It’s a CYA move on their part. Especially when they took it with no age info shown. Another thought... What would stop a kid from sending mom or dads id picture?
Almost positive they have little funding for tech development. But they have to subscribe to a CC service and provide a secure connection for said service. The credit card companies (collectively) could provide this verification at no cost to the retailer. Guess the question is whether it is worth their while. How many online sales are there (and not just vape products) that require age verification?
What requirements are needed for online alcohol purchases?
Signature and id on delivery. My 84 yo mom in law gets a kick out of it when she gets wine delivered. She’s clearly over 21, but still gets “carded”.
I guess that's true. The CC companies or PP must have already checked out a bunch of stuff about you that should include your age. Maybe they charge the vendor for providing that info. Or maybe providing it would make them legally liable for underage sales or something.
What about the prepaid “credit cards” that you buy like gift cards. I’ve used them to order things online before
We remove liability with having the CC confirm age – it’s done digitally and that information is already on your file. The retailer and CC are already required to establish communication (digitally) to verify the card number, name and needed funds. Age is just one small added step. No personal information is shared, just a confirmation the buyer is over the required age.
Prepaid CC can’t be used for all online services. You could pay for your merchandise with a prepaid card, but age verification is required through a legit credit card.
Larger merchants contract with a third party like Veratad to do the authorization. It may or may not pop up mid complete transaction with a prompt if the initial attempt with name and address doesn't match their preexisting database. I don't know the behind the scenes step by step, but they provide the API for the website to incorporate into their shopping cart, so it's passed by SSL, assuming that's properly configured, and the certificates are up to date, and, and,.........you're in the field and know the pitfalls far better than me.
If that first pass screen fails (common if you've recently moved, didn't keep your address up to date with DMV and whatnot), they will pop up still within the SSL link and request your last 4 SSN numbers. If that doesn't hit they'll ask for a photo of your ID, passport or drivers license. You are allowed to block the DL number (I do although it really is pointless as most DMV records are public already) and I guess even your photo I but fail to see the point of that, and other than backing out the license number to satisfy some irrational belief that makes it safer, you upload it. They'll do an OCR scan for name and DOB. Rarely, and again, Veratad is the largest but there are lots of other players in the market, including some that opened up just to cater to the vape market like Blue Check, they might rarely ask for a selfie of you holding the ID just to verify you don't look 12 years old. The verification authentication approval is passed back to the vendor who is now able to complete the transaction and charge your method of
payment. The vendor doesn't get anything from the transaction other than the authentication number or whatever from the verification service. In the event of an FDA drop by they can demonstrate that all orders were cleared before completion by the age verify people. So they can demonstrate an audit trail which the FDA can go chase with Veratad or whoever.
Initially as all this got imolemented in late 2016 early 2017 small vendors did it themselves, literally printing out a hard copy of your ID and sticking it in a folder for the FDA should an enforcement SWAT team descend on them. Needless to say, most vapers didn't get behind that I'll advised approach, and so third party authentication is used by just about any vendor large enough who's dealt with on this forum. There's even a thread listing which method and service is used by each vendor to keep members aware of who and what thru were dealing with. It's still occasionally active and around, but not sure it's been kept up to date as much these days.
So unless the vendor is still doing their own hand verification and saving files for production if ever approached by the FDA I'd say all of the larger online sites rely on third party companies for simplicity, real time verification at the time of order ( no need to wait until the end of the day for your 19 year old part time employee to try and match up the emails with ID'S to the orders, who will probably use at least one of those accounts you've given them access to to order a dozen pies from Domino's for their friends one Saturday night), and avoid the liability of keeping that primary data in house where the above event can occur.
How secure are those verification services, well, according to them very, and rave about all the giant companies who rely on and trust them. I'm sure they're well run and try to runs things securely.
Oh, did I mention one of the other very big companies who do this has a division just for age verification. That's good old Equifax. So there's that.
And verification through the cc alone wouldn't be sufficient as who's to say you're not using Dads Amex. Now you could still use Dad's Amex as you probably know his DOB, you might have his SSN, and could have grabbed a photo of his DL with your phone (same thing I used to photograph my own DL, I just keep one saved in my photos that I blacklined the #, as I frequently order from my phone and it's easy to get it if I need to). As a matter of fact, a woman filed a complaint with the FDA during those underage hearings about her son doing precisely that and the kid got the package, so clearly they were still selling to minors despite the rules. I kid you not, she insisted it was the vendor's fault despite the kid swiping dad's ID
So that's the process. It means well, it's implemented in a manner that should be secure, but we all know there are still limitations under the best practices used to secure our data.
