - yet the Barclaycard Visa one does.

            One day the Barclaycard Mastercard bounced a big order to my regular IT supplier to my normal address. They left it to the supplier to tell me. Apparently a <£1k transaction triggered their fraud alarm. The helpline put me through a lot of questions. I pointed out that I bought expensive things from that supplier several times a year - which a history check would confirm. They admitted their fraud data trend only went back about a month or so.

            To add insult to injury - it then took another four phone calls before the supplier reported that the transaction was finally unblocked for them.

          2. Not That Andrew

            Re: FAIL & Verified By VISA

            Dunno about the Mastercard SecureCode but Verified by VISA seems to move the onus onto you to prove it wasn't you who made the purchase rather than move the burden of identifying the user to the bank.

          3. Anonymous Coward
            Anonymous Coward

            Re: FAIL - no Credit Agreement with Apple

            While we don't know quite all the relevant details, those anti-fraud precautions are not world-wide. I was once told that Chip and Pin was introduced to counter Fraud by bank staff. That's not a world-wide system.

            What I see, from US companies, is an apparent lack of card security, compared to UK and European operations. And the big-name card handling companies, Mastercard and Visa, are distinct companies from the US corporations, just as Paypal is a separate company in Europe.

            I am seeing my own problems with getting payment to US companies. Thankfully, I have not seen this solution. I don't get paper statements from either my bank or my card company.

            [Anonymous for obvious security reasons]

        2. Anonymous Coward
          Anonymous Coward

          Re: FAIL - no Credit Agreement with Apple

          "Perhaps there needs to be a mechanism where they can put it through normally but raise a flag with the bank, [...]"

          Both my Mastercard and Visa cards have the potential of a further online password double-check by the issuing bank. The Mastercard transaction requires knowledge, on both sides, of a two-part password set by myself.

          When the online credit card transaction goes to completion the screen is transferred to the issuing bank's verification service. It then presents me with a personal phrase that I constructed - to which my reply is my personally constructed password. Not perfect, especially against a screen scraper and key logger, but pretty good verification. It gives me confidence I am not being phished for my password.

          It would be even better if I could use my Pin Sentry mechanism to produce an offline authentication code like I do for my bank account.

        3. Alex Walsh

          Re: FAIL - no Credit Agreement with Apple

          Verfied by Visa? I have to punch in 3 digits from my 8 digit password to confirm a lot of online purchases.

        4. Alan Brown Silver badge

          Re: FAIL - no Credit Agreement with Apple

          "Actually, for an on-line transaction where the customer is not present, the bank reserves the right to charge back to Apple in case of fraud,"

          You need to rewrite that. Even for offline transactions where the customer IS present and has provided a PIN (and CCTV security footage shows that it is indeed the customer, not someone using a purloined cards), the banks can and will chargeback in case of a dispute - and hit with penalty charges which are not removed should the dispute prove groundless.

          I know, because as a retailer it happened to me on multiple ocasions. It's one of the reasons for encouraging people to move to direct debits or bank transfers

          Then there's the massively high cheque fees banks charge in an all-out attempt to encourage retailers to stop accepting them, or the high standing fees and surcharges attached if your card processing is below threshold numbers or average transaction values. Bank commissions can easily hit 30% on debit card payments if there are a lot of sub £10 transactions.

          Basically the banks rape and pillage. Retailers were forced to swallow that until recently. I suspect Apple have gone too far, but I'm not surprised they're making these kinds of demands, given recent stories such as the guy who got mugged of his cards+ipad and documented the assailant making multiple purchases from Apple on stolen cards, then flogging 'em on Ebay - however in that particular case the mugger had enough stuff to fulfill most of the demands from Apple. I'd be going for a request to provide a photo showing face + holding up a handwritten copy of the order number, along with some other form of phptographic ID.

      3. Rich 2 Silver badge
        Mushroom

        @Velv - (Unfortunately) you are wrong!

        While I find Apple's behaviour in this contemptible, your comment "The Bank is taking the credit risk, not Apple" is not actually correct in the harsh reality of business banking.

        I used to run a small web-based retain business and I used to accept credit/debit card payments. It's all unnecessarily complicated, but basically, if you are a company and the target of credit card fraud then I wish you the very best of luck getting your money back from the bank after you have shipped the purchased goods and then find out the card was used fraudulently. The bank will usually point at clause xyz and tell you to whistle.

        It really annoys me when I see adverts aimed at Jo Public with tag lines along the gist of "don't worry about using your card on-line - we (the bank) will make sure you don't lose out". Notice that the banks DON'T say that THEY will cover the costs. That's because they don't! They pass the buck on to the retailer. This is why the banks have never really taken credit card fraud seriously. Because most of the time, the cost to the bank is nothing; either the customer pays or the retailer pays.

        1. Equitas

          Re: @Velv - (Unfortunately) you are wrong!

          And all too often, the seller has not exercised due care.

          I've suffered credit card fraud on a couple of occasions, one of which involved my (rather improbable) purchase of a bicycle from a cycle shop on the South coast of England, the said bicycle to be delivered by carrier to Essex, while the registered address for the card was in the North of Scotland. No attempt was made to check before making delivery to an address other than that to which the card was registered.

          1. mike2R

            Re: @Equitas - (Unfortunately) you are wrong!

            As others have said, the seller is taking the risk, not the card holder - you got the fradulent transaction returned to you didn't you? You were mildly inconvenienced perhaps, the seller lost the funds and is out the item they shipped to the non-registered address.

            The reason merchants take the risk is that so many people want it. For all sorts of reasons people find it convenient to have things shipped to alternate addresses, so merchants offer them the service and take the risk.

            If you really want to blame someone who isn't the thief, blame yourself for allowing your card details to escape into the wild. Without that, the unfortunate merchant wouldn't have been defrauded (yes I recognise that with the way the system works, this is pretty much impossible and there are so many compromised cards out there that one more is utterly irrelevant. But it makes more sense from blaming the poor merchant for being defrauded).

        2. Alan Brown Silver badge

          Re: @Velv - (Unfortunately) you are wrong!

          "Because most of the time, the cost to the bank is nothing; either the customer pays or the retailer pays."

          FWIW, by the time penalty charges are levied, banks make more money from fraud than they do from legitimate transactions.

          THAT is why they don't do all that much to curb card fraud,

      4. henrydddd

        Re: FAIL - no Credit Agreement with Apple

        Apple's attitude has always been a 'we own our customers and we can do anything with them that we feel like"

      5. Anonymous Coward
        Anonymous Coward

        Re: FAIL - no Credit Agreement with Apple

        Absolutely,

        They can f*k off. Bashing Apple just became fun again

    2. Alan 6 Silver badge
      FAIL

      read the frickin' article man

      Seriously not far in, just at the start of the third paragraph

      "After ordering an iPad for her young son" - so not a phone, and not subsidised

    3. Brent Longborough
      WTF?

      "Apple" and "Subsidized" in the same context?

      That's pretty challenging! Don't people realise that there are other options than handcuffing yourself to Apple?

    4. The Man Who Fell To Earth Silver badge
      Mushroom

      New Apple Motto

      All your identity are belong to us.

    5. Anonymous Coward
      Anonymous Coward

      If you read the article, the lady in question was buying the ipad outright and not asking for credit or a subsidised device. This is intrusion of the worst kind and shows how arrogant some companies are, it used to be the case that having money was enough reason for a compant to sell something. to someone.

      If it were me I would tell them to stuff their product and go else where

    6. jonathanb Silver badge

      If you are buying direct from Apple, it isn't a subsidised phone. Subsidised phones come from the telephone companies like O2, Vodafone and so on.

    7. Anonymous Coward
      Anonymous Coward

      Speaking as a credit card fraudster, I'm outraged Apple will no longer accept transactions that are flagged by the credit check service as potentially fraudulent. Don't people realise Apple are a big company and should be prepared to simply foot the bill. I'm glad you all on this forum agree it is mighty discourteous not to dispatch goods to me, even if experience as shown you, you will more likely as not be footing the bill. It's my right you should sell me whatever I demand and frankly, if you want to see proof of my ID. FUCK OFF.

      Sorry anyone who disagrees with me is affecting my livelihood and therefore an arse-hole.

    8. lambda_beta
      Linux

      subsidized or 'look at all the idiots out there'

      you people are stupid morons if you think apple is subsidizing anything!

