Cashing out in mid January 2020?

[Charlotte Bartlett]

20 hours ago, Chic Aeon said:

Financial institutions such as money markets. They do have my SSN (which of course stated for many years that it was NOT to be used for identification -- irony there) but they have never asked for a current utility bill etc and I do not need to go through any steps each year to continue to "prove" who I am.   Perhaps they should be doing that, but they are not -- this in four cases. 

 

 

So far as the "mandatory" SSN information -- there ARE a few places where you ARE required by US law to give your SSN. 

 

The bottom line is still of course just how much you want to transfer that money out of SL.  And if you are comfortable with them having that information, then great.  

 

 

Money Market Accounts at Financial Institutions should be performing KYC and validating your address.    It wouldn't be each year, more likely each 5 years they would refresh their data and it may be they are able to do that via your credit and other reports versus asking for your documentation again.

[Chic Aeon]

5 hours ago, Charlotte Bartlett said:

Money Market Accounts at Financial Institutions should be performing KYC and validating your address.    It wouldn't be each year, more likely each 5 years they would refresh their data and it may be they are able to do that via your credit and other reports versus asking for your documentation again.

Well in my case they haven't iasked for any info in at least a decade, more like two and I don't take money out. It just sits there and I don't put money in. So there must be a "loophole" someone. I asked a friend today and he hasn't been asked either.  That's all I can say. Obviously not going to mention the financial institutions but they are "biggies" :D.  Maybe I am grandfathered in since I have been there for oh so many years :D. Can't say. 

[Mollymews]

5 hours ago, Charlotte Bartlett said:

Money Market Accounts at Financial Institutions should be performing KYC and validating your address.    It wouldn't be each year, more likely each 5 years they would refresh their data and it may be they are able to do that via your credit and other reports versus asking for your documentation again.

pretty much yes this is how it works

in the fine print for organisations like Paypal, Tilia, etc it usually says that they will try to RL identify us electronically with the information they already have on us, and/or from the minimal amount of information initially asked for in our account application

the fine print usually goes on to say that, when they are unable to do this then they will ask us for additional information to secure our RL identity

for example.  The minimal amount of information that Tilia initially asks for in establishing our account would be our SL account name, and any Payment Method information we may have on file for purchasing services from Linden (Premium, Tier, L$)

this inward flow of money is regulated/governed by the Trusted status of the Payment Method providers - credit card company, Paypal, etc). There is a thing in the regulations called the Chain of Trust where organisations are able to trust other organisations when those organisations are compliant.  Linden can trust Tilia, Tilia can trust VISA, VISA can trust the bank, etc

for an outward flow (cash out) then Paypal etc must be able to to trust Tilia. For this Tilia must RL-know who it is transmitting money to Paypal on behalf of.  Tilia can't use the fact that Paypal already knows who owns a Paypal target account. Paypal has no way of knowing that the person initiating Tilia to transmit money to them (Paypal) is the actual same person who owns the Paypal account. Paypal trusts that Tilia knows who this person is  

[Luna Bliss]

I just cashed out to Paypal without any problems. Was half-expecting I'd need to resubmit details but fortunately all went smoothly.

[Jaimy Hancroft]

They can hurry it up a bit this review is taking a week now , bit unethical to completely block someones earnings imo.

[Da5id Weatherwax]

On 1/20/2020 at 3:05 PM, Jaimy Hancroft said:

They can hurry it up a bit this review is taking a week now , bit unethical to completely block someones earnings imo.

There's a difference between "holding pending verification" - which they must do if your identity is insufficiently verified by Tilia to be "trusted" for regulatory purposes - and "denying" the transfer - which blocks it completely and which they can only do with legal or contractual justification.

LL may have had sufficient verification for the regulatory environment in which they used to operate, and may have transferred some or all of that to Tilia when that aspect of the business was spun off due to regulatory changes. If that transferred information met the new regulatory requirements that Tilia, an exchange as defined and regulated by FinCen, has to operate under they will not ask for any extra and neither will there be a delay to verify. If not, they must ask for the additional data and must not release your transfer until that additional data is verified. Them be the laws, and the regulatory penalties for failing to comply with 'em are ugly.

