Author

Topic: KYC methods which make identity theft more difficult - are they possible? (Read 352 times)

legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
-snip-
Well I think you mean exactly the same method I mentioned in the last post, isn't it?

Basically it means outsourcing the KYC to the bank, which is perfectly reasonable, as banks normally have a strict KYC but also are relatively trustworthy, at least it is less likely that your KYC data at a bank will be hacked, and most people already have a bank account so they would have done the KYC anyway.

To a nice extent this method method makes it harder for attackers to use a stolen bank account because the random amount would  be difficult to guess the transaction would require the interaction of the user and the verification service checks multiple factors and necessary details like (amount, sender, recipient, and user confirmation), this adds an extra layer of security.
The problem is that if the account is really stolen, and the hacker has got access to its online banking, then he can pass the test.

That's why I proposed to do it two times with at least 15, better 30 days in-between. After the first "pass", the account gould get only access for crypto activities, so it's ensured that a hacker can't compromise the bank account further (e.g. transferring money to the exchange to buy Bitcoin and then exchange it to Monero or CoinJoin it). Only after the second "pass" it becomes extremely unlikely that the legitimate owner wouldn't notify the bank and the authorities, and thus only then the "fiat ramp" should be enabled.

Actually this is very similar how on some P2P exchanges you can make sure that you're not selling to someone with a stolen bank account: if the hash of its bank data is integrated in the account information and has a certain age.

There may be still a problem: if a hacker is able to open a bank account with fake data from a different person. This has happened with some "online banks" with a KYC process vulnerable to such practices, like those that only require a single ID photo. So for higher limits it may be needed to repeat the process again every couple of months, because with every month that passes, the probability that the person to which the data belong notices the problem decreases.
sr. member
Activity: 448
Merit: 560
Crypto Casino and Sportsbook
I bump this topic because I still consider it important, and would like to read more about "safe" KYC methods.
Nice One d5000.
Another possible way is transaction authentication wit a random amount. This method is quite ok and I've used it a couple of times.
For this method the verification service generates a random unique amount let's say a small but unique amount like $0.23 or $1.17. Then the user  initiates a transfer of the exact random amount from their bank account to a particular given account which would be provided by the verification service.
After  that the verification service can then proceed to check the transaction details, ensuring the amount, sender, and recipient match. The user then confirms the transaction, either by logging into their bank account or through a secure channel.

To a nice extent this method method makes it harder for attackers to use a stolen bank account because the random amount would  be difficult to guess the transaction would require the interaction of the user and the verification service checks multiple factors and necessary details like (amount, sender, recipient, and user confirmation), this adds an extra layer of security.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
I bump this topic because I still consider it important, and would like to read more about "safe" KYC methods.

I've actually forgot one of the most popular methods before the "KYC craze" in recent years, which also is okay for me: Prove you own a bank account. This is mostly done the following way: The service sends a small amount, or a code, to you via a bank transfer. If you are able to provide that code or the exact amount, that proves that the bank account is under your control.

I suspect that this method wasn't deemed enough in recent years because of the rampant problem with stolen bank accounts. But there would be actually an almost 100% safe method: Make the user prove his ownership of the bank account twice, about 30 days between the first and the second time. If the bank account was stolen, it is almost impossible that the criminal would be able to submit that proof twice because the owner of the account for sure would have already gone to the police, or at least contacted the bank to block the account.

I've added this method to the OP. Posts about more methods, even those only locally available, are highly appreciated Smiley
legendary
Activity: 3276
Merit: 2442
They want to know who you are.

They need your ID scan, your selfie, your email, your phone number, sometimes proof of residency…

I don’t think they will give up on any of these. The war is already lost pretty much. Just have fun while they still allow you use cash and make p2p trades. Soon that will be gone too.

