Crypto Exchanges and ICOs Can Do Better at Securing User Data

Crime, FinTech, Opinion | January 23, 2019 By:

Recently, big news of yet another data breach made the rounds — reportedly, personally identifying data from thousands of users from multiple major crypto exchanges has been available for sale since at least July of last year. This isn’t an abstract dataset we’re talking about. This includes photos of users holding sensitive documents like passports and driver’s licenses. Should exchanges and ICOs do more to keep users’ sensitive data safe? This issue is a systemic one, and it goes well beyond the crypto world.

Data breaches are treated like natural disasters

We hear about major data breaches almost every day now; literally, as I sat down to write this article, I spotted a new report in Bloomberg about how the investment firm BlackRock had been targeted. But as the main onboarding points for cryptocurrency, it’s incredibly important for the future of our industry that exchanges and ICOs take a proactive approach to security.

Someone has to because, frankly, the “sh*t happens” approach to cybersecurity — or, as the SEC’s John Reed Stark puts it in the Bloomberg piece, “Firms can’t avoid breaches entirely, but they can react to them in a way that rebuilds trust” — isn’t cutting it. Imagine hiring a bodyguard to look after you, only to find out that instead of providing threat assessments and personal security, they just sit on your couch and say “give me a shout if someone hurts you.”

It’s infuriating, but it’s also increasingly common for security experts to think of these breaches as simply a fact of life, the cost of doing business online. I say we can and should do better. Data breaches aren’t random Acts of God; they’re predictable occurrences that use technology and strategies we know about, and with the right systems in place, these events can be tracked and prevented before they cause damage.

Black data markets are a flourishing, growing industry

As our CTO Chris Forrester put it on Medium, since the genesis of the web, consumers have had their online data reviewed, abstracted, and transmitted to an enormous amount of third parties. This data (your data) is the core component of many operational businesses and how they target services to consumers. Without access to this data, most major tech firms are not only flying blind, they have no workable business model to speak of, and so we can reasonably predict there will be exponentially more data stored, collected, and shared in the coming years, ranging from biometrics to IoT.

The current data cycle looks like this:

  • Major breaches occur on a regular basis¹

  • These breaches reveal personal information to malicious third parties²

  • The breaches continue, becoming so ingrained in the web culture that large companies that control a majority of specific sectors become targets³

  • The tools used to perform these breaches, as they are successful in their design, are repackaged and resold within dark markets, are refined, resulting in further breaches

A continuing spiral of this practice creates a situation of distrust towards legitimate product platforms, but since there are no viable alternatives to those platforms or to the practice itself, the result is simply unrest and increased regulation that is always a step behind in the proverbial game. This increases costs towards service providers and exposes everyone to data breaches. Consequently, the black data markets keep growing and evolving.

The solution is hiding in plain sight

The world’s most valuable resource is no longer oil, but data, according to The Economist. This means our data isn’t going to become less valuable, and attacks are going to ramp up in both number and severity.

Is privacy dead then? Not so fast. It’s appropriate that blockchain can offer new ways to build a more secure, more reliable future for transacting online.

Working together with exchanges, KYC providers (generally major banks, financial services firms, and government entities) could act as data validators in a blockchain system. My company, Shyft, is building a network that can perform this specific function. In our network, these data validators are known as Trust Anchors. Rather than simply broadcasting users’ personal data to the blockchain, these Trust Anchors share relevant metadata about the data on an as-needed basis, assuming user consent for the sharing of that metadata is present.

So what would that look like? Let’s imagine that you’re trying to get an account on a major crypto exchange, and this exchange is hooked up to a network like Shyft. All most exchanges really need to know is:

  • Are you a resident of a country where it’s legal to purchase/trade crypto?

  • Are you over 18?

  • Are you on an existing blacklist?

Note that there’s a whole lot of personally identifying information (PII) that they don’t need; nevertheless, many sites currently end up hosting a ton of it. On a system like Shyft, the exchange could (given the expressed user consent) ping a relevant Trust Anchor (in this case, let’s say it’s the user’s bank) to confirm these three exact criteria, and they would be able to do so by attesting to the truth of each statement.

We can have nice things. Thanks to cryptography, there are ways to balance privacy without making data useless for compliance, product improvements and other legitimate uses of data. In other words, your data doesn’t have to be collected and shared in ways susceptible to yet another cybersecurity breach.

We need a proactive approach to security: It’s not enough to hide behind thicker walls.

More can be done than just putting a network of data validators “on the blockchain.” With some element of central authority added to a network, it becomes much simpler to ward off 51% attacks and other forms of crypto-specific attacks.

Without mechanisms in place to be able to monitor for attack patterns and warn Trust Anchors about likely malicious users, you’re only a fluctuating amount of computing power away from someone being able to spoof a Trust Anchor and wreak all sorts of havoc. It’s time to accept that some level of oversight — and specific technology solutions as well as governance models — would be a small price to pay for greatly improved security.

We need a proactive approach to security. It’s easy to say privacy is dead, and that there’s no alternative to sitting around and waiting to be hacked. There is an alternative, and if we fail to implement it, “privacy is dead” will become a self-fulfilling prophecy. In today’s information economy, rebooting trust and putting the right consent and security systems in place might not be easy, but it must be done. We must act now.


¹ The 17 biggest data breaches of the 21st century: Security practitioners weigh in on the 17 worst data breaches in recent memory.

² Data Thieves: The Motivations of Cyber Threat Actors and Their Use and Monetization of Stolen Data

³ Facebook: ‘Malicious actors’ used its tools to discover identities and collect data on a massive global scale:

Bruce Silcoff has a track record of incubating game-changing technologies — including more than 30 years of experience in fintech, data, private equity, CPG marketing, and customer loyalty. As Shyft’s CEO, Bruce leads the company’s ambitious vision to establish a scalable, blockchain-based data sharing protocol to handle identity and reputation data.