I submitted my extra info as soon as that was possible by making a small cashout (outside my usual sequence) and sending them the extra doco they asked for. That initial one took longer than usual due to the verification delay but since then my cashouts have proceeded as fast as - or in most cases faster than - they did before the cutover to Tilia processing.

[Karma Avedon]

On 1/18/2020 at 11:44 AM, Charlotte Bartlett said:

Out of interest, what type of RL institutions are you talking about?

My credit union, bank and Paypal itself to name a few.

Since this just now seems to be the new common practice, I have bitten  the bullet and provided the information requested (sort of) and had my account unfrozen so I can transfer Lindens to a paypal account  again if I ever choose to do so. As I have said, my main concern is not what LL (Tilia is just LL staff) will do with my info. My problem is what others will do with it and if you read Tilia's "secure process" you realize it is only a matter of time before it falls into other's hands, as happened in 2006  In their own FAQ on Privacy and Security, they admit that the data is not even encrypted.  LL has already had
With the information I provided,  a person  who obtained it could do the following with ease:

Obtain a driver's license
Apply for a credit card
Obtain my birth certificate
Open a bank account.

Thanks for all the feedback. I am just going to cross my fingers and go on.
 

 

[Chic Aeon]

It is funny how threads go. My intent with this one was to see if cashing out to Paypal was still "quick" and for some it seems it is. In Sansar they are still waiting for the "oldtimer rate" to return and we are coming up on a month now.  I question whether they will start asking for that same person info in Sansar. Since I am no longer making much money there I don't plan to transfer money out anyway, but I was just interested in what was happening here.   So two of my friends had to "reconfirm" the info that they sent in long ago for one and in August for another, but some people have had no changes.   All very mysterious and I don't see a pattern.

But thanks for all the info. And "no" Paypal has never asked me to prove who I am either. Can you imagine? With all the folks in Paypal? A Nightmare.    Welcome to the New World Order. Some things WERE better long ago. Some things are better now. 

 

As to the Opensim comment --  Kitely (the big on-line Market) only asked for your Paypal email. That's it.  I think they ask for your RL name too but I suspect you could put in anything. They are based in Isreal I think.   

 

Edited January 23, 2020 by Chic Aeon
adding info

[bigmoe Whitfield]

On 1/18/2020 at 3:05 PM, Jacie Rae said:

I just want my money out of second life. I went to Opensim and its great! I don't need some off the wall company to steal my identity. It is definitely not worth that kind of threat for 60 bucks. I transfer bank to bank in RL all the time and no one asks me for my ssn. There has to be another way as i see from reading it here, there are too many ppl not willing to have their identity stolen. no wonder SL is declining. Many designers are leaving because of these policies. So we cant have any LL forever if we hand out ssn over to this company , whoever they are, or they will charge us fees until all of our LL is gone.. 

LL is required by law, you are not going to be able to skirt the legal requirements enacted by the us government. 

[Grumpity Linden]

5 hours ago, Karma Avedon said:

As I have said, my main concern is not what LL (Tilia is just LL staff) will do with my info. My problem is what others will do with it and if you read Tilia's "secure process" you realize it is only a matter of time before it falls into other's hands, as happened in 2006  In their own FAQ on Privacy and Security, they admit that the data is not even encrypted. 

Karma, quite to the contrary, your information is more secure within Tilia.  It is certainly encrypted.  Soft Linden wrote a blog about it, describing the additional layers of protection built in to the Tilia design.  To quote in part:

Our engineers created a new “personal information vault” project. This vault uses modern algorithms to encrypt sensitive information in a way that would require both enormous computing power and an enormous amount of memory for an attacker to crack… if they could even get a copy of the encrypted data. These algorithms are specifically tuned to defeat expensive decryption acceleration hardware. And all of this new encryption is wrapped around the encryption we already used - encryption which was the industry standard at the time. These are entire new layers using encryption technologies which didn’t exist when Second Life was new.

