By Bruce Silcoff, CEO, Shyft Network International
Major data breaches at crypto exchanges have become far too common. Reportedly, personally identifying data from thousands of users from multiple major crypto exchanges has been available for sale since at least July of last year. This isn’t an abstract dataset we’re talking about. This includes photos of users holding sensitive documents like passports and driver’s licenses. Should exchanges and ICOs do more to keep users’ sensitive data safe? This issue is a systemic one, and it goes well beyond the crypto world.
Data breaches are predictable
We hear about major data breaches almost every day now; literally, as I sat down to write this article, I spotted a new report in Bloomberg about how the investment firm BlackRock had been successfully attacked. But as the main onboarding points for cryptocurrency, it’s incredibly important for the future of our industry that exchanges take a proactive approach to security.
The current thinking with regards to cybersecurity — or, as the SEC’s John Reed Stark puts it in the Bloomberg piece, “Firms can’t avoid breaches entirely, but they can react to them in a way that rebuilds trust” — isn’t cutting it. Imagine hiring a bodyguard to look after you, only to find out that instead of providing threat assessments and personal security, they just stand by and say “give me a shout if someone hurts you.”
It’s infuriating, but it’s standard for security experts to think of these breaches as simply a fact of life, the cost of doing business online. I say we can and should do better.
Data breaches aren’t random Acts of God. They’re predictable occurrences that use technology and strategies we know about, and with the right systems in place, these events can be tracked and prevented before they can cause damage.
Black data markets
As our CTO Chris Forrester has stated, since the genesis of the web, consumers have had their online data reviewed, abstracted, and transmitted to an enormous amount of third parties. This data (your data) is the core component of many businesses and how they target services to consumers. Without access to this data, most major tech firms are not only flying blind, they have no workable business model to speak of, so we can reasonably predict there will be exponentially more data stored, collected, and shared in the coming years, for areas ranging from biometrics to IoT.
The current data cycle looks like this:
- Major breaches occur on a regular basis.
- These breaches reveal personal information to malicious third parties.
- The breaches continue, becoming so ingrained in the web culture that large companies that control a majority of specific sectors become targets.
- The tools used to perform these breaches, as they are successful in their design, are repackaged and resold within dark markets, are refined, resulting in further breaches.
A continuing spiral of this practice creates a situation of distrust towards legitimate product platforms, but since there are no viable alternatives to those platforms or to the practice itself, the result is simply unrest and increased regulation that is always a step behind in the proverbial game. This increases costs towards service providers and exposes everyone to data breaches. Consequently, the black data markets keep growing and evolving.
We need a proactive approach to security. It’s easy to say privacy is dead, and that there’s no alternative to sitting around and waiting to be hacked. There is an alternative, and if we fail to implement it, “privacy is dead” will become a self-fulfilling prophecy.
Old problems, new solutions
The world’s most valuable resource is no longer oil; it’s data. This means our data isn’t going to become less attractive to malicious actors anytime soon, and attacks are going to ramp up in both number and severity.
Is privacy dead, then? Not so fast. It’s appropriate that blockchain can offer new ways to build a more secure, more reliable future for transacting online.
Working together with exchanges, KYC providers (generally major banks, financial services firms, and government entities) could act as data validators in a blockchain system. My company, Shyft, is building a network that can perform this specific function. In our network, these data validators are known as Trust Anchors. Rather than simply broadcasting users’ personal data to the blockchain, these Trust Anchors share relevant metadata about the data on an as-needed basis, assuming user consent for the sharing of that metadata is present.
So what would that look like? Let’s imagine that you’re trying to get an account on a major crypto exchange, and this exchange is hooked up to a network like Shyft. All most exchanges really need to know is:
- Are you a resident of a country where it’s legal to purchase/trade crypto?
- Are you over 18?
- Are you on an existing blacklist?
Note that there’s a whole lot of personally identifying information (PII) that they don’t need; nevertheless, many sites currently end up hosting a ton of it. On a system like Shyft, the exchange could (given the expressed user consent) ping a relevant Trust Anchor (in this case, let’s say it’s the user’s bank) to confirm these three exact criteria, and they would be able to do so by attesting to the truth of each statement.
If this trusted entity confirms that you meet all three, there’s no need to broadcast, for example, your exact street address or any other contact information.
That means that in the case where the network is compromised and an attacker gets hold of the metadata, it can’t be used to identify anyone in particular. All the PII would strictly be stored off-chain in enterprise-level data centers — not impossible to break into, but certainly much more prohibitively difficult than anything a crypto exchange can feasibly offer.
There are ways to balance privacy without making data useless for compliance, product improvements and other legitimate uses of data. The cryptographic tools that can provide security features to dwarf those of current systems already exist.
In other words, despite common assertions to the contrary, your data doesn’t have to be collected and shared in ways susceptible to yet another cybersecurity breach.
Time to be proactive
More can be done than just putting a network of data validators “on the blockchain.” With some element of central authority added to a network, it becomes much simpler to ward off 51% attacks and other forms of crypto-specific attacks.
Without mechanisms in place to be able to monitor for attack patterns and warn Trust Anchors about likely malicious users, you’re only a fluctuating amount of computing power away from someone being able to spoof a Trust Anchor and wreak all sorts of havoc. It’s time to accept that some level of built-in oversight — and specific technology solutions as well as governance models — would be a small price to pay for greatly improved security.
In today’s information economy, rebooting trust and putting the right consent and security systems in place might not be easy, but it must be done. We must act now.