They won’t budge. Only take more from us. Unless…

They get a nice punch in the mouth.
legendary
Activity: 2408
Merit: 2226
Signature space for rent
We can't change the methods of identity verification since they are not in our hands. The verification companies should change their policy on how to protect users from stealing their identities. If users data doesn't store any online storage, then it's impossible to steal their identity. It's a pretty simple solution that should be taken by verification companies. After completing the verification process, documents should be stored offline with a reference number. So that could be accessed and found by authorised persons only. Any other solution won't work perfectly for online verification. And offline verification is unrealistic for such a wide range of crypto services.
hero member
Activity: 3164
Merit: 937
I'm not the biggest expert in this area, but AFAIK, three online services are being used by most crypto companies for online verification.
Jumio, Onfido and ID.me(there might be more, but these are the most popular according to my personal experience). I can assume that these three verification services are the ones storing ID and selfie photos and they are required to keep them safe from hackers.
It would be a total nightmare, if all centralized crypto exchanges were keeping sensitive personal data submitted by their own users.
Anyway, I have no idea how to make KYC more user-friendly. KYC has always been a pain in the a*s for me. You can't make the process of sharing sensitive personal data "more user-friendly", because nobody wants to share his/her personal data over the internet.
It's like trying to make the process of going to a dentist more pleasant. Even if it becomes more pleasant, nobody would want to go to a dentist.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
Not only in employees, trust must also exist on the side of companies that do KYC.
Of course.

One could ask what is better, use services which do the KYC themselves, or those who pay a third party authentication service?

In general, I think I'd prefer the third-party service, because they should work with the newest standards regarding identity theft protection and storage of the documents. Ideally, they wouldn't even need to store them, only to give an "OK" to the service provider, that the data of their users is correct. And the "verified data" items should also be stored more safely, of course.

One could argue that identity verification services could be an especially interesting target for hackers to steal identities, but I guess these would target mainly "DIY KYC" crypto services and smaller specialized KYC services knowing that their practices aren't on the newest state of the art. Only in the case of a big, established service provider I'd accept them to do KYC themselves.

The problem is of course that often you don't even know who does the KYC verification - the crypto service provider or a third party, and which third party. So you don't know whom you'd have to trust. It is definitely better if the provider clarifies this on their website or in their ToS.

I thus agree that there are many problems with KYC and it should be avoided if possible. But for some service categories it's difficult, and thus I continue to think that thinking about "best practices" - or better: "least worst practices" - isn't a bad idea.
legendary
Activity: 2716
Merit: 1859
Rollbit.com | #1 Solana Casino
Possible, but there are still chances that someone who work to these sectors can make a copy of your data with a work of phone's camera. Maybe not your photo ID, but your basic info can still be used to trick you especially to those who want to scam you, or hack your bank accounts.
In all KYC schemes some trust is needed to the employees of identity services. The problem is that if a services store a high-resolution images of its users and their ID documents, if they get leaked much more harm can be done than with basic info or low-resolution ID document copies.
-snip-
Not only in employees, trust must also exist on the side of companies that do KYC.
This will certainly have repercussions for the long term, as they keep high-resolution copies of KYC, and all identities are clear.
There have been many incidents of many people's identities being leaked or even sold to other companies that are usually engaged in insurance, hospitality and tourism and such.

Of course, you have already received calls from unknown numbers and offers insurance services, discounts on hotel room reservations and obscure seminars.
The issue of KYC is complex, and there is still no way out for consumers to be completely safe and trust that their identity is not misused.
For those who are quite skeptical and put privacy first, of course there will be no good methods, they will not give real identities casually.
hero member
Activity: 2212
Merit: 670
Signature designer - start @$10 - PM me!
Do other such methods exist which still allow an trustable verification making identity theft difficult? Are there examples in the Bitcoin/crypto service world?
I think, you can imitate the method of "Kim Jong-Un", this will be a trustable verification in a while, and your real identity will be safe from theft. Here's how (don't be surprised...lol)
https://twitter.com/zachxbt/status/1655929037770899457
I'm sure there are many well-known platforms out there that still have weak verification systems.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
Possible, but there are still chances that someone who work to these sectors can make a copy of your data with a work of phone's camera. Maybe not your photo ID, but your basic info can still be used to trick you especially to those who want to scam you, or hack your bank accounts.
In all KYC schemes some trust is needed to the employees of identity services. The problem is that if a services store a high-resolution images of its users and their ID documents, if they get leaked much more harm can be done than with basic info or low-resolution ID document copies.

There's no such thing here, especially in my area, even the basic requirement in schools as parents needs your phone contact, how much more on those info verification, they always needs contact info, so either email or phone will always be a requirement.
No, it's not needed normally. For example website owners often can simply access their servers via SSH which uses a simple asymmetric encryption scheme, you store your public key on the server and authenticate with your private key stored on your device. (Well, and also Bitcoin works this way Smiley )

The same principle can be used for all kinds of communication. If the customer has a Nostr account (an open source social network), then he can identify simply with his private key and exchange messages, chats etc. so this could be even used for "contact".

