I’ve recently encountered trouble with Privacy.com and MySudo identity verification. Particularly, I recently reconfigured an iPhone I had from a few years ago and attempted to enter the MySudo ecosystem with the goal of getting virtual cards. After I paid the MySudo subscription fee I attempted to walk through the identity verification process and failed. My name is absolutely tied to my home address publicly.
Privacy.com was a similar story, except they locked me out after I gave them my SSN and bank password. Both companies requested ID verification through third-party services who share data with marketing agencies.
What were the circumstances, for those of you who passed the initial verification steps with a company similar to MySudo or Privacy.com, that led to success? Did you establish a Privacy.com account before you moved away from a big tech email provider? Perhaps our VPNs are flagged more aggressively now? I find that there’s a lack of documentation in this area. I think I may be locked out of these two payment security options unless I give them (and their “partners”) a copy of my unredacted ID and face.
So the question is this: How do we create the ideal circumstance early on in the Privacy journey so we can establish these accounts without trouble?
I’ve chosen to go ahead and bite the bullet. I understand that these companies are financial institutions, and given a better situation I imagine they wouldn’t be using these horrific third-parties that steal our information. I believe the long-term benefits of having these virtual cards will outweigh the inevitable identity fraud that will occur once these photographs leak. I’ll hope that my ID expires before any of these services get hacked. I’m considering also picking up a Revolut account for overseas travel since my face and ID are now at risk anyways, but I haven’t done much research into Revolut besides a surface-level review.
Regardless I still think having a repository of “success stories” for future visitors would be a good step in the right direction with regards to resisting the stealing of our personal data. Until then, I imagine this post won’t see much activity nor would I expect it.
I’m not American, so Privacy.com and MySudo are not even available to me. But if they were, this would be good enough a reason not to trust them with my information. I’d rather use an actual bank that provides virtual credit cards. I would assume that those exist now in the US?
IMO, your IP address/VPN location should be irrelevant because you need to be American or live in the US to qualify. You can be an American who lives in Japan. The only scenario where it might be complicated is if you are an American who has never lived in the US. I have a few friends who are in this situation, and it may mean that they are not completely in the system and may not have a bank account in the US, because they were born abroad and have lived abroad their entire lives.
Hey Purple. Turns out I had much to say about all this. Apologies for the text wall.
After researching this option, it appears that most “actual” bank virtual cards require the usage of the same name and billing address. They do offer multiple card numbers and CVC codes. While that’s great for security, it doesn’t do anything for my privacy.
I appreciate this comment since I wasn’t clear in my original post: I am an American living on American soil. I have never left the country, although I do possess a passport. I agree that the IPs should be irrelevant, however many companies disagree with our stance. Many banks still flag VPN IP logins as malicious and lock us out. I had to unlock my personal bank account many times at an in-person location whilst attempting to get my bank to settle into the VPN IP range I use on my home network. This has not been an issue as of late, so long as I log into my account from this precise IP range.
I thought about this quite a bit since I agree with the principle. I think it’s obnoxious that my actual bank can just look at my ID, whereas these companies find the need to store it for multiple weeks or even years whilst scraping the information to share with third parties. I admit I’ve been quite unsettled the last few evenings since I did it.
However, weighing it against the alternative provided some perspective. Had I not done this, given a five-year time frame, I would not possess the ability to purchase anything not obtainable with cash with privacy. That means every merchant, business, etc would have the ability to take my true name, address, date of birth, card number, phone, etc. While this information does not include my face nor ID, it does leave me significantly more exposed than I have to be now. I don’t have to consider these options anymore since I possess an activated account with these two virtual card providers. Where one fails I can access the other. Since I’m at risk anyways I’ve also been researching Cryptocurrency exchanges so I could potentially hold Cryptocurrency for true financial freedom (at least until it’s regulated into the ground).
Not to mention, while these companies do sell the raw information, the recent ID breaches that include our face photos have been considered “leaks”, making me believe they were not intending for that particular data to become exposed. Otherwise it would not be a “leak”, it’d just be “sharing data for marketing purposes”. This doesn’t make it okay, but it does give us a more detailed picture of what these people believe is okay and not okay to give away.
I choose to consider a five-year time frame since after this time period my ID will have expired, and given good fortune I may no longer live at my current address. If I can assume nomad-status similar to the way described in our favorite book, I will be further protected. My image being exposed isn’t a pleasant thought, however I have never possessed any social media accounts. Searches for my image online won’t turn up anything I am not aware of.
Considering these circumstances, assuming I can play the game right, I should be in a much safer situation in a handful of years than I am right now. If my ID leaks, it leaks. I will deal with the threats (again). Not everyone is so fortunate, hence my advocacy for what we tend to stand for around here. I don’t believe this is okay, nor should we ever accept this as normal.
