Media
Overcoming Bias and Prejudice: The Effects of Data Breaches
August 2019
It is a truth universally acknowledged, that a company in possession of good intentions, may nevertheless fall foul to a data breach. With the current models used to comply with regulations, and the stipulations of the regulations themselves, companies are required to store the personal information of customers or users of financial institutions. Know Your Customer (KYC) and Anti-Money Laundering (AML) are necessary to prevent bad actors from being able to use the systems for illicit purposes, but the downsides are making news headlines all too often; hacks or leaks result in personal data being stolen - not to mention the associated risk of significant fines through GDPR that are now being levied against some companies.
This was the unfortunate situation that Binance found themselves potentially facing recently, as an anonymous attacker claimed to have possession of thousands of photos from Binance users’ KYC data. Demanding 300 bitcoin to not release the information, the attacker then posted photos as ‘proof’ on a Telegram group, leading to a slew of angry and concerned customers flooding the Binance twitter feed.
Whilst the attacker posted photos of personal information, it should be noted that the veracity of the documents is not yet established. The appearance of the pictures led people to believe they were real, but Binance responded by pointing out that none of them showed the company watermark, throwing doubt as to whether the documents were real. Binance stated:
“These images do not contain the digital watermark imprinted by our system. Our security team is hard at work pursuing all possible leads in an attempt to identify the source of these images, as it remains unclear where they were obtained.”
Regardless, the authenticity of the leak is somewhat immaterial. Hopefully, the claims are proved to be false, but Binance has already suffered from the mere possibility of a breach. The issue isn’t just if this happened, but that this could happen - and indeed it happens all the time. The fact that Binance is the company in question is unfortunate for them, particularly as the exchange lost 7,000 BTC when it was hacked earlier this year, but really, would anyone be surprised if a major company were to announce a catastrophic data breach tomorrow?
Some of the largest companies in the world have been hacked in recent years (and these are just the events we hear about). If they can’t protect data, how can anyone hope to?
The short answer is; they can’t. At least, not with traditional approaches.
With the current popular models of handing personal information over to other companies, we all acknowledge the risk of a ‘honeypot’ - one hacker’s can’t ignore. There are always methods that will allow a malicious actor to take over a computer, and with computers of financial institutions or large companies, it’s not hard to see why unscrupulous people would aim for the goldmine of information. There needs to be a better method of verifying identity to keep data private whilst preventing hackers from stealing information.
This is precisely the solution Blockpass is working on.
From its inception, Blockpass has been answering the problem of how to prove identity whilst maintaining privacy. The Blockpass Mobile App is the first solution to this. By providing the capability to create, manage and store their own identity on mobile devices, a user is in control of their own data - rather than having a third company act as a custodian to their personal information. Blockpass and verifiers used by Blockpass do no store or keep personal information once the initial verification is done, meaning the user will be the only person in control of their verified identity. To prove this, Blockpass is working with the Blockpass Identity Lab in Edinburgh Napier University to enable Proof of Deletion - showing that a person’s identity is not kept by Blockpass or verifiers. By not holding the information, Blockpass avoids the potential for a hack to steal thousands of people’s personal data - an event we see happen on a regular basis to other companies around the world.
By hosting the data on an individual’s mobile device, the user can be sure they are the ones controlling who has access to their information - sharing it only with the necessary companies when they choose to, and being able to withdraw their information at a later date. This also has the added benefit of reducing the financial incentive for attackers. Mobile phones are becoming increasingly hard to hack, and are fairly secure compared to other devices. Combined with this, there is no ‘honeypot’ of thousands of people’s information for attackers - only one. These two aspects drastically decrease the allure of this to hackers, who will be much more likely to go after more lucrative targets.
But this is just early days for Blockpass. Through our work with the Blockpass Identity Lab, we are researching and developing technologies that will enable the verification of people without revealing a single piece of personal information about them. When this technology is released, there will be no need for personal companies to see or store user information at all. Customers will simply be able to send a certificate saying their KYC and AML checks have been passed and the technology will be able to mathematically prove that this is the case. Providing regulators understand and approve the developments, this could eventually become the norm for KYC and AML checks around the world.
When Blockpass’ goal is fully realised, the type of situation that Binance and so many others have found themselves in will cease to be possible. When a malicious actor claims to have stolen information from a company - the company will be able to show that they never had the personal data to begin with. Once we see this come into effect, data hacks and fines through GDPR that make headlines will become a thing of the past as we use technology to provide a safer and more privacy-focused future.