    9. asdf
      Trollface

      wow

      89 downvotes as a I write this. I salute you Mr. Troll and just so you hit your triple digit target have another but know I don't do it out of malice but out of respect.

    10. Anonymous Coward
      Anonymous Coward

      Another info/access grab lurks in your Paypa account

      After many years of Paypal use with no issues, I suddenly got a note that I was very close to passing my "limit" of $10,000 of transactions. Hunh!

      Now in order to continue using Paypal, I must give them direct access to my bank account (take out money as well as put it in). They get hacked or disagree with me; they just take what they want.

      The note says that this is necessary to insure my security and verify me (I guess "my realness") after at least 6 years (I believe a good deal more) and $10,000 of transactions without a problem. Virtually all me paying someone. And they have my credit card.

      And there are many things that they have locked up to the point that Paypal is the only way to make a transaction. Can you say unreasonable leverage of an almost monopolistic market position. This BS should be stopped by someone in government regulation.

      1. Anonymous Coward
        Anonymous Coward

        Re: Another info/access grab lurks in your Paypa account

        " I must give them direct access to my bank account (take out money as well as put it in)"

        Eh? You are saying that Paypal wanted to have your username and password to your online banking?

        Or are you just saying that they wanted a direct debit that you could cancel or claim back on at any time?

        Other than that PayPal can't take money out of your account (apart from reversing a transaction they have made due to error with 24 hours).

        Therefore I don't think you are being entirely truthful.

        1. Dave Bell

          Re: Another info/access grab lurks in your Paypa account

          What I often see is a bit of confusion over just what is going on. From my time running a business, I know some of these things. Some people misunderstand. Some businesses give lousy explanations. And some people seem to want to boast of their superiority.

          I've been with Paypal for a long time, I had to "verify" my account at the start, and that involved a debit/credit double on my bank current account. I don't think it needed an open-ended permission, but it was a long time ago. So all I can say is you should look carefully at what they are asking for. But I didn't have a problem, and getting verified is worthwhile. Once they have confirmed the current account, you can send money to Paypal through your internet banking, at a lower fee.

          Paypal are a bank. So feel free to be suspicious. Being a bank is not the sign of reliability that it was.

          1. Anonymous Coward
            Anonymous Coward

            Re: Another info/access grab lurks in your Paypa account

            Are you saying that Paypal were given access to your bank account to withdraw money?

            If so then you are also talking rubbish.

            The only way a company can withdraw unauthorised money from your account is via a credit/debit card, a direct debit or the reversal of transaction within 24 hours.

            Credit card is the worst as you'll have to continually chargeback for each offence or cancel your card.

            Direct debits can all be cancelled and money retrieved if taken.

            Reversals can only be for the amount they have just credited.

            Paypal will only verify if you either set up a direct debit mandate or they credit your account with two low transactions and you confirm what those amounts are.

      2. RTNavy

        Re: Another info/access grab lurks in your Paypa account

        Which Government would you like to step in? Their practices cover many International boundaries and jurisdictions.

      3. Anonymous Coward
        Anonymous Coward

        Re: Another info/access grab lurks in your Paypa account

        The way round that is set up a second bank account, link paypal to that, make sure it has no overdraft facility and never keep more than about £100 in it. That's what we did at work when Paypal and eBay wanted a bank account to link to

      4. Equitas

        Re: Another info/access grab lurks in your Paypa account

        Give them the number of an account with only a nominal amount of money in it.

  2. AndrueC Silver badge
    Thumb Down

    But I don't think any private company should have the right to ask you to send over such personal documents by email.

    Having the right to ask isn't the issue. Choosing to comply is where the problem lies in my opinion.

    Anyway just 'cos it's in the T&C doesn't mean it's enforcible. If a term is unreasonable it's null and void. Just tell them to stuff it and take your business elsewhere.

    1. Tom 38

      Not just Apple

      I've had this kind of response from standard UK based etailers before. I once ordered a whole bunch of kit from overclockers.co.uk on a Wednesday evening, paid by card, they took payment from my account

      Thursday arrives, I'm in work and then the retailer insisted that at that point they could go no further without me emailing me them scans of utility bills or bank statements, because this was an address they had never shipped to before,

      I can't do that from work, so they won't ship the goods I've already paid for in time to arrive for the weekend, so I told them where they could stick their request, got a refund and bought everything that evening on the TCR.

      1. Sir Runcible Spoon

        Re: Not just Apple

        Indeed.

        "'Tell us everything about yourself or we won't sell you our products'"

        Sounds fair enough, see ya.

        They'll learn, as long as people stand up for themselves that is.

        1. zb

          Re: Not just Apple

          Not just Apple but airbnb too. They just asked me to upload a copy of my driving licence and did not reply when i told them no way.

          If too many people just blindly follow instructions like these other companies will copy and they will soon control everything. And so will the people who hack them.

      2. Gordon 10
        Thumb Up

        Re: Not just Apple

        That shower at Pixmania were also notorious for doing this. Possibly the only occurence of things actually improving after Dixons were involved.

        1. Anonymous Coward
          Anonymous Coward

          Re: Not just Apple @Grodon 10

          Pixmania tried this on me. They lost a sale and all future sales, which might be drop in the ocean but given enough drops they should learn.

          As for Apple's "It's in the T&Cs that they reserve the right to verify blah, blah , blah...", Very simple, I reserve the right to shop elsewhere.

    2. Anonymous Coward
      Anonymous Coward

      Unencrypted

      Remember folks - email in insecure. They are absolute morons to ask for a full ID-theft package by email. Why not https upload to the main Apple site? Still dodgy, but less so than email.

      Also note the asymmetry here - why not ask for the Apple employee's equivalent data in exchange?

    3. regadpellagru
      Thumb Down

      Exactly !

      Everyone and their dog can ask for everything. Everyone and their dog ARE & WILL ask for everything.

      Heck, I'm asked on a weekly basis for my yearly revenue by some random people in North Africa, hunting

      for people interested in solar panels. I've even been asked for the copy of the judgement for my divorce by the ***hole in charge of my kid's school ! That doesn't mean any of the people got it !

      Why people are doing whatever they're asked by phone/email is beyond me. There is some teaching to be done: reflect on what the random guy is asking - determine if they're entitled to - refuse or accept.

      Also, as stated above, f*** the T&C that are mandatorily agreed, as you can't do anything before you've agreed. If they are not reasonable, as per law, they're void, as per law again.

    4. Shasta McNasty
      FAIL

      User Fail

      Let me get this straight.

      She's a regular reader of El Reg, yet she willingly handed over personal documents when asked for them via EMAIL as part of buying a fondleslab of the fruity variety but only thought it suspicious AFTER they were sent?

      Me thinks she reads but does not understand.

    5. Anonymous Coward
      Anonymous Coward

      Anyway just 'cos it's in the T&C doesn't mean it's enforcible. If a term is unreasonable it's null and void. Just tell them to stuff it and take your business elsewhere.

      Perfectly agree with the T&C remark, but I'd still buy the goods. I take that decision on the basis of the kit's benefit to me. If I had to modify that due to the behaviour of idiots I'd spend most of my time reviewing my IT needs :).

      However, I pity the poor schlob who would get the job of getting ID data off me. I do not take kindly to companies trying to acquire personal information and I have all the resources at my fingertips to make any company abandon that idea rather quickly.

      Apple was in this context actually the more moderate of providers so it's disappointing to hear they are abandoning that position. I hope they try this with me, it'd be entertaining to see how they manage the PR fallout afterwards (evil grin).

  3. Frankee Llonnygog

    Haven't they ever heard of ...

    Knowledge-based Authentication?

    Anyway, I thought notaries only certified documents. Do they also acts as experts on authenticity?

    1. Dave Bell

      Re: Haven't they ever heard of ...

      I know several notaries in the USA.

      They are little more than minor office staff who have taken a course and got a licence from the state, so that they can say "This document is a copy of the original that I saw." They have some sort of official seal locked in their desk. It's a formalised way of being a witness.

      When they see the original document, and put it through the office photocopier, that's a worthwhile legal confirmation. In this case, they might be making a copy for several different files, and don't have an original document, so it sounds dodgy. Their seal and signature hardly means anything.

      "notary" can mean very different things in different countries.

