Tag Archive for: KYC

Decentralized Identity – Know Your Customer (KYC)


It is a well-established fact that credential theft is the most common attack vector cybercriminals use to defraud consumers. In fact, financial institutions globally spend hundreds of billions of dollars a year on anti-money laundering compliance and on technology solutions that help protect and authenticate consumer identity (e.g., identity proofing, biometrics, and multi-factor authentication, to name a few).

Creating and implementing effective customer identity verification processes is essential to reducing the risk of fraudulent transactions and ensuring regulatory compliance.

One such approach is to share information among banks and governments through a multi-step model called Know Your Customer (KYC). This may involve a central database maintained by a consortium of banks like SWIFT, whereby consumer data is used to verify the consumer's identity and identify any potential risks of doing business with them. Self-sovereign identity (SSI) is a new decentralized identity model that can help banks solve the existing challenges of sharing KYC information securely and cost-effectively.

With decentralized KYC, the customer can be issued a KYC verifiable credential that can be cryptographically verified and is stored in the customer’s mobile wallet. Verifiable credentials are trustworthy, tamper-proof, and machine-verifiable digital identity documents. They can be issued by KYC providers and verified by other service providers for authenticity and ownership. Issuance may be triggered proactively by the customer or as part of an existing KYC process. KYC verifiable credentials provide a strong benefit to all involved: a seamless customer experience, as well as simplified and more cost-effective processes for banks and service providers.

A lot of progress has been made in recent years in the field of self-sovereign identity:

  • Ratification of standards like W3C VC and DID
  • European Blockchain Services Infrastructure (EBSI) framework matured with POCs and pilot projects under way
  • eIDAS 2.0 close to being released
  • British Columbia Government launches VON (Verifiable Organizations Network)
  • Increased number of SSI networks all around the world

eIDAS 2.0…

Source…

KYC registering agency gets cyber vulnerability alert


A team of cyber security researchers red-flagged last Wednesday a critical security issue in SEBI-registered KYC registering agency CDSL Ventures Limited (CVL), which, it claimed, could be exploited for unauthorised access to sensitive personal and financial data of investors.

CVL is a wholly owned subsidiary of India’s largest securities depository Central Depository Services Limited. It facilitates centralised storing and safeguarding of investor information, provides fully digitised KYC services to market intermediaries and holds information of over 4 crore investors.

The vulnerability was fixed on Tuesday — a week after it was reported to CDSL, National Critical Information Infrastructure Protection Centre (NCIIPC) under National Technical Research Organisation, and CERT-In under the Ministry of Electronics and Information Technology (MEITY).

“Our researchers detected an authorisation vulnerability in one of the APIs (application programme interface) which allowed anyone capable of launching a malicious attack to retrieve extremely sensitive personal and financial information of around 4.39 crore investors who have obtained market securities KYC since 2005,” said Himanshu Pathak, founder of Chandigarh-based cyber security consultancy startup CyberX9.

When contacted, a CDSL spokesperson said in an email on Tuesday: “CDSL would like to clarify that there has been no security issue or data breach at CDSL. However, CVL has received a vulnerability alert on the website of CVL which has since been mitigated. There has been no data breach at CVL.” Emails to SEBI, NCIIPC and CERT-In seeking comment remained unanswered.

Investor KYC for market securities involves extended personal and financial data points: name, addresses, gender, marital status, PAN, email, annual income, net worth, Demat account number, broker details, client ID, etc., all of which were accessible at least until October 25 due to the authorisation vulnerability.

Access to KYC data can potentially enable malicious actors to launch customised attacks aimed at financial fraud, identity theft, extortion, impersonation etc. At another level, this dataset can also be used to disrupt the stock market through…

Source…