DOING KYC – DON’T LET YOUR IDENTITY GET STOLEN
Alarming statistics
According to “2018 Identity Fraud: Fraud Enters a New Era of Complexity” from Javelin Strategy & Research, 16.7 million consumers in the US alone became victims of identity fraud in 2017, a record high that followed a previous record the year before. That means around 32 victims of identity fraud every minute! Criminals are engaging in complex identity fraud schemes that are leaving record numbers of victims in their wake. The amount stolen hit $16.8 billion last year as 30 percent of U.S. consumers were notified of a data breach last year, an increase of 12 percent from 2016. For the first time, more Social Security numbers were exposed than credit card numbers. In fact, according to the US Department of Justice, drug trafficking is now being replaced by identity theft as the number one crime.
What is identity fraud
According to Wikipedia, identity fraud is the use by one person of another person's personal information, without authorization, to commit a crime or to deceive or defraud that other person or a third person. Most identity fraud is committed in the context of financial advantage, such as accessing a victim's credit card, bank or loan accounts. False or forged identity documents have been used in criminal activity (such as to gain access to security areas) or in dealings with government agencies, such as immigration.
Often today, the identities of real persons are used in the preparation of these false documents.
The government of the Netherlands describes identity fraud as when criminals use forged or stolen identity information, for instance to buy goods in someone else’s name and avoid having to pay. People smugglers, drug traffickers and terrorists also use stolen identity information.
Identity fraud is rapidly increasing, especially online.
The price of forged and stolen passports
Obtaining a stolen or forged passport on the dark net is not difficult, but it’s also not cheap. Phony or stolen passports can cost thousands of dollars depending on the quality and the country named on the coveted travel document. In 2016 American and European security officials spoke of an “epidemic” created by a spike in demand from asylum-seekers, and from terrorists like those who carried out the Paris attacks, two of whom were carrying counterfeit documents. That epidemic grew even bigger in 2017.
Scams in the blockchain space
The blockchain space is no different from the rest of the world and is full of scammers trying to trick you into sending money and then disappear, never to be seen again.
Many of us have been scammed before or have heard of so-called exit scams. And if you have not been scammed, you can call yourself lucky. But what if you not only sent money (Ethereum, Bitcoin, fiat or other currencies) to these scammers but also uploaded a copy of your passport, ID or driver’s license, with or without a utility bill as proof of address?
The amount of sensitive data on an identification document varies from country to country. But if you hand over a copy of these documents without crossing out the (sensitive) data and watermarking it with the purpose and the receiver, it becomes easy for scammers to start using your identity for criminal purposes or to obtain all of your (other) personal information for that purpose.
And you are paying the bill(s) or, even worse, you also have to deal with the legal issues that arise from illegal activities performed in your name.
Regulations and Know Your Customer (KYC)
With regulations in mind, projects and exchanges in the blockchain space have en masse started to introduce KYC procedures to identify their customers and ask applicants for proof of identity. Some even ask for proof of address.
Know your customer (alternatively know your client or 'KYC') is the process of a business verifying the identity of its clients and assessing potential risks of illegal intentions for the business relationship. The term is also used to refer to the bank regulations and anti-money laundering regulations which govern these activities. Know your customer processes are also employed by companies of all sizes for the purpose of ensuring that their proposed agents, consultants, or distributors are anti-bribery compliant.
KYC controls typically include the following:
- Collection and analysis of basic identity information such as Identity documents (referred to in US regulations and practice as a "Customer Identification Program" or CIP);
- Name matching against lists of known parties (such as "politically exposed person" or PEP);
- Determination of the customer's risk in terms of propensity to commit money laundering, terrorist finance, or identity theft;
- Creation of an expectation of a customer's transactional behaviour;
- Monitoring of a customer's transactions against expected behaviour and recorded profile as well as that of the customer's peers.
The collection and use of personal data is subject to strict legal rules and leads to a series of obligations for a company or organization. These are the obligation to report, the obligation of information, quality control of data, the security obligation and the maximum retention periods and the destruction of personal data.
National governmental bodies supervise compliance and may take enforcement measures in the case of infringements of the law.
The paradoxes
The first paradox is that businesses in the blockchain space obviously want to comply with regulations in order to avoid legal issues, but the fact is that many are not regulated yet and not supervised. So technically they are not allowed to collect and hold your personal data. Moreover, the question is how they assessed which documents should be accepted as proof of identity, and how much of the personal data on those documents is needed to verify your identity and has to be stored. There is no way for you to check whether they collect more, or maybe less, than they need, or whether they comply with the obligations that come with the process of collecting personal data.
The second paradox is a general one for all companies and organizations that collect and use personal data. The more personal information these organizations collect about a person, the more they are at risk of being a target of hacks aimed at getting personal information for criminal purposes. And therefore YOU are more at risk. There have been numerous cases of organizations being hacked to obtain personal information. Simply guilelessly giving them all personal information (e.g. a full copy of your passport, ID or driver’s license and/or utility bill) without knowing the real need, their compliance or their authorization is like bringing the pigeons to the cat.
Recently a lot (or maybe all) of those whitelisted for Fantom received a scam email asking them to send Eth to an (obviously) non-Fantom wallet address. At least one of the whitelist participants reported having received an email using her real name when in fact her email address does not contain her name. Although Fantom responded that their KYC data were encrypted and their security was not breached, somewhere in the chain someone got hold of all of the personal info of whitelist applicants.