I had quite the fight with customer service, over multiple days, over these issues. I got unlucky, I was flagged. I hoped that we could potentially start a conversation on how to not get flagged by pooling together success stories, but a mere forum post wasn’t going to do that. If it’s not a conversation worth having then that’s fine with me. Not like I can do much now anyways!
Really?! That is surprising. What’s the point of a virtual card if you can’t change the name?
In regard to the billing address, I would be shocked if that’s actually true. From my experience, you never have to put your real billing address, the one actually tied to the credit card, when you are using it. When I order something online, and I am not staying at the address linked to my card, I will use one of the following as my billing address:
A. The address I am actually staying at.
B. The address I am having my items delivered to.
C. A fake address, which is usually a hotel’s address.
I have never had any issues. And this is with my real credit card, which I have stopped using online since I started using virtual credit cards. But even with virtual cards, I’ve never had that issue with my bank. I rarely give my real address.
But it’s possible that different banks/countries have different rules.
Have you considered IronVest?
Yes, I’ve heard stories on Michael Bazzell’s podcast about people in the US who got their bank accounts frozen because they used a VPN. To me, that is insane. Especially when you’ve got MFA to confirm your identity.
In other countries, banking apps don’t care about VPNs, but they require that you share your location when you want to make a transaction. To me, that is also insane.
Sounds like you really thought about it and made a thorough assessment of the risks you’re taking. I wish you the best of luck. I also hope that better services come along, including banks that allow you to have any name on your card and let you use any address.
Turns out, I’m completely wrong! It is the zip code that has to match, not the actual address. That’s entirely my fault. This does give room for some flexibility, more than I gave it credit for. This would be nice as a base-layer for paying for things that I would like to have tied to my identity (such as my email addresses in case of account theft, I would like to be able to prove I do indeed own the addresses).
Yes. IronVest has some very strange data-collection policies with regards to biometrics. From their “biometric privacy policy”:
IronVest will request that its Vendor permanently destroy your biometric data three (3) years after your last interaction with IronVest products and solutions unless a longer period is permitted under applicable law or regulation.
Three years? Minimum? UNLESS A LONGER PERIOD IS PERMITTED? I know that financial services are meant to keep our identifications and transaction histories for 7 years, and compared to that this sounds good, but what exactly are they doing with that data in the 3-year period? They seem a little obsessed with biometrics data, to the point I’m not comfortable with it. Not to mention from their base privacy policy:
Biometric authentication is both stronger and provides better experiences than other means of authentication usually provided online.
I’d love to see the proof for that, since I can’t seem to find any.
That’s pretty wild. I can’t remember the last time I used location services for any reason, let alone for this. Guess I’d probably get a dedicated “bank-phone” and only use it outside the immediate chain where I set up the account. At that point though, it might be simpler to just walk into the bank and do the transaction.
I try. I appreciate the back and forth. It’s nice to have a sanity check that isn’t “why would you want to use a VPN? Don’t criminals use VPNs to hack my credit card?”. I have heard this before. That wasn’t a very productive conversation.
That is definitely better. However, I know a lot of people who when they move to another country, will use their new country’s address as their billing address on forms when they shop online, but they haven’t officially changed their address with their home country’s bank.
In other words, imagine a German moving to the US. They still use their German credit card in the US, and when they shop online, they use their US address and zip code as their billing address, even though they have not officially changed it with their bank. As far as their bank is concerned, their billing address is still their German address and zip code. The payment will still work. I’m surprised that isn’t the case with US banks.
This is very strange indeed. I will have to ask IronVest about that. IronVest was one of the first companies that offered email aliases and virtual credit cards. Long before SimpleLogin and Privacy.com. They have been around for many years. Back then, IronVest was called Blur, and they were owned by a company called Abine. They changed their name a couple of years ago.
Because their MaskedCard (Virtual Card) service was US only, I never upgraded to a paid subscription. But I had asked about it, and they required no KYC beyond your real credit card details. And from your real credit card, you could create virtual credit cards with a name and address that are unlinked to your real details. The address and zip code were the company’s. The name was whatever you wanted.
Then Privacy.com came along. I don’t know if Privacy.com surpassed IronVest as a virtual credit card service, but I wouldn’t be surprised if they did. Privacy.com requires a lot of KYC, and it’s possible that its popularity along with the rise of cryptocurrency transactions pushed US regulators to require that all financial services require some KYC beyond credit card details, which might have prompted IronVest to ask for more data.
I believe IronVest changed their policy maybe 2 years ago? Because they were on the verge of officially allowing virtual credit cards for anyone around the world, and encouraged people from other countries to beta test it. And again, the only requirement was your credit card. I was excited to use it. But then suddenly they suspended their Virtual Credit Card service for everyone and for many months, which coincides with all the changes being made internally.
What I don’t understand about IronVest’s KYC requirement
When you buy a new phone, you often have the option to set up biometrics to unlock it, which is either your fingerprint or your face. Many apps that have the option to unlock with biometrics will use the biometrics that you have already saved on your phone to authenticate you. It’s the case for password managers and even banking apps.
