Raisin, stop abetting identity theft.

Today I got a strange request from Raisin, a large European financial service provider. They wanted me to upload a new copy of my passport, because the old one I used to register my account is about to expire. This puzzles me. And the way they asked is downright dangerous.

First of all: I have other bank accounts that never asked me to do this. Why is this even necessary? They know who I am and have verified my identity already, based on my soon to expire passport. Are they even allowed to ask for this again? Or is there some arcane rule somewhere in Europe that requires them to do so? If anybody knows more, I’d love to hear about it in the comments.

What’s worse, the email they use to ask this is the perfect phishing email. It contains a link that I should click to upload a scan of my new passport. The link points to a domain that is not raisin.nl or similar. Now this email may be legit (it probably is), but such emails train Raisin customers to click links in emails from Raisin. (And, by extension, to not be suspicious of links in emails from other financial institutions.) If criminals realise Raisin does this, they can also send such emails (that are phishing emails) and Raisin customers would not be able to tell the difference. With severe consequences.

Moreover, the email seriously suggests that I can also send a scan of my passport by email to their customer service department. WTF? Seriously? Email is notoriously insecure. Customer service departments are notoriously insecure. And if anybody gets hold of a scan of my passport, I run a serious risk of identity theft. They also (conveniently) forget to tell me how I should make a more-or-less secure scan of my passport to prevent identity theft, by hiding certain fields and adding a watermark.

Raisin, please stop abetting identity theft.