
How KYC data gets exposed through shoddy web-design


Harry Denley, a security analyst at open source crypto startup MyCrypto, was investigating a US-based crypto startup (unnamed) that a colleague had alerted him to. The startup’s site, registered anonymously, looked suspect for a myriad of reasons. For a start, the team photos posted on its website were fake. Its CMO, a man called Rizwan Gray, had used a picture of a college professor called Dr. Jonathan Schiff.

But most alarmingly, the website was built on a primitive WordPress site, instead of a more sophisticated backend. As such, the startup’s entire directory of KYC data—uploaded by its 15,000 hopeful investors—was publicly available.

Amid these documents Denley saw “uniformed personnel holding their identity cards, driver’s licenses for various countries, documents containing fingerprint data for various countries, People’s Republic of Bangladesh national ID cards, more ID cards titled ‘Government of India,’ Italian passports, Russian Federation passports, Ukrainian passports, Algerian passports, Republic of Korea passports, Socialist Republic of Vietnam passports, Venezuelan passports…” The list goes on.

It is, as he pointed out in a blog post, an enormous security risk.


“These types of documents are important. If passed to the wrong hands and combined with other data, people can use these to damage you in various ways: they can steal your identity, steal your money, destroy your credit rating, destroy your reputation, and cause major problems in your life,” he wrote.

It’s true. KYC documentation is a treasure trove for hackers. Earlier this year, Decrypt reported on a hacker who claimed to have obtained a stash of such documents from major exchanges including Binance and Kraken. He was offering them up for $1,000 each.

And, needless to say, added Denley, an exposed WordPress back-end is a bad look for a blockchain startup purportedly founded by “experts from data management, business management, logistics specialists, IT-experts etc for developing complex IT- and blockchain-solutions, supports our ICO, and further realization of the project.”

We reached out to Denley to see how much of a security risk it really was. Could a non-security researcher find the compromised docs?

“Oh absolutely anyone could,” he said. In WordPress “vanilla,” he explained, all uploads go to the same place in the directory (/wp-content/uploads/<year>/<month>). If a careless back-end engineer leaves this directory open, a user can stumble across the documents by simply plugging in that generic URL. 
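As an added illustration (not code from the article, MyCrypto or WordPress), here is a small Python helper a site operator could use to audit their own server: it builds the vanilla uploads path for a given month and classifies what the server returned for it. The sample response bodies are constructed here, and only Apache- and nginx-style autoindex pages are recognised.

```python
import re
from urllib.parse import urljoin

# Autoindex pages from Apache (mod_autoindex) and nginx (autoindex on) both
# carry a title/heading that starts with "Index of /". Other servers are not
# covered by these markers.
_LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE),
    re.compile(r"<h1>\s*Index of\s+/", re.IGNORECASE),
)


def uploads_dir_url(base_url: str, year: int, month: int) -> str:
    """Vanilla WordPress stores uploads under /wp-content/uploads/<year>/<month>/."""
    return urljoin(base_url.rstrip("/") + "/",
                   f"wp-content/uploads/{year}/{month:02d}/")


def looks_like_directory_listing(body: str) -> bool:
    """True if the HTML body is a server-generated directory index."""
    return any(marker.search(body) for marker in _LISTING_MARKERS)


def classify_response(status: int, body: str) -> str:
    """Classify the response for an uploads directory URL.
    "exposed": 200 with a directory index; every file uploaded that month is
               enumerable without guessing file names.
    "blocked": 403 (Apache "Options -Indexes" / nginx "autoindex off") or a
               200 that is not a listing, e.g. an empty index.php placeholder.
    "missing": 404, nothing uploaded that month or a non-standard layout.
    """
    if status == 404:
        return "missing"
    if status == 200 and looks_like_directory_listing(body):
        return "exposed"
    return "blocked"


# Constructed sample bodies (not captured from any real site).
APACHE_LISTING = (
    "<html><head><title>Index of /wp-content/uploads/2019/08</title></head>"
    "<body><h1>Index of /wp-content/uploads/2019/08</h1>"
    '<a href="passport-scan.jpg">passport-scan.jpg</a></body></html>'
)
FORBIDDEN_PAGE = "<html><head><title>403 Forbidden</title></head></html>"

if __name__ == "__main__":
    url = uploads_dir_url("https://example.com", 2019, 8)
    print(url, classify_response(200, APACHE_LISTING))  # exposed
    print(url, classify_response(403, FORBIDDEN_PAGE))  # blocked
```

An "exposed" result on your own site is fixed with `Options -Indexes` in the uploads folder's `.htaccess` on Apache, or by leaving nginx's `autoindex` at its default of off.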

Know-your-nightmare

The thing is, KYC/AML requirements are inescapable. Unless you refuse to use exchanges altogether, most places you can purchase digital tokens for cash aim to comply with these laws. In recent weeks, even anonymity stalwarts like LocalBitcoins have caved to the great regulators.

The consequences of non-compliance can be dire. The EU’s recent General Data Protection Regulation (GDPR), for instance, threatens money transmitters that fail to comply with know-your-customer and anti-money-laundering laws with fines of up to $10 million. (And that is the “less severe” option.)

But are even the scammiest of projects complying, too?

Denley thinks not. “Startups” like the one he investigated, he explained, give the illusion of compliance as a pretext for harvesting valuable KYC data. To wit, the offending site has since become defunct, and all the data has been “scrubbed”—even though the token sale was due to begin.

He says, unsurprisingly, that ICOs have always been like this.

Says Denley: “Back when ICOs were the ‘thing,’ bad actors could spin up a website, make a bitcointalk thread, push google ads, and advertise their ‘promises’ to quickly grab funds and/or KYC documents.

“Once they collected, they either shut the op down and rehashed or ghosted the project,” he added.

The token sales you should trust with your data, Denley says, are run on reputable exchanges. These “initial exchange offerings,” like those seen on Binance and Huobi, are executed in close cooperation with sophisticated analytics companies like Chainalysis and Refinitiv. Refinitiv, for instance, “screens, identifies, verifies, and monitors clients for onboarding and remediation purposes,” according to Binance. (Lest we forget, however, Binance’s aforementioned data leak.)

It’s not that WordPress is bad in and of itself. It’s that the ICOs/STOs/whatever that use it tend to handle the KYC stuff themselves, which is either prone to leaking or—more likely—a phishing scam.

So if it looks like it’s complying with anti-money laundering laws, smells like it’s complying with anti-money laundering laws and talks like it’s complying with anti-money laundering laws… it might not actually be complying with anti-money laundering laws, and you ought to do some due diligence.


This post was originally published on Decrypt. Bitnewsbot curates, examines, and summarizes news from external services while producing its own original material. Copyrights from external sources will be credited as they pertain to their corresponding owners.
