Fully agree here - I would say that I am a bit shocked at the lack of regulation regarding access to people’s identity documents as compared to credit cards. Credit/debit cards are your money, and there’s an entire network of both regulations and intermediaries working against fraud in this space.
Your identity can create new credit cards. It can take out loans. It is inherently a higher order security risk, and therefore should by default have more restrictions. I as a consumer trust Stripe to do the right thing, but I do not trust its customers. This seems to be the most reasonable stance, but yet the policy does not reflect that. I am concerned that this wedges open a really big new avenue for cybercrime without having any sort of regulations in place a-la PCI audits.
> Your identity can create new credit cards. It can take out loans. It is inherently a higher order security risk, and therefore should by default have more restrictions.
It's a security risk because of the first couple things you listed. The problem is that identity cannot be simultaneously a secret and a public identifier. As the name should suggest, identity serves a much better use as a public identifier. So we should stop treating it like a secret and start creating real infrastructure for actual secrets.
By the way, this is completely analogous to credit cards. There's a reason the industry has moved to chip cards physically and tokenized cards virtually. And that's because the card number was serving as both identity and secret, and that doesn't work. The deviation is that, in this case, we've decided to make the credit card numbers a secret which is cryptographically protected (chips) or at the very least stored in an opaque manner (tokens).
> I would say that I am a bit shocked at the lack of regulation regarding access to people’s identity documents as compared to credit cards.
To some degree it's because there isn't much point. You can call up my home state today, pinky promise that you're me, hand over $20, and they'll ship you my birth certificate or other important documents. We don't have private keys or other kinds of unique identifiers assigned at birth, so attempts to lock it down further would lock people out of their own identities.
Scale does matter, and a breached database of identity documents is definitely worse than having to pay a nominal fee and wait a few days, but given the context of other manual labor like securing loans I'm not sure the extra ease would result in much more fraud.
It's supposed to work in quite a few countries, and not all make it so easy. Given the requirement in my country for ID when obtaining any other ID, I'm actually puzzled about what happens if you lose everything.
For me, the general process would require a police report for lost/stolen ID (mandatory, so that it can be marked as lost/stolen so that it would be detected if someone tries to use it) and verification with the data they have on file - nowadays with EU biometric IDs they can be quite sure that I'm the same person as the one who got the previous ID as the face and fingerprints can be verified.
There's an honor system in many places. You sign a document stating you are who you say you are, and have it witnessed by someone who is "deemed trustworthy" - local police, teacher, clergy.
Your identity can create new credit cards. It can take out loans. It is inherently a higher order security risk, and therefore should by default have more restrictions. I as a consumer trust Stripe to do the right thing, but I do not trust its customers. This seems to be the most reasonable stance, but yet the policy does not reflect that. I am concerned that this wedges open a really big new avenue for cybercrime without having any sort of regulations in place a-la PCI audits.