Afterpay Requesting via Email your ID and Bank Statement

I’ve been frozen out of my Afterpay account because of a request for my ID and Bank Statement by them via email. But how can they protect my details while the email is in transit to them? I’ve been emailing them and asking them to guarantee my privacy and detail protection and all I get is their usual response:
"We understand how important security is so we ensure that your personal information is protected. Afterpay secures and protects customer’s data. how

As part of our security process for our customers we do random check on accounts. As per our terms, Afterpay can request this at any time.

We will get back to you in 48 hours with an update once we receive the requested information.
Until then, your account will remain temporarily frozen."

This issue and status has remained unsolved for months because I’m reluctant to give them these details via the internet through email. They refuse to give me any foolproof response to this!! And do you think I can actually speak to anyone at Afterpay!! Huh!! Not likely!! It’s like trying to talk to a concrete wall!!!

4 Likes

Welcome to the community.

Have you read the Choice article on Afterpay?

I can understand your concern about maintaining security of your personal information, but as has been evidenced lately, it is more likely that your data would be obtained through a hack of Afterpay, rather than an interception of your email.

If you owe money to them, it is probably wiser to send them what they want and pay off the debt before they pass it to debt collectors. If you don’t owe money, …run!

4 Likes

Information flowing between email client and email server across the network exists for a very small amount of time. Maybe tenths of a second.

Of far more concern would be that if you owe money, and you are seen to be playing games by not authenticating yourself when asked, you could be handed over to the debt collectors as @meltam mentions.

Or just lose access to Afterpay, which may not suit your spending requirements.

2 Likes

I’m not with Afterpay, never have been, yet recently I received a verification code from them. ‘Fat fingers’ ?:thinking:

2 Likes

Hi @KPerrin, welcome to the community.

No business will ‘guarantee’ privacy as it is impossible to do so. What Afterpay has is a Privacy Policy which outlines how they manage collected data:

Have you asked if the information can be provided in other ways - such as by post (which could be less secure than email) or lodging directly through their online customer portal?

There is a high chance that some of their customers may not be internet savvy and they might provide alternative solutions to those who are ‘connected’.

Setting up an account with AfterPay (or any business) means that you accept the terms and conditions. One can’t pick and choose what they agree with after an account is set up, as you had agreed to their account verification processes in the account set up process.

If you don’t like their identity verification processes (which are required by law since they are a licensed financial provider), then you have the option not to deal with them. However, if you need services of similar businesses, they will also require identity verification as it is required by law. It isn’t something one can choose not to do.

2 Likes

Use this page (https://help.afterpay.com/hc/en-au/requests/new?ticket_form_id=360000864771) to provide the details. It has a link at the bottom to allow attachment of files (which can include images of your proof of ID). This page is https and signed with a legit SSL certificate, as such it is probably one of the better secure ways to provide the information.

5 Likes

Very secure indeed.

I would think that the HTTPS web page is where Afterpay requested the original poster to go to to provide verification in the first place in their email.

@KPerrin could perhaps say if this was the case.

3 Likes

Speaking as someone who has been (and still is) an engineer that designs and builds data and Internet transit networks…I can tell you that interception of data of email and web traffic across the wire is rare. Not completely unheard of, but very rare. It’s too hard for the vast majority of malicious parties to do this, especially remotely because it often involves elements of physical access to the wire. There are far easier ways to get your hands on data than sniffing data in transit. The volumes of data flowing around are so phenomenally enormous that even to capture and save all of five seconds of data across a major carrier link and reassemble it into meaningful useful data would be nearly impossible. We’re talking tens of thousands of simultaneous streams of data all at varying rates and it’s unknown what they are or who they are to or from. Too hard to be practical and more importantly it requires some pretty expensive equipment, physical access and people with very good skills to get anything useful out of it. Most hackers prefer cheap, remote access and have varying degrees of skillz :wink:

And if you assume that transit via email is not safe, then you would have to consider if the main alternative, which is sending a paper copy through the post, is any more or less secure. I’d say it is significantly less secure than via email! Get my hands on something in transit or that is mis-delivered to my address and I have the originals in my hand! Oh…or a Fax? Yep, accidentally sent to the wrong number and you’d have no idea that it had even happened, and for most places your fax would be either scanned in to email or printed off on physical paper at the recipient’s premises anyway.

It is MUCH MUCH easier to break into the sending or receiving machines to get that sort of information because it is (often) already in plaintext and already assembled in a way it can be used unlawfully.

See… it all comes down to trust of the party you are sending the data to, not the transit to get there.

What is, has, and will continue to be the #1 threat is what happens to that data and your documents after they are received. You have no control over that, nor visibility of it. You have to 100% trust that the other party maintains physical and logical security over the information they have. In this case you have to trust that Afterpay are careful with the handling of those documents. It doesn’t matter if they are posted, emailed, or in a computer system; the care factor and the concern here is the same. There is no difference between a bank statement that is posted or a bank statement PDF printed off.

A pile of client paperwork like bank statements and personal details left on a staff member’s desk in an office where visitors walk past is a real risk that you’d never even know was happening.

Which is where Medibank and Optus amongst others are in hot water right now. Not because data was intercepted over the wire or in an email or in transit, but data that they had saved/stored on a server was broken into and a copy taken of it.

So you’re absolutely on the money in terms of asking about it, and Afterpay as well as any organisation that deals with Personally Identifiable Information should have a very clear and well defined policy backed up with suitable physical and electronic controls over who has access to that information. I’ve highlighted physical because that is still a major security threat that many people overlook.

5 Likes

Yes. Too true.
In a database, unencrypted. With metadata telling everyone what the field names are, and the format and values allowed in each field.
And APIs to access the data from Internet and internal apps. And tools for reporting and tuning and extracting subsets of the data.

1 Like