Taking a selfie with your ID card — is it safe?

“Please upload a selfie with your ID to verify your identity” — such requests are becoming increasingly common for various online services. Banks, car rental services, even potential employers or landlords may ask for such photos.

Whether you should share your confidential data in this way or not is a personal decision. We’ve laid out all the pros and cons, and prepared tips on how to protect yourself if you do need to take such a selfie.

Should you take a selfie with your documents?

Without an “ID selfie”, you may not be able to install certain banking apps, register for services like car sharing, or quickly apply for a loan. The choice here is very straightforward.

Want to use these services? Take a photo. Worried about the security of your data? Don’t take a photo. But then, for example, you won’t be able to make a bank transfer, rent a car quickly, or solve your financial issues with an instant loan. The stakes are obvious: either you gain access to these services, or your prioritize your own safety.

A common argument from those who choose to take ID selfies is that their data has already been leaked multiple times, so they’re not afraid of potential security risks. Well, if you’re dishing out the ID card selfies left and right, using the same password like “12345” across all accounts for years, it’s likely that your data has already been compromised.

To know for certain whether your data has been leaked or not, use our protection, and in the Data Leak Checker section, provide all the email addresses that you (or your loved ones) may have used to register for online services. Users of Kaspersky Premium can also check their phone numbers in the Identity Theft Check section. Then, our app will automatically search for data leaks in the background, notify you if any are found, and advise what needs to be done in each case.

What could go wrong?

Unfortunately, with rare exceptions, we can almost never know how companies actually store and process our data. Normally, all that users get to hear about their personal data is that its security is taken very seriously and therefore it’s stored very carefully. You’ll agree that this kind of messaging doesn’t inspire much confidence — especially when it’s not backed up by anything except a privacy policy page on the website.

Often, services store your data for too long. For example, one popular European car-sharing company stores user data for as long as 10 years. In that time, you might change residence several times, quit driving, or simply forget about the car-sharing service — but your personal information will still be stored on the company’s servers. And since, according to the agreement, the company can transfer client data to third parties, then theoretically your ID-card selfie could end up in someone else’s hands without your knowledge. And this is not an example of a “bad” company, but a harsh reality: almost all organizations that request IDs during registration process your data under similar conditions. And that’s just the official side — we haven’t mentioned leaks…

Data transmission will be carried out according to the European security regulations, but this is not guaranteed

Data leaks from car-sharing companies are a classic issue: such companies have been subject to hacker attacks since their inception. Sometimes these leaks lead to absurd situations. In Russia, criminals registered fake accounts in car-sharing services using stolen passport photos, then booked expensive cars, violated traffic laws, and caused accidents. Where did they get the data? From leaks of customer data from other car-sharing companies!

And we shouldn’t forget the more obvious threat — unexpected loans. Of course, large banks are unlikely to issue a loan based solely on an ID selfie, but less accountable organizations that hand out microloans to practically anyone — sure thing. And if you suddenly find a dozen such loans in your name, it’s bad news. Not to mention the fact that another unreliable company now has your ID selfie.

These ID card selfies are a universal tool in the hands of criminals. In addition to the above scenarios, fraudsters can open a shell company in your name or register a SIM card using your identity to break the law in various ways. And the more services support remote online registration — the greater the risks of taking selfies with ID cards.

Criminals have long been selling sets of photos and videos of people holding white sheets of paper the size of standard documents on underground websites to forge photos and bypass standard KYC (Know Your Customer) procedures. And if they get hold of a real selfie with a passport — it’s a goldmine…

How to reduce the risks

Unfortunately, despite the significant risks, sometimes we may still have to take these photos. So the best we can do is approach the process with maximum care. How to protect yourself?

• Study the company’s privacy policy. Before sending your document selfies, find out everything you can about the company. Check where and by whom your data will be processed, how long it will be stored, and whether the company can pass customer information to law enforcement, third parties, or even to other countries.
• Investigate the company’s history of data leaks. Find out if there have been any customer data leaks. If there have, did they occur more than once? What kind of information was leaked? How did the company respond to the breach? You can find this out using search queries like Company_Name data leaks, or Company_Name data breaches.
• Add watermarks to your selfie. If you decide it’s worth the risk, add watermarks to the selfie with the name of the service you’re sending it to. This can be done easily on your smartphone using the built-in photo editor to overlay semi-transparent text, or by using free apps – there are plenty of them in any app store. This way, even if the photo leaks, it will be much harder for criminals to use it to register with another service.
• Send the photo through the official app or website of the service. Do not use messengers or email to send document selfies.
• Delete the selfie immediately after sending if your device lacks reliable protection. Don’t forget to remove the selfie from your messages (if possible) and from the Recently Deleted folder on your smartphone or the recycle bin on your computer.
• Regularly check your credit history. Check with your bank to find out how to be notified promptly of changes to your credit history.
• Use maximum protection for all your devices alerting you to identity theft and data leaks.
• Use Kaspersky Password Manager Identity Protection Wallet to store and share sensitive documents and photos encrypted across all your devices.
• Compare the value of the service being provided against the value of your ID card selfie. And absolutely never give out your personal data for monetary rewards.