The big advantage to use a Nostr-like system to authenticate instead of email is that the user can create as many Nostr accounts as he wants, and everything is done on his own computer, so there is no intervention from a third party like an e-mail provider. So it's much easier to create one account for each KYC service you use, and thus for hackers it's more difficult to link the data together and build identities.

That this kind of registration isn't very popular for typical "massive" internet (and also crypto) services is true, but technically it's absolutely no problem.
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
Offline verification service, registration without email or phone number, selfies with dates, street selfies, what next? you just trying to make a new North Korea to adopt a very strict rules and if someone not follow it, he would get a shot by unknown sniper.
He is not making a new North Korea. KYC procedures will widely be implemented in many services, it's inevitable because majority of people have no problem with it and even vote for it to get rid of money laundering and illegal activities because they think that KYC procedures will really get rid of it (while it won't) and have no problem if their data is leaked.

I think there is no safe way to make it difficult for thieves to use your stolen identity because it's super easy to get rid of watermark and with the advancement of AI in graphics, it's really becoming superior. Here is a new problem: https://cointelegraph.com/magazine/deepfake-deep-throat-woke-grok-open-ai-problem-fetch-ai-ai-eye/
hero member
Activity: 1554
Merit: 880
pxzone.online
- Offline verification services.
Possible, but there are still chances that someone who work to these sectors can make a copy of your data with a work of phone's camera. Maybe not your photo ID, but your basic info can still be used to trick you especially to those who want to scam you, or hack your bank accounts.

- Registration without email or phone].
There's no such thing here, especially in my area, even the basic requirement in schools as parents needs your phone contact, how much more on those info verification, they always needs contact info, so either email or phone will always be a requirement. Not unless you input a wrong email or phone there

What every KYC verification service needs is to encrypt every data that was sent to their server like a 2-3 multi private keys needed in order for them to retrieve such data from their server.
legendary
Activity: 2212
Merit: 7064
Do other such methods exist which still allow an trustable verification making identity theft difficult? Are there examples in the Bitcoin/crypto service world?
There are some blockchain solutions that allow verification that proves you are a real person (not a bot) without exposing your real identity.
I don't know of any other method for verification that is used anywhere else, but I guess in theory personal information can be split in several parts, encrypted and kept on blockchain.
That would mean there is no single point of failure, and nothing could be hacked to steal your data, except maybe getting partial information.
IPFS aka InterPlanetary File System, or something similar, could be used for storing information like this.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
...
theymos' ideas are interesting, thanks. They seem a bit technical though - many users would chose to use non-KYC services instead. Such a protocol could however be fully automated, I guess.

1miau's thread was already linked to in the OP Smiley

Perhaps the title should be changed to "KYC methods which make using stolen identities more difficult" because this certainly doesn't do anything about identity theft itself.
Mmh, I don't know. Identity theft has many stages, you have to first create a fake (or real) identity linking different data items together (email address, name, photo, ID number, etc.), and only then you can "use" it on a service. The "non-email" method, for example, attacks the "identity creation" stage, as it makes it more difficulty to create links between data sets, and normally many items are needed to really steal the identity. So I think the title isn't that bad as I'm interested in techniques which make the whole "identity theft" process more difficult. Wink

But I have always wondered, why not support webcams as well? Since everyone is videoconferencing with them nowadays, it doesn't hurt to allow verification with a desktop or laptop.
I think there are services allowing that. Kraken for example allows photo upload, mobile device, or webcam. But just Kraken's method (require ID and photo separately, i.e. a photo without the ID nor the name of the service/date) is one of the worst, because these items can simply be used without any particular modification if the hacker is able to connect the identities, it doesn't require "faking skills".

So... you're suggesting we should trust in centralization?

Offline verification service, registration without email or phone number, selfies with dates, street selfies, what next? you just trying to make a new North Korea to adopt a very strict rules and if someone not follow it, he would get a shot by unknown sniper.
Of course I'm Kim Jong Un Wink

As a more serious reply: It might be possible to use non-KYC services exclusively, but I believe not even 10% of Bitcoin users are doing that. Even "oldtimers" used Mt Gox. For the remaining 90%, they have to suffer some form of KYC sometimes when they deal with Bitcoin services. Thus, it's not a bad idea to point out KYC methods which make identity theft at least a little bit more difficult, so people can actively select services offering them, instead of relying to methods like an ID photo which can be simply stolen and used on another service.

The paradox thing is that some of these ideas seem "intrusive" at a first glance, like submitting a selfie with ID, but a selfie with ID is already a little bit safer than the ID photo itself.