      I can see a notary's stamp being part of routine office procedure in this area, but the foundation, in this case, is unsound.

  4. cheveron

    They've been doing this since at least 2006

    I remember them asking for some private information they didn't have any reasonable reason to ask for when I ordered a MacBook through the online store. I cancelled the order and went through a reseller instead.

  5. Buzzword

    Private companies DO do this

    Want to rent a flat in London? Letting agencies regularly ask for 3-6 months of bank statements as proof of income. Recruitment agencies also ask for scans of passports. To rent a car using just a debit card (not a credit card), at least one major car rental company asks for not only a driving licence, but also a passport and a proof of address such as a utility bill or a bank statement.

    There's nothing particularly unusual in Apple wanting to check the identity of their customers.

    1. AndrueC Silver badge
      Thumb Down

      Re: Private companies DO do this

      There's nothing particularly unusual in Apple wanting to check the identity of their customers.

      Except that in the other examples there's no change of ownership and you are entering into an ongoing relationship. Those transactions involve trusting that the customer will continue to honour the agreement and/or respect the issuer's property.

      When you're buying an iPhone you own it (last I heard). There is no need for ongoing trust between the customer and apple. Or if there is it's trust in the opposite direction eg; Will Apple provide support for me when I want it?

      1. Anonymous Coward
        Anonymous Coward

        Re: Private companies DO do this

        unfortunately you don't own it 100%... oh you might own SOME of the mineral components that make up the hardware but that's about it...

        Apple might just as well have sold you a brick with specific percentages of different minerals in it and with a terms of service contract attached to that brick.

        Btw, the brick also comes with NDA-like terms about reverse-engineering the minerals in your possession.

      2. Brent Longborough
        Headmaster

        Re: Private companies DO do this

        Nice post, but one minor error:

        "When you're buying an iPhone you own it"

        should read:

        "When you're buying an iPhone ït owns you"

    2. Velv
      Gimp

      Re: Private companies DO do this

      iPad = ~£500

      Car = >£5,000

      Flat = >£50,000 (OK, a very tiny one, but you get the idea)

      So yes, there are occasions where private companies do collect proof of identity. Pubs do it for a pint (<£5), and that's a legal thing (<18). You make your own choice if it's justified to release your personal details.

      1. Rukario

        Re: Private companies DO do this

        @velv > Pubs do it for a pint (<£5), and that's a legal thing (<18).

        Pubs don't (normally) take copies/scans of the proof of identity though.

    3. Anonymous Coward
      Anonymous Coward

      Re: Recruitment agencies also ask for scans of passports

      ... because they need proof you are legally allowed to work in the UK. My employer keeps asking me for the same, but so far I insist on showing them my birth certificate instead (since that is sufficient).

      1. Number6

        Re: Recruitment agencies also ask for scans of passports

        Given that you might not have a passport, showing an alternative is perfectly reasonable. However, they've got a box to tick on a form that asks for a passport scan and won't be able to sleep in bed at night until it's been properly ticked. It's a hard life being a bureaucrat.

        However, a UK birth certificate isn't necessarily proof of citizenship. Unlike some countries, we don't automatically grant citizenship to people who are born here, although the exact rules change form time to time. I know someone who was born to a foreign mother who was not married to the British father and so ended up with the mother's citizenship despite being born in a UK hospital and so getting a British birth certificate.

        1. Anonymous Coward
          Anonymous Coward

          Re: Recruitment agencies also ask for scans of passports

          I had thought that if you you were born here with a British father, to a foreign mother then you could choose which nationality you applied for when you reach majority. Some people have dual nationality.

        2. Anonymous Coward
          Anonymous Coward

          Re: Recruitment agencies also ask for scans of passports

          Actually we did confer british citizenship upon those born in this country until about some point in 83/84

          After that date you only got british citizenship conferred upon you if both of your parents were british, it which case you got your citizenship rubberstamped. Otherwise you had to apply for it

          So there are quite a few people of working age, who may not have a passport, but do have a birth certificate and who had citizenship automatically granted up on them.

        3. Anonymous Coward
          Anonymous Coward

          Re: Recruitment agencies also ask for scans of passports

          I know someone who was born to a foreign mother who was not married to the British father and so ended up with the mother's citizenship despite being born in a UK hospital and so getting a British birth certificate

          Meanwhile my younger son was born while I was on a 3 year placement in the US so he has a US birth certificate (large A4 certificate with Calif state emblem and lots of fancy script etc to put my older son's UK "short form" birth certificate to shame!) + then a 2nd certificate from the UK Embassy to confirm he was registered there along with details of myselff, my wife and both our parents along with references to the relevant sections of the UK Nationality Act which gives my son UK citizenship! And, as he was "born in the USA" he is also an American citizen (and as a result probably required to file US tax returns when he turns 18!)

          1. EngineersAnon

            Re: Recruitment agencies also ask for scans of passports

            large A4 certificate with Calif state emblem and lots of fancy script etc to put my older son's UK "short form" birth certificate to shame!

            Actually, a US State is much more likely to issue Extracts from Vital Records (birth certificates, marriage licenses, death certificates, etc) on US standard "letter" paper (8.5" x 11" = 216mm x 279mm) than on the ISO standard A4 (210 mm × 297 mm)

            *end pedantry*

            *at least for now*

        4. StooMonster
          Childcatcher

          Re: Recruitment agencies also ask for scans of passports

          RE: "UK birth certificate isn't necessarily proof of citizenship"

          That's right, I have friends who are married where one is American and the other an EU citizen, their children were all born here in UK — and thus have British birth certificates — and grown up and gone to school here but they cannot get British passports.

          So the kids have got dual citizenships of their parents homelands, but they always think it's a bit weird (you'd think they were British if you talked to them).

      2. Alan Brown Silver badge

        Re: Recruitment agencies also ask for scans of passports

        "but so far I insist on showing them my birth certificate instead (since that is sufficient)."

        Birth certificates are not identity documents. Given enough information about you anyone can obtain a copy - and that is the first step for anyone who is in the business of identity fraud.

        The fact that birth certificates are used as the basis for a lot of identity documentation shows how much of what you trust is really a house of cards.

    4. Fihart

      Re: Private companies DO do this

      We may not like it but landlords, car hire companies are entrusting items worth many thousands £/$ to you and have better reason to demand ID than a mere retailer of electronic trinkets.

      It's also a question of what they do with the information -- IT companies have the means and motivation to abuse that information.

      1. NomNomNom

        Re: Private companies DO do this

        "We may not like it but landlords, car hire companies are entrusting items worth many thousands £/$ to you and have better reason to demand ID than a mere retailer of electronic trinkets.

        It's also a question of what they do with the information -- IT companies have the means and motivation to abuse that information."

        Sure but car hire companies could drive your information around towns very fast without you even realizing it.

        1. JEDIDIAH
          Linux

          Re: Private companies DO do this

          The real problem here is that a consumer was sent something that looked like a phishing email that then directed them to transfer highly sensitive personal data over an insecure channel. Apple was engaging in something that looks like a scam. They are encouraging people to lower their resistance to some very dangerous data practices.

          Landlords and and car rental shops usually ask for these things on paper and/or face to face.

          Plus there's the whole CAR or HOUSE versus a cheap gadget thing...

          Being put through the wringer makes a bit more sense when $250K or $500K could be on the line.

          1. wowfood

            Re: Private companies DO do this

            I'd hardly call iPhones cheap, but I see where you're coming from.

    5. Anonymous Coward
      Anonymous Coward

      Re: Private companies DO do this

      If I apply for a job, my employer needs to know I'm eligible to work in the UK. A passport is pretty good at demonstrating that. Do Apple need to I'm a UK citizen before they'll sell me an iPad? No.

      Should Tesco ask me if my papers are in order before they'll sell be some bananas?

    6. Captain Scarlet
      Unhappy

      Re: Private companies DO do this

      Wow thats a lot of downvotes just to say its not just Apple, most American companies I have used from the UK require a copy of my Passport. This is mainly for renting dedicated servers, but many EU companies also do this.

      I hate Apple but as Buzz has said its nothing new or out of the ordinary.

  6. Alan Denman

    Blank cheque bullion bonus system next?

    As the product is so good some people will be happy to send a blank cheque as a thank you.

    Obviously the ones who only get 1 cent taken from their account will tell us about their generosity on this matter.

