Topic: KYC methods which make identity theft more difficult - are they possible? (Read 227 times)

They want to know who you are.

They need your ID scan, your selfie, your email, your phone number, sometimes proof of residency…

I don’t think they will give up on any of these. The war is already lost pretty much. Just have fun while they still allow you use cash and make p2p trades. Soon that will be gone too.

They won’t budge. Only take more from us. Unless…

They get a nice punch in the mouth.

We can't change the methods of identity verification since they are not in our hands. The verification companies should change their policy on how to protect users from stealing their identities. If users data doesn't store any online storage, then it's impossible to steal their identity. It's a pretty simple solution that should be taken by verification companies. After completing the verification process, documents should be stored offline with a reference number. So that could be accessed and found by authorised persons only. Any other solution won't work perfectly for online verification. And offline verification is unrealistic for such a wide range of crypto services.

I'm not the biggest expert in this area, but AFAIK, three online services are being used by most crypto companies for online verification.
Jumio, Onfido and ID.me(there might be more, but these are the most popular according to my personal experience). I can assume that these three verification services are the ones storing ID and selfie photos and they are required to keep them safe from hackers.
It would be a total nightmare, if all centralized crypto exchanges were keeping sensitive personal data submitted by their own users.
Anyway, I have no idea how to make KYC more user-friendly. KYC has always been a pain in the a*s for me. You can't make the process of sharing sensitive personal data "more user-friendly", because nobody wants to share his/her personal data over the internet.
It's like trying to make the process of going to a dentist more pleasant. Even if it becomes more pleasant, nobody would want to go to a dentist.

Of course.

One could ask what is better, use services which do the KYC themselves, or those who pay a third party authentication service?

In general, I think I'd prefer the third-party service, because they should work with the newest standards regarding identity theft protection and storage of the documents. Ideally, they wouldn't even need to store them, only to give an "OK" to the service provider, that the data of their users is correct. And the "verified data" items should also be stored more safely, of course.

One could argue that identity verification services could be an especially interesting target for hackers to steal identities, but I guess these would target mainly "DIY KYC" crypto services and smaller specialized KYC services knowing that their practices aren't on the newest state of the art. Only in the case of a big, established service provider I'd accept them to do KYC themselves.

The problem is of course that often you don't even know who does the KYC verification - the crypto service provider or a third party, and which third party. So you don't know whom you'd have to trust. It is definitely better if the provider clarifies this on their website or in their ToS.

I thus agree that there are many problems with KYC and it should be avoided if possible. But for some service categories it's difficult, and thus I continue to think that thinking about "best practices" - or better: "least worst practices" - isn't a bad idea.

Not only in employees, trust must also exist on the side of companies that do KYC.
This will certainly have repercussions for the long term, as they keep high-resolution copies of KYC, and all identities are clear.
There have been many incidents of many people's identities being leaked or even sold to other companies that are usually engaged in insurance, hospitality and tourism and such.

Of course, you have already received calls from unknown numbers and offers insurance services, discounts on hotel room reservations and obscure seminars.
The issue of KYC is complex, and there is still no way out for consumers to be completely safe and trust that their identity is not misused.
For those who are quite skeptical and put privacy first, of course there will be no good methods, they will not give real identities casually.

I think, you can imitate the method of "Kim Jong-Un", this will be a trustable verification in a while, and your real identity will be safe from theft. Here's how (don't be surprised...lol)
https://twitter.com/zachxbt/status/1655929037770899457
I'm sure there are many well-known platforms out there that still have weak verification systems.

In all KYC schemes some trust is needed to the employees of identity services. The problem is that if a services store a high-resolution images of its users and their ID documents, if they get leaked much more harm can be done than with basic info or low-resolution ID document copies.

No, it's not needed normally. For example website owners often can simply access their servers via SSH which uses a simple asymmetric encryption scheme, you store your public key on the server and authenticate with your private key stored on your device. (Well, and also Bitcoin works this way )

The same principle can be used for all kinds of communication. If the customer has a Nostr account (an open source social network), then he can identify simply with his private key and exchange messages, chats etc. so this could be even used for "contact".

The big advantage to use a Nostr-like system to authenticate instead of email is that the user can create as many Nostr accounts as he wants, and everything is done on his own computer, so there is no intervention from a third party like an e-mail provider. So it's much easier to create one account for each KYC service you use, and thus for hackers it's more difficult to link the data together and build identities.

