Can I trust MtGox with my passport?

by Stubborn Mule on 12 June 2013 · 11 comments

In March 2013, the US Financial Crimes Enforcement Network (“FinCEN”) published a statement saying that companies which facilitate buying and selling of “virtual” currencies like Bitcoin constitute “money service businesses” and are subject to reporting obligations designed to prevent money laundering and other financial crimes.

A couple of months later, the seizure by US authorities of Liberty Reserve has shaken money service businesses around the world, whether they deal in “real” or “virtual” currencies.

Two days later, the largest Bitcoin exchange, MtGox, tightened their anti-money laundering (AML) controls, posting the following statement on its website:

Attention Users: From May 30th 2013 all withdrawals and deposits in fiat [real] currency will require account verification. However withdrawals and deposits in Bitcoin (BTC) do not require verification.

What MtGox is attempting to do here is meet one of the most fundamental requirements of AML legislation around the world: know your customer. It is so fundamental that it too earns its own three-letter abbreviation, KYC.

So, how does an online business like MtGox verify the identity of its customers? After all, you can’t walk into the local MtGox branch with a fistful of paperwork. Instead, you must upload a scan of “proof of identity” (passport, national ID card or driver’s licence) and “proof of residency” (a utility bill or tax return).

MtGox are not alone in this approach. More and more online money service businesses are attempting to get on the right side of AML rules by performing verification in this way.

Here in Australia, there are still some Bitcoin brokers which do no verification whatsoever, including BitInnovate (who helped me buy my first Bitcoin) and OmniCoins. Australia’s AML regulator, AUSTRAC, publishes a list of “designated services”, which make businesses subject to reporting obligations including customer verification. The list includes

exchanging one currency (whether Australian or not) for another (whether Australian or not), where the exchange is provided in the course of carrying on a currency exchange business

So I strongly suspect that all local Bitcoin brokers too will soon be demanding scans of your driving licence and electricity bill.

But is the MtGox approach to customer verification a good idea? I don’t think so. I believe it is a bad idea for MtGox and a bad idea for their customers.

It is a bad idea for MtGox because scans of fake identity documents are very easy to come by. For example, one vendor at the online black market Silk Road offers custom UK passport scans with the name and photo of your choice, complete with a scan of a matching utility bill.

It’s a bad idea for the customer too, because it exposes them to increased risk of identity theft. Although my intentions were not criminal, I chose BitInnovate when I bought Bitcoin precisely because I did not have to provide any personal documents. How well do you know MtGox or any other online money service? How confident are you that they will be able to keep their copies of your documents secure? Securing data is hard. Every other week it seems that there are stories of hackers gaining access to supposedly secure password databases. I have no doubt that scans of identity documents will also find their way into the wrong hands.

So what is the alternative?

Third party identity management.

Using a passport or driver’s licence scan is effectively outsourcing identity verification to the passport office or motor registry respectively. Before the days of high quality scanning and printing, these documents were difficult to forge. A better solution is to retain the idea of outsourcing, but adapt the mechanism to today’s technology.

Here’s how it could work.

A number of organisations would establish themselves as third party identity managers. These organisations should be widely trusted and, ideally, have existing experience in identity verification. Obvious examples are banks and government agencies such as the passport office.

Then if I wanted to open an account with MtGox, its website would provide a list of identity managers it trusted. Scrolling through the list, I may discover that my bank is on the list. Perfect! When I first opened an account with my bank I went through an identity verification (IDV) check (ideally, this would have been done in person and, even better, the bank would have some way to authenticate my passport or driver’s licence*), so my bank can vouch for my identity. I can then click on the “verify” link and I am redirected to my bank’s website. Being a cautious fellow, I check the extended validation certificate, so I know it really is my bank. I then log into my bank using multi-factor authentication. My bank now knows it’s really me and it presents me with a screen saying that MtGox has asked for my identity to be validated and, in the process, has requested some of the personal data my bank has on file. The page lists the requested items: name, address, email address and nationality. I click “authorise” and find myself redirected to MtGox and a screen saying “identity successfully verified”.

MtGox is now more confident of my true identity than they would be with scanned documents and I have kept to a minimum the amount of information I need to provide to MtGox: no more than is required to meet their AML obligations.

This authentication protocol is a relatively straightforward enhancement to the “OAuth” protocol used by sites like Twitter and Facebook today. OAuth itself is subject to some controversy, and it may be better to create a new standard specifically for high trust identity management applications like this, but the tools exist to put identity management on a much safer footing.

* Today, unfortunately, banks and other private sector entities are not readily able to authenticate passports or driver’s licences. Once government agencies are able to provide this service, the options for third party identity management will be even greater.
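The flow sketched above can be made concrete with a small simulation. The following is an added example, not code from the original post or from MtGox, any bank or any OAuth library: a relying party (the exchange) issues a verification request carrying a one-time state and nonce and the list of attributes it needs; the identity manager (the bank) authenticates the user itself, shows what was requested, and on approval returns a signed assertion containing only those attributes; the exchange checks the signature, the audience, the one-time nonce and the expiry before accepting it. The customer records, the user name and password, and the shared HMAC secret are all constructed for the demonstration (a production design would use public-key signatures and the bank’s real multi-factor login), but the checks are the ones that make the scheme safer than a document scan: the bank vouches for data it verified in person, the exchange never sees anything it did not ask for, and a captured assertion cannot be replayed or presented to a different site.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data: what the bank verified when the account was opened.
# Fields the exchange never asks for (date_of_birth, balance) must never leave the bank.
BANK_RECORDS = {
    "alice": {
        "name": "Alice Example",
        "address": "1 Example St, Sydney NSW 2000",
        "email": "alice@example.com",
        "nationality": "AU",
        "date_of_birth": "1980-01-01",
        "balance": 12345.67,
    }
}
BANK_PASSWORDS = {"alice": "correct-horse-battery-staple"}  # stands in for the bank's MFA login

# Constructed shared secret between bank and exchange; a real deployment would use the
# bank's public key so the exchange holds nothing that could forge an assertion.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
ASSERTION_TTL = 300  # seconds an assertion stays valid


def canonical(obj):
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(payload):
    return hmac.new(SHARED_SECRET, canonical(payload), hashlib.sha256).hexdigest()


class RelyingParty:
    """The exchange: asks for the minimum attributes its AML obligations require."""
    REQUIRED_CLAIMS = ("name", "address", "email", "nationality")

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.pending = {}  # state -> nonce for each verification still in progress

    def start_verification(self):
        # This request is what the user carries to the bank (a redirect URL in practice).
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return {"rp": self.rp_id, "state": state, "nonce": nonce,
                "claims": list(self.REQUIRED_CLAIMS)}

    def finish_verification(self, assertion, now=None):
        """Returns (claims, message); claims is None if the assertion is rejected."""
        now = time.time() if now is None else now
        sig = assertion.get("sig", "")
        payload = {k: v for k, v in assertion.items() if k != "sig"}
        if not hmac.compare_digest(sig, sign(payload)):
            return None, "bad signature"
        if payload.get("aud") != self.rp_id:
            return None, "assertion issued for another relying party"
        nonce = self.pending.pop(payload.get("state"), None)  # one-shot: defeats replay
        if nonce is None or nonce != payload.get("nonce"):
            return None, "unknown or reused state/nonce"
        if now > payload.get("exp", 0):
            return None, "assertion expired"
        if set(payload["claims"]) - set(self.REQUIRED_CLAIMS):
            return None, "bank sent more attributes than were requested"
        return payload["claims"], "identity successfully verified"


class IdentityManager:
    """The bank: authenticates the user itself and vouches only for requested attributes."""

    def __init__(self, records, passwords, issuer="bank"):
        self.records, self.passwords, self.issuer = records, passwords, issuer

    def authorise(self, request, username, password, user_approves):
        """Returns a signed assertion, or None if login fails or the user declines."""
        if not hmac.compare_digest(self.passwords.get(username, ""), password):
            return None
        if not user_approves:  # the consent screen listing request["claims"]
            return None
        record = self.records[username]
        # Data minimisation: release only the attributes the exchange asked for.
        claims = {k: record[k] for k in request["claims"] if k in record}
        payload = {"iss": self.issuer, "aud": request["rp"], "state": request["state"],
                   "nonce": request["nonce"], "exp": time.time() + ASSERTION_TTL,
                   "claims": claims}
        return {**payload, "sig": sign(payload)}


def run_flow(password=BANK_PASSWORDS["alice"], approves=True):
    """The happy path end to end: returns what the exchange ends up knowing about Alice."""
    exchange = RelyingParty("mtgox")
    bank = IdentityManager(BANK_RECORDS, BANK_PASSWORDS)
    request = exchange.start_verification()
    assertion = bank.authorise(request, "alice", password, approves)
    if assertion is None:
        return None, "bank did not issue an assertion"
    return exchange.finish_verification(assertion)


if __name__ == "__main__":
    print(run_flow())
```

Note that the assertion is bound to one request (state and nonce), one audience and a short lifetime, so the same data the bank released to the exchange is useless to anyone else who obtains it, which is the property a passport scan can never have once it is copied.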


1 IC June 13, 2013 at 7:55 am

Regulators want to clamp down on ML not only because of AML objectives but because this is an easy way for the banking system to shut out competitors. Impose onerous barriers to entry and you get less competition. We’ve seen this recently in Australia where some banking organisations have publicly called out Google and Apple as potential targets for banking regulators should they decide to set up alternate payment systems. Yes banks dislike regulation but will acquiesce if it shuts out real competitive forces from the system. And at least in Australia it looks like the regulator has a preference for keeping banking a relatively closed shop.

2 WisdomTooth June 13, 2013 at 11:36 am

Bitcoin, Namecoin, Devcoin, Litecoin, Ixcoin, PPCoin, Terracoin, Feathercoin… whadde?? Can you shed some light on this, Stub?

I reckon Facebook and Google are more likely to be trusted identity verifiers than banks, and banks to outsource identity verification to them. It’s a technology business, not a financial one. I’ll wager this will sprout first in the startup space, and then be phagocytosed by the big techos.

There you go, Stub, there’s a business idea you can pursue or invest in, with a captive client. Count me in, if you do ;)

3 WisdomTooth June 13, 2013 at 11:49 am

Btw, this went a fair distance over my head. I can’t think of many people, if any, to explain it better than you, Stub:

http://alternatecryptocurrency.blogspot.com.au/2012/05/why-do-people-mine-alternate-coins.html

4 Stubborn Mule June 13, 2013 at 5:34 pm

@IC you are a cynical fellow!

@WisdomTooth I did think about Google and Facebook as authenticators, but right now I don’t think they quite fit the bill. They do implement the technology side well (variants of OAuth), but today the only authentication that Google or Facebook can really provide is that you have control of the email address used to open the Gmail or Facebook account. Neither of them does verification of your name, address, country of residence, etc. It might be old-fashioned, but I think that effective initial verification still requires a face-to-face meeting (which is done, for example, when you apply for a passport) and Facebook and Google will never be able to do this. One possible approach would be if, say, the passport office were to provide identity authentication services, then Facebook and Google could use that service to identify you and once that is done, they can then provide authentication of your identity to other sites.

5 Stubborn Mule June 14, 2013 at 9:08 am

@IC thinking about this a bit more, I think that there are plenty of barriers to entry to banking other than AML legislation and if banks were given the option to eliminate all AML obligations at the wave of a wand, they would jump at the chance.

6 WisdomTooth June 14, 2013 at 11:00 am

Not so sure, Stub, big corporations like regulation just as much as dealers like prohibition. They can use it to keep upstarts at bay, and nab at each other’s share of the pie. It’s called regulatory competition in the .gov parlance, and is particularly true of principle-based regulation, in which they can not only point their fingers but also set the bar ;)

7 Stubborn Mule June 14, 2013 at 11:13 am

@WisdomTooth I don’t disagree with the general point, but in this specific case, I’m just drawing on my own observations of how painful banks seem to find getting AML requirements right.

8 IC June 14, 2013 at 6:25 pm

Agree SM. NB the qualifier “not only” in my rather cynical comment.

9 `Polino June 21, 2013 at 3:04 am

Linda Support has joined the room
Linda Support
Welcome to Mt.Gox Live Chat Support
Jus******
withdrawal btc
Linda Support
Hello, This is Linda from Mtgox chat support. How may I assist you today?
Jus******
HI< PLS ADVICE WHY CAN'T I WITHDRAW BTC to my wallet
Linda Support
Not to worry, I will try my best to help you.
Linda Support
Could you please provide the account number or account username to proceed further?
Jus******
M@ *******
Linda Support
Thank you for the information.
Linda Support
May I place you on hold while I check your records?
Jus******
Waiting
Linda Support
Thank you for being on hold.
Linda Support
We are sorry to inform you that our AML team flagged off your account for verification.
Linda Support
We will check this further and will keep you updated on this.
Jus******
what does it mean? i see on my site the accoun is verified
Linda Support
Your account has been flagged for AML 2 verification.
Jus******
it was always verified, I had withdraw BTC many times in the past
Linda Support
Yes, On checking I can see that your account has been flagged for AML 2 verification.
Linda Support
Not to worry, I will have this checked and will keep you updated on this as soon as possible.
Jus******
who has flagged for verification and based on which instruction?
Jus******
I see on your site the rule that no verifications required for BTC withdrawal
Linda Support
Due to financial policy changes we need the documents for further validation of the account
Linda Support
We need these documents for verification at our banking end as well
Jus******
could you pls send me refference to this policy?
Linda Support
These are recent changes that we made as per the updates provided by our bank
Linda Support
Please reply if you are still working with us.
Jus******
and? can I see this changed policy? and why this is necessary if I only withdraw my BTC?
Jus******
I am not asking for cash
Linda Support
Could you please let me know what happens when you try to withdraw BTC/
Jus******
"Your account is currently pending review, please visithttps://mtgox.com/forms/verification"
Linda Support
Sorry wrong window.
Linda Support
I understand that you are unable to make any withdrawals
Linda Support
Kindly complete the trusted status process to get full access to the account
Jus******
true
Jus******
I have verified status already half year working with you, I am not going to deal with amounth more than 50K
Jus******
i don't need trusted status
Jus******
in al your rues is written that I don't need trusted status to withdraw BTC
Linda Support
I am sorry to inform you that as your account is flagged for trusted status verification, you will not be able to withdraw BTC.
Linda Support
Please verify your account to trusted status in order to withdraw BTC.
Jus******
what is the base of this status? why?
Jus******
pls refer to rule or instruction
Linda Support
This is a new update provide by our bank and you will have to have your account verified to trusted status.
Linda Support
Please reply if you are still working with us.
Jus******
I could accept this explanation in case I am asking for cash, but what is the link between bank and BTC? I pay you money from my account and want BTC to my wallet.
Jus******
Bank can't rule this
Jus******
this was in initial condition why everybody worked with BTC
Jus******
you don't keep your promisses
Jus******
what you are sayin is not written at your site, i don't trust this explanation
Linda Support
We will forward this to our AML team and will keep you updated as soon as possible.
Linda Support
Thank you for contacting Mtgox chat support.
Jus******
are you sure that banks nowadays regulate BTCs?

10 Magnus June 24, 2013 at 5:42 pm

A really perceptive article, the model you describe is already in place at http://www.miiCard.com where we leverage the trust already established between you and your bank.

Really importantly, when the user asserts their identity with miiCard they do NOT need to expose their sensitive data. Also, we don’t use document scans or background data checks to estimate identity.

We already work in the BitCoin space with TradeHill – we only have coverage across about 10 countries – and in some of those only partial coverage but, we’re getting there.

11 Andy March 12, 2014 at 9:50 pm

Isn’t It Ironic: Mt.Gox Hacker Demands Ransom From Exchange Users To Not Reveal Their Personal Data
-http://www.zerohedge.com/news/2014-03-11/isnt-it-ironic-mtgox-hacker-demands-ransom-exchange-users-not-reveal-their-personal-

Hackers Hit Mt. Gox Exchange’s CEO, Claim To Publish Evidence Of Fraud
-http://www.forbes.com/sites/andygreenberg/2014/03/09/hackers-hit-mt-gox-exchanges-ceo-claim-to-publish-evidence-of-fraud/
