
Is KYC (Know Your Customer) Safe?

Source text:

https://bitcointalk.org/index.php?topic=5221497.0

All of us are afraid of losing money due to hacks, scams, our own mistakes or even bad decisions (buying useless shitcoins, selling coins too late or too early, etc). Most topics cover issues such as these. But when it comes to losses, you should be aware that more than money can be lost. By this, I mean identity theft: the theft of personal data of any kind. Protecting this data and paying attention to privacy should have at least the same priority as protecting your money. After all, money is replaceable; it’s "only" a financial loss. Once an identity is stolen, however, the theft cannot be undone.

This is where the issue begins. One of the best ways to protect yourself from identity theft is to understand the false assumptions of KYC. Some crypto services nowadays require their users to undergo so-called “KYC”. KYC means “know your customer” and forces users to send personal documents to a company or organization. This is already becoming a problem, as some companies are very strict and will not allow you to use their services without KYC, even if you just want to purchase crypto worth only a few hundred dollars.

The official purpose of KYC should be to prevent money laundering (known as AML, anti-money laundering) and terrorist financing. Strict KYC and AML were mainly introduced by the US after 9/11 and many countries are guided by the SEC in setting KYC as a requirement. AML existed before but only for institutions and big amounts of money. Average customers were affected only after restrictions introduced by the SEC.
At first glance, KYC sounds good for shutting down criminal activities. Unfortunately, this looks very different in reality. KYC in crypto doesn’t necessarily help to stop money laundering or reduce criminal activity; nor does it help to prevent terrorist financing. On the contrary, KYC endangers our privacy and encourages criminal activities (via KYC scams, identity theft and other means).



KYC is encouraging identity theft

When someone is doing KYC, they are forced to hand over parts of their personal identity to a third party (such as an exchange, ICO, etc). After that point, they aren’t in control of the process anymore and are totally dependent on the third party to handle their sensitive data safely. If something should be hacked, the affected people can't do anything.

Everyone who has concerns about the safety of their data and won’t submit personal information required for KYC is excluded from using the service.

It’s clear that risks for normal users are inevitable when they are forced to give their personal data to unknown people or a centralized service. There is simply no guarantee that our personal data is safe there and even big companies with high security standards can be maliciously hacked.

As with all things in a digitized world, companies / organizations that collect KYC are vulnerable to hacks. We have seen that when big companies like Binance get hacked, the hackers are able to steal a large number of KYC materials.

These are just the events that have been reported. It is therefore not unlikely that this is just the tip of an iceberg of nasty KYC hacks that have not yet been publicly acknowledged, because such knowledge would, of course, harm the business of exchanges or the KYC providers themselves a lot. There is no doubt that professional hackers are developing ways to successfully hack and obtain personal data relevant for passing KYC.

This leads to another problem: with KYC enforcement everywhere, personal documents are becoming a valuable black market commodity and there already exists a huge incentive to hack or steal identities. It is therefore inevitable that a huge illegal market for identities will arise if KYC should be enforced everywhere.
All users who are forced to perform KYC of any sort run the risk of their personal data ending up for sale on the black market. This in turn makes it easy for criminals to purchase "identity packages" on the black market, compiled from hacks, which contain all the data they need to impersonate the user whose data was hacked, and to open an account under their name through which they can perform illegal activities.

Quote

Two days ago ccn.com released an article “Hacked Customer Data From World-Leading Cryptocurrency Exchanges For Sale On The Dark Web?” where on the darknet market called “Dread,” a vendor going by “ExploitDOT” is attempting to sell user data from the know-your-customer (KYC) data top cryptocurrency exchanges ask for, required by most jurisdictions.

Today my colleague contacted the seller who offered him the price 15 USD for each document (passport or ID, proof of address, selfie photo), totaling 45 USD per one person. It is necessary to buy at least 100 KYC identities (together for 4500 USD). The seller was willing to use a trusted escrow service for a crypto transaction which means this offer may be trustworthy.