  7. Dr_N

    Fairly common in France

    This is SOP for many smaller French online retailers who lack the muscle/insurance to claw back money on fraudulent sales.

    Easiest method to deal with the problem is not to use them.

  8. dougal83

    Buy a google nexus. Problem solved. Bargain too!

  9. RAMChYLD Bronze badge
    Boffin

    Apple are not the only ones

    I've had a similar request from Crucial (you know, Micron's sales arm) when buying some memory from them for the first time. Come to think of it, Dell did that too the first time I tried to get something from their online store...

    No big deal, I just gave them a photo of my driving license, since the driving license holds absolutely no verification value in this country where the Identity card is considered the official proof documentation.

    1. Number6

      Re: Apple are not the only ones

      I wonder what they'd make of my driving licence, given that it's an old non-photo one?

      1. Kubla Cant

        Re: Apple are not the only ones

        I too have one of the old A4-sheet driving licences. It's lived in my wallet since 1999, so it's in a pretty ragged state. I ought to charge wear and tear to anyone who asks to see it without good reason. My objective is to avoid the cost / time / hassle of getting a plastic one for as long as possible.

        1. Bill Fresher

          Re: Apple are not the only ones

          "It's lived in my wallet since 1999"

          "My objective is to avoid the cost / time / hassle of getting a plastic one for as long as possible."

          The photo needs to be renewed every ten years so your drivers license is invalid and if you get caught using it you'll get a £1000 fine.

          1. Dr_N

            Re: Apple are not the only ones

            The UK driver's licence is still an A4 paper one. The new ones just have a photo ID card associated with it.

            Old paper-only licences will become invalid in 2015.

            Not much time to get it changed really.

      2. JP19

        Re: Apple are not the only ones

        "I wonder what they'd make of my driving licence, given that it's an old non-photo one"

        Gees no wonder we have crap with ID cards and national identity registers when we have thinking like this.....

        Do you think Dell or Apple are going send someone round to your house to look at you before shipping a laptop or whatever?

    2. NomNomNom

      Re: Apple are not the only ones

      I would just send them fake information

  10. Dave Perry
    Meh

    Proving stuff

    I once had to send a copy of my pay slip (front over only - I'd have told them to do one if they asked for the inside) to prove I worked in an education for one of their hundreds of pounds discounts, which I could live with.

    The next time I bought something, a couple of years ago, I went through the online HE store using work internet which is hard to get on without being at an approved institution - a stock spec MBP arrived days later without need of further documentation.

  11. Kevin Fairhurst

    Not just Apple

    My wife was ordering a dozen charms online from Thomas Sabo, and they decided that they wanted scans of bank statements, passport etc. When my wife kicked up a stink & said that they had delivered to her before, using the same payment method and delivery address, they relented and sent out the order...

    Any company sending out untraceable goods need to be extra cautious against potential fraud, as the card company WILL put a chargeback on them and they will be the ones that lose out, not the end customer, and certainly not the bank. I think the banks need to put some additional measures in place so that the company contacts the bank for proof of address or whatever, and if the bank decide that the address doesn't match, it is the bank that contacts the customer for any proofs. Then and only then does the bank release the funds to the vendor, who sends out the goods.

    That won't happen though, because the BUNCH OF BANKERS that run the banks wouldn't make as much money!

    1. Rikkeh

      Re: Not just Apple

      Purchases of assets in a single transaction or linked transactions totally over €15,000 trigger anti-money laundering rules (as you can launder your dirty cash through buying up shiny things and then selling them on eBay etc). Once that happens, you have to check up on who the customer is.

      I suspect that someone at apple (and your charm company) has overreacted to the theoretical risk that someone might buy an iPhone every day for a month without the company noticing and decided to go overboard and check *everyone*.

      Sadly, whoever has made this decision has calculated that they'll suffer less for inconveniencing everyone and grabbing their personal data unnecessarily than they will in the unlikely event they get done for failing to prevent money laundering.

      1. jonathanb Silver badge

        Re: Not just Apple

        Only if you buy €15,000 of stuff and pay cash for it. If you pay by card, cheque or bank transfer, it doesn't trigger the money laundering rules.

    2. Zimmer
      Coat

      Re: Not just Apple----correction

      ... surely a Typo ? It's a WUNCH of BANKERS...

      1. Nigel 11
        Coat

        Re: Not just Apple----correction

        and I've recently been seeing a lot of headlines starting BANKS HIT ...

  12. nevstah

    but...

    do they keep this documentation on file forever? is it destroyed properly? do they sell it on to 3rd parties and link it up to other information stored about you?

    what if you dont have a passport, or an ID card, or a drivers licence????

    1. Anonymous Coward
      Anonymous Coward

      Re: but...

      Then you're like me, and won't be buying that way. I can't anyway … no credit card either. I have a 18+ proof-of-age card, that's it. My bank account relies on a passbook.

      My one and only Apple device, a 2008-model MacBook, was bought second hand. So I had none of this nonsense.

      As for handing this sort of identity information out … I do hope for consumers' sake they provide the individuals with a GPG or S/MIME key to encrypt it with. I'll bet they don't though!

      1. NomNomNom

        Re: but...

        on the plus side you will have a fighting chance of escaping skynet

  13. nowster

    Have Apple UK registered this use and storage of personal information with the Information Commissioner?

    1. Frankee Llonnygog

      Nah

      > Have Apple UK registered this use and storage of personal information with the Information Commissioner?How would they know to do that?

      It's well known that Apple can't afford lawyers to advise them

      1. Kristian Walsh

        Re: Nah

        Apple's EU sales are run out of Cork in Ireland, so registration would be with the Irish Data Protection Commissioner. Link: http://www.dataprotection.ie/ViewDoc.asp?fn=%2Fdocuments%2Frights%2FRightsHome%2Ehtm&CatID=2&m=r

        Sounds like a misapplied process. The transaction value in this story is far too low for this kind of verification to be required, unless the card company thought it was a "suspicious" transaction.

        Actually, I just tried to buy a laptop (not from Apple) this morning and had the same thing happen to me... phone call to VISA, and was told there was no reason except that it was unusual activity -- surely if I was buying laptops regularly it would be more unusual...

  14. g e
    Holmes

    "They've basically turned me into a future Android user"

    No shit.

    1. Conrad Longmore

      Re: "They've basically turned me into a future Android user"

      It's not as if Google have access to your personal information. Oh, wait..

    2. Frankee Llonnygog

      Re: "They've basically turned me into a future Android user"

      Because no retailer selling Android phones ever asks for documentation?

  15. JaitcH
    WTF?

    If a PASSPORT is good enough for a COUNTRY ...

    just who the hell do companies like Apple think they are?

    Many statements can easily be word processed, especially when pumped out by an on-line banking system. Many people don't have passports and yet more don't have driving licences.

    This is yet another form of discrimination targetting well defined areas of the population.

    Besides, 'supporting documentation' is easy to manufacture/forge.

    CAUTION: Western Union AND Moneygram DEMAND TWO PICTURE IDs in every country they cash out in! (Even when all your documents have been stolen)

    1. nevstah

      Re: If a PASSPORT is good enough for a COUNTRY ...

      its often not good enough for a company!!

      i was asked to provide proof of ID by way of utility bill. i didnt have one of these, so offered my passport.

      'sorry thats no good, we need a utility bill'

      note - thats for proof of ID, not address

      1. Number6

        Re: If a PASSPORT is good enough for a COUNTRY ...

        Given the trend for on-line billing, it's quite possible to not have a recent utility bill. If they'll accept one you've printed yourself then you can just make one up, which sort of defeats the object of the check in the first place.

        1. cosymart
          Meh

          Re: If a PASSPORT is good enough for a COUNTRY ...

          I was asked for a utility bill by a car hire firm, I asked them what address they would like me to put on it... Confused the hell out of them :-)

    2. Anonymous Coward
      Anonymous Coward

      Re: If a PASSPORT is good enough for a COUNTRY ...

      Many statements can easily be word processed, especially when pumped out by an on-line banking system.

      Which is why you read reports of people complaining that someone is asking to see a bank statement as proof of id and not accepting an online banking printout but requiring an "original" from the bank which then turns out to cost £10+ for people with "online-only" accounts.

  16. Anonymous Coward
    Anonymous Coward

    Well of course they would! We don't want just any old riff-raff getting their grubby paws on a piece of iShinyShiny.