My answer to it is a lock on my credit reports so no one can query unless I provide preauthorzation to the credit companies like Equifax, check my accounts for activity almost every day (which now is so simple to do online it's silly not to), notify the travel department of my bank card issuers when traveling so they know to expect activity outside my usual geographic area, and find the fraud departments have gotten really good with 5 am texts to verify if I was really trying to send money to Cuba. It's a pain to get a new card and number and update all the autopay stuff like Netflix and Spotify, but I'm about as safe as I can make it for myself short of cutting myself off and only completing transactions in cash.
Yes, I use two factor authentication whenever it's available and never give out anything ever over a phone call or even in response to an email unless I log onto the inquiring service through an Addy I type in myself. I don't click on links no matter how "real" the email looks or reads, and I never open attachments unless they're expected, regardless of the sender.
One time I got an email from my daughter with a subject line that just read wrong for her style. I called her and of course she didn't send it, and we found her contact list got hacked. Even tracked it down to her use of a "free" public wifi connection at the airport when traveling. Probably logged in through one of those spoofed routers they set up in public spots with wifi, hoping you select the one that looks legit even though it's off by a letter or two when you chose it. She now uses a VPN. And that email was digitally shredded. Even the trash isn't really safe enough for me for things like that.
A good hacker doesn’t need the last 4 of your ss or your drivers license number. I get that you’re trying to be secure.
But the truth is, for probably 90% of us, the horses are already out of the gate. There’s enough info out there now on almost everybody that it could happen any time to anyone.
But the truth is, for probably 90% of us, the horses are already out of the gate. There’s enough info out there now on almost everybody that it could happen any time to anyone.
Vapemail! Little Mölly V1 and the B2K. B2K apparently is not really my style any more...
Luckily, have a spare Haku ready to go!
Luckily, have a spare Haku ready to go!
Last edited:
@Eskie – WOW….that’s what I call a response. Truly hope you did not go through all that trouble just for my sake. A simplified version would have been sufficient. But honestly…thanks for the response (the Punk learned something today!).
There is no real full proof process – it’s about mitigating risk while providing an easy to manage service for the consumer. What you have mentioned above, to me, is convoluted and open to failure. And when the process fails we now rely on an unsecure method of transferring sensitive information that does not follow any set standards. You may be educated enough to perform this while mitigating risk, but not everyone will think or even act the same which could open the opportunity for compromise. The validation through CC was just a napkin idea – and one I think could work well. A secure link to the CC company is required for the purchase – any failure here means no sale (or delayed sale until that link is re-established). You have to provide a DOB to obtain a CC so the info is already available. Retailer has to confirm card #, name and funds with the CC so a simple yes/no to “is the buyer of age” would not be that difficult to implement.
I’ve never dealt with Veratad, so on a contingency level I have no idea what they have in place. I do know that financial institutions and CC companies invest greatly into contingency’s and DRP (disaster recovery plans) for any down time could mean a huge loss in profits.
As for little Johnny stealing your CC to buy age restricted items online - if he has access to your CC he also has access to your DL, SSN and probably other stuff you may not know about. Little Johnny probably also has a friend of age who buys him liquor and cigarettes – every town/city/community has that one old dude who just caters to minors. It’s a sad reality.
But thanks again for the reply – looking forward to the movie (joking)
There is no real full proof process – it’s about mitigating risk while providing an easy to manage service for the consumer. What you have mentioned above, to me, is convoluted and open to failure. And when the process fails we now rely on an unsecure method of transferring sensitive information that does not follow any set standards. You may be educated enough to perform this while mitigating risk, but not everyone will think or even act the same which could open the opportunity for compromise. The validation through CC was just a napkin idea – and one I think could work well. A secure link to the CC company is required for the purchase – any failure here means no sale (or delayed sale until that link is re-established). You have to provide a DOB to obtain a CC so the info is already available. Retailer has to confirm card #, name and funds with the CC so a simple yes/no to “is the buyer of age” would not be that difficult to implement.
I’ve never dealt with Veratad, so on a contingency level I have no idea what they have in place. I do know that financial institutions and CC companies invest greatly into contingency’s and DRP (disaster recovery plans) for any down time could mean a huge loss in profits.
As for little Johnny stealing your CC to buy age restricted items online - if he has access to your CC he also has access to your DL, SSN and probably other stuff you may not know about. Little Johnny probably also has a friend of age who buys him liquor and cigarettes – every town/city/community has that one old dude who just caters to minors. It’s a sad reality.
