VoIP.ms sends ID documents over plaintext email (RE: Michael Bazzell Leaving Twilio for VoIP.ms)

Update 29-02-2024:
Since this publication Michael Bazzell has updated his post to answer the concerns discussed in this post and now contains the line “… I NEVER recommend sending a copy of your ID to any company, and encourage you to fight this if requested.”

In his latest post Michael Bazzell recommends the use VoIP.ms for getting a VoIP number. I like to counter this recommendation and warn you about this company.

When you sign up for VoIP.ms they will require you to upload a form of identity document with picture. This alone should be a red flag.

Thank you for choosing VoIP.ms. We look forward to seeing 
you get started with our award-winning platform.

To comply with our compliance policies, standards, and the 
regulatory requirements we follow, please provide proof of 
your identity. Your proof of ID can be a photo or a scanned 
copy of any of the following:
- Driver's license
- Passport
- Any other official government ID with a picture 

After the verification process is complete, you will have 
access to our platform and be able to explore the different 
features we offer. The files you submit to Us are for 
identification purposes only and are not stored; they are
systematically deleted after the verification process is 
complete.

You can also reply to this email with any questions or 
concerns you might have regarding our verification process.

Best regards, VoIP.ms Team

Now what happens if you actually submit a picture here, I wondered? Who is verifying this, and where does this end up? To figure this out I uploaded a test image and proceeded. If you read the title you know what is next. I received an email from VoIP.ms with an attached image including my uploaded test image sent using helpdesk[.]com. Your official documents would end up in some vague ticket system should you actually supply this data to them. This ticket system on their end uses Postmark for sending this email to you, your sensitive data spreads.

It's not often that I disagree this much with Michael Bazzell's recommendations. In his post he also explains how he doesn't care about the KYC because the phone number is tied to your real name in most ways. What he forgets to mention is that you are not only exposing your real name but also picture, and all other data available on the ID. This significantly increases the risk of a potential data leak and abuse in identity fraud amongst others.

On the note of KYC, note that it is perfectly possible to get a phone number without KYC requirements, like via openly discussed on the Privacy Guides' forum: JMP.chat.

Concluding, even if you do associate a number with your real name (I don't agree that that is always needed) you should not have to increase the amount of parties that know that so easily.

Subscribe via RSS:
listed.to/@ph00lt0/feed