Ask HN: Hetzner asking for passport for new account? just me, or everyone?

3 points by casenmgreen a day ago

Just made a Hetzner account, activated 2FA, the usual.

Then go to buy a storage box, and I get this;

> Our automated system check indicates that your account information has an increased level of risk. Please choose one of the following verification methods:

And you can pay 20 EUR up front by PayPal, or hand over your passport (fat chance!)

Is this genuine, or does everyone get this and it's a fake reason?

(I've signed up to pay by bank transfer, so I'm also wondering why they don't ask me for pre-payment by bank transfer. As it is, no way on God's clean earth they get a passport, and I'm not on Paypal, so will try to use a friend's, but seems my second try to board Hetzner train has bounced - first time I left almost immediately, when I saw spaces not permitted in passwords.)

Hetzner_OL 15 hours ago

Hi there, Katie from Hetzner here. We are extra careful about new accounts because we find that it helps us to prevent abuse, and in situations where a new account is somewhere in the grey zone of possibly real or fake, we may ask for additional information, or a PayPal payment, like in this situation. If you choose PayPal, the €20 will go on your account in the form of credit and will automatically be used towards your future invoices. If you decide to cancel your account, and there is credit left on your account, we will refund you for that amount. For the passport (or other documents) -- We have very strict data protection laws here in Germany and the EU. We only use this data to confirm your identity, and after that, it is automatically deleted from our systems after a short time. We have a data protection team who customers can contact if they have any questions at data-protection@hetzner.com. --Katie

  • casenmgreen 6 hours ago

    So, two or three things.

    1. You replied here, and stated reasonably and rationally Hetzner's case. That's excellent.

    2. I emailed Hetz two days ago, explained the situation (passport a no-no, friend has PP, but I'm signed up with bank transfer so could I just use that).

    Hetz replied saying account has now been enabled and I'm good to go.

    Also excellent.

    3. The observations in this reply about passport - if you've been hacked and not noticed yet, all passports passing through your hands are being exfiltrated (assuming attackers care about them, of course). You'd only realize how long it's been going on for once the breach is detected. I'm not worried about what you are going to use it for, I trust you - the concern is that security is basically impossible and everyone gets breached sooner or later. There's nothing you or any organization can say or do to ameliorate this concern. The basic ground working assumption is: everyone is hacked, if not already, then sooner or later, and it won't be noticed for some time. Given that, how do we behave? what do we do? how do we act? obviously, identity via passports is off the menu.

    Finally, there's no info during sign-up about passport document being held only for a short time; seems potentially useful to have that.

    • bruce511 4 hours ago

      You're sensitive to your passport information being stolen. You don't trust their security. That's all perfectly OK.

      Fortunately they offer other option(s), which it seems you made use of. So you're all good.

      A different user may have different priorities, and may choose a different option.

      Which is fine. Options are good. There's no requirement that you have to like the ones you don't use.

  • whatamidoingyo 7 hours ago

    > We only use this data to confirm your identity, and after that, it is automatically deleted from our systems after a short time.

    Isn't that what every company says before a data breach proves otherwise? I've been hearing a lot about Hetzner, thought about trying it out, but if the service is requiring me to submit a passport or even any form of ID, then absolutely not. Your service is dead to me.

    • bruce511 4 hours ago

      It's not requiring you to submit a passport. That is just one of the options.

      Feel free to use a different option.

arwt a day ago

You raised some red flags with the information you provided. This doesn't happen to everyone. A support rep from Hetzner has spoken a bit more about this process on WebHostingTalk before[1], although they don't get into which specific heuristics may result in flagged accounts for obvious reasons. I'd imagine it's a combination of things like unpaid balances on previous accounts, IP address reputation, uncommon e-mail domains and so on.

[1] https://www.webhostingtalk.com/showthread.php?t=1810197&p=10...

  • casenmgreen a day ago

    Good.

    I've seen, or I think I've seen, AWS and Twitter giving completely fake "security" reasons for eliciting additional information. I made an account on Twitter, did nothing with it at all, next day was told I violated the T&C and needed to prove my identity by handing over phone number.

    So I'm cagey about this sort of thing. Obviously, actual real security concerns are a good thing to see, people are thinking about the issue and taking care, and asking for validation is naturally what you do and it's better than a flat no. OTOH, passport is BS - solves their security risk but gives me a security risk.

bluelu 18 hours ago

Either you want to be a customer or you won't.

Using a friend's PayPal will get you banned for sure.

Why not just provide the passport if you want to use their service, if that's their requirement?

  • casenmgreen 14 hours ago

    It's an expensive document which is hard and slow to replace, and when Hetzner get hacked - and they like everyone will be, sooner or later - I would have to do that.

    No problem for Hetzner, and it solves their authentication problem. Big problem for me.