That this kind of registration isn't very popular for typical "massive" internet (and also crypto) services is true, but technically it's absolutely no problem.

He is not making a new North Korea. KYC procedures will widely be implemented in many services, it's inevitable because majority of people have no problem with it and even vote for it to get rid of money laundering and illegal activities because they think that KYC procedures will really get rid of it (while it won't) and have no problem if their data is leaked.

---

I think there is no safe way to make it difficult for thieves to use your stolen identity because it's super easy to get rid of watermark and with the advancement of AI in graphics, it's really becoming superior. Here is a new problem: https://cointelegraph.com/magazine/deepfake-deep-throat-woke-grok-open-ai-problem-fetch-ai-ai-eye/

Possible, but there are still chances that someone who work to these sectors can make a copy of your data with a work of phone's camera. Maybe not your photo ID, but your basic info can still be used to trick you especially to those who want to scam you, or hack your bank accounts.

There's no such thing here, especially in my area, even the basic requirement in schools as parents needs your phone contact, how much more on those info verification, they always needs contact info, so either email or phone will always be a requirement. Not unless you input a wrong email or phone there

What every KYC verification service needs is to encrypt every data that was sent to their server like a 2-3 multi private keys needed in order for them to retrieve such data from their server.

There are some blockchain solutions that allow verification that proves you are a real person ^{(not a bot)} without exposing your real identity.
I don't know of any other method for verification that is used anywhere else, but I guess in theory personal information can be split in several parts, encrypted and kept on blockchain.
That would mean there is no single point of failure, and nothing could be hacked to steal your data, except maybe getting partial information.
IPFS aka InterPlanetary File System, or something similar, could be used for storing information like this.

theymos' ideas are interesting, thanks. They seem a bit technical though - many users would chose to use non-KYC services instead. Such a protocol could however be fully automated, I guess.

1miau's thread was already linked to in the OP

Mmh, I don't know. Identity theft has many stages, you have to first create a fake (or real) identity linking different data items together (email address, name, photo, ID number, etc.), and only then you can "use" it on a service. The "non-email" method, for example, attacks the "identity creation" stage, as it makes it more difficulty to create links between data sets, and normally many items are needed to really steal the identity. So I think the title isn't that bad as I'm interested in techniques which make the whole "identity theft" process more difficult.

I think there are services allowing that. Kraken for example allows photo upload, mobile device, or webcam. But just Kraken's method (require ID and photo separately, i.e. a photo without the ID nor the name of the service/date) is one of the worst, because these items can simply be used without any particular modification if the hacker is able to connect the identities, it doesn't require "faking skills".

Of course I'm Kim Jong Un

As a more serious reply: It might be possible to use non-KYC services exclusively, but I believe not even 10% of Bitcoin users are doing that. Even "oldtimers" used Mt Gox. For the remaining 90%, they have to suffer some form of KYC sometimes when they deal with Bitcoin services. Thus, it's not a bad idea to point out KYC methods which make identity theft at least a little bit more difficult, so people can actively select services offering them, instead of relying to methods like an ID photo which can be simply stolen and used on another service.

The paradox thing is that some of these ideas seem "intrusive" at a first glance, like submitting a selfie with ID, but a selfie with ID is already a little bit safer than the ID photo itself.

Thanks for the link to the "street selfie" idea, didn't know that. Lol. That's of course totally over the top, even if it is simply an extension of the "link image with service name/date" technique to make identity theft even more difficult.

What apple is trying to implement will not eliminate totally the risks associated with KYC, especially data leakage. But then, their proposed solution will only centralize the data in one central server of the government thereby having only one point of failure. This obviously has some advantages and disadvantages.

The advantage will be the legal implications of it, which will try to protect the right of the person who is completing KYC.
While the disadvantage will be risk of attack. Since there's only one central point of KYC, hackers and criminals will channel all their energy to that point and who knows, they can hit the jackpot.

Unless there is a government entity trying to preserve user data, there will always be exposure to a third party. There are some solutions that Apple is trying to provide, and I hope that countries will push them, which is establishing a government company that verifies your data and then sends confirmation to these third parties that you are the user in question for a small fee. In this way, you will ensure that your data does not leave one party and that this party can be held legally accountable if the data is leaked, but I do not think that such government agencies exist.

about email use protonmail paid service It allows you to create dozens of alternative emails using the same email, which forward messages to the primary email without revealing it.

