{"id":12201,"date":"2024-04-02T12:51:34","date_gmt":"2024-04-02T09:51:34","guid":{"rendered":"https:\/\/forklog.com\/en\/opinion-kyc-is-no-upgrade-but-a-security-hole\/"},"modified":"2024-04-02T12:51:34","modified_gmt":"2024-04-02T09:51:34","slug":"opinion-kyc-is-no-upgrade-but-a-security-hole","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/opinion-kyc-is-no-upgrade-but-a-security-hole\/","title":{"rendered":"Opinion: KYC is no upgrade, but a security hole"},"content":{"rendered":"

In March 2024, the European Parliament\u2019s lead committees approved<\/a> a ban on anonymous transfers of digital assets. The new laws will take effect in three years if adopted by the EU Council and the Parliament.<\/p>\n

<\/p>\n

The team at 50x.com<\/a> argues that blanket user identification will undermine the safety of personal data. Together with the exchange\u2019s developers, we examine why KYC<\/span> does not guarantee the security of services, and where to trade cryptocurrencies without verification.<\/p>\n

What problems KYC creates<\/h2>\n

In May 2023, hardware-wallet maker Ledger unveiled a service to recover private keys via a KYC procedure. Using Ledger Recover, the device splits a seed phrase into three encrypted fragments and sends them to external custodians.\u00a0<\/p>\n

Ledger chief Pascal Gauthier said there was demand for such a service from novice investors:<\/p>\n

\n“The main problem with implementing self-custody of cryptocurrencies is precisely the ability to recover the seed phrase. Most users today either do not own their private keys or put them at risk by using less secure and more complex methods of non-custodial storage and protection of the seed phrase.”<\/em><\/cite><\/p><\/blockquote>\n

The community\u2019s response to Ledger Recover was mixed. For instance, 1inch co-founder Anton Bukov pointed to a breach of the hardware wallet\u2019s security model, which \u201cshould not have an API<\/span> for revealing the seed phrase\u201d.<\/p>\n

Ledger co-founder and former CEO Eric Larchev\u00eaque acknowledged that the government could summon the custodians of encrypted seed fragments to court and gain access to bitcoin.<\/p>\n

\n“This is precisely the vulnerability of services with verification: if you show your passport to restore access to your account, attackers can do the same.<\/em><\/p>\n

KYC and crypto are a toxic mix. They are poorly compatible with each other, both in spirit and purely technically. In TradFi<\/span>, with documents people prove their connection to assets, for example for inheritance of funds or to challenge an illegal transaction.\u00a0<\/em><\/p>\n

In the blockchain nothing can be rolled back. If a hacker breaks into your account, the withdrawal transaction will remain on the network forever. In practice, KYC gives more room for theft rather than the return of assets,” \u2014 note representatives of 50x.com.<\/em>
<\/cite><\/p><\/blockquote>\n

They say a heavy reliance on third parties is why many view verification negatively:<\/p>\n

\n“People with a lot of crypto experience don\u2019t like KYC. Not because they want to evade taxes or launder money. They know that by handing data to an exchange, users lose control over it. How do services store personal information? You cannot know for sure.<\/em><\/p>\n

Ledger is a telling example. In 2020, the email addresses, names and phone numbers of a million people <\/em>leaked<\/em> into the public domain. After that, clients began receiving messages with threats of physical violence. Scammers are still sending them phishing emails.”<\/em><\/cite><\/p><\/blockquote>\n

Crypto exchanges claim that KYC improves the security of client assets: in the event of suspicious activity, platforms will have more ways to identify the account owner.<\/p>\n

In practice, however, staff often check documents inadequately, and users find ways to bypass KYC.\u00a0<\/p>\n

For example, last year on-chain sleuth ZachXBT completed verification on Gate.io under the name Kim Jong-Un and with the email notlazarus<\/span>.<\/p>\n

\n

When stolen funds go to a crypto exchange people like to assume that there is a real person with a real identity tied to an account<\/p>\n

To disprove this I was able to create an account on @gate_io<\/a> and KYC as \u201cKim Jong-Un\u201d with the email \u201cnotlazarus\u201d and within minutes I was verified pic.twitter.com\/oCZLK4hBh9<\/a><\/p>\n

\u2014 ZachXBT (@zachxbt) May 9, 2023<\/a><\/p><\/blockquote>\n