    Our Cult of Jobs have standards, y'know!

    1. John G Imrie

      The Jermy Clarkson test.

      Travels abroad, check. (must have passport)

      Drives a motor vehicle on the public road, check (must have driving licence)

      Has bank account, check. (lost money when published bank details)

      Pretentious git likely to buy iThing, check.

  17. Neil Alexander
    Facepalm

    "she emailed over copies of them... and then immediately began panicking"

    When people are asked for these kinds of details, why are they not asking why first? Why does common sense never seem to prevail before people act?

    1. Andrew Jones 2

      Re: "she emailed over copies of them... and then immediately began panicking"

      In the same situation I would have emailed my documents - the important part of the email is that the email is being sent to *THE* apple domain and not just any address that has apple in it, Thus I could be 100% certain that at the very least - the email was going to *someone* at Apple.

      1. Phil O'Sophical Silver badge

        Re: "she emailed over copies of them... and then immediately began panicking"

        > certain that at the very least - the email was going to *someone* at Apple.

        Well, you can be certain that one of the recipients is someone at Apple. Since email is generally not encrypted or secured against any form of interception or copying, your ID details could have been intercepted by anyone at any of the ISPs it crossed, not to mention anyone the anonymous Apple employee forwarded it to, deliberately or accidentally.

      2. Rob Carriere
        Thumb Down

        Re: "she emailed over copies of them... and then immediately began panicking"

        "Thus I could be 100% certain that at the very least - the email was going to *someone* at Apple."

        Yes, because no one has ever managed to hack DNS.

      3. Anonymous Coward
        Anonymous Coward

        Re: "she emailed over copies of them... and then immediately began panicking"

        It takes one line in your hosts file to redirect an e-mail to one domain to any server you choose. Add to the fact you have no idea whether the e-mail will make the entire journey encrypted anyone along the route could sniff that e-mail. Even if you connect to your mail servers using SSL, there's no guarantee that your mail servers will talk to Apple's using it.

        You sir, are ripe for the quote: "As soon as you think you're secure, you're not."

    2. Evil Auditor Silver badge

      Re: "she emailed over copies of them... and then immediately began panicking"

      Some people do ask first, just not all. Otherwise a Raman Ojo (probably a mule, of "mobile number UK Freelotto") with the fancy address 119 London Road, Modern, Surrey, SM13 4OU, UK would be £700 richer. I wonder how many stupid fall for this...

  18. Joe 35

    NOot true that only Apple asks for this

    You wrote "and was told by her bank that they had never heard of private companies asking for this information."

    This is not at all unusual for many third party online travel companies. (Usually, the ones with the worst reputations.)

  19. Petrossa
    Flame

    In France its obligatory if you take a cellphone line with it. The whole lot. Identity,proof of residence,bankstatement. To prevent 'terrorists' to have cellphones it seems.

    1. TeeCee Gold badge
      WTF?

      Identity,proof of residence,bankstatement.

      s/terrorists/tourists/.........

    2. Evil Auditor Silver badge

      Prepaid mobile

      ...prevent 'terrorists' to have cellphones

      You buy a prepaid SIM in Belgium and phone the contact center to activate the card. (Not sure how it is in France though.)

      Case 1 CC: Are you a resident of Belgium? Me: No. CC: Your card is now activated.

      Case 2 CC: Are you a resident of Belgium? Alter ego: Yes. CC: question after question and ten minutes later: Your card is now activated.

  20. Alex 0.1

    Easy workaround

    I know this must be a challenging concept for some people, but if you're in the vanishingly small group who

    1) want to buy an iThing

    2) haven't done so before

    3) have some oddities in your order such as details mismatches which means Apple are rightly wary of it being fraudulent, and

    4) don't want to prove that you are, in fact, you and that your card isn't being used without your permission (and are also blind to the fact that if Apple didn't do this, you same outraged people would be claiming that Apple are crappy for not verifying orders properly and letting people's cards be fraudulently used

    then couldn't you:

    5) walk into a shop and physically, you know, buy one? How's that hard?

    "and was told by her bank that they had never heard of private companies asking for this information."

    Whoever told her that is an idiot, and so's she for believing them. Private companies ask for verification documents all the time, leaving aside the fact that many online retailers will do exactly this for suspicious orders, the likes of solicitors, estate agents, letting agents, investment advisors, banks etc all do exactly the same for everyone that walks through the door (and are all private companies), though more for money-laundering than card fraud reasons.

    1. Richard 12 Silver badge

      Re: Easy workaround

      4) Don't want to be yet another victim of identity theft by handing the full package off to anybody who happens to be listening or gets the forwarded email.

      4.5) Would like to deal only with companies complying with EU data protection laws.

      - I cannot work out how this request can possibly comply, as its neither "reasonable" not "secure", both of which are necessary under EU law.

  21. Anonymous Coward
    Anonymous Coward

    Apple is not unique...

    Other retailers have done this. You don't need to send them a statement that shows transactions... you can blank out the transactions if you want, blur them or whatever. All they want to see is what you're already being asked by other retailers. I am not surprised when some company insists that I provide a utility bill and/or bank statement along with driving licence to prove who I am. Blank out all unnecessary information, and you're sorted.

    That an online vendor does it is somewhat unusual, but considering that this retailer (Apple) has been hit a lot with fraudulent transactions (generally purchases of their goods with cloned cards, which then get cancelled and Apple left out of pocket), this is arguably the only way they can make sure you are you and your card purchase is legit.

    1. Davidoff
      FAIL

      this is arguably the only way they can make sure you are you and your card purchase is legit.

      Nonsense. The proper way for Apple (and any retailer that acts professionally and not just like a bunch of morons) is to flag the transaction as 'suspicious' with their payment provider, which will trigger the customer's CC provider/bank to cross-check with their client to make sure the transaction is genuine. Simple, easy and secure. No need to ask for personal information from your customers.

      When consumers are so naive to give out personal data without thinking first it's no surprise CC fraud levels are at an all-time high.

      1. Anonymous Coward
        Anonymous Coward

        Re: this is arguably the only way they can make sure you are you and your card purchase is legit.

        Davidoff, you'll find that Apple does this too, in addition to the request for address verification for very high-value items. Once they're satisfied once that you are who you say you are, they'll flag it and you don't have any other issues.

        When you change cards on your Apple account and immediately try to buy a high-value item, be prepared to have the 'fraud alert' trigger again.

    2. FutureShock999

      Re: Apple is not unique...

      Totally laughing that someone downvoted you on this...because you are 100% correct. As someone who does a LOT of online purchasing, I have had it happen at least 3 or 4 times, plus innumerable times I've had to phone my bank and verify a transaction because of fraud prevention. And none of it from Apple (I usually go to an Apple store for fruity purchases).

      Anyone that is raising a stink about this just hasn't done that much online shopping - it isn't unique to Apple, it applies to any company that is being hit hard by fraud and has easily re-sellable merchandise. The banks have policies to ensure THEY don't get stuck with fraud as much anymore, so now it is on the retailer.

      The "email us these things in an unecrypted email" side is a worry however...as someone said, a secure upload to a HTTPS:// site would have been better.

      1. Da Weezil
        WTF?

        Re: Apple is not unique...

        I Still think the correct people to inquire about the authenticity is the CC issuer, they have a lot of information on file already, information that is "historic" and verified. Apple cannot have as much of a factual base for a check of submitted "documents" as your CC company / DC issuing bank would have if they called you for a verification check - which would use information already supplied and held on file.

        Too many companies seem to think they have the right to chapter and verse about us. I wouldnt/havent had any issues over being called by the card issuer, I would be very disturbed to be asked to submit ID documents to a company selling me something, especially via an insecure submission method, thats without the data protection issues that may arise.

      2. Anonymous Coward
        Anonymous Coward

        Re: Apple is not unique...

        @futureshock999

        Sorry but I cannot disagree more. I have been asked for this type on info (only once - and refused point blank). I have never been asked by any other service and buy everything online (yep, even food and clothes - 'cos I'm a lazy fecker).The claim by the company asking (pixmania in my case) was 'to reduce fraud'...blah-blah...So why then, I asked them, have you decided to do this check AFTER you have debited my credit card? If you wanted to prevent fraud you would do this check before debiting a 'possibly stolen' card wouldn't you?