Source

Hacked identities can be very valuable for criminals, especially if the identity can be tied to other details relevant for crimes against the affected individual. Some of these include:

  • name and physical address (from various documents or bills)
  • government-ID, passports, pictures or selfies
  • biometric data (fingerprint, face- or iris-scan)
  • various data from utility bills, source of wealth, employer or bank account
  • passwords, used e-mail address
  • used crypto addresses including deposits / withdrawals (+ linking other related addresses via blockchain research)


Criminals can use this data in various nasty ways:

  • They can use it to commit criminal activities simply by impersonating the person whose data was hacked and opening an account under their name through which they can perform illegal activities.
  • Criminals can use some of the data to access other accounts of the person whose data got hacked:
    • resetting accounts via e-mail address
    • resetting accounts via biometric data
    • trying to hack other sites using the same password
  • One of the worst aspects of this would be the possibility of a criminal collecting enough hacked data about a person to evaluate how profitable a robbery would be. This would require:
    • the physical address of a victim (obtained from a personal document), and
    • information about their wealth (obtained from deposits / withdrawals on the account from linked crypto addresses, or documents like source of income, source of wealth etc).

    Such a set of data could be enough to assess a victim for a possible robbery. Even if the scammers are located in a different country, they could sell information about “promising robbery targets” to other criminals in the home country of the victim.

  • Alternatively, criminals can collect and match data with other hacked data to make the data set more valuable for resale.


KYC is encouraging scams

In addition to identity theft, KYC offers scammers a new source of profit: a currently rising scam strategy called “KYC scams”, which are executed as follows:

  • Users deposit crypto on a service without requiring KYC.
  • After enough people have deposited, the site announces that KYC is now mandatory and all funds are frozen.
  • The site blackmails users into performing a KYC. If a user does not want to do this, their crypto is lost, seized by the exchange. If the exchange is a scam, they additionally have valuable identity documents of their customers that they could sell or use for themselves.
  • The users have no chance of defending themselves.


The same strategy is also used by bounties, especially altcoin bounties from shitcoin ICOs. Therefore, it is important to be aware of KYC scams. These happen especially with unknown exchanges or shitcoin bounties. It is recommended to use only trustworthy, large exchanges which could not afford to lose their credibility by pulling a KYC scam.

Under no circumstance should users perform KYC for KYC scammers. A reputable exchange will always honor the terms and conditions under which the user has deposited their money, and will send a KYC implementation notification while users can still withdraw funds at lower limits. This way, users have a chance to withdraw their cryptocurrencies without being scammed.



KYC helps scammers stay undetected

KYC is highly appreciated by all sorts of scammers because criminals can remain undetected and continue their illicit activities by just using hacked or stolen identities to pass KYC. When a lot of money is involved, nothing will stop them:

  • There is already a big pool of identity sets on the black market available, mostly from other KYCs hosted or hacked by scammers. The more complete the data sets are, the more valuable they get. To pass a KYC, the criminals only need to acquire the relevant data records on the black market.
  • Additionally, the scammers could also organize an ICO themselves or set up a scam exchange and request a KYC there. They can determine the data they need based on what they intend to do with it later. This would make it possible for criminals to obtain specific KYC data for a selected ICO or exchange.


Somewhat counter-intuitively, some "experts" are now proposing to enforce an even more excessive KYC procedure that crypto service customers must adhere to, including the submission of better quality scans or more data, including biometric data. This line of thinking is utterly wrong because such measures are likely to endanger the safety of users even more:

  • Biometric data (fingerprint, face or iris scan), can also be used for illicit purposes once they end up being hacked by criminals. The damage to those affected is perhaps several-fold worse as biometric data is among the most sensitive that can be disclosed.
  • An improvement in the quality of the submitted data only means that hackers can receive even more accurate and therefore more valuable data. This improved level of quality makes it easier for criminals to impersonate others.
  • Criminals are increasingly starting to reconstruct missing parts based on existing, stolen KYC records. Methods of circumventing video identification, such as “deep-fake videos,” are developing rapidly. The production of realistic masks, which can hardly be distinguished from real people, is another way to fool the identification process. Methods have already been presented at the 2018 35C3 in Leipzig, through which video identification procedures were demonstrated to be circumvented.

    These techniques may be at a very early stage, and their results not perfect, but in principle they are already possible. The prospect of rising profitability in the event that KYC is enforced everywhere excessively incentivizes scammers to develop KYC-faking methods to an even greater degree.

    In principle, only a few criminals are needed: those who are able to verify accounts with hacked data. This service could be sold to other criminals via the darknet, which alone would make it possible to completely undermine a KYC process.



Therefore, if KYC was designed to stop criminals from doing their job, it has already failed miserably. There are probably millions of KYC data sets on the black market, with this number increasing daily as KYC enforcement becomes more widespread.

With the latest emerging techniques for manipulating all online KYC procedures, criminal gangs are well positioned to verify accounts and sell them to other criminals at a high price on the black market. Alternatively, they could simply hack already-verified accounts and sell them.

