KYC Compliance Might Get You Hacked
KYC compliance, the regulatory standards that demand to know who you are and what you are doing with your money, are being adopted by Bitcoin exchanges more and more
KYC compliance, the regulatory standards that demand to know who you are and what you are doing with your money, are being adopted by Bitcoin exchanges more and more. But with hacks as large as the OPM hack and the high costs of Identity theft, is this secure?
KYC, AML and ABC (Anti-bribery and corruption) compliance are water to the sharks, whales and bubble fish of the financial industry. The collection of customer identity and activity data is such a tradition that even during a recession, the compliance officer industry is booming. Regulator's role is to pressure banks and exchanges into compliance, while law enforcement attempts to hook onto the bigger fish.
This relationship has intensified over recent years with increased pressure on financial institutions to collect and mine user generated data. This is driven in part by a large uptick of 'financial crimes' and fraud of the legacy financial system.
According to BankTech, “'In 2011 banks and financial institutions generated more than one million SARS (Suspicious Activity Reports), of which the IRS reviewed 775,000. Thus far in 2012, the IRS has reviewed 500,000 SARS with case size in the hundreds of millions of dollars.” Producing a steady income for lawyers and the compliance industry in general.
BankTech adds that “Among the growing and most troubling trends is the double income tax return refund fraud. The IRS has seen a disturbing number of cases of identity theft where social security numbers and other personal information are stolen -- usually by well-organized Eastern European crime networks -- and used to submit a duplicate tax return and claim a refund.” There were 500 cases prosecuted in 2012.
This is believed to be because of growing dependence on the Internet to expand the effectiveness of financial services, both corporate and governmental. Many government websites today take in claims through automated forms, and most major banks are heavy on online banking.
The problem is that their security rests on a foundation that is continually being shaken, that of third parties securely handling customer's personal information. And with online and telephone means of accessing financial services growing, the value of individual's personal information is also on the rise. Particularly to those willing to commit identity theft.
The costs of identity theft
To get an idea of the value of your personal information to malicious actors, we can look at a report from the Beureau of Justice Statistics (BJS), who reported that “identity theft cost Americans $10 billion [in 2013] more than all other property crimes measured by the National Crime Victimization Survey.”
That's right. While identity theft cost Americans $24.7 billion in 2012, losses for household burglary, motor vehicle theft, and property theft totaled just $14 billion, making it the most expensive and by consequence, profitable form of theft.
Here are some take aways from the BJS report, as provided by Business Insider:
- 85% of theft incidents involved the fraudulent use of existing accounts, rather than the use of somebody's name to open a new account.
- People whose names were used to open new accounts were more likely to experience financial hardship, emotional distress, and even problems with their relationships, than people whose existing accounts were manipulated.
- Half of identity theft victims lost $100 or more.
- Americans who were in households making $75,000 or more were more likely to experience identity theft than lower-income households.
The biggest government data breach in history?
On the early days of June, the Office of Personal Management (OPM), dubbed by Fortune as the US Government's human resource department, suffered a data breach that the outlet claims may be “the biggest ever in government history.”
OPM is responsible for storing and managing personal information from government workers in various US agencies, including officials working at the NSA and the Defense Department.
Originally believed to have compromised 4 million people, the estimated number has grown to a staggering 22 million government workers, with some estimates as high as 32 million. With US population about 320 million, that means roughly 15% were hacked.
J. David Cox, president of the American Federation of Government Employees, a union that represents more than 670,000 workers in the executive branch, claimed in a letter obtained by the Associated press that the data files contain “up to 780 separate pieces of information about an employee.”
According to OPM the breach compromised “background investigation records of current, former, and prospective Federal employees and contractors.” The types of information they believe was compromised includes:
- Social Security Numbers
- Residency and educational history
- Employment history
- Information about immediate family and other personal and business acquaintances
- Health, criminal and financial history
- Findings from interviews conducted by background investigators
- Usernames and passwords that background investigation applicants used to fill out their background investigation
- “and other details.”
Basically, everything you need to 'reset your password' or do some unholy social engineering. Most notably, the affected include NSA officials who of course may have privilaged access to information that the agency collects, opening a leak valve that could compromise a lot of the people whom the mass surveillance agency gathers data from.
The CIA was not compromised, given that they keep control of their own records.
Of course, OPM has been criticized as having had ancient security practices and not even encrypting the content gathered as a secondary security measure.
The fact that a crucial government database like the OPM was hacked, does not mean that more responsible organizations will also get hacked. But it does mean that a vast amount of people's information, used to determine just access to government and financial resources, could be used maliciously by the attackers.
Intelligence and Law enforcement officials were quick to point the fingers at china. However, foreign Chinese ministry spokesman Hong Lei criticized the claims as irresponsible and unscientific, saying that “We know that hacker attacks are conducted anonymously, across nations, and that it is hard to track the source,” adding that “It’s irresponsible and unscientific to make conjectural, trumped-up allegations without deep investigation.”
OPM is taking steps to protect the victims from identity theft on a variety of fields. Bringing relief to some. However at least one of the programs require even more personal information to be gathered by another third party, leading to 'frustration' from a portion of the victims.
Authentication without KYC
One of the most beautiful things about Bitcoin and blockchain technology in general, is that it does not require any personal information about its users, to authenticate their ownership. Whomever controls the private keys, which are lately represented by 12 word pass-phrases and other evolving security mechanisms, practically speaking represents ownership. This ownership is enforced by the decentralized consensus of the blockchain.
In centralized exchanges however, the ownership is enforced by the hosts of the exchange, and this seems to mean that they will revert to KYC practices of authentication. The problem that is becoming obvious however, is that holding on to this information raises their risk of being hacked - which is already high, since by definition they hold massive amounts of their user's crypto currency funds.
If a user's private keys are compromised, yes the money is most likely gone and they will have to start fresh with a new, completely different private key set. But if their KYC information is compromised, such as a picture of their passport, their phone number, social insurance number or any other such information, from any of the many agencies that hold a copy, well. Their financial security in such systems could be affected for decades to come.
This must have KYC reliant government and financial services rather nervous about the growing potential for fraud and identity theft.