These apps don’t have a record of the biometrics saved on your phone. IMO, IronVest should be satisfied with this type of authentication.
However, increasingly now, I have noticed that many apps, especially financial apps, are no longer satisfied with using your phone’s biometrics to authenticate you. They want you to provide your biometrics to them, so that they have a record of it. And often they are not satisfied with fingerprints, they want your face.
That is what one of my banks is doing. They require that I have my face scanned by their app in order to authenticate myself. Even though I had to physically provide my fingerprints at their branch when I opened my bank account, and hence their app could authenticate me with a fingerprint scan, they are not satisfied with that.
This angers me very much, because I have no idea which company my bank hired to perform the facial rec, nor how they use this data. I intend not just to inquire about it with my bank, but to complain to my local data protection authority. If this is what IronVest is doing, I would not be ok with it.
They are also US only and their virtual credit card service appears to be in Beta.
Yeah, it’s wild and extremely frustrating.
Most people are too lazy to do that, and understandably so. If they can do a transaction from their phone, why would they waste hours to go to the bank? When I have to do a transaction, I now do it from my computer since there is no location requirement. But I don’t always have a computer with me so it can still be annoying.
I am currently working on using a location spoofer. I haven’t figured out how to make it work yet, but once I do, I will make a transaction from a fake location, and then call my bank to inquire about it to see if it actually works. I also intend to complain to my local data protection authority about this.
It could always be the case that they actually don’t care about the zip, just the name, but say that they require these things to push people towards a certain direction. I’m unsure about this, and given the opportunity I’d be testing this out and finding the limits.
Remembering how KYC used to be makes me upset, not because I think it’s a problem, but because it sounds so reasonable. Why not let the banks worry about KYC and assume that if I have a Credit Card I must have been verified? I do remember Blur’s re-branding to IronVest, but it never really meant much to me.
That’s quite the theory. That would not surprise me even one bit. “What do you mean they can buy things without using their real names? They must all be criminals!”.
I’ve always used passwords for my financial items, so I can’t speak to this personally. I won’t pretend that this surprises me these days, but it certainly isn’t a comforting thought. Makes me wonder if this is more regulation circumvention. Can’t break into the phone? Call the bank.
I have perused Cloaked, yes. The card service is in closed beta, so I think I’ll have to wait for that to drop. They’ve been working on it since 2023, although it looks like the initial announcement page has been taken down. This might be the wrong link.
This always confused me. I want to use a phone app? Give us your location. I use the web-app on a desktop? No location needed. Sounds like the location isn’t actually required to make a transaction, so what are they doing with it?
That’s a neat idea. I’m curious if something like this works, as that could be used for good defense against unreasonable accesses of our “location”. Could also be nice when traveling.
All banks use passwords for online banking. However, it is my understanding that most banking apps will require that you set a passcode after you’ve authenticated yourself with your password the first time. Once you set a passcode, you have the possibility to choose to unlock your phone with biometrics. Using biometrics to unlock your phone is not mandatory, but increasingly some banks are not satisfied with fingerprints to unlock. Moreover, for some transactions they require facial rec, which sucks. One of my banks requires that I record myself and repeat certain words that appear on-screen.
I am personally very skeptical of Cloaked. They are not open sourced as far as I know, and I am personally not a fan of services that are geo-locked. Despite the fact that they allegedly plan to launch in certain countries, I don’t think they will ever be global, as in, anyone in the world will be able to sign up.
Indeed. I don’t know what it’s like where you are, but every transaction I make from my desktop will ask for confirmation on my mobile device. Meaning that if I don’t have my phone, I can’t do any transaction from web because they are verified on my phone. Luckily, the verification does not require I share my location.
That’s why I will ask my bank about the transaction I intend to make with my spoofer, to verify it works. If they tell me my transaction was made from a location I’ve never been to, I will know it’s legit.
Such a great question that I’ve also struggled with. You essentially hit a wall trying to preserve privacy whenever banks and real-world payments are involved.
Privacy and the other virtual card vendors are great at isolating the threat of card fraud and creating a layer between your transactions and your bank, but they also operate in the same regulated environment as the banks and all use third-party KYC providers like Plaid, Sumsub and Persona to satisfy their compliance and AML requirements because it’s probably too expensive and cumbersome for them to build their own KYC service.
Unfortunately, each of these KYC providers operates like a black box so you never really know how they’re doing their checks and if they reject you, they’re not even legally allowed to tell you why. I can only suggest that you request your personal data from each service to understand what they currently have collected and look for clues as to what the discrepancies may be.
Unfortunately most of them don’t make this easy and simply ask you to send a free-form email to privacy@blahblahdotcom with your request, rather than making it easy for everyone to do in a self-serve manner (presumably to discourage this behaviour as it’s manual/time consuming for them).