Therefore, criminals with evil intentions have a large number of options to choose from to circumvent most kinds of KYC practices.



Conclusion: KYC is useless

The primary result of this evaluation is apparent: KYC is not only useless but ultimately encourages what it is supposed to prevent. KYC creates new areas of crime (identity trading of real users) and boosts existing areas of crime (criminals can now go undetected by abusing the identities of innocent users). It also blatantly endangers the privacy and security of all customers.

Therefore, the advertised effectiveness of digital KYC in crypto unfortunately exists only in theory. The community would be better off acknowledging the fact that KYC is not only useless, but also dangerous, and that it promotes crime. Since documents for KYC are sold illegally on the web or are even faked by artificial intelligence, KYC doesn’t actually prove anything anymore.

In fact, KYC is encouraging scams and crime as well as endangering the privacy and safety of all customers through identity theft. This creates a dangerous dynamic for users who are forced to perform a KYC check: tons of personal documents are being collected by criminals and will likely go public in the future to a degree we have not seen before.



How to protect yourself from KYC?

Be careful and try to evaluate whether using the service is really worth risking identity theft, including all of the associated negative consequences. Also be mindful of what addresses you link to an account should it be hacked. Linking your identity with bitcoin / altcoin addresses cannot be undone if someone knows how to associate them.

It is recommended to use trusted services without KYC, like P2P exchanges, or you can trade here on the forum using a trusted escrow.

Avoid KYC for everything else:

  • No KYC for altcoin / shitcoin bounties or altcoin / shitcoin airdrops where the owners are likely scammers or incompetent.
  • No KYC for shitty exchanges where the owners are likely scammers or incompetent.
  • No KYC for low amounts of money where it’s just not worth the risk (this probably includes everything that doesn’t make you rich).


It’s important to point out the dangers of KYC as a preventative measure. After all, it is only a matter of time before a major KYC scandal makes the general public aware of how dangerous and useless KYC actually is. Unfortunately, it will be too late when it happens, and the damage will already be done. You are welcome to link this text so that as many users (and providers) are aware of KYC’s flaws as possible.

In particular, providers who abuse the security of users to fill their own pockets should be aware of their irresponsible behavior.

It is recommended to use a provider that does not request KYC information (or whose limits are justified). This is not only to protect ourselves, but also to support providers who protect their customers.


Final note: I have been writing this text for a while now, since early 2019. In the time since I initially summarized most of the known facts, there have been several informative articles published on the internet that analyze the problems of KYC in detail and call it out.
The points I have made so far have not only been confirmed when reading through these articles, but I have to admit, I underestimated the danger and uselessness of KYC by far in my original version. The technology and the criminal market for KYC are already far more advanced than I feared and are likely to become even more lucrative due to the increasingly excessive enforcement of KYC. Criminal fraudsters have discovered KYC for their own benefit to commit a new strategy of crimes (such as the KYC scam), to conduct identity trades, and at the same time, to continue their criminal activities unnoticed with identities of innocent users.
It would be useful for security, data protection and crime prevention if it was quickly recognized by the public that digital KYC is not a solution, but instead a risk that endangers every innocent user.



Keep in mind:

The digital world isn’t as simple as many people believe. As an average crypto or internet user, you may make many mistakes, but just a single wrong move is enough to cause risk even if everything else is perfect.
Scammers are often intelligent, hiding traces of their activity and taking advantage of misconceptions. One such misconception is KYC for centralized services, which are often easy to attack and bypass.
If we, the average users, don’t care for our privacy, don’t educate ourselves or don’t claim our right of protection from criminals on the web, we may get into trouble very quickly. Privacy means protection from such scammers, and it’s a valuable good which all of us are entitled to claim. Privacy is not a crime, it’s our protection on the web against criminals and a personal right which we should try to secure whenever possible.

Feel free to share this article or translate it to your local board (you can reserve a translation via PM to avoid double translations). There’s a lot of misinformation promoting a non-existent need for KYC, but if people look into the details it'll help the prevention of many crimes and scams.




More interesting articles pointing out the danger of KYC:

https://medium.com/@wilderko/how-does-kyc-aml-pose-a-serious-threat-to-your-privacy-and-should-not-be-used-at-all-88f7acd3f3b

https://medium.com/mycrypto/be-careful-with-your-kyc-documents-978ab532f2be

https://blog.goodaudience.com/the-unseen-danger-of-kyc-e3e1c4448eee