The Poly Network hack is a good example of where digital identity is important for crypto

The @PolyNetwork2 hack is the story of an audacious heist (which the hacker might still get away with 👀).

But it's also a story of how the worlds of identity and crypto are intrinsically linked – and will collide even more as regulations change.

A 🧡 from our CTO @ankurb

The hacker behind #PolyNetwork appears to have got lucky far beyond what they expected and didn't have an exit plan.

Getting crypto amounts that large out into fiat is extremely hard, since everything is on ledger and most exit ramps take users through KYC.

(image h/t @trmlabs)

Contrast this with the example of something equally audacious in the world of legacy banking, when North Korea’s Lazarus Group almost got away with stealing $1bn from Bangladesh’s national bank (they got away with $81mn) 💸

The Lazarus heist hackers almost got away with the full $1bn because:

– The attack was timed perfectly, on a weekend, so that bank teams at the Federal Reserve Bank (!) in New York and Bangladesh Bank couldn't talk

– Warning messages weren't passed on because the hackers tampered with the printer (really!)

Can you imagine a blockchain network that only logged/audited messages during business hours on a weekday? 😂

Over the hours and days the #PolyNetwork drama unfolded, firms like @chainalysis were able to track EXACTLY where funds were moving 🕵️

Given the open nature of blockchains, there was an analysis available within hours on how the hack took place from @kelvinfichter

This entire (separate) thread is worth a read 👌

How does this tie back to digital identity?

Even outside the context of a crypto hack, the question "Who ACTUALLY controls this wallet/account?" crops up all the time.

There is a use case for anonymous payments in crypto – but also for payments where the identity of the receiver can be verified.

To take an example, when @cheqd_io took funds in $USDC from partners, we had to get on a Zoom call to receive a small test transfer.

We screenshared to confirm to senders when the transfer went through that we had control of the wallet. Only then did we proceed with the rest.

Imagine if it was possible to verify the identity of both senders and recipients through completely secure and privacy-preserving means.

This is precisely the kind of interaction that #selfsovereignidentity enables for CeFi and DeFi (and so many more!) use cases 💪

Our CEO @fraser_again described the idea of confirmation of payees for crypto transfers and how @cheqd_io's technology can play a role in CeDeFi in this blog post we collaborated on with @unizen_io 👉

"But what about sending crypto transfers only to human-readable wallet destinations, such as .eth addresses?", you ask 🤔

For starters, forget any shred of privacy for transfers in/out of well-known .eth addresses that are tied to your real identity 😔

Also, just because a .eth address was registered at SOME point in time and claimed by a "real" identity (say, by publishing it in Twitter display name) does NOT mean the wallet is still in control of the original owner at a later date.

SSI credentials provide an alternative 🧐

Self-sovereign identity credentials can also provide assurance the credential was *actually* issued to the individual presenting it to someone else.

This is artfully explained by @brent_zundel in this blog post 👉

The crypto industry needs a better way to handle digital identity.

And at the same time, digital identity – which will increasingly move towards a user-centric model – will need business models that crypto rails can enable. 🤓

It remains to be seen whether the remainder of the #PolyNetwork funds is recovered.

We hope it is, for the sake of the community who are anxious about being made whole 🙏🏽

And one day, perhaps, we'll be able to know the ending of this saga…

Originally tweeted by cheqd.io (@cheqd_io) on 13 August 2021.

How banks get away with paying little attention to identity theft

Originally posted via this Twitter thread

The story this week from @mikulaja on how his identity was stolen and used to open bank accounts and loans is a deep dive into the ugly side of how KYC works.

There’s another side to this story of how ID fraud impacts some demographics disproportionately.

The burden of responding to the fallout of ID theft is squarely on the person whose ID is stolen.

Often, the person impacted isn’t even a customer of the financial institution where attempts have been made to open accounts, and therefore it’s low priority for those companies.

He happens to know the finance/fintech space, and had contacts that could elevate the customer support requests to higher-ups. Even then, he found the process challenging and slow.

I wonder how many hours of Jason’s time all this follow-up took 😔

At the best of times, I know many who find dealing with banks anxiety-inducing. If you up the stakes with potential future impact on credit scores etc., those stakes get raised.

Add the hurdles of paperwork, filing requests with police, waiting on hold on customer care

…and pretty soon, you start realising that banks have shifted the burden of this to:

– non-native speakers or immigrants
– anyone with mental health conditions or anxiety issues
– people who simply don’t have the time or patience (many of us)

I say this as someone who has generalised anxiety disorder and ADHD. I could deal with ID theft, since I know the fintech and ID verification space well enough to know how to even start unfucking the situation.

Many people don’t. And so they take the financial hit and move on. The reality is that a lot of fintechs/banks try to meet the bare minimum due diligence needed to open an account, and acknowledge that means there are some scammers in the mix.

They prioritise reducing barriers when signing up for an account since they care about user growth. Even if someone reports a financial crime to law enforcement, it’s so common, so white collar, and so hard to track down that even when people lose $10-100ks the best you get is the paperwork and effort needed to get a police reference number and a 🤷🏽‍♂️ from police. (There’s this phrase from the British show @Line_of_duty that to me sums up the ridiculousness and futility of most financial fraud reporting to the police: “I’ll have to generate a non-crime crime reference number” 🥲😭)

Banks/fintechs typically get fined if they didn’t follow the bare-minimum due diligence process when opening accounts.

They don’t get incentivised or fined for resolving cases where fraud or ID theft actually happens. An example of this is one of the many occasions in which HSBC was fined for failing to do effective AML.

Their solution? Make the bank account opening form 5-6 pages long, with questions like “Are you a terrorist?” and “Are you associated with drug cartels?”

Ridiculous financial regs mean HSBC gets to do minimal checks on top, wring their hands, and say “But we tried and the customer lied to us! 😨”

@sytaylor put this well when he described AML as “a car that doesn’t work 99.9% of the time”

I wish I had screenshots for this form, it was circa 2015-2016 when I was opening an account with HSBC. (It doesn’t look like the form is that long or asks those questions any more.)

Rant over. I’m glad @mikulaja found some semblance of resolution, although it might unfortunately continue to haunt him in the future too. 😔 (I hope it doesn’t)

Thanks to @AnaisCis for connecting us. ❤️ @NateSoffio, you might have some thoughts too on disproportionate impact 🤔

Actually, one more thing: @mikulaja rightfully calls out the lack of data sharing on fraud and/or a reluctance to pay for commercial tools that track this as a reason why fraudsters can get away with targeting this kind of fraud at companies they know have lax policies.

Data sharing about fraudsters, and even more intrusive forms like sharing biometrics of known fraudsters (👋🏽@hare_brain), is a big priority for large banks.

But it’s also very inequitable, because this kind of denylist is even more opaque than credit rating agencies, with no redress.

While banks are a whole lot more secretive about this kind of data sharing, one good example of this in a different sector is how bars/nightclubs often participate in secret biometric denylists of punters they’ve banned.

Maybe the people who are on the list “deserved” it. But who’s to check? You could’ve looked at the bouncer the wrong way, or turned down advances from someone, which led to them vengefully banning you.

Applying the same principles to banks could lead to financial exclusion 😕