Why leaks of credit card data and ID scans really shouldn’t exist anymore

Every day, hackers steal credit card data, ID scans and other private information from websites to sell on the darknet. The worst consequences could have been prevented long ago: with cryptocurrencies and identity tokens, the tools already exist. What is lacking is the will of consumer advocates and governments.

Some things are a stupid idea, and yet most people do them. Paying on the Internet with a credit card, for example, although virtual currencies would work just as well. Cryptocurrencies have already replaced many fiat services in the finance industry, loans for example. BlockFi is one such provider; read more about it at http://www.bitcoinp2ploans.com/en/blockfi/.

A post by security analysts at Cyble shows just how dangerous it is to hand an Internet site your credit card details. The team had been browsing the darknet markets and came across a hacker offering the credit card details of 80,000 people for sale. The cards are from France, the U.S., Australia, the U.K., Canada, Singapore and India. According to Ciscomag, the card data is sold for $5 per card, payable in cryptocurrencies. Read more about cryptocurrencies here: https://overpool.network/the-six-segments-of-the-crypto-market/.

It is commonplace for websites to be hacked and data stolen. Sometimes the cause is a zero-day exploit for WordPress, Shopify or some other content management system; sometimes website owners have simply forgotten to apply a necessary update. Data on the Internet is rarely truly secure, least of all at small online stores. Not everyone is Amazon or eBay.

Credit card data is more or less the worst case for a data leak. Under certain circumstances, someone can go shopping with the stolen details online or in a store, and the victims only find out from their credit card statement. Most credit card providers will charge the payments back, but the customer still has the hassle, and the cost is ultimately socialized through cash withdrawal charges, unpaid bills at the store or card payment fees, so that customers end up paying indirectly anyway.

Credit card data theft can be prevented quite easily: do not pay by credit card on the Internet. The same probably applies to the account number you hand a website for a direct debit, and probably also for an instant bank transfer. PayPal should be relatively harmless here, but it comes with a US corporation selling your private data to umpteen third parties.

If consumer advocates and the government were serious about data protection, it would become standard for EVERY online store to also accept cryptocurrencies. After all, cryptocurrencies are one of the very few payment methods that neither create dangerous data such as credit card or IBAN numbers nor involve private data being stored and sold. Consumer protection should actively warn against online stores where you cannot pay with crypto.

Postal addresses and copies of IDs

But it’s not just credit card data that is regularly leaked. Cyble’s blog is a chamber of horrors; after a visit, you want to unplug the Internet.

For instance, the distributors of REvil ransomware have recently been threatening more and more often to leak stolen data. Read more at https://lifars.com/2021/05/revil-ransomware-gang-warns-stolen-apple-blueprint-leak/. At the online fashion store Plaza Collection, for example, they obtained a great deal of data about employees, customers and suppliers, including ID cards. Furthermore, Cyble found 100,000 IDs of Indian citizens for sale on a darknet market and was able to confirm their authenticity by sampling leaked examples. And just a few days earlier, a leak occurred at a Taiwanese government site, where the data of 20 million citizens was stolen. All of these are cases from just the last few weeks.

If you give your address data to an online store, sooner or later it will be leaked. That is more or less inevitable. That many people use parcel lockers (Packstations) for this reason is as understandable as it is sensible.

It gets nasty, however, when you have to entrust your ID to a website. Anyone who regularly visits crypto sites knows the procedure. It is unpleasant and unsettling every time you want to use a site, but it is also unavoidable. Then again, crypto platforms are known to be digital fortresses. In the event of a hack, credentials are the least of the problems to begin with, because there are usually many millions of dollars’ worth of cryptocurrency keys lying around on the servers. There is no industry where securing your own servers is as important as it is here. Therefore, I would almost be more worried about established financial service providers, sales platforms or other sites, such as gambling or domain sites, holding an ID document of mine.

The fact that you have to scan an ID at all to verify yourself is hopelessly outdated technology. Many exchanges try to work around this by requiring you to hold up a piece of paper with the date and a code to the camera when you take a selfie of yourself with your ID. But even that is piecemeal, like trying to improve the fax instead of writing an email. The only real solution is to do away with ID scans altogether.

Tokens instead of ID cards

You could use blockchains and tokens instead of ID scans. There are many ideas for a digital, blockchain-based identity, often built around a token. Consensys (https://consensys.net/) gives an overview of systems around Ethereum on the company blog, and the city government of the Swiss town of Zug is already experimenting with uPort’s solution. Here, an address on Ethereum is linked to an identity, which can also be verified. This way, people can identify themselves without showing their ID. Civic and many other startups are trying something similar.

  • The model itself is not complicated: you have a token, or an address, for which you alone hold the private key.
  • A third party trusted by you and by your business partners, which can also be a government, confirms that you are the owner of this token. The confirmation could also be issued together with an ID card.
  • Afterwards, you log in with the token, that is, by proving possession of its private key. In some circumstances, the third party could be involved in the process, for example to verify that the token is actually still tied to the person in question, through a short video chat or an SMS.
  • This would make it unnecessary for other companies to store copies of our IDs.
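The login flow sketched in the list above, as an added example rather than code from the article or from uPort, Civic or any other project it mentions. It assumes Ed25519 keys in place of Ethereum accounts, attestation and challenge formats invented here for the demo, placeholder claim strings such as "id-verified", and a relying party that trusts a fixed list of issuer keys. What it adds to the text: the relying party ends up with the token and the attested claims, never with an ID scan, and a response signed for another site, by a different key, or under an expired or tampered attestation is rejected.

```go
// Added example (not from the article or any project it names). Assumes Ed25519
// in place of an Ethereum secp256k1 account, message formats invented for the
// demo, and placeholder claim strings such as "id-verified".
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Attestation: the issuer vouches that whoever controls Token satisfies Claims.
type Attestation struct {
	Token     string // hex-encoded public key, used as the identity address
	Claims    []string
	NotAfter  time.Time
	Issuer    ed25519.PublicKey
	Signature []byte
}

// attestationBytes is the canonical string the issuer signs; it covers every field the verifier relies on.
func attestationBytes(token string, claims []string, notAfter time.Time) []byte {
	return []byte("attest|" + token + "|" + notAfter.UTC().Format(time.RFC3339) + "|" + strings.Join(claims, ";"))
}

// Issue is run by the trusted third party, e.g. the authority that hands out ID cards.
func Issue(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, claims []string, notAfter time.Time) Attestation {
	token := hex.EncodeToString(holderPub)
	return Attestation{
		Token:     token,
		Claims:    claims,
		NotAfter:  notAfter,
		Issuer:    issuerPriv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(issuerPriv, attestationBytes(token, claims, notAfter)),
	}
}

// Challenge is what the relying party sends. Binding its own name and a random
// nonce means a response signed for one site cannot be replayed at another.
type Challenge struct {
	RelyingParty string
	Nonce        []byte
	IssuedAt     time.Time
}

func NewChallenge(relyingParty string) Challenge {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return Challenge{RelyingParty: relyingParty, Nonce: nonce, IssuedAt: time.Now()}
}

func (c Challenge) bytes() []byte {
	return []byte("login|" + c.RelyingParty + "|" + hex.EncodeToString(c.Nonce) + "|" + c.IssuedAt.UTC().Format(time.RFC3339))
}

// Respond runs on the holder's device: sign the challenge with the token's private key.
func Respond(holderPriv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(holderPriv, c.bytes())
}

// VerifyLogin is run by the relying party; it learns only the token and the attested claims.
func VerifyLogin(trusted []ed25519.PublicKey, att Attestation, c Challenge, response []byte, now time.Time) ([]string, error) {
	trustedIssuer := false
	for _, t := range trusted {
		trustedIssuer = trustedIssuer || t.Equal(att.Issuer)
	}
	switch {
	case !trustedIssuer:
		return nil, errors.New("attestation not from a trusted issuer")
	case now.After(att.NotAfter):
		return nil, errors.New("attestation expired")
	case !ed25519.Verify(att.Issuer, attestationBytes(att.Token, att.Claims, att.NotAfter), att.Signature):
		return nil, errors.New("attestation signature invalid")
	case now.Sub(c.IssuedAt) > 2*time.Minute:
		return nil, errors.New("challenge too old")
	}
	holderPub, err := hex.DecodeString(att.Token)
	if err != nil || len(holderPub) != ed25519.PublicKeySize {
		return nil, errors.New("malformed token")
	}
	if !ed25519.Verify(ed25519.PublicKey(holderPub), c.bytes(), response) {
		return nil, errors.New("responder does not control the token's private key")
	}
	return att.Claims, nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	att := Issue(issuerPriv, holderPub, []string{"id-verified", "over-18"}, time.Now().Add(365*24*time.Hour))
	ch := NewChallenge("exchange.example")
	claims, err := VerifyLogin([]ed25519.PublicKey{issuerPub}, att, ch, Respond(holderPriv, ch), time.Now())
	fmt.Println(claims, err) // [id-verified over-18] <nil>
}
```

The verifier checks the issuer before anything else, so an attestation from an unknown issuer never reaches the signature check, and the challenge carries the relying party's own name and a nonce so that a signature captured at one site is useless at another. The optional re-verification by the third party that the list mentions (video chat or SMS) would sit in front of VerifyLogin as an extra step and is not modelled here.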

Under certain circumstances, the process could also be extended to postal addresses: you develop an address token, and when you present it to the merchant, the merchant can fetch the address once from a partner. The merchant would then not need to store it on their own server.

While the address token is still a thing of the future, and perhaps the least pressing problem, solutions for tokenizing identity documents are already well underway and, given the recurring data leaks, are a pressing issue. The fact that governments and financial industry advocacy groups are not pushing more vigorously for binding solutions and standards here is an enormous oversight, and one that everyone whose ID eventually ends up for sale on the darknet will suffer for.

The situation is even more pathetic when it comes to payment. Credit cards and direct debits are offered almost everywhere, even though the dangers of these methods have been demonstrated again and again. The safest and most private form of payment, cryptocurrencies, is hardly accepted anywhere. This can only be seen as a failure of consumer protection and data privacy. The solution has been there for a long time; it should be ensured that it is finally used.