Perhaps the title should be changed to "KYC methods which make using stolen identities more difficult" because this certainly doesn't do anything about identity theft itself.

Camera and taking a live photo of your ID is still a good method. But I have always wondered, why not support webcams as well? Since everyone is videoconferencing with them nowadays, it doesn't hurt to allow verification with a desktop or laptop.

I don't think there's anyone yet discover to make identity theft difficult, if you're using a centralized exchange, there are two risk involved, your informations with the exchange are not safe, it could be intruded while the exchange itself could be under attack or go through censorship which does not gives you as well your own privacy, so there's nothing that could make it difficult for your identity to be more difficult to be under any attempts for theft or hack, except you choose to go by other means.

Nice one, but you might be in another world right now as what you are pointing out is no longer possible in the current dispensation. The world is revolving, and at this stage, individuals, companies and even governments are becoming more digital, no one wants to be left behind, and for this, we do not have any choice but to embrace reality and work on the security and privacy of the kept data. This is the price we have to pay for the advancement and the benefits of technology as technology itself is not bad but we human beings using it.

Although the offline methods and others could give some layers of security, still, I tell you they are not absolutely safe as well, they can only limit the possibility of identity theft. There have been cases where the employees of the company you give your details and documents to duplicate, sell them or use them for other means.

Details and documents are not 100% safe when a third party is ever involved, your suggestion can only limit the damage, that's what I want you to know.

So... you're suggesting we should trust in centralization?

Offline verification service, registration without email or phone number, selfies with dates, street selfies, what next? you just trying to make a new North Korea to adopt a very strict rules and if someone not follow it, he would get a shot by unknown sniper.

Nothing different to NFTs and everyone can know your face, locations etc they might able to know your net worth too.

I agree with risk from registration with email addresses or phone numbers. Non-tech users usually use one or two email addresses for multiple platforms that destroy privacy and even anonymity..

Theymos used to share his opinion on it and 1miau has an excellent thread on risks of KYC.

• Why KYC is extremely dangerous – and useless

The whole mixer discussion and also the ever-tightening regulations of Bitcoin/cryptocurrency services let me think about if KYC at least could be more friendly. Particularly, if there are practices and methods which don't allow hackers to steal the identity of the service users, or to link different personal data together.

Of course in general I strongly prefer non-kyc services (for well-known reasons - read this excellent thread by 1miau). But in particular for the fiat-Bitcoin on- and offramping step the services are limited, above all in some lesser-known currencies.

In reality, not the KYC data collecting itself is the most problematic step, but the verification process, which often involves images and videos of the user and his/her documents.

So here I want to collect methods and "best" or "least worst" practices which at least make it more difficult to facilitate identity theft.

- Offline verification services. In some countries "old-style" verification methods exist, like Postident in Germany. In these cases you go to a store, show your ID document, and the store employee thus confirms to the service provider that you are the person you impersonate. Sometimes, a copy of your ID document or passport has to be delivered, which makes the whole process a bit more vulnerable if this is stored digitally, but on the whole I think these methods are still preferrable because a black-and-white passport copy has often low resolution and would not be useful for a criminal trying to get an online KYC verification with your data.
- Registration without email or phone. While email addresses or phone numbers seem not to matter that much if you have to submit an ID photo, selfie or video, they are elements which could be linked to the rest of your data, making the construction of a fake identity easier. Thus, a registration based, for example, on a public key/private key pair (like on the Nostr network), is a little bit less dangerous.
- Selfies with dates and service names on paper (to link the photo/video to the registration date and the service). This is actually quite common, but I guess with the advent of AI imagery tools it is less efficient than it was before. (Edit: There are variants like a Street selfie where even more items are required to be present in the selfie like a sign with the street address, but these seem overly intrusive and carry other dangers, so I don't want to point out them as "good" examples here, even if they might make an identity theft more difficult too).
- Transparency - it should be clear who does the KYC verification and who stores the personal data - the service provider itself or a third party, and data about the third party should be provided in the ToS of the service (Providers located in countries where the GDPR or other restrictive data protection laws exist should offer this).

Do other such methods exist which still allow an trustable verification making identity theft difficult? Are there examples in the Bitcoin/crypto service world?


I could imagine methods based on cryptography, where an image for example can only be considered valid if the user signs it digitally together with a message that links it to a service and date. It would be basically the "digital variant" of the third method mentioned above. But the problem here is that this would have to be an universal standard, because the photo could also be used on another service which requires it.