• J
  • No Comments

The Unseen Danger of KYC

We constantly hear the dangers that centralized exchanges face. Stealing of assets is the biggest concern. The remote nature of a crypto hack causes people to feel they’re so vulnerable since inherently, it can come from anywhere. I think there is a bigger threat than a crypto robbery of an exchange. The information that is potentially available to attackers if they are to gain access to crypto exchange data will cause much more damage than funnelling of stolen crypto funds.

Linkability

The linkability of real world identities to crypto addresses make it extremely easy to use publicly available information against someone. With enough data points, an attacker can use websites like people finder or been verified, that host publicly available data to discover the residences of their targets within minutes.

It is only a matter of time before KYC data for some of these larger exchanges are breached. Binance (the world’s largest crypto exchange by volume) has not only suffered a cryptocurrency hack but also recently suffered a KYC data breach, Though their CEO suggested it might have been a third-party that was breached, the customer’s personal data was still linked to binance.

“Data Breaches Happen All the Time”

It seems like every other week there is another data breach. This doesn’t prove that its a natural part of society. People should be their biggest protectors of their own data. Learn from the data breaches and apply what you know moving forward.

Data breaches like the recent Capital One breach, the LinkedIn breach from a few years ago, and Cambridge Anayltica are a few different examples of how varied the data sets are. It doesn’t only affect the private sector. When dealing with this information, many knee-jerk responses beg for more regulation to help “protect” or make it tougher for the bad guys to get this information. Bureaucratic involvement, contrary to popular belief, does not actually solve this. History tells us, even the government cannot protect their own from massive data breaches. Both the Office of Personnel Management Breach and the recent Border Patrol breach , which are very different from the other breaches mentioned above because these governmental breaches also include biometrics.

When you lose access to your biometrics, you obviously can’t change/reset your biometric password. The realization that you will manage your identity better than others puts you in control of what you deem appropriate for your data. Data management by different platforms can be one indicator for someone when choosing a platform.

The issue exists when an end-user is made to forcibly give up data. A response to people involved in Law Enforcement were told they needed to give their fingerprints to justify background searches on potential hires. They are told they need to give their fingerprints or they wouldn’t be hired. When speaking about this topic, I aim to address the root cause. The digitizing of these records make it much easier for someone to gain access from remote locations as opposed to physical copies. You give up convenience for a much more secure setup.

I point out this topic to address the current issue of data that is stored by these centralized cryptocurrency exchanges. New AML/KYC regulation that was introduced with the PATRIOT Act of 2001 created larger barriers that not only institutions needed to comply with but also affected the regular individual on the street. There was KYC/AML regulation that already existed but attacks on U.S. soil gave the government a pre-text to implement the PATRIOT Act in the name of “security”. Funding terrorism was the underlying reason that the government needed to watch how all money was moving throughout the world.

This is THE major focal point of this data management/breach issue. It is the crux of the issue. It is what allows and forces the collection of this sensitive data. It is now mandated across all U.S. exchanges, that there needs to be some kind of KYC/AML information on every end-user if they are planning on using an American crypto exchange. Even if and individual chooses to deposit $5, there must be AML/KYC information on this person.

The institutional players are used to this so they have no worries using legal entities or operations and handing over the information of the legal entities that can protect their identities. The retail crypto user doesn’t have the luxury to have their cash flow through some obscure legal entity to protect their identity so they must give all of this private data away.

How Do Hackers Get this Information?

There are many different attacks that can be launched against a normal company. This includes the various ways attackers can gain access to personal information. When you then consider a company that is holding financial assets that can move cross-border extremely easily as well as a trove of personal data, you can understand why. This article addresses a few of the major reasons why they make such a viable target including: “Monetary gain, human error and security vulnerabilities” Human error can lead to most vulnerabilities but as we’ve seen from specific types of attacks, browser zero day exploits are being used as well.

