David G.W. Birch, Contributor
May 11, 2021
Iago Was Right: It’s Better They Steal Your Money Than Your Identity
As Iago famously says in Shakespeare's Othello, "who steals my purse steals trash; 'tis something, nothing" before going on to state that "he that filches from me my good name robs me of that which not enriches him, and makes me poor indeed."
If only this were the case, but in our modern world it is abundantly clear that filching people's good names in fact greatly enriches the filchers as well as impoverishing their victims.
Iago’s speech came to mind when I read that Faruk Fatih Özer, founder of the now-defunct Turkish crypto exchange Thodex, who vanished in April along with $2 billion in cryptocurrencies from the exchange, had fled not only with customers' cryptocurrencies, but also with their identities. As David Gerard so eloquently phrased it, Özer paid the most "painstaking attention" to money-laundering compliance and took Know-Your-Customer (KYC) data for hundreds of thousands of users with him. This data included scans of the customers' national ID cards, once again proving that digitising identity is no substitute for digital identity.
Mr. Özer is now apparently in Albania. According to the latest press reports, he is hiding with the manager of a food products supplier company. Turkey has arrested 62 people trying to track him down and is seeking to extradite him. Who knows, they may succeed. But I don't doubt that Albanian organised crime groups are already making use of the scans of the Turkish citizens' ID cards to get up to no good.
Now, of course, the reason why Mr. Özer had customers' personally identifiable information (PII) in such vast quantities was because regulators had forced him to obtain it. So maybe it should be up to the regulators to fix the problem! But what are they going to do? What will happen to all of the people whose identities were stolen in this way? Are they all going to be given new identities in a vast national witness protection programme while their old identities are cancelled? Will the authorities give everyone a new name and a new number, cancel their old ID cards and send them new ones?
Well, of course not. Insane customer-due-diligence (CDD) demands continually force us to hand over our sensitive personal information to every Tom, Dick and Faruk on the internet while doing nothing to help us when our personal information is inevitably compromised as it must be when it's sprayed around the web at the behest of regulators.
I hate giving away free advice, but here's what should happen...
Me: hello crypto exchange, I'd like to open an account.
Exchange: ok, please log in to your bank.
Bank: Hello Dave, someone wants to know who you are. Can I tell them?
Me: yes, but don't give them any personal information.
Bank: ok exchange, here is an unforgeable cryptographic message that contains a unique ID for this customer, 1H3XBZQ29J, to confirm that they are a real person that we have already performed due diligence on, they are over 18 and they are resident in this country.
Exchange: cool, thanks bank, here's $5 for your trouble and hey welcome on board 1H3XBZQ29J.
Now, no-one at the exchange knows who 1H3XBZQ29J is so when the exchange gets hacked, as is generally the case, or is the subject of a massive fraud by employees, your personal information is not compromised. Simple. If transaction analysis shows that 1H3XBZQ29J is sending vast sums of money to some shady businessman or a corrupt politician, then law enforcement officers can apply to a judge for a warrant, take it to the bank and say "hey, who is 1H3XBZQ29J" and the bank will tell them "it's Dave Birch."
Names and Numbers
We don’t want to do away with CDD but we don’t need personal information to support the legitimate needs of law enforcement. The US Office of Foreign Assets Control (OFAC), which carries out economic- and trade-based sanctions, is currently out shopping for tools to track virtual currency transactions, such as those involving Bitcoin, to help build cases against individuals, entities or organisations that might appear on the “Specially Designated Nationals List”, and I don’t see why that couldn’t be extended to include a “Specially Designated Cryptographic Identifier List” so that law enforcement officers could tell an exchange “sorry but 1H3XBZQ29J is on the sanctions list, so you can't do business with them any more.”
The key point here is that national security, law enforcement and the world of commerce have not been compromised because the exchange does not know who 1H3XBZQ29J is. There is no reason for the exchange to know who I am, so long as they know that someone knows who I am. A regulated financial institution knows who 1H3XBZQ29J is and that's good enough.
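The exchange sketched above (bank attests, exchange verifies, identifier list is checked), as an added Go example that is not from the article. It assumes Ed25519 signatures and goes one step further than the text by deriving a different pseudonym per exchange with an HMAC; `Bank`, `Attest`, `Admit`, `customer-0001` and `exchange.example` are hypothetical names and constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Attestation is all the exchange receives: no name, no ID-card scan.
type Attestation struct {
	Subject, Audience string // pseudonym, and the exchange it was minted for
	Over18, Resident  bool
}

type Bank struct {
	priv     ed25519.PrivateKey
	secret   []byte            // keys the pseudonyms (constructed value in main)
	registry map[string]string // pseudonym -> customer, never leaves the bank
}

// Attest signs claims about a customer the bank has already vetted.
func (b *Bank) Attest(customer, audience string) (msg, sig []byte) {
	mac := hmac.New(sha256.New, b.secret)
	mac.Write([]byte(audience + "|" + customer))
	sub := fmt.Sprintf("%x", mac.Sum(nil)[:8]) // stable, but differs per exchange
	b.registry[sub] = customer                 // consulted only under a warrant
	msg, _ = json.Marshal(Attestation{sub, audience, true, true}) // claims fixed for this sample
	return msg, ed25519.Sign(b.priv, msg)
}

// Admit is the exchange side: check the bank's signature, then apply policy.
func Admit(pub ed25519.PublicKey, self string, msg, sig []byte, designated map[string]bool) (string, error) {
	var a Attestation
	if !ed25519.Verify(pub, msg, sig) || json.Unmarshal(msg, &a) != nil {
		return "", fmt.Errorf("attestation not signed by the bank")
	}
	if a.Audience != self || !a.Over18 || !a.Resident || designated[a.Subject] {
		return "", fmt.Errorf("claims fail policy or identifier is designated")
	}
	return a.Subject, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	bank := &Bank{priv, []byte("constructed-demo-secret"), map[string]string{}}
	msg, sig := bank.Attest("customer-0001", "exchange.example")
	fmt.Println(Admit(pub, "exchange.example", msg, sig, nil))
}
```

The audience check stops an attestation minted for one exchange from being replayed at another, and because the pseudonym differs per exchange, two breached exchanges cannot join their customer records on it.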
By the way, using names as identifiers for the purposes of due diligence seems pretty pointless anyway. Anyone can change their name to anything, because names are attributes not identifiers. In the UK for example, hundreds of convicted sex offenders have paid £15 to change their names by deed poll so that they don't show up on searches of criminal registers. This only goes to reinforce my prejudice that there's no earthly reason to store a person's name in registers of anything. A register should be a place to store things that are unique, that uniquely identify a legal entity such as a person: some biometrics, for example, or some unique cryptographic key that has been previously authenticated by them. A name should be treated as nothing more than a mildly interesting attribute: it does not identify anyone.
So, back to the question. Is it better to have the crooks steal your money or your identity?
Think about it. You wake up in the morning and due to a North Korean cyberattack all of your bank accounts are reset to zero. What do you do? Apart from pointlessly e-mailing your congressman to complain about their shortsightedness in not developing a digital identity infrastructure, you would just use a credit card or get a loan from the bank, borrow some money from friends or apply to the government cyberattack relief program and carry on about your business.
But now suppose instead that you wake up and the Earth had passed through the tail of a mysterious comet and your identity is gone. Now you are absolutely screwed. You go to the bank to get some money and you can't prove who you are, so they won't give you any. Now you may have a little money for a few days, but when your cash runs out you are on your own.
To paraphrase the Fabulous Furry Freak Brothers (there’s one for my teenage audience to puzzle over), identity will get you through times of no money better than money will get you through times of no identity.
© 2020 Forbes Media LLC. All Rights Reserved