Easy steps in preventing identity fraud
Government, businesses and the public are all helping to tackle it. Government authorities are working together to investigate identity fraud, and members of the public should take care when sharing personal details. In the Netherlands it is prohibited by law to ask for a full copy of a passport or ID unless the organization is authorized by the government and is registered as such. And even when they are authorized, there must be a clear need for a full copy, so those organizations are also not allowed to ask for a full copy when the only purpose is identification. Here's a link to a government site of the Netherlands (in English, with video) about the problem of identity fraud and how to prevent it.
[https://www.government.nl/topics/identity-fraud]
To verify your identity, your name, document type (i.e. passport, ID, driver’s license) and document number are enough.
The Netherlands has even declared a passport photo sensitive, as it reveals gender, race and in some cases also religion. Telecom or car rental companies are allowed to copy or scan your passport but have to shield the Burgerservicenummer (Citizenship number/Social security number) and the passport photo.
When you are asked to give personal information, always ask exactly what information they need and what the information is used for. Don’t give more than they need.
Always ask if they accept a document that is less useful for criminal purposes and has less sensitive data on it, as this is obviously preferred, e.g. the front of a driver’s license (and not the back, because in many cases this also has sensitive data on it). When giving a copy, measures can be taken to make this as safe as possible: removing or making unreadable the BSN/Citizenship number/Social security number, photograph and signature. For this purpose, cases or ID covers are on the market that shield the fields in question. Documents in The Netherlands issued from March 14, 2014 contain an RFID chip. The new covers block the reading out of this chip.
The government of The Netherlands has developed a special app for making a safe copy of an identity document: "KopieID". The app is available in Dutch and in English in the Apple App Store, Google Play Store and on Windows Phone. After taking a photograph of the passport or card, data can be made illegible and a watermark can be added.
Digital ID and Blockchains
Currently digital ID platforms are being developed. In addition to your passport and driving license, a phone application that enables you to prove your identity quickly and securely and also offers even more privacy options could soon be possible. As part of the Dutch Blockchain Coalition, TU Delft has joined forces with the Netherlands Identity Data Agency (RvIG), a division of the Ministry of Foreign Affairs and Kingdom Relations (BZK), IDEMIA (the current manufacturer of Dutch passports) and CMS law firm in developing an initial prototype for a digital stamp that could fulfil this purpose in the future. This digital identity is based on TU Delft’s innovative blockchain technology, known as Trustchain. The prototype was demonstrated at a BZK event held on 7 June 2018. After the summer, a consumer trial of this technology will be launched in two Dutch municipalities. Watch the video and read more on: [https://www.dutchdigitaldelta.nl/en/blockchain/tu-delft-helps-develop-digital-id-for-use-on-your-phone]
This is not the only blockchain development on digital IDs. Some examples are TheKey, Civic, BlockAuth, ExistenceID, Sovrin. Just google “Blockchains and Digital Identity” and you will find many more.
As far as I know, none of them have a mainnet live, so we have to make do with apps like "KopieID". And I urge you to use it or make a safe copy manually by making sensitive (combinations of) data illegible and writing the purpose, receiver and date on it.
To everyone: please be aware and stay safe!
To you thinking that this article is exaggerating things and that this won’t happen to you: the combination of data on your passport or ID card is the private key to your life, your existence, and you should keep it as safe as your private key to your crypto wallet(s). Better safe than sorry, and if you can prevent someone using it at your expense in a simple manner, please do!
Sources:
https://www.javelinstrategy.com/coverage-area/2018-identity-fraud-fraud-enters-new-era-complexity
https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime
http://www.vocativ.com/news/241487/fake-passport-prices-black-market/index.html
http://www.government.nl/topics/identity-fraud
http://www.safesmartliving.com/identity-theft-statistics
http://www.scambusters.org/
https://www.politico.eu/article/europes-fake-forged-stolen-passport-epidemic-visa-free-travel-rights/
https://en.wikipedia.org/wiki/Identity_fraud
https://en.wikipedia.org/wiki/Know_your_customer
http://www.justitia.nl/privacy/kopie-paspoort.html
http://wetten.overheid.nl/BWBR0033181/2012-07-12
https://www.rijksoverheid.nl/onderwerpen/identiteitsfraude/vraag-en-antwoord/ben-ik-verplicht-om-een-kopie-van-mijn-identiteitsbewijs-te-geven-aan-een-bedrijf
Great post Eric! An important warning to those of us in the crypto space. It's funny, we're so protective of our Private Keys yet have no problem sending such sensitive documents across the internet for KYC/AML. It's Identity Theft waiting to happen and we as a community need to address the problem before hacks become commonplace.
Thanks Angie. And yes, too many are unaware. And that the risk is real is again demonstrated by the hack of Typeform, used by many ICOs for KYC. This was discovered on June 27. If someone sent KYC information via Typeform, these data could have been stolen.
https://www.typeform.com/data-breach-june-2018/#section_a61e8de4d5c2842f2de14bb016c32e6d
Hope ICOs, Projects and Exchanges take note of this and take their responsibility too.
Very disturbing: HADAX, Huobi and Coinbase don't accept watermarked copies of IDs and do not accept crossed-out sensitive data (e.g. Dutch BSN number). Their support agents don't answer why they don't accept this and why they need specific data.
Fortunately HADAX eventually accepted a copy of the front of my driver's license (BSN number is on the back) but I guess a lot of clients uploaded their IDs without watermark.
We as a community should not accept exposure to Identity Theft as these companies (and many more exchanges, projects/ICOs, brokers, wallets) do.