When there is a data breach, most of the time it can come from a misconfigured server. A public facing server that is misconfigured can allow outside access to the server. Once an attacker gains access to the server, the attacker will attempt to do as much as they can to gain access to whatever information this database is holding. Searchable internet connected devices provided by Shodan gives people the ability to poke around anything that is touching the internet.

If it is connected to the internet and not properly secured/configured for a company’s use case, they’re left vulnerable to people around the world that are looking to exploit this. A crypto exchange has a large target on its back due to all of the information/crypto centralized there, so they have their work cut out for them.

What Do You Have to Lose?

Everything or mostly everything. Barring the crypto assets being stolen from the exchange (I am assuming there is no exchange assets stolen, just the databases managing the exchange accounts). To understand what a data breach of this size/scale would look like, we need to first understand what information is at risk. Assuming that the attackers can collate the data on every user using the breached crypto exchange, the data that could possibly be included in a data set like this would be:

  • physical address

  • photos including images of the account holder/passports/licenses

  • withdrawal addresses (This information tied with the physical address is THE information that a potential attacker would need to carry out monitoring/attempts on your crypto)

  • IP information (This can be mitigated using a VPN but it won’t help obfuscate your KYC information that the attackers also obtain)

  • financials (source of wealth, employer, bank account information) This doesn’t affect every KYC’d account, but the larger accounts will have needed to supply this which would then make these the larger targets.

  • trading activity (trading activity shows how much capital is flowing through the account)

  • login activity

 

“If You Don’t Like it Don’t Use it”

You hear this from people telling you to not use it if you have such a big problem with it. That would be a proper response if there were other options available to use, but there isn’t. If you are on-boarding to an American exchange, you MUST complete the AML/KYC data for the crypto exchange. Its mandatory, there is no way around it. If I took this approach and decided not to use it because I’m worried about my data, I am essentially shut out of buying crypto. The other options are illegal(or near illegal) for U.S. citizens to use(So you are stuck using their monopolistic process or be a [potential?] criminal). This personal data transferal occurs after having done a very similar process with your bank to open an account. Now the crypto exchange must manage this very sensitive personal information for all of their clients as well as their actual business line.

What’s Worse Than Having Your Crypto Stolen?

The picture I helped paint is to build a foundation for what users of these KYC exchanges will face in the near future. The KYC exchange hack that affected some Binance users, the crypto hack of Binance, as well as other exchanges being hacked since the beginning of crypto exchanges shows that they’re very profitable. Now, imagine if that KYC data and account data were to be extracted(No funds lost, just information on the end-user leaked). The implications from this kind of attack are huge. We know there are attacks launched against these exchanges daily. Coinbase publicly came out and spoke about some of these extremely sophisticated attacks just recently. These exchanges aren’t impenetrable and as a security researcher directly involved in data management, it is only of matter of time until there is a breach of this nature. The goal is to keep the damage as minimal as possible.

Once data regarding your personal information/crypto exchange account are breached together, the public is going to be exposed to a data set we have not seen before. Crypto addresses can now be linked to personal identities. These hacks will be publicly available on the dark web and on the clear web soon after. This breached information is indexed into a database, and will allow anyone that obtains this info to then search for anyone in that breach. Your real name/physical address and crypto addresses are now tied together. This gives the attackers and users of this data full access to end-user’s crypto holdings/physical address. Even if end-users have moved funds out of these wallets, attackers can always chase the crypto. This differs if using a private crypto-currency, but I’m sure it wouldn’t be a very big lift to compute how much private crypto an end-user has bought on the breached exchange.

This is even more telling than the information that a blockchain forensics company can compile. This is the exact personal identity of the owner of that address.

The Danger Surrounding this Data Set

We have already seen that attackers are trying to de-anonymize Bitcoin, Litecoin, and other coins similar to them. The aim for these attacks is to obtain the real world identity of these crypto holders and extort funds from them. If attackers are looking to go through an arduous process of de-anonymizing users one at a time, imagine how this data could be leveraged against the users of the breached exchange. It completes 2 steps for the attackers already.

