Have you ever bought from a website with name/age/birthdate verification?

#1

The ONLY times I’ve ever had to verify my name/age/birthdate was on vape related web sites when I wanted to purchase something…

**This has now come to bite me (and possibly YOU) in the ASS.**

Normally, I don’t put any “personally identifiable data” on the internet, but a web based user verifier company has been hacked… because they are/were stupid in how they stored their data. I usually don’t worry about hacks, but after all the hacks and data theft on the internet, you would think a company that was storing data about YOU would have their shit together and have it locked away and actually “difficult” to hack into, but NOT like this…

I got an email yesterday from a web site I subscribe to:
https://haveibeenpwned.com/

And it seems verifications.io was caught with their pants down, and they had a database open to the world with no passwords… that contained personally identifiable information about YOU.

I don’t know if I should be all that concerned, but now there’s even more personal data out there. I’m not that concerned, because I’m poor and have no money, but just really, really pissed off that a company had no idea what a “secure” infrastructure consists of… I’m not a data security guy, but even I know not to do what they did…


Here's a cut/paste from their email:

An email on a domain you’re monitoring has been pwned

You signed up for notifications when emails on [XXXXXXXXXXX] were pwned in a data breach and unfortunately, it’s happened. Here’s what’s known about the breach:

Breach: Verifications.io
Date of breach: 25 Feb 2019
Accounts found: 763,117,241
Your accounts: 3
Compromised data: Dates of birth, Email addresses, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses
Description: In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data.
6 Likes
#2

I don’t think this kind of information can do a lot of harm. You can find this information online. Most people happily broadcast this to the entire globe but even when they don’t, it’s all searchable.
It’s your personal ID and credit card numbers you have to worry about, they didn’t get any of that, and…

So you’ll be fine :grin:

Personally I’ve never been asked for verification of anything and I would most likely move on and buy somewhere else if they ever did.
Hell, I don’t even use the Cloud cause I’m not really convinced they are able to keep my personal data secure

6 Likes
#3

Thanks for letting the community know, I myself have never used a site that asked for that I don’t think but I’ll check anyway, cheers :beers:

6 Likes
#4

Sorry to hear it @DaveDave. Only verification I will abide are simple calendar checks or a yes/no when first arriving at the site. I have not and will not do third party verification of any kind. There are too many sites I can find stuff on to have to use one of them. I’m always leery of using PII (that personally identifiable information) because there are so many out there dying to get hold of it.

5 Likes
#5

The following is a good summary of the situation though I think in reality it is even worse. I avoid disclosing PII but it is a futile effort. The following is a recent essay by John W. Whitehead - constitutional attorney and founder of the Rutherford Institute. I am loosely associated and can attest that they genuinely fight for our rights in the US.

And no, I will not buy from vape vendors that demand that I transmit Drivers license info or other PII.

6 Likes
#6

I have used such sites. I send them a photo of my drivers license with everything blurred out except my name and birth date. They have all accepted it with no question. If I google search my name, far more detailed information is already available mostly from public records such as owning a home, divorce, business, etc…

I have not been loose with my information in the past, it was already available before the internet was a thing. If I search my name on Zabasearch or Spokeo, they will list my age, all my past addresses, siblings, parents, ex-wives and phone numbers.

The state I live in is so backwards and corrupt anyways, I figure my info has already been pilfered. It seems like every few years they bust rings of DMV employees stealing info and selling fake licenses. Now, if you are under the radar and you don’t show up in any or all searches, and wish to remain so, by all means protect it well.

3 Likes
#7

If you have a bank account, a credit card, a mortgage, car loan, whatever… Even if you have never been online once in your life, your information is still out there. Because obviously every business and government entity stores their data electronically, and rarely is it air-gapped. No one can hide unless they were born in a cave and live in one forever with no connection to the world. An un-person, as it were.

3 Likes
#8

You are correct. I am not attempting to minimize the situation or say that since you are already known to the world that you should just give out your info willy nilly. I am not giving these vape sellers any info that they couldn’t verify with a simple google search, and in my case it’s often because I have different shipping and billing addresses. When I send a copy of my license, it only shows that my name and age are correct. No address, no license number, no photo, no ID number, no weight, height or eye color. Protect your info all the time.

2 Likes
#9

I’ve never been asked to send/upload a copy of my drivers license before, and I wouldn’t send it even if asked – especially to a vape “store” – if they use an age verification service, ok, but not Joe Blow, at a vape store.

The “service” just asked for, IIRC, name, email and DOB. If you entered a fake DOB, the email address you used is blocked (I tried!). That’s why they got a second or third email, because I had to try again with a different email address.

So they already have your info, they’re just confirming that “you are you”.

Oh well. :man_shrugging:
These damned repositories (aka: private companies) of OUR info should know better by now! Instead of an apology and a slap on the wrist, their penalty/fine should be large enough that they would want to secure that info at all times.

