Can I trust MtGox with my passport?

In March 2013, the US Financial Crimes Enforcement Network (FinCEN) published a statement saying that companies which facilitate the buying and selling of “virtual” currencies like Bitcoin constitute “money service businesses” and are subject to reporting obligations designed to prevent money laundering and other financial crimes.

A couple of months later, the seizure by US authorities of Liberty Reserve has shaken money service businesses around the world, whether they deal in “real” or “virtual” currencies.

Two days later, the largest Bitcoin exchange, MtGox, tightened its anti-money laundering (AML) controls, posting the following statement on its website:

Attention Users: From May 30th 2013 all withdrawals and deposits in fiat [real] currency will require account verification. However withdrawals and deposits in Bitcoin (BTC) do not require verification.

What MtGox is attempting to do here is meet one of the most fundamental requirements of AML legislation around the world: know your customer. It is so fundamental that it too earns its own three-letter abbreviation, KYC.

So, how does an online business like MtGox verify the identity of its customers? After all, you can’t walk into the local MtGox branch with a fistful of paperwork. Instead, you must upload a scan of “proof of identity” (passport, national ID card or driver’s licence) and “proof of residency” (a utility bill or tax return).

MtGox are not alone in this approach. More and more online money service businesses are attempting to get on the right side of AML rules by performing verification in this way.

Here in Australia, there are still some Bitcoin brokers which do no verification whatsoever, including BitInnovate (who helped me buy my first Bitcoin) and OmniCoins. Australia’s AML regulator, AUSTRAC, publishes a list of “designated services” which make a business subject to reporting obligations, including customer verification. The list includes

exchanging one currency (whether Australian or not) for another (whether Australian or not), where the exchange is provided in the course of carrying on a currency exchange business

So I strongly suspect that all local Bitcoin brokers too will soon be demanding scans of your driving licence and electricity bill.

But is the MtGox approach to customer verification a good idea? I don’t think so. I believe it is a bad idea for MtGox and a bad idea for their customers.

It is a bad idea for MtGox because scans of fake identity documents are very easy to come by. For example, one vendor at the online black market Silk Road offers custom UK passport scans with the name and photo of your choice, complete with a scan of a matching utility bill.

It’s a bad idea for the customer too, because it exposes them to increased risk of identity theft. Although my intentions were not criminal, I chose BitInnovate when I bought Bitcoin precisely because I did not have to provide any personal documents. How well do you know MtGox or any other online money service? How confident are you that they will be able to keep their copies of your documents secure? Securing data is hard. Every other week it seems that there are stories of hackers gaining access to supposedly secure password databases. I have no doubt that scans of identity documents will also find their way into the wrong hands.

So what is the alternative?

Third party identity management.

Using a passport or driver’s licence scan is effectively outsourcing identity verification to the passport office or motor registry respectively. Before the days of high quality scanning and printing, these documents were difficult to forge. A better solution is to retain the idea of outsourcing, but adapt the mechanism to today’s technology.

Here’s how it could work.

A number of organisations would establish themselves as third party identity managers. These organisations should be widely trusted and, ideally, have existing experience in identity verification. Obvious examples are banks and government agencies such as the passport office.

Then if I wanted to open an account with MtGox, its website would provide a list of identity managers it trusted. Scrolling through the list, I may discover that my bank is on the list. Perfect! When I first opened an account with my bank I went through an identity verification (IDV) check (ideally, this would have been done in person and, even better, the bank would have some way to authenticate my passport or driver’s licence*), so my bank can vouch for my identity. I can then click on the “verify” link and I am redirected to my bank’s website. Being a cautious fellow, I check the extended validation certificate, so I know it really is my bank. I then log into my bank using multi-factor authentication. My bank now knows it’s really me and it presents me with a screen saying that MtGox has asked for my identity to be validated and, in the process, has requested some of the personal data my bank has on file. The page lists the requested items: name, address, email address and nationality. I click “authorise” and find myself redirected to MtGox and a screen saying “identity successfully verified”.

MtGox is now more confident of my true identity than they would be with scanned documents and I have kept to a minimum the amount of information I need to provide to MtGox: no more than is required to meet their AML obligations.

This authentication protocol is a relatively straightforward enhancement to the “OAuth” protocol used by sites like Twitter and Facebook today. OAuth itself is subject to some controversy, and it may be better to create a new standard specifically for high trust identity management applications like this, but the tools exist to put identity management on a much safer footing.

* Today, unfortunately, banks and other private sector entities are not readily able to authenticate passports or driver’s licences. Once government agencies are able to provide this service, the options for third party identity management will be even greater.
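As an added illustration (not code from this post, from MtGox or from any bank), here is a Python sketch of the three-party flow described above: the exchange keeps a list of identity managers it trusts, the user authorises the bank to release only the requested attributes, and the exchange checks the assertion’s issuer, integrity, audience, nonce and expiry before accepting it. The identity manager name `examplebank`, the audience string `mtgox-example`, the shared HMAC key and Alice’s record are all constructed for the demo; a real deployment would use public-key signatures rather than a shared key.

```python
import hashlib, hmac, json, secrets, time

# Constructed demo: the bank shares an HMAC key with the exchange (real: public-key sigs).
TRUSTED_IDMS = {"examplebank": b"constructed-demo-key-not-for-real-use"}
REQUESTED_ATTRS = ("name", "address", "email", "nationality")
AUDIENCE = "mtgox-example"  # hypothetical identifier for the relying party

# Constructed KYC record held by the bank; it holds more than the exchange needs.
SAMPLE_RECORDS = {"alice": {"name": "Alice Example", "address": "1 Demo St, Sydney",
                            "email": "alice@example.test", "nationality": "AU",
                            "date_of_birth": "1980-01-01", "balance": "123.45"}}

class IdentityManager:
    """Stands in for the bank: authenticates the user and issues a signed assertion."""
    def __init__(self, idm_id, key, records):
        self.idm_id, self.key, self.records = idm_id, key, records

    def assert_identity(self, user, requested, audience, nonce, consent):
        # Release only the attributes the user authorised (data minimisation).
        if not consent or user not in self.records:
            return None
        record = self.records[user]
        claims = {"iss": self.idm_id, "aud": audience, "nonce": nonce,
                  "exp": int(time.time()) + 300,
                  "attrs": {k: record[k] for k in requested if k in record}}
        payload = json.dumps(claims, sort_keys=True).encode()
        return {"payload": payload,
                "tag": hmac.new(self.key, payload, hashlib.sha256).hexdigest()}

def verify_assertion(assertion, nonce, now=None):
    """Exchange side: trusted issuer, intact tag, right audience, fresh nonce, unexpired."""
    claims = json.loads(assertion["payload"])
    key = TRUSTED_IDMS.get(claims.get("iss"))
    if key is None:
        return None  # issuer not on the exchange's trusted list
    expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["tag"]):
        return None  # forged or tampered assertion
    if claims.get("aud") != AUDIENCE or claims.get("nonce") != nonce:
        return None  # issued for another site, or replayed
    if (time.time() if now is None else now) > claims["exp"]:
        return None  # stale assertion
    return claims["attrs"]

def demo(consent=True):
    """Whole flow: exchange picks a nonce, bank asserts, exchange verifies."""
    bank = IdentityManager("examplebank", TRUSTED_IDMS["examplebank"], SAMPLE_RECORDS)
    nonce = secrets.token_hex(16)  # binds the assertion to this verification attempt
    assertion = bank.assert_identity("alice", REQUESTED_ATTRS, AUDIENCE, nonce, consent)
    return None if assertion is None else verify_assertion(assertion, nonce)
```

Note that the exchange ends up holding only the four requested attributes, never the date of birth or balance the bank also has on file.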


11 thoughts on “Can I trust MtGox with my passport?”

  1. IC

    Regulators want to clamp down on ML not only because of AML objectives but because this is an easy way for the banking system to shut out competitors. Impose onerous barriers to entry and you get less competition. We’ve seen this recently in Australia where some banking organisations have publicly called out Google and Apple as potential targets for banking regulators should they decide to set up alternate payment systems. Yes banks dislike regulation but will acquiesce if it shuts out real competitive forces from the system. And at least in Australia it looks like the regulator has a preference for keeping banking a relatively closed shop.

  2. WisdomTooth

    Bitcoin, Namecoin, Devcoin, Litecoin, Ixcoin, PPCoin, Terracoin, Feathercoin… whadde?? Can you shed some light on this, Stub?

    I reckon Facebook and Google are more likely to be trusted identity verifiers than banks, and banks to outsource identity verification to them. It’s a technology business, not a financial one. I’ll wager this will sprout first in the startup space, and then be phagocytosed by the big techos.

    There you go, Stub, there’s a business idea you can pursue or invest in, with a captive client. Count me in, if you do ;)

  3. Stubborn Mule Post author

    @IC you are a cynical fellow!

    @WisdomTooth I did think about Google and Facebook as authenticators, but right now I don’t think they quite fit the bill. They do implement the technology side well (variants of OAuth), but today the only authentication that Google or Facebook can really provide is that you have control of the email address used to open the Gmail or Facebook account. Neither of them does verification of your name, address, country of residence, etc. It might be old-fashioned, but I think that effective initial verification still requires a face-to-face meeting (which is done, for example, when you apply for a passport) and Facebook and Google will never be able to do this. One possible approach would be if, say, the passport office were to provide identity authentication services, then Facebook and Google could use that service to identify you and once that is done, they can then provide authentication of your identity to other sites.

  4. Stubborn Mule Post author

    @IC thinking about this a bit more, I think that there are plenty of barriers to entry to banking other than AML legislation and if banks were given the option to eliminate all AML obligations at the wave of a wand, they would jump at the chance.

  5. WisdomTooth

    Not so sure, Stub, big corporations like regulation just as much as dealers like prohibition. They can use it to keep upstarts at bay, and nab at each other’s share of the pie. It’s called regulatory competition in the .gov parlance, and is particularly true of principle-based regulation, in which they can not only point their fingers but also set the bar ;)

  6. Stubborn Mule Post author

    @WisdomTooth I don’t disagree with the general point, but in this specific case, I’m just drawing on my own observations of how painful banks seem to find getting AML requirements right.

  7. `Polino

    Linda Support has joined the room
    Linda Support
    Welcome to Mt.Gox Live Chat Support
    Jus******
    withdrawal btc
    Linda Support
    Hello, This is Linda from Mtgox chat support. How may I assist you today?
    Jus******
    HI, PLS ADVISE WHY CAN'T I WITHDRAW BTC to my wallet
    Linda Support
    Not to worry, I will try my best to help you.
    Linda Support
    Could you please provide the account number or account username to proceed further?
    Jus******
    M@ *******
    Linda Support
    Thank you for the information.
    Linda Support
    May I place you on hold while I check your records?
    Jus******
    Waiting
    Linda Support
    Thank you for being on hold.
    Linda Support
    We are sorry to inform you that our AML team flagged off your account for verification.
    Linda Support
    We will check this further and will keep you updated on this.
    Jus******
    what does it mean? i see on my site the account is verified
    Linda Support
    Your account has been flagged for AML 2 verification.
    Jus******
    it was always verified, I had withdrawn BTC many times in the past
    Linda Support
    Yes, On checking I can see that your account has been flagged for AML 2 verification.
    Linda Support
    Not to worry, I will have this checked and will keep you updated on this as soon as possible.
    Jus******
    who has flagged for verification and based on which instruction?
    Jus******
    I see on your site the rule that no verifications required for BTC withdrawal
    Linda Support
    Due to financial policy changes we need the documents for further validation of the account
    Linda Support
    We need these documents for verification at our banking end as well
    Jus******
    could you pls send me reference to this policy?
    Linda Support
    These are recent changes that we made as per the updates provided by our bank
    Linda Support
    Please reply if you are still working with us.
    Jus******
    and? can I see this changed policy? and why this is necessary if I only withdraw my BTC?
    Jus******
    I am not asking for cash
    Linda Support
    Could you please let me know what happens when you try to withdraw BTC?
    Jus******
    "Your account is currently pending review, please visit https://mtgox.com/forms/verification"
    Linda Support
    Sorry wrong window.
    Linda Support
    I understand that you are unable to make any withdrawals
    Linda Support
    Kindly complete the trusted status process to get full access to the account
    Jus******
    true
    Jus******
    I have verified status already half year working with you, I am not going to deal with amount more than 50K
    Jus******
    i don't need trusted status
    Jus******
    in all your rules is written that I don't need trusted status to withdraw BTC
    Linda Support
    I am sorry to inform you that as your account is flagged for trusted status verification, you will not be able to withdraw BTC.
    Linda Support
    Please verify your account to trusted status in order to withdraw BTC.
    Jus******
    what is the base of this status? why?
    Jus******
    pls refer to rule or instruction
    Linda Support
    This is a new update provided by our bank and you will have to have your account verified to trusted status.
    Linda Support
    Please reply if you are still working with us.
    Jus******
    I could accept this explanation in case I am asking for cash, but what is the link between bank and BTC? I pay you money from my account and want BTC to my wallet.
    Jus******
    Bank can't rule this
    Jus******
    this was in initial condition why everybody worked with BTC
    Jus******
    you don't keep your promises
    Jus******
    what you are saying is not written at your site, i don't trust this explanation
    Linda Support
    We will forward this to our AML team and will keep you updated as soon as possible.
    Linda Support
    Thank you for contacting Mtgox chat support.
    Jus******
    are you sure that banks nowadays regulate BTCs?

  8. Magnus

    A really perceptive article, the model you describe is already in place at http://www.miiCard.com where we leverage the trust already established between you and your bank.

    Really importantly, when the user asserts their identity with miiCard they do NOT need to expose their sensitive data. Also, we don’t use document scans or background data checks to estimate identity.

    We already work in the BitCoin space with TradeHill – we only have coverage across about 10 countries – and in some of those only partial coverage but, we’re getting there.

  9. Andy

    Isn’t It Ironic: Mt.Gox Hacker Demands Ransom From Exchange Users To Not Reveal Their Personal Data
    -http://www.zerohedge.com/news/2014-03-11/isnt-it-ironic-mtgox-hacker-demands-ransom-exchange-users-not-reveal-their-personal-

    Hackers Hit Mt. Gox Exchange’s CEO, Claim To Publish Evidence Of Fraud
    -http://www.forbes.com/sites/andygreenberg/2014/03/09/hackers-hit-mt-gox-exchanges-ceo-claim-to-publish-evidence-of-fraud/
