Neil Turner's Blog

Blogging about technology and randomness since 2002

Verifying with Paynova

Paynova is a site in the ilk of PayPal, Google Checkout and Nochex in that it offers merchants secure online payment services, and a personal account system for users that remembers their card details. CD-Wow is one of Paynova’s clients and so rather than re-enter my card details every time I buy from them (which admittedly is 3-4 times a year but it saves hassle) I can use my stored details.

All users can save their card details and make small transactions with the site, but to make transactions over £100 you have to validate your account. PayPal does this in a relatively simple manner, but Paynova require you to send them a fax, containing “a copy of your bank-/credit card (front and back), a copy of your ID card, username of your wallet and contact information”.
Yes, they want me to send a fax. To Paynova’s HQ in Sweden.

In other words, rather than use their 128-bit RC4 encrypted HTTPS web site to send my details, they want me to send an unencrypted fax across international borders. A quick Google search found a number of ways that faxes can be intercepted, and it’s said that the US routinely monitors the contents of faxes in its bases around the world (the nearby RAF Menwith Hill base is allegedly among those used).

Somehow I don’t think I’ll be in a rush to verify my details. The potential for identity fraud from this is massive – anyone who can intercept the fax has my name, address, date of birth, passport number and credit card number.


  1. There was something similar in The Register today: a credit agency (which really ought to know about ID theft!) required someone to send scans of his debit card, front & back, via unencrypted e-mail.

  2. Does this comment system even work? I wrote a comment on this blog post some weeks ago, but I don’t see it now. I remember some parts of my comment, so if this works, I may post it again sometime.