3 Likes
#10

It’s very frustrating that so much of our information is out there and freely shared. It’s never safe. A dedicated hacker could get it if they wanted to if they haven’t already. On the other side of it, we would be pissed if they didn’t make an attempt to verify and someone made a fraudulent purchase on your credit card. The driver’s license thing is equally silly. I am not all that skilled with photo editing, but could whip up a picture of a fake in a few minutes. I have only sent my license picture to three vape stores. All well known and been around for a long time. That doesn’t mean their info is protected or that they don’t have a crooked employee that will steal it. I had a feeling they were only verifying rather than using it as a primary source of ID. I am more concerned about the credit card information I give them than my blurred out license. I agree that if a company stores your info, there should be real and substantial penalties for letting someone steal it.

I know that once I bought from a vendor that uses Shopify, my info is linked to any other vendors that also use it. It’s convenient but also scary. Sadly it’s the price we pay for instant gratification. We could go back to the old way of seeing something in a catalog, sending a check or money order with the order form via snail mail and maybe get the item 6 weeks later. Sometimes it’s like “Ohhhhhhh look at that shiny new RTA… I must have it”

1 Like
#11

I’m conflicted about that, a little. First off, who says Google searches are 100% trustworthy? A kid or identity thief could easily upload crap profile stuff that would be crawled and available via search. Secondly, any store that sells online should have to verify that a buyer is sincere— if it applies to vaping, it should apply to everything. You can’t get a credit card in your name if you are not at least 18 (AFAIK anyway), so it’s the responsibility of the seller only to verify the shipping address matches the CC address, or make a reasonable effort to learn why it is different. I do not feel a seller should have to verify identity. Making vape sites do it is just sour grapes and vindictive.

2 Likes
#12

As far as verification goes… Amazon is a great example of lax requirements. All someone needs is my Amazon password, and they can buy anything they want and ship it anywhere they want, no questions. They store CC info and even let you ‘one click order’. And you can send it anywhere. It’s a convenience thing and I like it for sending stuff to friends and family to save me the extra shipping cost and hassle. But it’s a blank check for anyone who can breach your creds. So poo on vape site verification garbage. Symptom of a hateful, spiteful, over-reaching government.

2 Likes
#13

It’s all stupid as far as I am concerned. Usually for me it comes down to how much I want an item, is the vendor reputable and how much I want an item? Did I repeat myself? Probably. Oooohhh USPS says my package is in the mailbox! What? Oh right.

I agree with everything you said. PayPal is similar in that I can send to other addresses. Add to the frustration for online vape stores that states have different legal ages for vaping and if they sent stuff to an 18 year old here in CA and got caught, they would probably have to pay dearly. I don’t like any form of government being involved in much of anything, I also don’t want my favorite vendors getting in trouble and going out of business.

1 Like
#14

When I began ordering vape stuff online I dealt with an east coast seller repeatedly. Then they instituted the verification garbage and asked me to send a copy of my driver’s license. I had bought from them on eBay prior to that and had used PayPal. They claimed that they had to have my info on file and it was “the law” in their state. What’s the matter with this picture?

I replied that:

  1. I was eBay and PayPal verified by address and bank account.
  2. They had my user ID info from prior transaction showing that I have been an eBay member since 1999. They could easily check.
  3. If a bank or credit card company issues a card to a minor they have no legal recourse against that minor. e.g. if you have a credit card that is proof you are of age. (The only way they will issue is if a parent or guardian is the primary cardholder)
  4. The laws of their state do not abrogate my rights under the laws of my state. My drivers license is state issued.
  5. To go fuck themselves and to never claim that any law empowers them to compel me to do anything.
3 Likes
#15

I guess I should add that even FDA doesn’t have jurisdiction over private citizens. I fail to understand why people have allowed the blurring of the lines of power and can only attribute this to the virtual elimination in the educational system of the concepts of dual sovereignty and the concept of federalism as being one of limited powers. I am a citizen of the State of Indiana and a citizen of the United States i.e. “All rights not enumerated” “belong to the state and to the people.” (10th Amendment) No large central government has ever existed that did not devolve into a tyranny.

3 Likes
#16

Preach the truth my brother! I consider myself a believer in the constitution rather than belonging to any political party. Radical, I know. We have allowed everything to stray so far off course, it’s crazy.

4 Likes
#17

Ha ha. Keeps my blood flowing to let ’er rip once in a while. :crazy_face: :rofl:

4 Likes
#18

Not to mention, the fact that they may not even let you know (depending on server location/co-location)…

2 Likes
#19

Soooooo… Someone from Kentucky or Virginia is what you’re saying essentially? :wink:

3 Likes
#20

Some Eastern Missouri folk may qualify too! :crazy_face:

4 Likes