Thanks for the link to the "street selfie" idea, didn't know that. Lol. That's of course totally over the top, even if it is simply an extension of the "link image with service name/date" technique to make identity theft even more difficult.

legendary
Activity: 1288
Merit: 1081
Goodnight, o_e_l_e_o 🌹
There are some solutions that Apple is trying to provide, and I hope that countries will push them, which is establishing a government company that verifies your data and then sends confirmation to these third parties that you are the user in question for a small fee. In this way, you will ensure that your data does not leave one party and that this party can be held legally accountable if the data is leaked, but I do not think that such government agencies exist.

What apple is trying to implement will not eliminate totally the risks associated with KYC, especially data leakage. But then, their proposed solution will only centralize the data in one central server of the government thereby having only one point of failure. This obviously has some advantages and disadvantages.

The advantage will be the legal implications of it, which will try to protect the right of the person who is completing KYC.
While the disadvantage will be risk of attack. Since there's only one central point of KYC, hackers and criminals will channel all their energy to that point and who knows, they can hit the jackpot.
legendary
Activity: 2702
Merit: 4002
Unless there is a government entity trying to preserve user data, there will always be exposure to a third party. There are some solutions that Apple is trying to provide, and I hope that countries will push them, which is establishing a government company that verifies your data and then sends confirmation to these third parties that you are the user in question for a small fee. In this way, you will ensure that your data does not leave one party and that this party can be held legally accountable if the data is leaked, but I do not think that such government agencies exist.

about email use protonmail paid service It allows you to create dozens of alternative emails using the same email, which forward messages to the primary email without revealing it.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Perhaps the title should be changed to "KYC methods which make using stolen identities more difficult" because this certainly doesn't do anything about identity theft itself.

Camera and taking a live photo of your ID is still a good method. But I have always wondered, why not support webcams as well? Since everyone is videoconferencing with them nowadays, it doesn't hurt to allow verification with a desktop or laptop.
hero member
Activity: 714
Merit: 521
I don't think there's anyone yet discover to make identity theft difficult, if you're using a centralized exchange, there are two risk involved, your informations with the exchange are not safe, it could be intruded while the exchange itself could be under attack or go through censorship which does not gives you as well your own privacy, so there's nothing that could make it difficult for your identity to be more difficult to be under any attempts for theft or hack, except you choose to go by other means.
hero member
Activity: 882
Merit: 654
Leading Crypto Sports Betting & Casino Platform
Nice one, but you might be in another world right now as what you are pointing out is no longer possible in the current dispensation. The world is revolving, and at this stage, individuals, companies and even governments are becoming more digital, no one wants to be left behind, and for this, we do not have any choice but to embrace reality and work on the security and privacy of the kept data. This is the price we have to pay for the advancement and the benefits of technology as technology itself is not bad but we human beings using it.

Although the offline methods and others could give some layers of security, still, I tell you they are not absolutely safe as well, they can only limit the possibility of identity theft. There have been cases where the employees of the company you give your details and documents to duplicate, sell them or use them for other means.

Details and documents are not 100% safe when a third party is ever involved, your suggestion can only limit the damage, that's what I want you to know.
hero member
Activity: 1148
Merit: 796
So... you're suggesting we should trust in centralization?

Offline verification service, registration without email or phone number, selfies with dates, street selfies, what next? you just trying to make a new North Korea to adopt a very strict rules and if someone not follow it, he would get a shot by unknown sniper.

I could imagine methods based on cryptography, where an image for example can only be considered valid if the user signs it digitally together with a message that links it to a service and date.
Nothing different to NFTs and everyone can know your face, locations etc they might able to know your net worth too.
legendary
Activity: 2310
Merit: 4085
Farewell o_e_l_e_o
- Registration without email or phone. While email addresses or phone numbers seem not to matter that much if you have to submit an ID, photo or video, they are elements which could be linked to the rest of your data, making the construction of a fake identity easier. Thus, a registration based, for example, on a public key/private key pair (like on the Nostr network), is a little bit less dangerous.
I agree with risk from registration with email addresses or phone numbers. Non-tech users usually use one or two email addresses for multiple platforms that destroy privacy and even anonymity..

Theymos used to share his opinion on it and 1miau has an excellent thread on risks of KYC.