But thanks again for the reply – looking forward to the movie (joking)
It’s not a matter of what a good hacker can pull off. I know my home is not burglar proof, but I do not leave my front door wide open for all to enter and take what they want. If I do my part and reduce risk then I also reduce the temptation of compromise from the not so good hacker…or the curious who just wants to see what they can get away with.
The problem is that people freak out over an online verification process, intended for safety and accuracy, yet have no qualms with places like Equifax having all their information, and don't even blink an eye about using their credit card at the local Walmart.
I do virtually all my shopping online that isn't groceries. I have a sister in law who does none.. literally if she wants something purchased online she has me do it because she's afraid of having her information "out there".
She has also had her credit card information stolen and used on shopping sprees far far more than me due to local shopping that gave out no more information than is on that card of hers..
That's all anyone needs to steal from you.. a number.
People get scared, but your information is out there... it's been out there likely before you even knew it was.
Someone used my SS number and name to rack up student loans in another state while I was still in high school.. and I'm 50... I had no credit cards nor credit, yet some how my name and social ended up acquiring thousands of dollars in college tuition.. lol.
Our informations somehow been public our whole lives, and it takes so little for thieves to get what they want I'll take my chances and live my life without constant fear...
I refuse to allow theives to change my behavior when if they want it they will get it regardless of what I do.
I, unlike my SIL, won't spend twice as much on a daily basis so that those who steal from me are local instead of in the next state..
Good morning Shiny's. Freaking cold, even my Em is under the blanket. Unfortunately the fur babies seem immune and are creating havoc which they are currently getting away with.
Good morning shinies. I am at least going to "purchase" my wins from Ohms vapes and Flavor shack today. Pretty nice and inspiring to mix, which I should do soonish anyway.
I would say good morning but I forgot to stop my 5 am alarm and I went to bed late. AND I have to freaking go and be sociable at the "provider's Christmas dinner" which OY. I hate those things but I figured I better go. The roided husband yelled at me for lots of things.
I am wondering if he can be pleasant in public. Possibly.
Other things are on my list but tomorrow...
Anna
I would say good morning but I forgot to stop my 5 am alarm and I went to bed late. AND I have to freaking go and be sociable at the "provider's Christmas dinner" which OY. I hate those things but I figured I better go. The roided husband yelled at me for lots of things.
I am wondering if he can be pleasant in public. Possibly.
Other things are on my list but tomorrow...
Anna
And I did that on my phone...................................
OK, I was heading home from dinner on the subway and needed to occupy my time. I guess it was a tad long. Sorry for all that.
I think the credit card method could be interesting, but would require implementation through the credit card processor who's the bridge between the vendor and the issuer. That could create all sorts of complications for all involved, especially if the vendor needs to provide and audit trail on age verification, and would probably cost more in fees to the vendor than current methods cost. Theoretically as it's being passed back and forth through the shopping cart, it's as secure as the credit card processing. Granted, that's not saying much, but it's all we've got.
As for the consequences of information submitted being abused, it can happen through any transaction you make anywhere. Get money from an ATM or buy a transit ticket or any other POS self service location and folks can stick skimmers on to collect the day's transactions. They're making them smaller and stealthier to a point it's hard to know it's even on there if you're not looking for it. Go to a restaurant? They take your card and swipe it in back and return your bill to you. Nothing to stop the waiter from taking a second swipe with their phone and a little card reader attached. Finally, huge batches of aggregated numbers are bought and sold every day on the web. The price are low enough that if they run through (all automated of course) all of them and 0.01% work, they still made a profit. Most of this takes place outside the US making law enforcement virtually impossible. That's why banks and whatnot rely on progressively better systems to identify use that's out of character for the cardholder. Still annoying when you need to get a replacement card, but not terrible.
The best approach to prevent someone buying a townhouse with a mortgage you know nothing about is by requiring credit card agencies to lock your account to credit checks run without your prior approval. It's easy to do and all three of the big credit scoring companies now offer that. Still a good idea to peruse your credit score report every so often to look for errors, even on legitimate queries.
And good morning shiners! had dinner last night with my daughter and she asked what I wanted for Christmas. I asked her what her budget was. Crass, but my daughter works very hard at two jobs despite being in graduate school, so I don't want her overextending herself and doing something nutty. And guess what, she wants to get me a Drone on release! Score!
Then again she wants an Apple Watch 4 with 2 bands. Fortunately in aluminum so it could have been worse. I know I come out behind on that deal, but as I said, she's always been a hard worker since high school, both in school and in the job market when she really didn't have to, so letting her spend her money the way that makes her happy and my giving her a nice gift in return seems correct for me.
Rain rain go away,must mean I should buy a mod today?
Similar threads
- Locked