This puts a name to everyone’s crypto address that is using these exchanges. Physical risk now becomes a major threat. It is no longer a string of characters. There are faces and names tied to these addresses(both physical and crypto).

What’s Really at Stake

Bank robbery statistics from the FBI in 2011 show us that the average heist garnered a little more than $7,500.00. Criminals are willing to employ violence/threat of violence to steal money from facilities whose sole purpose is to protect that money. An individual that has their crypto account information leaked alongside their physical address makes it that much easier for an attacker.

There are a few things that can be done but it isn’t very easy. That’s why people opt to use centralized providers. Most KYC data doesn’t change very often. There are a few available options that I’ll touch on but it doesn’t completely remove the risk.

 

What Can I Do Today?

As of today there are solutions (some better than others) to try and mitigate your risk exposure to a breach like this.

Different Crypto Withdrawal Addresses

When withdrawing crypto from an exchange, they document the address you are withdrawing to. To help create a more difficult trail to follow, you should always withdraw to a different address. This only helps hide total amounts from being collated into a single account, and an attacker with some basic technical knowledge shouldn’t have a tough time calculating the total amount purchased by an end-user and also scraping blockchain information to see if the data set matches real world blockchain info. You just create a tougher trail to follow so that you don’t make yourself the lowest hanging fruit.

Scrub the Internet of Public Facing Information

The next suggestion adds a bit more obfuscation to your physical surroundings. This also depends on what information was breached from the exchange. If just your name, a picture of you, and your passport was breached from the site, then this option will be more efficient.

There are ways for people to remove publicly available information from data brokers like the sites I mentioned above. You can go through all of these and begin the process of removing this information one at a time. It is a long tedious process but if it helps put a barrier between you and an attacker then it’s well worth it. Attacks can range from porting your cell phone with the publicly available information to physical attacks to extort crypto from the target.

If your physical address is included in this data set, this process won’t help unless, of course, you don’t live at the residence that is in the data. Like mentioned above, this personal data deletion will be tedious and requires an active approach but it is possible with the right approach, to get rid of the publicly facing data of your personal residences.

Private Cryptocurrencies

Private crypto will obfuscate your total balance that is sitting in your account on the blockchain(as long as they leverage something similar to stealth addresses). Hiding your total balance will hide how much is currently available in your crypto wallet, but (this is only assuming one exchange that an end-user is breached at a time) the attacker can still calculate the amount of times you’ve purchased the private currency on this breached exchange and assume you have, at one point or another held x amount of private crypto. If buying private crypto on an exchange and its breached in an attack like the one posited above, you only have plausible deniability on your side.

True Decentralized Exchanges

This is probably the most beneficial solution to the crypto end-user. True decentralized exchanges like Bisq offer decentralized trading that uses arbitrators and multi-sig accounts to transfer crypto. Information is only shared between the buyer and seller. The upside of an actual DEX is that data is all stored client side, and not in a centralized repository. This makes an attackers job exponentially difficult. An attacker would need access to your device to obtain this kind of information which is a much larger hurdle than gaining access to a database that stores all user information on it.

I say “true” decentralized exchange because many DEX’s that exist today that don’t require your physical address and other sensitive information don’t actually allow fiat on-ramps or they’re focused on tokens only.

Another option besides true DEX’s are exchanges that don’t store information server-side. If there are exchanges like this out there, that’s another potential solution. If there is a breach of this centralized exchange, there isn’t any information for a potential attacker to use against you.

It is only a matter of time before the data in these centralized exchanges (Both KYC and account data/records) are breached and leaked to the public. Once it is out there, that information can’t be taken back. The linkability between identities and personal crypto addresses/holdings is a bigger danger than even losing your crypto because this adds a physical danger dynamic that hasn’t been broached yet. Setting yourself up so that you are not affected by this is the best possible way for you to hedge your crypto holdings from being public record.