BTW, email is a big privacy issue in general. It's too expensive (mainly time-wise) to create new email addresses, but if you use the same one, it creates tons of links. Ideally, you should use one email per service. I've had two ideas in this area:

First, you could create a simple email forwarding service like this:
 - Without registration (but maybe with a tiny fee via eg. Lightning), take a user's email address, generate a random key, and use the random key to encrypt the email address.
 - Also encrypt the email address with a server secret.
 - Give the user an email address of the form [email protected]
 - When the service receives email at a forwarding address, it decrypts the email first using its server secret, and then using the provided decryption key. Then it forwards the email to the email address
 - To destroy forwarding addresses, users could provide the service with both their forwarding address and target address, and the service could then send a confirmation email.

This would be convenient, and it'd fix the problem of services being able to connect users across multiple sites through email-address reuse. But it trusts the forwarder not to log the per-email decryption keys or give up the server secret key. Though if multiple services like this existed, you could chain emails through them to increase security.

My second idea is:
 - The user would be using his own software (like eg. Thunderbird or perhaps prontonmail). From this software, the user could instantly create low-capacity throwaway accounts on the server. Each throwaway account could be (or behave similar to) a POP3 account with low capacity (eg. 50MB) and quick message expiration (eg. 60 days).
 - The client software would use Tor and careful polling to download all of the messages on its throwaway accounts without leaking to the server info about which accounts are connected. To improve anonymity and efficiency, you could perhaps use PIR, or the server could publish hourly/daily bloom filters meant to match email addresses which received mail in the time period. The client software would collect all of the messages into a single inbox for the end-user. Since it polls frequently, the client wouldn't have to worry about the low limits on the individual throwaways.
 - The server could anonymously require a small one-time for each throwaway account by using blinded bearer certificates.

With this, the server shouldn't ever be able to connect any of the accounts together. You could also send mail from the throwaways.

The main thing necessary for this second idea is a really smart email client meant to juggle many throwaways. You also need a cooperative server allowing quick account creation (like cock.li), ideally via an API.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
The whole mixer discussion and also the ever-tightening regulations of Bitcoin/cryptocurrency services let me think about if KYC at least could be more friendly. Particularly, if there are practices and methods which don't allow hackers to steal the identity of the service users, or to link different personal data together.

Of course in general I strongly prefer non-kyc services (for well-known reasons - read this excellent thread by 1miau). But in particular for the fiat-Bitcoin on- and offramping step the services are limited, above all in some lesser-known currencies.

In reality, not the KYC data collecting itself is the most problematic step, but the verification process, which often involves images and videos of the user and his/her documents.

So here I want to collect methods and "best" or "least worst" practices which at least make it more difficult to facilitate identity theft.

- Offline verification services. In some countries "old-style" verification methods exist, like Postident in Germany. In these cases you go to a store, show your ID document, and the store employee thus confirms to the service provider that you are the person you impersonate. Sometimes, a copy of your ID document or passport has to be delivered, which makes the whole process a bit more vulnerable if this is stored digitally, but on the whole I think these methods are still preferrable because a black-and-white passport copy has often low resolution and would not be useful for a criminal trying to get an online KYC verification with your data.
- Proving ownership of a bank account (added Aug. 2024). The service provider sends a very small amount of money (a few cents) to the user and attaches a message. The user has to provide that message to the service. Doing that twice with at least 30 days between first and second time should be safe enough to deter most attempts to "game" that method, e.g. with a stolen bank account.
- Registration without email or phone. While email addresses or phone numbers seem not to matter that much if you have to submit an ID photo, selfie or video, they are elements which could be linked to the rest of your data, making the construction of a fake identity easier. Thus, a registration based, for example, on a public key/private key pair (like on the Nostr network), is a little bit less dangerous.
- Selfies with dates and service names on paper (to link the photo/video to the registration date and the service). This is actually quite common, but I guess with the advent of AI imagery tools it is less efficient than it was before. (Edit: There are variants like a Street selfie where even more items are required to be present in the selfie like a sign with the street address, but these seem overly intrusive and carry other dangers, so I don't want to point out them as "good" examples here, even if they might make an identity theft more difficult too).
- Transparency - it should be clear who does the KYC verification and who stores the personal data - the service provider itself or a third party, and data about the third party should be provided in the ToS of the service (Providers located in countries where the GDPR or other restrictive data protection laws exist should offer this).

Do other such methods exist which still allow an trustable verification making identity theft difficult? Are there examples in the Bitcoin/crypto service world?


I could imagine methods based on cryptography, where an image for example can only be considered valid if the user signs it digitally together with a message that links it to a service and date. It would be basically the "digital variant" of the third method mentioned above. But the problem here is that this would have to be an universal standard, because the photo could also be used on another service which requires it.
Jump to: