To KYC or not to KYC (in reference to ICOs)

in #bitcoin, 7 years ago (edited)

What is KYC in the first place



Those who already know this may skip this section and head to the KYC issues and my guidance sections further below.

KYC is an abbreviation for Know Your Customer. Businesses need to know their customers both for their own purposes and to comply with government regulations.

In the past, customers and businesses were much closer (the banker lived in the same neighbourhood or knew the customer personally). As businesses grew and expanded their base, new customers were acquired at a rapid pace, but these new customers were no longer located nearby. It became very difficult to know enough about a customer, and this often led to fraud, money laundering and other problems; when required by law, businesses were unable to provide the information needed to trace their customers, because most of what they had on paper for the rogue customers was irrelevant or incorrect (the rogue customer was impersonating someone or using fake information to represent themselves).

To resolve this, regulations were put in place, and now almost all businesses are required to know their customers well. Knowing a customer means holding data about them that accurately identifies the person nationally or, in the case of ICOs, globally (a much tougher task).

More information on KYC can be found in the article below (just in case my rant above did not make any sense):
https://en.wikipedia.org/wiki/Know_your_customer

KYC data is very important to you: it holds the keys to your complete digital life and consequently has ramifications for your real life. A lot of people don't understand the seriousness of this. Anyone with access to your KYC data can impersonate you, swindle you out of money easily and attempt to log in to every account you have, not just your ICO website accounts. The intent of this article is to highlight this point and show how you can play it as safe as possible.

Before you read any further, create one email ID used only for ICOs, if you have not already done so. This email should not be used for anything else at all. In the worst case, hackers will get access to only this one email and the ICOs associated with it.

What kind of information about customers is collected during KYC



The most critical item is a document that uniquely identifies you across the globe. The passport is the most widely (and in almost all cases the only) accepted document for global participants in an ICO. Another important document is a proof of address (again from a verifiable source such as a driving licence or utility bill).

I have detailed almost all the information that ICOs need to complete KYC towards the end of my article ICO investment Series # 4 - Registering for ICOs.

At what stage of ICO is KYC done



I have seen 4 possible stages at which KYC is done.

  • During registration for the ICO
  • As part of the whitelisting process
  • Only if you are successfully whitelisted
  • Once you are ready to withdraw your tokens from the ICO or access them on the ICO website itself (as on exchanges where tokens are used for exchange fees, so if you use the exchange you needn't even bother withdrawing the tokens)

For customers it is best that KYC is done as late as possible in the ICO cycle. The reason is simple: what if you did not get whitelisted, and KYC was done during registration or as part of the whitelisting process? You have not only wasted precious personal time submitting all the KYC details but also left personal, private and sensitive information with the ICO team (with no guarantee they will safeguard it or use it properly later).

Finally should you KYC or not?



If you have decided to participate in an ICO and its norms mandate KYC, then you are left with little choice in the matter. I outline below some real issues that have happened and provide some guidelines you can use to decide whether you should KYC. At the end I will also briefly talk about using the blockchain itself for KYC.

Some real issues



The issues per se are not due to the KYC process. The data needed for KYC is very personal, private and highly sensitive, as it uniquely identifies you, so it puts a lot of faith and power into the hands of the custodians of that data. If ICOs do not have enough security in place around the KYC data they collect, they are jeopardizing their customers and compromising the trust those customers have placed in the ICO.

Incident # 1 - Data stolen from an ICO trying to bring digital consultation to the blockchain


  • Important customer data was stolen from an ICO that I was part of. Not sure what all the hackers got away with, but they definitely have customers' full names, email IDs and, I guess, passwords. I am not very sure whether passport copies, government-issued identity document copies and other critical information also made it into the hands of the hackers (if I remember correctly the data was stolen before the complete KYC was to be captured by a 3rd party). I was one of those whose data made it to the hackers.
    • A few questions that come to my mind on this are:
      • Did the ICO store my password in clear text?
      • Was it an insider job by someone who had access to the password decryption tools?
      • Why had an ICO collecting upwards of 20-30 million USD not taken basic precautions?
    • Below I outline how I was impacted after this breach of customer data
      • Unfortunately I was using a common password across ICOs. It is difficult to make and remember 100s of passwords. I am still trying to change this habit. If you can't think up a new password for every ICO or website you have a membership to, then it is better not to participate. Better to safeguard what you have than lose it all just to make a quick buck.
      • Since hackers now have my complete details, they are running all kinds of tools to break into my accounts. This ranges from my email to the ICOs that I am part of, and god only knows what else that I may not even be aware of.
      • I have become an easy target for their phishing emails. I have to review each email multiple times before I click anything to ensure it is not from a scammer.
      • I have had to change my password in at least 50 places.
      • Worst, I now live in constant fear, as the data the hackers have about me is all correct and I can't change any of it
        • My email has been in use for the last 20 years; changing it is an unfathomable task, though I do plan on it sometime.
        • I don't intend to change my name
        • It is not easy changing my passport or its details that they have
        • I use the same email (and unfortunately the same password) for umpteen shopping sites. I don't mind hackers buying things in my name, but the shopping sites have my complete profile details including the things I have bought, all my addresses and in many cases my credit card details. I have had to change my password on more than a dozen sites.
        • I have no idea how many more places I have used the email, and worse still maybe the same password, and I don't know what I will do when hackers get to those sites before me.
        • If I know hackers well, they share their exploits on their dark websites, and god alone knows how many of them are running tools to break into just one of my accounts. They break one and the rest all become easy.
        • In the end the issue is draining me mentally and emotionally and to some extent psychologically, leaving aside the damage it can do to me financially and, worst, socially (as impersonating me and using my personal information just got easier).

Note - The ICO gave those affected a paltry few coins worth less than $20 as compensation. What about the issues that arose out of this data breach? Who pays for those? Unfortunately, as things stand today, where ICOs don't need to comply with any regulations or laws, the customers end up footing the bill for the damages arising from stolen data.
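The first question above ("Did the ICO store my password in clear text?") has a concrete defensive answer: a registration system should store only a salted, deliberately slow hash of each password, so a stolen user table gives the thief neither the passwords nor even the knowledge of which users reuse one. The example below is added here as an illustration and is not code from this post or from any ICO; it uses only Python's standard library (PBKDF2-HMAC-SHA256 via `hashlib`), and the two registrants and their shared password are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the post): two registrants who reuse one password.
SAMPLE_USERS = {
    "alice@example.invalid": "Correct-Horse-Battery",
    "bob@example.invalid": "Correct-Horse-Battery",
}

# Work factor for PBKDF2-HMAC-SHA256: a deliberately slow hash, so whoever
# holds the stolen table cannot test billions of guesses per second.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a password as a self-describing record: algo$iterations$salt$digest.

    The per-user random salt means two users with the same password get different
    digests, so a stolen table does not even reveal who shares a password.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, digest, rounds = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iterations)
    except ValueError:
        return False  # malformed or foreign record: never accept it
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)


def build_user_table(users: dict) -> dict:
    """What the ICO's database should hold: no clear-text passwords anywhere."""
    return {email: hash_password(pw) for email, pw in users.items()}


def records_share_digest(table: dict, a: str, b: str) -> bool:
    """True if two stored records carry identical digests. With clear-text storage
    (or unsalted hashing) reused passwords are obvious; with per-user salts they are not."""
    return table[a].rsplit("$", 1)[1] == table[b].rsplit("$", 1)[1]


if __name__ == "__main__":
    table = build_user_table(SAMPLE_USERS)
    for email, record in table.items():
        print(email, "->", record[:48] + "...")
    print("password reuse visible in a stolen table:", records_share_digest(table, *SAMPLE_USERS))
```

Note that the salt and iteration count are stored in the record itself; nothing secret is needed to verify a login, so there is no "password decryption tool" for an insider to misuse, which is the point behind the second question in the list above.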

Incident # 2 - Data stolen from one large ICO (by Telegram numbers) trying to be the AirBNB of the blockchain.



I understand that their email address database was hacked. The ICO may have tracked down the offenders (or not). What can customers do? The founders are probably at the other end of the globe, in a different country with different regulations, where you have no say. Also, all ICOs are private companies (they don't go public the way others do when they issue equity on exchanges). As a token holder you have no rights. There is very little you can do to bring an ICO that breached your data to book. You just have to suck it up and move on.

Incident # 3 - Data stolen from one ICO aiming to be the B2B marketplace that provides affordable and secure financial services to the unbanked.

In this case the CEO came forward, admitted the issue and put things on hold until they were sorted out. They also tried to help those impacted, I believe, though I have no certainty on this. In one article I read that their KYC system was leaking user data.

Incident # 4 (not about KYC data, but shows the vulnerability)

One ICO launching "blockchain 4.0" reported that some hackers (and most feel it could have been an insider job) got away with millions in customer funds fraudulently collected in the name of the ICO token launch. The token launch was delayed and a lot of drama ensued. The company was very open and upfront about everything and compensated the customers who lost money in the ICO. I only mention it here to highlight how fragile the whole process is and that, in the end, the customer is the only person out there trying to protect customer data and funds.

The above 4 are some incidents that I was either involved in or read about. How many more like this have happened is anyone's guess, given the lack of rules and regulations for ICOs. All this makes safeguarding your data your own responsibility. I am sure you grasp the gravity of KYC data now, if not before.

Some guidelines to follow when deciding if you must provide the KYC data


Below are some key questions to ask of the ICO; their answers will form the guidelines for you.

  • How legitimate does the ICO collecting KYC data sound? If you have any doubt about its legitimacy then just take to your heels. Giving them your KYC data is more dangerous than giving them your money.
  • Question why the ICO needs KYC data early, even before they whitelist you. Try your best to be in ICOs that do KYC at the end. It saves everyone time. ICOs do KYC first so they are sure that those investing money won't fail KYC later (or maybe the rule of law requires KYC early); either way this does not help customers at all. So ask ICOs to break KYC into parts: collect the bare minimum first (name, email ID, country of residence) and the rest of the data, along with proofs, only if you get whitelisted.
  • How is the KYC process being run? Best is a trusted 3rd party, large enough to have an incentive not to steal customer data, with strict legal penalties for offenders. The 3rd party must be bound by law to protect customer data.
  • Try to avoid ICOs where unknown 3rd parties are storing your KYC data. This is a huge red flag. What stops one of their employees from just copying the entire hard disk and taking it home? Who is guaranteeing the security and safety of the data, and under what laws?
  • Where is the ICO storing your KYC data? Best is a secured location, with encryption in place everywhere. No data must be stored in clear text. Since KYC information will not be used often other than for whitelisting and issuing tokens, the encryption overhead in terms of processing time should not be an issue. Even if a hacker got access to the data, they should not be able to unscramble the encrypted data in their lifetime.
  • How will the ICO safeguard your KYC data in future (post the ICO)? Best is for them to delete it permanently. That way even those who did not participate in the ICO token sale after doing KYC (for various possible reasons) can sleep easy.
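The last two guidelines (no clear text at rest; permanent deletion after the ICO) can both be met with envelope encryption: each applicant's document is encrypted under its own random data key, and that key is in turn encrypted under a master key kept outside the database, so a copied hard disk yields only ciphertext, and "delete permanently" becomes destroying the wrapped key (crypto-shredding), which works even when backups of the ciphertext survive. The example below is added here as an illustration; it is not code from this post or from any ICO or KYC vendor. It assumes the third-party `cryptography` package is installed, uses AES-256-GCM, keeps the master key in memory (an HSM or cloud KMS would hold it in practice), and the applicant id and document are constructed sample values.

```python
import os
from dataclasses import dataclass
from typing import Dict, Optional

from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class KeyShredded(Exception):
    """Raised when a record's data key has been destroyed (crypto-shredding)."""


@dataclass
class EncryptedRecord:
    nonce: bytes                       # 96-bit AES-GCM nonce for the document
    ciphertext: bytes                  # document ciphertext with the GCM tag appended
    wrapped_data_key: Optional[bytes]  # data key encrypted under the master key; None once shredded


class KycVault:
    """Illustrative envelope-encryption store for KYC documents (not any ICO's real system).

    The master key lives outside the database (in-memory here; an HSM/KMS in practice),
    so what sits on disk is ciphertext plus wrapped keys that are useless without it.
    """

    def __init__(self, master_key: bytes):
        self._master = AESGCM(master_key)
        self._records: Dict[str, EncryptedRecord] = {}

    def store(self, applicant_id: str, document: bytes) -> None:
        aad = applicant_id.encode("utf-8")  # authenticated data: binds the blob to this applicant
        data_key = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(12)
        ciphertext = AESGCM(data_key).encrypt(nonce, document, aad)
        wrap_nonce = os.urandom(12)
        wrapped = wrap_nonce + self._master.encrypt(wrap_nonce, data_key, aad)
        self._records[applicant_id] = EncryptedRecord(nonce, ciphertext, wrapped)

    def read(self, applicant_id: str) -> bytes:
        rec = self._records[applicant_id]
        if rec.wrapped_data_key is None:
            raise KeyShredded(applicant_id)
        aad = applicant_id.encode("utf-8")
        data_key = self._master.decrypt(rec.wrapped_data_key[:12], rec.wrapped_data_key[12:], aad)
        return AESGCM(data_key).decrypt(rec.nonce, rec.ciphertext, aad)

    def shred(self, applicant_id: str) -> None:
        """Post-ICO deletion: destroy the wrapped data key. Even if backups of the
        ciphertext survive, nobody (the ICO included) can decrypt it again."""
        self._records[applicant_id].wrapped_data_key = None

    def raw_dump(self) -> Dict[str, bytes]:
        """What a thief copying the disk would get: ciphertext only."""
        return {aid: rec.ciphertext for aid, rec in self._records.items()}


# Constructed sample document (made up; not real KYC data).
SAMPLE_DOC = b"name=Jane Example;passport=X0000000;country=Nowhere"


def demo() -> tuple:
    """Store, read back, show the on-disk view, then shred and show the read fails."""
    vault = KycVault(AESGCM.generate_key(bit_length=256))
    vault.store("applicant-0001", SAMPLE_DOC)
    before = vault.read("applicant-0001")
    leaked = vault.raw_dump()["applicant-0001"]
    vault.shred("applicant-0001")
    try:
        vault.read("applicant-0001")
        after = "still readable"
    except KeyShredded:
        after = "shredded"
    return before, leaked, after


if __name__ == "__main__":
    print(demo())
```

Using the applicant id as GCM associated data means a stolen or misfiled blob cannot be quietly re-attached to a different applicant's record: decryption fails with an authentication error rather than returning the wrong person's documents.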

Recommendation for using blockchain for KYC

Since ICOs all live on the blockchain, which relies heavily on cryptography, would it not be best if all KYC data were encrypted on the blockchain? The data would belong to its rightful owners (customers / users / ICO participants) and be encrypted using their own digital keys, with some mechanism in place so that only the information that is needed can be shared with those who need to know it. Since the information would not leave the blockchain, I hope stealing it would be difficult. There are many ICOs trying to store private user information on the blockchain, and I am not sure which of them, if any, can be used for KYC. In future ICOs may tie up with one of these and see if it solves all the security issues arising out of sharing, storing and distributing customers' KYC data. Some that come to my mind are:

  • Civic
  • Selfkey
  • uPort
  • Valid
  • Traceto (this is still in ICO stage as of Apr 27 2017), but from a KYC experience perspective they seem far ahead in the race.

If any of the above are not suited for KYC data on the blockchain then let me know in the comments.

I believe there are some specific projects trying to do just KYC on the blockchain. If no one is doing it, then I may just get together with my tech friends and do it. I feel this is a critical issue that needs to be resolved if customers are to trust ICOs and their KYC processes.

Disclaimer - I am only sharing my limited knowledge and for the sake of knowledge alone. This is in no way investment advice or legal or taxation counsel. I am not qualified to provide any of these. This is also not a recommendation or encouragement to invest in cryptocurrencies or ICOs.