Even after all of these changes, the old protection remains in place at the bottom of that stack. Figuratively speaking, we locked the old vault inside a bigger, stronger vault. We chose an approach where we didn’t need to decrypt information in order to enhance your protection.

There is another key part of this project: Our storage mechanisms for sensitive customer information are now isolated from Second Life. The information isn’t stored at the same physical location anymore, and hasn’t been for a while. But the difference is more than physical.

Second Life’s servers do not have direct access to Tilia information that isn’t required for daily Second Life usage. Even developers who have worked at the company for a dozen years - developers who have full access to every last Second Life server - do not have access to the servers that store and protect the most sensitive information. A policy of least privilege means fewer opportunities for mistakes.

Even within Tilia, key information is further segmented. This means that compromising one database inside of Tilia is insufficient to decrypt and correlate sensitive data without compromising a different service. We have deployed numerous commercial products which help monitor for access, abuse, or data copying attempts for data that is made available to Tillia employees. This means that even an attacker with all employee access credentials, access to employee multifactor authentication tokens, and all Tilia access permissions would still face some challenges in avoiding early detection.

 

 

[Da5id Weatherwax]

Exactly, @Grumpity Linden - I've had the dubious privilege of being the lead analyst on two such projects during my career and that sounds pretty much like an implementation of the requirements I wrote in either case. Least privilege, separation of duties and a layered defense in depth. Along with the stuff I'm sure you implemented but didn't write about - because such details aint ever for public consumption - like rigorous access logging, an intelligent IDS setup and designing the infrastructure in such a way that even if somebody was able to bash through all of that layered defense they couldn't do it without setting off alarms to tell you it had happened.

[Nikilei]

The breach at TransUnion and the theft of millions of people's identities. well that goes to show that if they can't keep people's data safe, how can we expect LL to?

[Chic Aeon]

A creator acquaintance contacted me tonight asking questions about SSNs and Tilia and cashing out to Paypal et al.  He will be leaving too and possibly moving to another platform.  Of all the creators that I know, the ones that DID go along with the new rules are the ones that are pretty desperate for money. They felt they had no choice since they had to pay the bills.   The ones that didn't depend  on SL for living expenses have mostly left or stopped creating or just do a bit now and again for fun (like me).  Again, that wasn't the point of my topic, but here we are.

 

It is now the end of day 23 at Sansar with people still waiting to cash out and "official" hopes of "next week maybe".  Some of the creators over there are working EXTREMELY hard on a new official LL project (no monetary payment) hoping to help. This continued stonewalling is so VERY UNFAIR to them -- and I said so loudly on Discord tonight. I also took a snippet of that post for posterity.   I hope there are answers soon. Sadly I am not counting on it. 

[Da5id Weatherwax]

21 hours ago, Nikilei said:

The breach at TransUnion and the theft of millions of people's identities. well that goes to show that if they can't keep people's data safe, how can we expect LL to?

Anyone can foul up. If you're going to not do business with somebody because of that level of risk I presume you have no bank account, no home, no vehicle and are not registered to vote. And why you have any online identity at all is a mystery....

[steeljane42]

5 hours ago, Chic Aeon said:

Of all the creators that I know, the ones that DID go along with the new rules are the ones that are pretty desperate for money. They felt they had no choice since they had to pay the bills.   The ones that didn't depend  on SL for living expenses have mostly left or stopped creating or just do a bit now and again for fun (like me).  Again, that wasn't the point of my topic, but here we are.

I know plenty of creators, too. No one really cared too much and most continue as is (most are very unhappy about 5>10% on MP, though, but that's another story). Doom and gloom is quite popular topic at any given day, but at the end of the day Tilia is LL and companies change ToS from time to time.

