Random Thoughts – Randocity!

So, I know how much everyone love my rants. Well, here’s another one. This falls under personal security and internet security common sense. Today, let’s explore the safety of Google Wallet and it’s so-called verification system.

What is Google Wallet?

Basically, it’s another type of payment system like Paypal or Amazon checkout. Effectively, it’s a way to pay for things or send money on the Internet using Google. That’s about as simple as it gets. Who uses it? I certainly don’t nor will I ever if Google doesn’t change its ways.

Verification of Identity

Like most other payment systems, they want to know who you are. Or, at least, that the person who is wanting to use the payment system owns the card or bank accounts added into their system. However, each one of these payment systems usually does verification in similar ways. For example, Paypal verifies you by requiring you to add a checking account (i.e., routing and account info) and then adding a small amount of money to your checking account. Later, you enter those two tiny amounts of money into their verification panel and you’re all set. That’s pretty much it for Paypal. This is similar to other financial institutions like E-Trade.

Google’s Verification = Stupid

And I thought Paypal’s verification was stupid. Leave it to Google to diverge and make it even more difficult. In the verification form, Google requires you to enter your social security number, your birth date, your home address, your phone number and various other information that could easily lead to identity theft. Then they require that you submit it. Information, I might incidentally add, that is not required for you to use an established credit card or bank account for payment. After all, banks are already required to identify you before opening an account. This is the whole reason why Paypal’s verification system is enough. Paypal merely hangs onto the coattails of the bank that has already previously verified your identity when you opened the account. I digress.

When their entry form doesn’t work, they require you to attach a PDF document of a government issued identification card. Not only is that stupidly manual, who the hell know what Google is going to do with that PDF file once you send it to them? Why would you want to do this anyway? Seriously, you’re not opening a bank account with Google. You’re not getting anything out of it by sending this to Google. And, you’re opening yourself up to huge personal risk by leaving PDF documents of your identification cards floating around on the Internet for hackers to find. Seriously, what is Google thinking here?

For me, that’s a big red flag and a BIG FAT NO to Google. I have no intention of providing any physical paperwork to a private corporation. If you can’t figure out proper method to identify the user electronically, that’s not my problem.

Legal Compliance?

I know that Google claims that this is all in the name of Federal compliance, but I’m quite sure the compliance laws don’t require you to verify a user using any specific implementation techniques. Clearly, Paypal is able to comply with these laws without requiring a PDF version of physical government issued identification. The reality is that Google also does not need a copy of this. That they claim that this is required to fulfill legal obligations is smoke and mirrors.

No, it’s quite clear, Google’s verification system is broken and completely unnecessary. They can certainly comply with all identity verification laws without resorting to asking for a copy of your identification be submitted to them in PDF or any other format.

Merchant Requirements

In fact, while credit card issuers like Visa and Mastercard don’t forbid asking for identification when using a credit card, the merchant must still accept the card for payment as long as it’s properly signed without seeing an ID. Because Google wallet requires actually seeing your identification before using some services with your credit card, this violates card issuer rules regarding the requirement for seeing identification before purchases. On the other hand, unlike a retailer who has the physical card in hand, Google cannot see your card and whether it’s signed. But, the spirit of this rule remains. Using a method of charging a small charge to the card and asking you to check the statement, then supply that dollar amount should be enough to verify that you own that card and that you have access to statements… just like Paypal and E-Trade.

Because a lot of statements have now become e-statements online, the small charge method doesn’t necessarily verify your physical address. Though, if they need to verify your physical address, they can simply send a postcard with a code. Then, have you enter that code into a verification panel once you receive it. In fact, this is really the only method that will verify your physical address is valid.

Google Wallet’s Usefulness?

With all of that said, Google has failed to make any traction towards becoming a defacto wallet. In fact, there are so few merchants that actually use Google Wallet, it’s probably safer not to verify with Google. Being as unused as it is around the Internet and seeing as Paypal is the primary method of paying for things today, it’s too much of a personal risk to submit PDFs of your passport or drivers license to a random corporation. You have no idea where that PDF might end up. Though, it will likely end up on Google drive because Google likely requires its employees to eat Google’s own dogfood (i.e., uses its own services).

And since the risk of using Google drive is as yet unknown with all of the Facebook-like features that Google has added (and continues to add), it wouldn’t surprise me to find Google internal documents accidentally shared through a Google employee’s personal account via Google+. This would obviously be bad for Google, but it wouldn’t surprise me. That’s why you don’t upload PDF files to corporations like Google. In fact, I wouldn’t share PDF files of that type on any network drive unless it’s encrypted and passworded. Better, don’t put it there in the first place.

Companies requiring copy of a personal ID

Personally, I won’t do this type of ‘give me a copy’ verification for any company unless I’m opening a bank account, credit card or need to provide it for some specific financial transaction. Even then, I will only transact that business in person and allow the person long enough time to see the documents to get what they need from it. And no, they are not allowed to photocopy it unless there’s some specific requirement.

I especially won’t do this with companies as big as Google or Microsoft when no transaction is involved. As companies grow larger and larger, employees get more and more careless in document handling. Asking for photocopies of identification cards, social security cards, credit card faces or any other issued card is not cool and I have no intention of ever providing that to a company for any identification purposes unless I’m actually performing a transaction. I won’t do it for ‘just in case’ services that I may never use. Doing so stupidly leaves a financial time bomb out there ready to be exploited.

The most they need is the number off of the face. If a company cannot make do with what’s printed on the face of the card (by being typed in), they get nothing. Just like giving your check routing information to a company such as Paypal is like writing a blank check, giving copies of physical documents to corporations is tantamount to identity theft. I simply don’t trust corporations with access to copies of my physical documents.

Though, were Google to set up a storefront and I could walk in and hand my card to someone to visually inspect and then maybe have them swipe it (although, I’d prefer not), I’d be somewhat okay with that. But, knowing a PDF file is floating around on the internet somewhere with a copy of my physical card, that’s not in any way cool. I will never do that for any corporation sight unseen no matter who they are. Since there’s no way to transact business with Google in person, there’s no way I’ll ever verify my identity for Google Wallet.