How Do We Decentralize KYC Data? Hacker Sells User Data from Major Exchanges

January 23, 2019 / by Angel Reyes

When users enter the crypto space, they may experience the troublesome process required by exchanges and ICOs — know-your-customer (KYC). KYC is the backbone of government oversight on modern financial institutions, aiming to keep tabs on investors and prevent money laundering.

KYC, however, can expose users to identity theft and violate a user’s right to privacy. While certain exchanges have maintained their ideological views and have avoided implementing KYC, many are realizing the necessity of complying with government regulations to continue operation without trouble.

The implications of KYC afflict exchanges and customers alike as darknet market vendor “ExploidDOT” attempts to sell user data from various top exchanges.

According to CCN.com, the hacker posted an ad in July 2018 and has been peddling identity cards, driver’s licenses, social security numbers, and more. The hacker claims to have obtained documents from Bittrex, Poloniex, Bitfinex, and Binance in the hundreds of thousands.

A CCN.com informant claims to have contacted the individual and received sample documents to prove the legitimacy of this claim. While the validity of this claim is difficult to determine, the implications of compromised KYC data exist regardless.

Many jurisdictions have KYC rules that require a multitude of documents that can be used for innumerable malicious activities if stolen. Hackers could easily take out loans or mortgages or purchase items online with available information, spelling disaster for customers.

The necessity to hand over one’s information to numerous centralized companies results in an unmanageable security risk. In the crypto space, this risk is tenfold as numerous dishonest and poorly managed exchanges and projects get user data handed to them on a silver platter. Combined with many users storing their tokens on exchanges, the exposure to hackers and theft has become worrisome.

What can exchanges do about KYC laws though? When caught between upholding ideological beliefs and the full force of powerful governments, often there will be an unfavorable compromise. To not uphold KYC practices would be to sentence budding exchanges to a swift and early death. If this is the case, a workaround that both complies with regulation and preserves privacy and security must be created.

A team at the University of Luxembourg has written a paper detailing a smart contract-based method for decentralized identity management. The proposed “KYCE,” an Ethereum-based smart contract, would use a cryptographic accumulator to store an easily amended whitelist of addresses. Zero-knowledge proofs are used to verify users’ eligibility for different transactions without disclosing their private information to anyone except the KYC provider.

Exchanges or token creators can facilitate KYC-compliant smart contracts that automatically verify each transaction and determine whether a user has sufficient legal permission before executing the order. While this approach still places individuals at the mercy of government regulations, their information is protected by the security of the blockchain and exposure is minimized.
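To make the accumulator idea concrete, here is an added sketch (not code from the paper or from this article) in which a Merkle tree stands in for the paper's accumulator: the KYC provider publishes only a 32-byte root, and a contract checks a user's membership witness against it. The zero-knowledge layer is omitted, so this check reveals the address; the function names and sample addresses are constructed for illustration.

```python
import hashlib

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf(addr: str) -> bytes:
    # Domain-separate leaves (0x00) from inner nodes (0x01).
    return _h(b"\x00", bytes.fromhex(addr[2:]))

def node(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing: a witness is just sibling hashes, no left/right flags.
    return _h(b"\x01", *sorted((a, b)))

def levels(whitelist):
    lvl = sorted({leaf(a) for a in whitelist})
    if not lvl:
        raise ValueError("empty whitelist")
    out = [lvl]
    while len(lvl) > 1:
        # An unpaired last node is promoted unchanged to the next level.
        lvl = [node(*lvl[i:i + 2]) if i + 1 < len(lvl) else lvl[i]
               for i in range(0, len(lvl), 2)]
        out.append(lvl)
    return out

def accumulator(whitelist) -> bytes:
    """Value the KYC provider publishes on-chain: the tree root only."""
    return levels(whitelist)[-1][0]

def witness(whitelist, addr: str):
    """Computed off-chain by the KYC provider; raises ValueError if addr is not listed."""
    lv = levels(whitelist)
    idx = lv[0].index(leaf(addr))
    path = []
    for lvl in lv[:-1]:
        if (idx ^ 1) < len(lvl):      # no sibling when this node was promoted
            path.append(lvl[idx ^ 1])
        idx //= 2
    return path

def verify(acc: bytes, addr: str, path) -> bool:
    """The check a contract would run before executing an order."""
    cur = leaf(addr)
    for sib in path:
        cur = node(cur, sib)
    return cur == acc

# Constructed sample addresses (20 bytes each), not real accounts.
ALICE, BOB, CAROL, MALLORY = ("0x" + c * 40 for c in "abcd")
```

Amending the whitelist changes the root, so witnesses issued against the old root stop verifying, including those of users who remain listed; the provider has to reissue them after each update.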

Additionally, if an external KYC provider were used, exchanges could streamline their signup process and incentivize those new to crypto to take part.

Short of a full crypto takeover of global payment systems, KYC is likely to exist and be required. The best option is to come up with decentralized solutions that are a compromise with existing ones until a paradigm shift allows decentralization to permeate all levels of society.