        All the reseller has to do, as stated before, is either check to make sure the delivery address is the same as the CC address, use one of the 'verified' schemes, or flag the sale as suspicious - they have no reason to see any personal ID documents. The funny thing with pixmania was they wanted to confirm my address and asked for a copy of my passport (which doesn't have my address on it - idiots).

  22. DrXym

    Not uncommon for this kind of nonsense

    Services like Entropay are so anally retentive about security that if you don't use your account frequently enough for their satisfaction that they'll suspend the account and you'll have to screw around supplying documentation to reactivate it (and usually 3 or 4 rounds of argumentation to random customer service drones trying to explain you've supplied it multiple times already).

    Some businesses just have a stick up their backsides about fraud and / or security that they force customers to jump through hoops. I've given up using Entropay because of this. I can't be bothered to deal with a service which treats customers like criminals the whole time.

  23. Irongut Silver badge

    Will they ask for my inside leg measurement or a chest X-ray?

    Yes because they need to know which other people they can match you with to create a Human Cent-iPad.

  24. Alan Sharkey
    Thumb Down

    EBuyer have started to do this as well. I refuse to buy from them now.

    Alan

  25. The BigYin

    "Apple told me they carry out spot checks for security reasons. But I don't think any private company should have the right to ask you to send over such personal documents by email."

    They have the right to ask, you have the right to tell to go and fiddle with themselves.

    Also, never, ever send such data in the clear via email. It's why we have encryption and other security measures.

    1. Anonymous Coward
      Anonymous Coward

      correction

      "Also, never, ever send such data in the clear via email..." should read

      "Also, never, ever, send such data."

      1. The BigYin

        Re: correction

        Not really.

        So long as you have verified the contact (by some means) and they have need to see the data (for whatever reason) you can send it (or let them retrieve it). That communication should, however be secured and the recipient required to keep their copy secure until they are done with it (whereupon it should be destroyed).

        I wouldn't reply to a random email though. I'd call the company and then ask them for an FTPS site, GPG key or something similar.

  26. Lee D Silver badge

    Has nobody spotted the biggest problem?

    BY EMAIL.

    Unencrypted email.

    Bog-standard, plain-text email.

    Not a chance in hell, matey, even if I thought you had a genuine reason to ask for those documents (and T&C's do not make a genuine reason, sorry... otherwise everyone's T&C's would include "user must give financial control of his bank account in case he does a runner").

    Sod the fact that they asked for it (hell, take out credit and everyone will ask for all sorts of things that you probably won't want to give them anyway), question why an IT company - of all people - would ask you to send important personal documents by unencrypted email across a public Internet.

    And then ask why this customer only queried the request AFTER HAVING SENT THE DOCUMENTS. I mean, come on. FFS.

    1. Adze

      Because...

      ...IT companies are, by and large, run by business people not techies.

  27. Kebablog

    Not sure what the big issue is to be honest, I just applied for 12 months 0% interest on a lens, I had to submit a copy of my passport (or photo driving license)

    Maybe the credit score for the person in question didn't quite meet up with the criteria for an outright pass and required additional ID.

  28. Matt_payne666
    Flame

    "Customers are apparently allowed to black out "sensitive details" on the copied documents, according to our source. "

    Well, that's sorted then... they can have a copy of my back statement and passport... ill just blank my photo, my address, DOB, Account & passport numbers, expiries, transactions, bank address, etc....

    and possibly scan a turd for good measure too..... effort to clean the scanner glass after - totally worth it....

    1. Simon Harris
      Go

      Poo into a clear plastic bag...

      ... problem solved!

    2. Number6

      Put a piece of cling film over the glass before applying the turd. If you smooth it out properly it's invisible to the scan and makes cleaning up a lot easier.

      1. JetSetJim
        Coat

        Re: cling film

        Either

        a) don't put the poo in the document feeder - it will jam

        b) on a flat-bed scanner, don't close the lid too rapidly (and also use cling film on top of the poo)

    3. Anonymous Coward
      Anonymous Coward

      This is why I love The Register

      Where else would I find practical advice on how to scan a poo?

  29. Matt_payne666
    Trollface

    hmmm... wheres Eadon to stand up for this??

    1. Silverburn

      There's no mention of or link to MS, so he's probably not bothered.

      However, it's never stopped him before...

    2. Number6

      Probably off getting some photos for his passport application?

  30. nexsphil

    Taking the piss again

    Apple will have to start reining in this type of arrogant shit. Joe Public is not as enamoured as they once were in the iphone heyday, and people who follow the tech news tend to really dislike them. They've had their wild youth, now it's time to grow up a bit before a significant backlash kicks off.

  31. This post has been deleted by its author

  32. Anonymous Coward
    Anonymous Coward

    Personal details such as this should NEVER be sent by email. It is not a secure protocol.

  33. Don Jefe
    Meh

    The Crappy Part

    Is that the only way this sort of behavior doesn't manifest at other companies is for customers to go through the process, validate their identity then cancel the order. If people refuse to hand over the documents then Apple (in this case) will assume they've stopped a fraudulent transaction. If Apple proves that this method cuts down on charge backs then the practice will grow everywhere. The only way to document that legitimate sales are being negatively impacted is for people to cancel after proving who they are: This is a real clusterfuck for everyone.

    1. Davidoff
      Holmes

      the only way this sort of behavior doesn't manifest is for customers to go through the process

      No, it isn't. And it's naive to think that Apple will consider all cancelled orders to have been fraudulent. It's even more naive to believe that sending them the requested documents and then cancelling will teach them a lesson that asking for these documents in unacceptable. If anything, it just confirms that most consumers are like kettle on the way to the slaughter house, ready to be taken out.

      The *ONLY* way to address this is to tell Apple (or any merchant trying this nonsense) that this is unacceptable and that they should go through their payment provider who will gladly trigger a verification with the customer's CC provider or bank.

  34. heyrick Silver badge

    I was asked for this stuff to "register" my mobile phone with the provider

    [in France, other jurisdictions may vary]

    Apparently some anti terrorism excuse (isn't it always these days?). I said I would *post* a colour copy of my passport with "copie" written on it in board marker, and there is no way in hell they are getting copies of bank statements. And using email for this is not an option. I would havepointed out that other providers exist, but the girl I was talking to sent me the postal address by SMS while I was talking to her.

  35. PsychicMonkey
    FAIL

    "After sending that information, I thought I had been hacked"

    erm no, you were not hacked. You sent them your details, that's the complete opposite of being hacked.

  36. Chad H.

    Well

    I was asked for this by a poker site once. Sent an angry email saying "Do you seriously want me to send these sort of details through an unsecure channel" and immediately (no kidding, acutally immediately) got a response back saying verification accepted, you're now free to play.

    1. JetSetJim

      Re: Well

      Maybe it's a poker site that is plagued by bots scamming the fleshies with their accurate statistical calculations. Angry rant => fleshie => ok to play

  37. ThatGuy
    FAIL

    It could be Apple clamping down on fraudulent app store activity

    I live in South Africa, and we have our own app store. Quite frankly it is absolute crap. Not even angry birds is available. So a lot of iOS devices are registered with fraudulent US/UK addresses in order to gain access to those respective app stores. Maybe Apple is trying to stop this sort of activity.

  38. Paul 164

    Shocking...

    "Apple told El Reg it does not comment on individual cases"

    You mean to say Apple actually RESPONDED to The Register?!

  39. Anonymous Coward
    FAIL

    The wrath of Apple?

    "our reader - who works in the IT industry and does not want to incur the fruity firm's wrath by revealing her name"

    `There's an old Italian saying: you fuck up once, you lose two teeth', Steve J0bs

  40. Anonymous Coward
    Anonymous Coward

    Where I work we will request a copy of passport or drivers license as a ID check to confirm the customer is who they say they are.

    Not all the time but sometimes.

    The customer has a choice. Supply or we do not accept their order and they are welcome to take their order somewhere else.

    1. Anonymous Coward
      Anonymous Coward

      Or the third choice

      Report you to the Data Commissioner for repeated leaks of personal data, and watch you squirm as they investigate.

      If enough if your customers do this you'll drown in paperwork.

  41. Crisp

    Not sure if the article is lambasting Apple

    Or the practices of businesses that need to know the ins and outs of a ducks arse before they sell you something and using Apple as an example.