I do hope people get their money out of Sansar before it completely dies, though. Which, I also hope, is soon. I guess it'll be a sad day, for a very few people who actually did enjoy it for their reasons, but companies of LL scale can't afford to just burn money on nothing forever. Google can, Amazon can, Microsoft can, but not smaller ones.

[Chic Aeon]

9 hours ago, Da5id Weatherwax said:

Anyone can foul up. If you're going to not do business with somebody because of that level of risk I presume you have no bank account, no home, no vehicle and are not registered to vote. And why you have any online identity at all is a mystery....

I have five bank accounts, own my own home and am registered to vote.  We each (as seen on these forums) have our own level of online security comfort. I find it odd, since you say that you are a "security" person (or past one anyway) that   this is your point of view. You are OF COURSE allowed to have it. No argument there.  

 

Edit: I see that wasn't aimed at me, but that is still my response as it appears to be a generalized comment :D. 

Edited January 24, 2020 by Chic Aeon
adding info

[Da5id Weatherwax]

19 hours ago, Chic Aeon said:

I have five bank accounts, own my own home and am registered to vote.  We each (as seen on these forums) have our own level of online security comfort. I find it odd, since you say that you are a "security" person (or past one anyway) that   this is your point of view. You are OF COURSE allowed to have it. No argument there.  

 

Edit: I see that wasn't aimed at me, but that is still my response as it appears to be a generalized comment :D. 

One of the things you learn very early on in cybersecurity is that the moment you start thinking your system can't be breached, you are setting yourself up for it BEING breached. There is always a mistake somebody can honestly make, there will always be somebody with enough access who can be social-engineered into using it wrongly, the latest and most rigorously patched technical solution will have a gap in it somewhere, even if nobody knows about it yet.

Your aim in effective cybersecurity, as opposed to bells-and-whistles "security theater", is to change the risk/reward proposition for the potential attacker. While you cannot make it impossible for an attacker to get in, you can make it hard enough that it's not worth it to them. You further shade this decision  on their part in the way you want it to go by building in stuff that might not have a direct impact on whether they can get in or not but does have implications for whether they can get away with it.

Take my own network, for example. I've secured it as best I can, building a dedicated firewall box that has no local hdd, it boots off a dvd and runs everything in a ramdisk. When I update or patch that system I burn a new dvd for it on my build box and junk the old one.This means a reboot will *always* restore the system to a "clean" configuration even if somebody compromised it. You can't rootkit a system you can't write to. I have  daily-updated AV and local firewall rules on all the machines inside that boundary, so idf somebody does crack my firewall they still have to get past the interior machines local defenses. This is NOT an impervious setup, even though I promptly patch all holes as they are discovered. A really good hacker could probably get in, but I pretty much guarantee you that a scriptkiddie couldn't and there is nothing on my network that would make it worth the while for a really good hacker to go after it.

Then there's the layer an attacker can't see, my IDS box. That machine can see all traffic on my internal network but is invisible to the network- I made the patch lead connecting it to the network myself and did not connect the Tx wires. That system can hear everything but cannot talk. If any traffic on my network trips any of the snort profiles for "hacker activity" a custom program will drop the modem control lines on the systems COM port and a relay will cut the power to the boundary box from my provider, isolating my network from the outside world while retaining all logs and any "internal edits" the hacker might have made for me to peruse at my leisure and close off the hole they used before restoring my external connection. I might not be able to guarantee they can;t gert in, but I CAN guarantee that they will leave visible footprints and I'll know they were there.

[Luna Bliss]

My credit card was hacked recently (nothing to do with SL at all).  I never figured it would happen to me.  Fortunately I was not responsible for any of the charges, which were considerable.

[Jacie Rae]

so if i delete my account from sl and/or tilia will they still try to charge after i get my money out of L$

[Chic Aeon]

44 minutes ago, Jacie Rae said:

so if i delete my account from sl and/or tilia will they still try to charge after i get my money out of L$

According to Grumpity at the Town Hall Tilla meeting last year (there is a video) people will ONLY be charged if they have a USD balance and they are inactive for a year. If you leave  and take all your money with you you will not be charged.  If you left some money in your USD balance then they would take from that after a year of inactivity.  You don't need to close your account just take your money out or use it in SL if you are not willing to do the Process Credit info bit.    You might want to delete your Paypal and credit card info after you are done getting your money out but in theory it wouldn't matter as there would be no money in your USD account.   Again there is a video about this you can find on YouTube. Brent was there also (hope I got his name correct). 

