How KYC/AML poses a serious threat to your privacy and should not be used at all
The dark market with KYC documents
Imagine a dark-market web site, where you can choose the identity of any person (of a hundred thousand whose sensitive KYC/AML documents have been leaked), his or her passport/ID, proof of address, selfie including the photo where he or she holds his or her passport. Then you choose a service where you want to be verified using the selected identity. You pay in XMR. In a few minutes or hours, you receive the fully working credentials of the verified account for the given person.
Now you can start laundering millions through this new identity.
Does it sound like a bad dream?
This scenario is technically feasible now.
Two days ago ccn.com released an article “Hacked Customer Data From World-Leading Cryptocurrency Exchanges For Sale On The Dark Web?” where on the darknet market called “Dread,” a vendor going by “ExploitDOT” is attempting to sell user data from the know-your-customer (KYC) data top cryptocurrency exchanges ask for, required by most jurisdictions.
Today my colleague contacted the seller who offered him the price 15 USD for each document (passport or ID, proof of address, selfie photo), totalling 45 USD per one person. It is necessary to buy at least 100 KYC identities (together for 4500 USD). The seller was willing to use a trusted escrow service for a crypto transaction which means this offer may be trustworthy.
It does not matter if this information is true or not. It may be true now, or it may be true in the future. The consequences are the same.
KYC/AML is a severe privacy threat
Let’s analyze the potential consequences:
1. If you have ever used the KYC/AML process of the hacked crypto exchanges, YOUR PRIVACY IS COMPROMISED.
2. Also, anyone can use your leaked personal documents to open any fake account using your name and launder millions of dollars through fake crypto exchange accounts.
We are getting to the situation when globally enforced KYC / AML process may lead to compromise privacy of millions of people. In addition, potential hackers can perform the impersonation attacks with stolen identities.
Let’s think about:
How much harm the globally enforced KYC/AML has already caused or may cause in the future to the privacy of millions of people?
How many criminals and terrorists have been identified and caught thanks to the KYC / AML process?
It is not easy to bypass the KYC/AML process
1. Many KYC/AML processes require your photo with your ID/passport.
The “dark-market” KYC documents package, of course, will contain all necessary verification material — including the photo of persons holding their ID/passport. Everything that was already hacked or could be hacked.
2. You have to use and upload the current up-to-date proof-of-address.
Changing the date in the proof-of-address is probably the easiest thing to do. Some people told me you could use Indian or Pakistani assistants to do that for few dollars.
3. Many crypto exchanges now require video KYC process.
Last month at 35c3 in Leipzig we saw an excellent presentation, how this process can be easily bypassed “Circumventing video identification using augmented reality”. This video provides a step-by-step tutorial on how KYC video streams can be augmented with computer-generated official ID cards, including all visible watermarks.
Of course, any video KYC process can be improved, but this will endanger your privacy even more.
4. Many crypto exchanges require your mobile number verification.
To bypass this requirement, you can buy an anonymous SIM card (in the EU there are still countries where it is possible) or use the service like hushed.com to buy the US/UK anonymous mobile number.
Improving KYC/AML processes will expose your privacy even more!
The expected reaction of exchanges will be to improve KYC/AML processes — to make live video calls with the given persons, to take their fingerprints, face patterns or other biometric material, require other sensitive documents - to improve the authenticity of the verification process.
Finally, you will expose much more sensitive material collecting in one place that can be hacked and misused in the future.
Improving the KYC/AML processes is not a real solution; it will just make KYC/AML even more dangerous privacy threat.
The expanding and omnipresent market with KYC documents makes the authenticity of KYC verified accounts worthless. Everybody can say — I am sorry, I didn’t make these transactions at all, someone misused my identity and made an ugly impersonification attack. I am not responsible for anything.
Logically, you cannot blame anyone for doing anything if everybody can easily copy his identity. You cannot win any legal process, because there is no real accountability.
As security IT expert who is aware of the power of nasty 0-day exploits and 0-day malware, I am wondering why we still don’t have a massive infection of 0-day “child-pornography” malware (ransomware). This malware can compromise millions of computers downloading there a lot of random child porn. The ransomware can blackmail users to pay a ransom or to report their IP address with child porn to the police.
This “child porn” malware infection would cause chaos, police would not be able to distinguish who is a real victim of this malware (especially when the malware will be deleted by itself) and who is a real pedophile. Millions of people would face criminalization because of possession of child pornography. Saving millions of innocent people against the fake criminalization will probably require complete decriminalization of the child pornography.
We should be aware that hacking the exchanges to reveal millions of sensitive KYC documents or spreading 0-day “child porn” malware is a real risk that is definitely technically feasible.
We cannot afford to have any laws that will cause criminalization of innocent people because of impersonification attacks.
Long live decentralized exchanges!
Using any services requiring KYC/AML verification is a privacy threat today and may be an even more serious privacy threat in the future.
Fortunately, you have an option to avoid it — use decentralized crypto exchanges instead which do not intervene to your privacy.
Check the best ones here. The comprehensive list is available here. My favorite one is Bisq that supports direct crypto-fiat and fiat-crypto exchanges without KYC/AML.