  42. Anonymous Coward
    Anonymous Coward

    Adobe did me, and Nominet too

    When I wanted academic discount on Adobe CS Design Premium set, I had to send them scans of passport or ID card, bank statement proof of address, statement of fees to University, and student card — weirdly (at the time) they wouldn't accept PDF via email.

    I also similarly stung by Nominet once, when after having my domain for more than a decade, decided they needed proof of who I was and that I should have right to own my own domain. Not only did I have to send them scans of IDs, but also email logs and proof that I had purchased things with my email domains (e.g. invoices or delivery notes with my email addy on).

  43. ecofeco Silver badge
    WTF?

    WTF?

    Seriously. WTF?

    Apple FAIL.

  44. Dana W
    Meh

    I have a small pile of iDevices. Never seen or heard of such a thing.

  45. Paul Hovnanian Silver badge
    Big Brother

    Why?

    Apple is in a somewhat unique position with their product. They probably have the ability to reach out and 'brick' it should the payment not go through. Many iGadgets (with communications capabilities) can be bricked by their owners should they be stolen. It would surprise me if Apple hasn't retained some sort of 'God Mode' capability for themselves.

    Its possible that the identification requests are related to its network/communications capabilities and the desires of some governments to track all online and wireless traffic back to a real live person's ID. Back in the 'old days', I used to be able to land anywhere in Europe, pop into a phone store and pick up a SIM for my phone for cash. Now, many countries network operators seem to want a copy of a passport. Even for cash. That's not a payment issue. That's identification.

  46. Mika Peltokorpi
    FAIL

    Mega-fail

    "We reserve the right to verify the identity of the credit card holder by requesting appropriate documentation."

    How come previous scentence holds word APPROPRIATE?

  47. Reue

    Blizzard done the same

    Blizzard once asked me to send them a scanned image of my passport for 'security confirmation'

  48. clean_state
    Stop

    another one on the list: Nymgo

    VoIP outfilt Nymgo lately rejected my payment (which already went through with the bank) and started asking me for all sorts of private documents. Of course, their support never replied when I said "no way" and their support escalation procedure was equally a memory hole. Avoid them.

  49. Anonymous Coward
    Anonymous Coward

    One point though.

    The article says that they sent the ID to a notary. Working in a Solicitors practice I can be considered to be an authority on money laundering regulations as per the British money laundering regulations, and I have to ask a single question.

    Why did they send the ID to a notary? Maybe it's just me knowing what Solicitors and Notaries public can actually do, but while:-

    You can produce a copy and then certify that document as being a true copy of the original. You cannot certify a scanned copy as being a true copy of the original without sight of the original.

    You can certify a document as presenting a true likeness of the holder. You cannot do that without the holder being present.

    So, what are apple actually requiring the ID for?

    we certify this copy to be a true copy of the copy some bloke emailed us is not a way of checking ID. Comment from Apple is required here, and this deserves some digging because the answer apple have provided does not make any rational sense.

    1. JEDIDIAH
      Linux

      Make the stamp, sign the book.

      A Notary exists to verify that you are you when you are signing a legal document.

      Why Apple would send scanned copies of documents received throuh email to a Notary is anyone's guess. Perhaps someone thinks it sounds impressive and official.

      1. Richard 12 Silver badge

        Re: Make the stamp, sign the book.

        Yes, you're right - that line makes it considerably more likely that the correspondent was a victim of a phishing scam.

  50. Anonymous Coward
    Anonymous Coward

    Great security

    There is no way that a fraudster could ever think of any way of creating a fraudulent scan or JPEG photo?

  51. Sam Therapy
    FAIL

    People are forgetting the most important aspect of this story...

    You don't like Apple's T&Cs? Don't damn well buy from them, then! Simples.

    If everyone took that attitude, they'd change their policies pretty damn quick when they see their sales flatline.

  52. dan_in _ohio
    WTF?

    Are they totally nuts?

    I walked out of Radio Shack without purchasing a switch once because they "required" my phone number and name to make a purchase. I told them to go to h3!!. No way I'd buy an Apple product after hearing this. Businesses do not need that kind of personal info.

  53. channel extended

    I really need to know your data -U.S. Gov.

    Perhaps the reason that Apple is doing this is that govs are now requesting and storing more and more data on their citizens. After all computer security would be much easier to do if we simply give a company our data. They can track us and report when we do something suspicious or when we just do something.

  54. microfarmer

    apple's innards may be nefarious

    Being wary of any request like this is necessary, even when coming from Big Corps. No doubt there are criminal gangs inside that are slurping out private information and using it for nefarious reasons.

    Having directly researched an event where an Apple store clerk asked for an email password then having that password slurped into a spam botnet... no doubt there are others asking for more private details that they use for their own purposes.

    So Apple may have valid reasons for the request, but 100% guarantee they don't have good protections of that information from criminals on the inside.

  55. Darren2k10
    FAIL

    Additional Verification

    iPhones, iPads and iPods are amongst the most favourite items for fraudsters to use. The UK legal system is such that 99% of fraudulent card transactions are never brought to prosecution.

    All major banks state that 3d-secure in and of itself doesn't protect someones liability on its own, and it has been proven that there are high volumes of card transactions that pass 3d-secure where their bank do not implement the policy (Capital One, MBNA, to name but a few big names who often omit 3d-secure from their cards) - leaving the liability totally with the business.

    After performing basic checks, where there is doubt as to the authenticity of the billing person, identity documents and proof of address are the only methods whereby a company can verify that someone is not using a card fraudulently.

    People need to wise up to the dangers businesses face online, and when a company requests such documents, firstly, it is reasonable to contact the company separately to obtain or check the correct email or contact details to send the information to, secondly, to block out any private details that aren't required (lines from your bank statement for instance, but a piece of dark paper over, and scan in the copy), but also then to realise that these requests are unfortunately a part of the world we live in, and until our government get tougher on Card fraud, and stop thinking of it as a victimless crime because the consumer gets compensated from the bank or the business (wherein the business becomes the victim), it will be the only way to ensure that fraudulent phones, computers, and what-not aren't sent everywhere.

    1. bill 20
      WTF?

      Re: Additional Verification

      NO. People do not need to "wise up" to anything. It is NOT the place of retail businesses to start demanding sensitive, potentially exploitable PII from customers in order to back-up purchases. That kind of fraud-prevention is the duty of the banks and card-issuers; they are are the trusted holders of individuals' sensitive personal data. Anyone who willingly hands over such information to a retailer deserves everything they get. I can remember having to demand to speak to the store manager of a PC World branch because (even though I was paying cash for a small-value item) I refused to give my postcode at the checkout. The drone on the till simply could not proceed with the sale without that piece of information because of the way the company had chosen to design it's point of sale procedure. This unregulated harvesting of PII by the retail sector needs to be clamped-down on hard, with legislation if necessary.

      I repeat: IT IS NOT THE PLACE OF THE RETAILER TO DEMAND SENSITIVE PERSONAL DATA IN ORDER TO VERIFY A CUSTOMER'S IDENTITY: THAT IS THE ROLE OF THE FINANCIAL INSTITUTION PROVIDING THE MEANS OF PAYMENT.

      1. Darren2k10
        WTF?

        Re: Additional Verification

        And in an ideal world, there would be no fraud, and no-one would attempt to make profit. I agree that the financial institutions need to do more, however, we aren't living in a utopia, and as they have the power, it is as ever the middle-man the UK Small Businesses who foot the bill. So, sure, you can rant and rave if you want, but if it was your cash that was being used to have to pay for someone elses stolen credit-card, you may think that perhaps a little extra checking was worth the hassle.

        1. heyrick Silver badge

          Re: Additional Verification

          A little extra checking may BE the hassle.

          Who are you giving the information to? What will be done with it? What guarantee do you have that it won't be thrown out unshredded into a bin for easy harvesting by somebody? Is the person asking qualified or even authorised to be accepting this sort of information?

          The customer does indeed need to wise up, but perhaps not in the way that you think.

  56. DaddyHoggy

    Handing over CC details

    I once had to go to work in Cape Town in South Africa. The hotel I was to stay in wouldn't confirm my booking until I had sent them, via email, a colour scan of the front and back of my credit card.

    I rang my credit card company (Tesco Mastercard) explained - they took the hotels details and the dates I was staying in SA. Told me they would process charges on my card only for my time in South Africa and from the hotel itself for one additional week after I checked out.