Sources:
https://cointelegraph.com/news/binance-investigating-kyc-leak-fud-as-user-selfies-allegedly-exposed
https://www.coindesk.com/binance-kyc-issue
https://www.newsweek.com/binance-hack-telegram-kyc-data-extortion-changpeng-zhao-cryptocurrency-bitcoin-1452989
https://www.ccn.com/binance-bitcoin-exchange-kyc-leak/
Whilst the attacker posted photos of personal information, it should be noted that the veracity of the documents is not yet established. The appearance of the pictures led people to believe they were real, but Binance responded by pointing out that none of them showed the company watermark, throwing doubt as to whether the documents were real. Binance stated:
“These images do not contain the digital watermark imprinted by our system. Our security team is hard at work pursuing all possible leads in an attempt to identify the source of these images, as it remains unclear where they were obtained.”
Regardless, the authenticity of the leak is somewhat immaterial. Hopefully, the claims are proved to be false, but Binance has already suffered from the mere possibility of a breach. The issue isn’t just if this happened, but that this could happen - and indeed it happens all the time. The fact that Binance is the company in question is unfortunate for them, particularly as the exchange lost 7,000 BTC when it was hacked earlier this year, but really, would anyone be surprised if a major company were to announce a catastrophic data breach tomorrow?
Some of the largest companies in the world have been hacked in recent years (and these are just the events we hear about). If they can’t protect data, how can anyone hope to?
The short answer is; they can’t. At least, not with traditional approaches.
With the current popular models of handing personal information over to other companies, we all acknowledge the risk of a ‘honeypot’ - one hacker’s can’t ignore. There are always methods that will allow a malicious actor to take over a computer, and with computers of financial institutions or large companies, it’s not hard to see why unscrupulous people would aim for the goldmine of information. There needs to be a better method of verifying identity to keep data private whilst preventing hackers from stealing information.
This is precisely the solution Blockpass is working on.
From its inception, Blockpass has been answering the problem of how to prove identity whilst maintaining privacy. The Blockpass Mobile App is the first solution to this. By providing the capability to create, manage and store their own identity on mobile devices, a user is in control of their own data - rather than having a third company act as a custodian to their personal information. Blockpass and verifiers used by Blockpass do no store or keep personal information once the initial verification is done, meaning the user will be the only person in control of their verified identity. To prove this, Blockpass is working with the Blockpass Identity Lab in Edinburgh Napier University to enable Proof of Deletion - showing that a person’s identity is not kept by Blockpass or verifiers. By not holding the information, Blockpass avoids the potential for a hack to steal thousands of people’s personal data - an event we see happen on a regular basis to other companies around the world.
By hosting the data on an individual’s mobile device, the user can be sure they are the ones controlling who has access to their information - sharing it only with the necessary companies when they choose to, and being able to withdraw their information at a later date. This also has the added benefit of reducing the financial incentive for attackers. Mobile phones are becoming increasingly hard to hack, and are fairly secure compared to other devices. Combined with this, there is no ‘honeypot’ of thousands of people’s information for attackers - only one. These two aspects drastically decrease the allure of this to hackers, who will be much more likely to go after more lucrative targets.
But this is just early days for Blockpass. Through our work with the Blockpass Identity Lab, we are researching and developing technologies that will enable the verification of people without revealing a single piece of personal information about them. When this technology is released, there will be no need for personal companies to see or store user information at all. Customers will simply be able to send a certificate saying their KYC and AML checks have been passed and the technology will be able to mathematically prove that this is the case. Providing regulators understand and approve the developments, this could eventually become the norm for KYC and AML checks around the world.
When Blockpass’ goal is fully realised, the type of situation that Binance and so many others have found themselves in will cease to be possible. When a malicious actor claims to have stolen information from a company - the company will be able to show that they never had the personal data to begin with. Once we see this come into effect, data hacks and fines through GDPR that make headlines will become a thing of the past as we use technology to provide a safer and more privacy-focused future.
Sources:
https://cointelegraph.com/news/binance-investigating-kyc-leak-fud-as-user-selfies-allegedly-exposed
https://www.coindesk.com/binance-kyc-issue
https://www.newsweek.com/binance-hack-telegram-kyc-data-extortion-changpeng-zhao-cryptocurrency-bitcoin-1452989
https://www.ccn.com/binance-bitcoin-exchange-kyc-leak/