Hacker News

The most significant security problem with Namecheap is really this: It only takes a 4 digit PIN to perform any action on an account through live chat (which seems to be outsourced to Eastern Europe), even if the account is protected with 2FA... All you need is the PIN, and an attacker can do anything to the account.

Sometimes you get what you pay for.
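As an added illustration of the weakest-path point made above (constructed example code, not from the thread or from any registrar): every channel that can act on an account is an authentication path, so the account is only as strong as the weakest one. Channel names, factor names and the strength scores are assumptions used only for comparison.

```python
"""Weakest-path audit of account recovery channels (constructed example)."""
from typing import Dict, List, Set, Tuple

# Rough strength score per factor: how hard a remote attacker finds it to
# obtain or guess.  Assumed values, meaningful only relative to each other.
FACTOR_STRENGTH: Dict[str, int] = {
    "hardware_key":   5,   # phishing resistant
    "totp":           4,   # device-bound, rotates every 30 s
    "password":       3,   # long secret, but phishable / reusable
    "email_reset":    2,   # only as strong as the mailbox
    "support_pin_4d": 1,   # 10^4 space, spoken to a support agent
    "card_last4":     0,   # printed on every receipt
    "id_scan":        0,   # trivially edited, nothing to verify against
}


def path_strength(factors: Set[str]) -> int:
    """Strength of one channel: sum of the factors it insists on seeing.
    Unknown factor names count as 0 so a typo cannot 'strengthen' a path."""
    return sum(FACTOR_STRENGTH.get(f, 0) for f in factors)


def effective_strength(channels: Dict[str, Set[str]]) -> Tuple[int, str]:
    """The account's real strength is that of its weakest channel."""
    weakest = min(channels, key=lambda c: path_strength(channels[c]))
    return path_strength(channels[weakest]), weakest


def channels_below(channels: Dict[str, Set[str]],
                   baseline: str = "web_login") -> List[str]:
    """Channels that act on the account with less proof than the baseline login."""
    base = path_strength(channels[baseline])
    return sorted(c for c, f in channels.items() if path_strength(f) < base)


# Constructed scenario matching the comment: 2FA on the web login, while
# live chat will perform any action on the strength of a 4-digit PIN alone.
AS_DESCRIBED = {"web_login": {"password", "totp"},
                "live_chat": {"support_pin_4d"}}
# Hardened variant: chat must also see a fresh TOTP code before acting.
HARDENED = {"web_login": {"password", "totp"},
            "live_chat": {"support_pin_4d", "totp"}}

if __name__ == "__main__":
    for label, cfg in (("as described", AS_DESCRIBED), ("hardened", HARDENED)):
        strength, weakest = effective_strength(cfg)
        print(f"{label}: effective strength {strength} via {weakest}; "
              f"channels below web login: {channels_below(cfg)}")
```

Even the hardened variant still flags live chat as weaker than the web login, which is the point: adding 2FA to the login changes nothing until every side channel demands comparable proof.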



If I wanted more security on my account, is there a different service I should be using?


I once lost my gandi.net password. It took sending copies of 2 photo IDs, and answering the phone listed in the whois database before they reset it.

I just wish that their DNS updates were pushed through faster.


Seriously. Gandi is the only registrar I use anymore.


That's not good verification. It takes a couple of minutes to produce convincing fake ID scans, and they aren't going to have anything to verify them against.

And presumably they wanted you to send those photos to them as an unencrypted email attachment, right?


As someone mentioned above, they publish a gpg key for sending this data.

As for fake IDs, yes, it is certainly possible to create them. But when it is so much easier to socially engineer your way into another service like Namecheap, it creates a disincentive for going after Gandi (and other similar hosts).

No security measures can be foolproof, possibly short of sending someone to your home to take a DNS sample, but at least they're trying for a better solution.


Other comments in this thread have indicated that Gandi will take GPG-encrypted emails and have published their public key for this purpose: https://wiki.gandi.net/en/gandi/documents


Faking ID scans adds a whole layer of law enforcement on top. I'm uncertain about the situation in the US, but in Germany the fake itself is punishable by law (up to ten years). It also creates more traces to look at and creates work. You'd also need much more information to create a convincing fake ID scan of your intended victim. It's all about increasing the amount of work for the would-be attacker.


>Faking ID scans adds a whole layer of law enforcement on top.

That's why nobody has ever used a fake ID at a bar!

> but in Germany the fake itself is punishable by law (up to ten years).

https://dejure.org/gesetze/StGB/267.html 5 years.

But producing fake scans isn't covered by this law; scans aren't even an official document. In fact, it is illegal for a German company to ask you to send them scans of official documents.

> You'd also need much more information to create a convincing fake id scan of your intended victim

To fake a good enough passport scan you'd need your victim's name. That's all the rep is going to have.


That was a few years back when another well-known registrar only required the last 4 digits of the customer's credit card, and would even help them guess if they didn't remember.

I sent the IDs by fax (yeah, a few years back, I still had a fax machine).

I thought asking for IDs + phoning the number listed in the whois database was a good cross check, especially back then.


It's better verification than most will require.


Most will require a password reset email, I'd say that's significantly better than asking for ID scans.

Edit: Since I'm getting some downvotes I'd really like to know how one could possibly argue that asking for ID scans is better than email resets. You can't really forge the ability to receive email at an address, but you can very easily replace the name on an ID scan.


Did you read the article? I ask because one of the problems was a compromised email account.


I did. It doesn't change anything, email is still a way better verification method than ID scans that the company will be unable to authenticate.


Unless your email account has been compromised.


Even if the email account is compromised it's still stronger proof of identity than ID scans.

An attacker can't just pretend to be able to read your email; such ability is too easy to conclusively prove. To be able to read your email they need to hack you somehow.

But for a fake ID the attacker only needs to throw your name in a PSD and they're good to go.


Use 2FA on your Email Accounts

Use 2FA on your Namecheap account

Maintain a sensible backup policy

Store your passwords in something secure like KeePass


NearlyFreeSpeech seems pretty serious about this sort of thing: https://www.nearlyfreespeech.net/about/faq#LostEverything


Amazon Web Services is great, and as far as I experienced, their support knows more than average.


You can get AWS customer support to reset your password if you know the last 4 digits of the credit card used to pay for the account. This is the same info that's printed on any credit card receipt.


If they have your bank account number for whatever reason you can also use last 4 of the bank account number. Your bank account number is not secret by design and most people only have one.


Not only is it not secret, it's printed on every single check for that account.


> Sometimes you get what you pay for.

So what expensive provider do you recommend instead?



But their DNS zone update latency is so high considering the slightly higher price :(


Agreed, and not too expensive.


They're cool until they start holding your domains hostage and demanding that you email them a scan of your passport.


They publish a GPG key to use for this purpose, which puts them leaps and bounds ahead of most other hosting/domain providers who do identity verification.


I've had process issues like this with them; their CEO is responsive on email/Twitter and the email alias on this page: http://www.gandi.net/no-bullshit gets things fixed. They're not perfect, but they are quite human.


Without context, anybody could say the same thing about anything. Care to share more?

I personally haven't had this happen to me. I've hosted dozens of domains with gandi, under a variety of different TLDs, and can only recommend them.

Cons: Slow website. Bad UX all over the admin/purchasing interface. Feels like they're not doing anything to improve that.


>Without context, anybody could say the same thing about anything. Care to share more?

Sure! Gandi received an abuse report regarding someone using one of my domains to scan for open dns resolvers. I informed Gandi that there was nothing I could do about this and expected that to be the end of it. Instead, they suspended my domain and started demanding that I send them ID proof.

As I needed the domain back I sent them a redacted photo of my ID card, after which they demanded to see the full ID. I decided to terminate my relationship with them.

I feel that this was absolutely unacceptable and likely unlawful behaviour from them as they had absolutely no need for that information. This wasn't a whois dispute.


> email them a scan of your passport

What? Why do they do this?


Some country TLDs require copies of legal documents.


In my case there was absolutely no legitimate reason for them to request that.

And no, it wasn't related to registry rules or transfers as other users have suggested.


Apparently, OP wanted to transfer the domain from Gandi.


FWIW I painlessly transferred five domains away from Gandi (ironically, to Namecheap), and I was never prompted for anything like a scan of my passport.


Didn't Cloudflare just launch a domain registration service for its high profile clients which can't afford downtime due to a support worker making a mistake like this?



