I want to register to a site (something like Steam that you can add money and buy later) and for the registration to be completed, it asks for a photo to be taken with my phone of my identification card (with my ID number and personal details like my name, age, place I was born etc). Is it safe to give them a photo of my ID card? Can they do anything with it without my permission?
I'm talking about ID cards, not credit cards.
No, it is not safe.
They are using this to reduce their exposure to impersonation, but not very well. The reality of web cameras is that they get an easily forged card, and there may be more than one Don Flig out there. Once they get the card data, they can use it in (at least) exactly the way that they're asking you to use it. Imagine arguing with some random organization billing you that you never signed up, and they have a copy of your ID.
They, like all companies, are exposed to data breaches, and it is very hard to assess how likely that is. When that happens, all the data on the card you give them will be exposed on the internet and to criminals.
Sadly, knowing that its not safe, the odds are that you must now decide between using the site on their terms, faking a card and submitting it, and not using their site.
In general terms, if you provide digital copy of your Photo ID you are giving unspecified third party a very powerful tool enabling them to perform identity theft via social engineering. I think a great deal of paranoia is warranted in this case.
With the updated information, that PaySafeCard are requesting this I would be more confident it's not a scam / social engineering attempt, they are a legitimate and registered UK company. Although - any one can be vulnerable to a breach, so the question is do you trust them to securely store a significant piece of your identity? Do they store it permanently, if so , how and where? Do they destroy it after initial verification? These are perfectly valid questions and their customer services team should be able to answer you and comfort any doubts, if they can't then don't trust them with your data.
It will probably not be possible to determine whether it is safe or not.
I had this recently on a well known accommodation booking site, I looked at the assurance offered by the service provider that the site was using and it was not particularly compelling so I did not submit anything.
I would not submit a full image of any official documentation to any site without some form of independent corroboration that security claims can be trusted.
However it depends what is on your ID card as to whether you should be concerned or not, I would say that the place your were born is not something that you would want to risk being compromised and it is generally not readily available on the Internet for most people, but on the flip side many people will submit it in a security question without giving it a second thought.
Other things I would not be comfortable providing...document reference number and signature along with anything else specific to the ID.
From what I have observed there are specific aspects of the ID that will be checked, for example a signature can probably be edited out of a scan without impacting the ID check, but a lack of document ID is probably going to cause it to fail.
When making your decision put things into perspective about the way you normally treat your personal data (i.e. break it down into a list: name, address etc) and decide first whether you would submit all of the information in a website registration form - it may be that you have already provided the site much of your information!
Having said all that, personally I would advise against it...once information has been leaked you cannot get it back.
Ask yourself why they would possibly need your id card info. Or ask them directly why they think they need your id card. But anyway if you have the least of doubt just don't do it. If they have malicious intents, they can do whatever they want once they have that data. Besides, it's not only the site self that can abuse this data. Data breaches can also result in data getting leaked and consequently be abused. Whilst you can change a leaked password you cannot change your ID. So I would not give away this kind of data easily..
Chances are they use a automatized software to read out those informations and match them against your supplied information - and no human will ever see those. Where i live (Austria) we have a law restricting the collection of such datas for a short timespan and a need to secure them properly from arbitrary human access. Since www.paysafecard.com seems like a huge company, i doubt they can afford to have inner security flaws.
– Gewure Jan 04 '17 at 15:43