KYC Could Be Exposed To Malicious Attackers With Poorly-Secured Web Designs
Harry Denley, a security analyst at the crypto startup MyCrypto, recently investigated another crypto startup that looked suspicious. According to Decrypt, the website raised several red flags, and in the end it turned out to be exposing its users' KYC information.
Crypto Startup Exposes KYC Documents
One of the first red flags Denley noticed was that the team photos posted on the website were fake. The CMO, listed as Rizwan Gras, used a picture of a college professor named Jonathan Schiff.
The website was also built on WordPress rather than a purpose-built backend, and a directory left open on the site made roughly 15,000 KYC documents publicly accessible. According to Denley, these included passports, IDs and driving licenses from many countries, among them Venezuela, Italy, Russia, Ukraine and South Korea.
On the matter, he commented:
“These types of documents are important. If passed to the wrong hands and combined with other data, people can use these to damage you in various ways: they can steal your identity, steal your money, destroy your credit rating, destroy your reputation and cause major problems in your life.”
According to some reports, a hacker had separately claimed to have obtained a large number of such documents from major exchanges such as Kraken and Binance and was offering them online for $1,000.
Denley also noted that such a poor backend does not reflect well on a blockchain startup founded by experts in management, business and logistics.
Speaking to Decrypt, he explained that if an engineer leaves a specific directory open, anyone can reach the documents simply by entering a predictable URL. KYC and AML policies are now the standard, and firms that fail to comply with KYC and AML regulations can be fined up to $10 million.
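The exposure described above is a web server returning an auto-generated index for a folder that holds uploaded documents. The following is an added example, not code from the article, from MyCrypto or from the startup in question: it detects such a listing, enumerates the files it reveals, and flags names that look like identity documents. The sample HTML is constructed to resemble an Apache autoindex page for a WordPress uploads folder; the hostname, path and file names are invented.

```python
"""
Detect an exposed directory listing and enumerate the files it reveals.
Added example; the sample listing below is constructed, not captured.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: what a server with directory listing enabled returns
# for a WordPress uploads folder. Host, path and file names are made up.
SAMPLE_LISTING_HTML = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /wp-content/uploads/kyc</title></head>
<body><h1>Index of /wp-content/uploads/kyc</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<hr><a href="/wp-content/uploads/">Parent Directory</a>
<a href="passport_scan_0001.jpg">passport_scan_0001.jpg</a> 2019-03-01 10:12 412K
<a href="drivers_licence_0002.pdf">drivers_licence_0002.pdf</a> 2019-03-01 10:15 1.1M
<a href="selfie_0003.png">selfie_0003.png</a> 2019-03-01 10:20 900K
<a href="logo.png">logo.png</a> 2019-03-01 09:00 12K
<a href="archive/">archive/</a> 2019-03-02 08:00 -
<hr></pre></body></html>
"""

# Hypothetical base URL used only to build absolute links in the example.
BASE_URL = "https://example.invalid/wp-content/uploads/kyc/"

# File names that suggest identity documents (heuristic, not exhaustive).
KYC_NAME_PATTERN = re.compile(r"passport|licen[cs]e|national[_-]?id|selfie|kyc", re.I)


class _LinkCollector(HTMLParser):
    """Collect href values from every <a> tag in the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(html: str) -> bool:
    """True if the page looks like a web server's auto-generated index."""
    return re.search(r"<title>\s*Index of\s+/", html, re.IGNORECASE) is not None


def exposed_files(base_url: str, html: str) -> list:
    """Absolute URLs of the files a directory listing exposes.

    Column-sort links ("?C=..."), the parent-directory link and subfolders
    are skipped; only directly downloadable entries are returned.
    """
    if not is_directory_listing(html):
        return []
    collector = _LinkCollector()
    collector.feed(html)
    files = []
    for href in collector.hrefs:
        if href.startswith(("?", "/", "../")) or href.endswith("/"):
            continue
        files.append(urljoin(base_url, href))
    return files


def flag_sensitive(urls: list) -> list:
    """Subset of URLs whose file name looks like an identity document."""
    return [u for u in urls if KYC_NAME_PATTERN.search(u.rsplit("/", 1)[-1])]


if __name__ == "__main__":
    found = exposed_files(BASE_URL, SAMPLE_LISTING_HTML)
    print(f"{len(found)} files exposed, {len(flag_sensitive(found))} look like KYC documents")
    for url in flag_sensitive(found):
        print("  ", url)
```

Two caveats a practitioner would add. Disabling the listing (Apache `Options -Indexes`, nginx `autoindex off;`) only stops enumeration; as the article notes, a file under a guessable path is still served to anyone who types the URL. Uploaded identity documents therefore belong outside the web root, or behind a handler that checks the requester's session before streaming the file, rather than in a world-readable uploads folder.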
Today, many new token offerings are conducted on exchanges such as Binance or Huobi. According to Denley, these Initial Exchange Offerings (IEOs) are run in cooperation with compliance providers such as Chainalysis or Refinitiv.
In general, ICOs and STOs handle KYC themselves, which makes it harder for them to stay compliant. IEOs instead rely on the exchange and its partner platforms to meet these regulations.