 

 

Edited January 28, 2020 by Chic Aeon
adding info

[Nikilei]

On 1/24/2020 at 3:38 AM, Da5id Weatherwax said:

Anyone can foul up. If you're going to not do business with somebody because of that level of risk I presume you have no bank account, no home, no vehicle and are not registered to vote. And why you have any online identity at all is a mystery....

You don't "do business" with TransUnion, they do your business. "Anyone can foul up"? You are making excuses for companies who do don't what is necessary to protect your information? Well you deserve to have your identity stolen then! My point was is your data isn't safe if it is online.  By the way, using a real photo, you have lent yourself to facial recognition software without you even giving consent.  Don't ask me what I am doing here,. ask yourself that troll!

[Da5id Weatherwax]

40 minutes ago, Nikilei said:

You don't "do business" with TransUnion, they do your business. "Anyone can foul up"? You are making excuses for companies who do don't what is necessary to protect your information? Well you deserve to have your identity stolen then! My point was is your data isn't safe if it is online.  By the way, using a real photo, you have lent yourself to facial recognition software without you even giving consent.  Don't ask me what I am doing here,. ask yourself that troll!

Oh my, we are getting a little hot under the collar aren't we? Go ahead download the RL photo. If you want I'll even provide a full-face one without glasses or other stuff in the way. Use it in whatever photo recognition software against any database you like. I do not attempt to hide behind "online anonymity" at all - which, by the way, should have been a pretty strong hint that I wasn't trolling anyone since a troll pretty much depends on not being known. I'm saying nothing to you or anyone else that I wouldn't say in person to your face.

"Anyone can foul up" is not making excuses for anyone. If they knowingly do not make their best good faith effort to secure your data, or knowingly fall short of accepted standards in doing so, then of course hold them responsible. But the fact remains that no cybersecurity arrangement is unbreachable. This, in part, is why I don't try to conceal who I am. Somebody wants to dox me, with a little research they can. Heck, they can attend one of my sets in SL, listen for me to play an original track and then a little google-fu will  likely find them an mp3 of it online with my real name in the "artist" tag and from that starting point there's public records enough to get most of it.

But use that information fraudulently and I will know somebody did and be in a position to shut it down either immediately or in pretty short order. I know the risks and have taken steps to minimize them. But I've been on the 'net since it was called ARPANET and have had my fingers in so much of its history, one way and another, that I'd be findable and identifiable even if I were frantically trying to scrub all traces of my RL identity from the online world. 

80% (or thereabouts) of security breaches are accomplished not by hacking the code, but hacking the people. Social engineering a customer service rep into violating policy or a sysadmin into "fixing a problem." You'll get more scam robocalls trying to social engineer you into breaching your bank card yourself than you will crooked waitresses trying to skim it, because the crooks know it works. And yes, anyone can foul up. Show me somebody who claims to have never made a mistake at work and I'll show you a liar.

[Nikilei]

You can't protect yourself!  No matter how hard you try too. There have been so many security breaches from financial institutions to government agencies. Why? Because they often do not do enough to protect themselves. If you really want to get into cybersecurity, check out KrebsonSecurity.com  He is brilliant and his job is to hack the hackers.  Anyway, it's up to you if you want to leave your life wide open. Next time you go to the pharmacy and fill a prescription? The DEA has access to every prescription you have filled since the inception of PDMP; same with all your medical records.  Everything you do, say, watch, read, ect. is data mined and stored all without your consent.  If you don't mind living in a draconian society that's your choice but most people do.  I do. And guess what, I have never "fouled up" and I am not a liar. I have also been part of the net back  when it was Lexus/Nexus; long time and have seen the many changes happen to our society because safeguards for our privacy were not put in place. I called you a troll only because you were talking like one. 

