To establish trust I asked them to Facetime and share IDs mutually, but they balked. I've tried this before and people are generally reluctant. Asking for a mutual phone call with a trusted person was also met with suspicion.
Ultimately, I met the escrow agents and sellers face-to-face at their business to collect business cards and transfer information. There's still no better authentication than meeting a person at their place of business: they have business cards, an office, co-workers – half a dozen signals to verify identity.
Despite the high incidence of wire fraud and identity theft, authentication protocols are all one-sided. Customers require credentials but there's no way to authenticate the business agents. This goes beyond banking to include healthcare, utilities, credit bureaus, the tax industry – any business relationship that shares sensitive or personal info.
tl;dr :
So, how do you go about establishing trust with strangers in order to share sensitive information or transfer money? What process and / or tech do you use to identify & trust the other side of the transaction?
My Proposal :
On the social side, we need to improve the culture of verifying identity to encourage a mutual process. Both sides need to share IDs and proofs of identity for any transaction to be sound.
As for technology, we need better systems to empower customers to validate the authenticity of agents, including one-time tokens and business verification. A system like "The Work Number", used for employee verification, could be effective to validate business agents without compromising them. These systems need to be stable over legacy channels like phone, fax, wire transfers, paper checks & email – systems that will remain for 30+ years.
As software engineers we need to establish trust mutually and give more attention to the business-side of the trust relationship.
You don't. You make it so they are no longer strangers by identifying them. Buying a house? Get an agent, broker, and/or company that is licensed. Finance through your credit union. Etc. Nobody is participating in high-risk transactions as a professional without a company/license. Most jurisdictions simply don't allow it.
In general, that carries to other types of secure transactions as well - we have systems in place that handle the trust concerns. Use them, don't re-invent the wheel.
In the UK someone tried to sell me a house that they didn't own. Luckily I worked out that it was a fraudulent sale before transferring significant sums of money. I did out-of-band identity verification by getting the real owners details from two neighbors, then calling up the letting agent who was managing the property. The letting agent was not aware that the property was listed for sale.
After the dust settled I attempted to recover some of my costs. According to my lawyer when the seller is committing fraud the buyer is liable for the mortgage, and usually the buyer never gets any money back. Normally the buyer declares bankruptcy. Basically all of the professionals involved have to show that they took reasonable steps to verify the seller's identity. The buck gets passed all the way to the fraudster who is usually long gone.
Whenever I tell people this story they usually struggle to believe that the buyer ends up bankrupt, but the buyer does normally go bankrupt.
Moral of the story is that your gut is telling you to do the right thing. If the seller won't spend 5 min to take a selfie then buy another house. You are responsible for verifying the identity of everyone in the chain.
I like this idea but:
> validate business agents without compromising them.
What is the value here? Legally conducted business has no need for this.