    It was the credit card company who suggested I put the images in a password protected zip file - email them - and then ring them up and give them the password. This we hoped would slow the casual/opportunistic interception.

    It was a worrying couple of weeks but it actually all went smoothly and I have since learned this is standard MO for many big hotels in SA.

    However, if a company like Apple wanted these details, just so I could give them money to buy something from them... well, that's easy, I wouldn't be buying anything from Apple...

  57. John Stirling
    FAIL

    colour scans?

    I believe it is a breach of crown copyright to make colour copies of a passport. Apple encouraging copyright theft. sounds like a headline to me.

  58. Anonymous Coward
    Anonymous Coward

    Out of all the things to get upset about people pick on Apple. Again... Yes I agree in the ideal world they should have no business asking for ID and any other personal info. But since when is this world perfect? I also agree that banks should be liable for fraud damage, may be then they would spend less on fat useless managers and implement the much needed verification techniques to help fight fraud...

    Anyway, what was the damage? A driving license/passport/any other id that you would have used in various places dozens of times already. Seriously? Okay, the bank statement is probably one step too far, but then again, do you really think your shopping habits are private? Wake up people... you are being tracked all the time. What's more you'll be under constant surveillance by Google in a few months once enough glasses are out there.

    The funniest part was when a threat to become an android user was issued. Yeaaaah like they care about your privacy and your data. Except they make money of your data. So why do you willingly post updates, personal info, photos, geolocation info and all other stuff on 'social networking' sites, but get aggro as soon as someone asks you to verify your identity? Do you not think next time it may just save you the headache if your card details get nicked?

    1. Richard 12 Silver badge

      No, it's facilitating ID theft

      If a miscreant gets hold of that email - easy to trivial - then they now have a handy and complete package to go on an ID fraud spree.

      After all, it's the full package of ID information a company like Apple consider good enough to identify you. So it's also enough for anybody else to claim to be you.

  59. gap

    And you can't just buy it in a store because?

    There is a simple approach, don't provide the information - particularly things like bank statements, then go buy the device in a store or from another online retailer. It's not like these prized goods are only available in the online Apple store.

  60. Anonymous Coward
    Anonymous Coward

    Not oresent

    If she didn't like their security for not present purchases, why didn't she just go to a store and pick one up in person?

    1. Anonymous Coward
      Anonymous Coward

      Re: Not oresent

      Perhaps she doesn't live close to one, or prefers the convenience of ordering online?

      It is crazy that Apple is asking for all these details, but I have to imagine that buying Apple stuff is pretty high on the hit list for stolen credit card information. Phones and tablets are probably the ideal for them, because they have a very high value per weight and per volume as compared to TV sets, and are much easier to resell compared to jewelry.

      When I had my credit card details nicked a month ago there were a few smallish purchases, then a $1649 online purchase from Best Buy. At the time I had assumed they tried to buy a high end TV, but now that I think about it, if they were smart they went for a few iPhones or GS3s.

  61. Shanghai Tom
    WTF?

    Colour copies of passports illegal ?

    I vaguely recall that taking colour copies of UK passports is illegal....

    1. HipposRule

      Re: Colour copies of passports illegal ?

      Indeed it is - had to do some research for travel money bureaus and scanners recently http://www.hmso.gov.uk/copyright/guidance/gn_20(old%20format).htm

      1. Anonymous Coward
        Anonymous Coward

        Re: Colour copies of passports illegal ?

        Ahh. Good old joined-up government. The UK Border Agency (or whatever it is called this week) requires employers to examine and keep copies of documents that prove an employee's right to work in the UK. Amongst the acceptable documents for this purpose is the UK Passport. The relevant UKBA guidance says nothing about copyright or colour copies.

        http://www.ukba.homeoffice.gov.uk/sitecontent/documents/employersandsponsors/preventingillegalworking/currentguidanceandcodes/comprehensiveguidancefeb08.pdf

        However employers are not, apparently, on the list of those auithorised to make and keep copies of passports according to:

        http://www.hmso.gov.uk/copyright/guidance/gn_20(old%20format).htm

  62. cordwainer 1
    Unhappy

    YGTBFKM

    That acronym is the only possible response....and mind you, I've been a Mac owner since 1985. But I swear some of their decisions the past few years are jaw-droppingly, mind-bogglingly WTF??!!!!

    It all used to be so easy, and friendly, and fun, and my hardware was so simple to upgrade and add to, and my OS so....so....stable (sob)

    Weeping and forlorn,

    c

  63. Mark 75

    hostgator and hetzner do similar

    Both have asked me to send them scans via email of driving licence and/or passport to prove my identity. Needless to say that I declined their request.

  64. Amorous Cowherder

    "and was told by her bank that they had never heard of private companies asking for this information."

    You ever shot stock photography? Well they ask for it! Shutterstock.com will not give you an upload account without you submitting your driving licence or passport to prove your identity.

  65. Wzrd1 Silver badge

    "Customers are apparently allowed to black out "sensitive details" on the copied documents"

    Works for me. I'd send them documents with every bit of text and my photograph blacked out.

  66. Dancress

    There's only one answer: The Finger, emailed along with a picture of a fine new Android tablet.

  67. JMcL

    Add Amazon to the wall of shame

    Amazon UK asked me for a scan of my passport last year when I had the temerity to buy, yes BUY, a Kindle book from the UK store, and have it delivered wirelessly in Ireland. This obviously caused an alarm and flashing red light to go off in the Amazon bunker warning that somebody might be trying to buy something via the UK (EU) rather than the US (err... not EU), where Amazon decided (in SOME fairness to them as a result of territorial rights bollox) that somebody who might not be living in the UK had to buy their books. I gave them a short and not very polite suggestion as to where they could stick their demand, and haven't heard from them since.

    Speaking as an author with a book available on Kindle, frankly I don't give a flying f**k if somebody lives on the moon if they want to buy a copy of my book.

  68. quicksilver
    WTF?

    You know you don't have to buy Apple products from the Apple store? You can buy them through Amazon and all sorts of other outlets, ones who don't demand DNA tests before handing over your goods.

  69. Lee Taylor
    Devil

    What do you expect when you try and join a cult?

  70. Nameless Faceless Computer User
    Devil

    There comes a point where consumers need to tell the company, No thanks, keep your fancy toys. Until we all have the ability to do this we will continue to be enslaved by them.

  71. YeahRight

    On the other hand

    I'm a victim of identity fraud, someone using my name and address set up a bank account and direct debit for an iThing which would eventually have brought debt recovery agents to my door. When I approached Apple they were more efficient and more help than the police, my bank and the company providing the credit agreement. I'm not a fanboi by the way.

    Apple seems heavy handed asking people to send proof of identity but their products are popular with criminals so they are in a tough position.

    I have had to sign up with CIFAS to make sure that any future finance agreements in my name go through more stringent checks. Something I've had to pay for. If Apple and the financial institutions involved were more on the ball I would have a lot more confidence in them and be twenty quid better off.

  72. bouncingwilf

    Cash is king!

    Buy direct from retailers using cash and deny the banks their "cut" of the transaction. You also frustrate the nasty " we want to know everything about everyone brigade" (Although I've had some interesting conversations at the checkout of say Dixons who always ask for postcode and house number - needless to say, I always tell them loudly it's none of their business!)

  73. Anonymous Coward
    Anonymous Coward

    Well, it's about time

    Cuddo's to Apple. It is about time somebody got serious about security and sought out legitimate means of verifying identities for over-the-net purchases.

    In fact, I think Apple should ask for a colour photo of every purchaser's penis, to be saved for comparison on future orders.

    Sorry girls, but a picture of the snatch would just be a shot in the dark.

    Or Apple could ask for a different photo and count the petals of everyone's rosebud, saved for comparison of course

    Another reason I will not buy Apple. They give fruity a bad name...

  74. HippyFreetard
    Linux

    You signed in blood!

    I'm not even surprised :)

  75. Anonymous Coward
    Anonymous Coward

    If we're not careful, this ends up being the new normal

    And it really is data slurping under the guise of fraud control. There are other ways of verifying identity. Sadly, The Reg isn't the place for massive, decision changing negative publicity. Don't expect t hear about this from any major news outlet.

This topic is closed for new posts.

Other stories you might like