[Nikilei]

56 minutes ago, Da5id Weatherwax said:

58 minutes ago, Da5id Weatherwax said:

 

 

You'll get more scam robocalls trying to social engineer you

 

I forgot to add - don't pick up the phone when its a robocall. They are easy to spot. Friends and family's numbers show on the receiver. If you don't recognize the number, let the machine take it.   I do not talk to them ever but I do report phishing emails.  I just don't understand how, given your age, how you could not care about personal privacy. How can you not see where this is going, especially with the advent of AI?   This doesn't bode well for society. If Elon Musk even warns that safeguards need to be put in place now regarding AI before it is too late, that tells me a lot about the dangerous direction our technologic age is taking us.  Personal privacy is a gift that should be safeguarded not treated nonchalantly. Wow, this has gone way off topic!

[Da5id Weatherwax]

19 minutes ago, Nikilei said:

You can't protect yourself!  No matter how hard you try too. There have been so many security breaches from financial institutions to government agencies. Why? Because they often do not do enough to protect themselves. If you really want to get into cybersecurity, check out KrebsonSecurity.com  He is brilliant and his job is to hack the hackers.  Anyway, it's up to you if you want to leave your life wide open. Next time you go to the pharmacy and fill a prescription? The DEA has access to every prescription you have filled since the inception of PDMP; same with all your medical records.  Everything you do, say, watch, read, ect. is data mined and stored all without your consent.  If you don't mind living in a draconian society that's your choice but most people do.  I do. And guess what, I have never "fouled up" and I am not a liar. I have also been part of the net back  when it was Lexus/Nexus; long time and have seen the many changes happen to our society because safeguards for our privacy were not put in place. I called you a troll only because you were talking like one. 

Lass, I've spent more years working in cybersecurity than Brian Krebs. He's brilliant, yes, and probably a better counter-hacker than I am but wasn't it only 2000 or 2001 when he started specializing in it after an encounter with a worm program? I think that was the time, and it was only shortly after that I started to see his name on the program of conferences I'd been attending for years. He's also a really cool guy to have had a beer with at those early-days conferences. Smart as heck and witty too.

"back when (the internet) was Lexus/Nexus" ???  - It never was. The internet existed when that was a specialized standalone network and it joined the internet, it did not become it.

You are quite right that companies and agencies have historically done "not enough" to protect the data they hold. There were no laws or regulations setting any standards at the start and so they did the bare minimum - or nothing at all - and everyone from Crunch to Rob Morris had a field day. We were ALL hackers back then, when the worst that was likely to happen if somebody cracked your system was they'd leave an email for the sysadmin - from himself - snarking about the security hole he's left open. I remember working through the night on efforts to contain the Morris worm when it hit the university I was working at.

Then the crooks moved in. Companies and agencies were still not doing enough, because it wasn't seen as a priority. Even when the first standards were circulated they still had no force of law so companies saved on the bottom line by only paying lip-service to them. This was in spite of the advice of IT folks, we were still seen as "back office geeks" and not properly understood by management. It took some pretty horrible breaches before laws were written to hold companies liable for not following the standards. Even then there were all these legacy systems that were full of holes and the attackers had read the standards too and the "arms race" was in full swing.

Of course I "mind" living in a surveillance society. But toothpaste doesn't go back into the tube pretty easily. Once the can of worms is open the only way you'll get them back in is to use a much bigger can. Fortunately for me, and for others that have been around as long as I have and knew - even before the big breaches started being disclosed - that there was no more privacy on an email than on an old-fashioned postcard, that everything you did or said on the 'net was there forever, that the interconnection of data sets would enable a panopticon for a sufficiently capable organization, we recognized that you didn;t protect yourself by trying to not put the data out there (not unless you were intending to live off-grid in an earthship somewhere in the desert) but instead by mitigating the risks of it being seen.