Fractal ID Hack - Call for New KYC/KYB Service Provider Nominations

Dear Arbitrum DAO community,

On July 14th, Fractal ID experienced a major data breach. As one of the 5,000 victims, I’m calling for immediate action.

My compromised data includes:

  • Name
  • Email addresses
  • Wallet addresses
  • Physical addresses (pro and personal)
  • Images of uploaded documents, including IDs, company’s docs…

Fractal ID can’t confirm which specific data was downloaded.

This breach exposes us to potential identity theft and fraud. We need a new, secure KYC/KYB provider ASAP.

Nomination criteria:

  1. Top-tier security measures
  2. Transparent data handling
  3. Crypto industry experience

I’m inviting everyone concerned by this issue to submit nominations with provider details, security protocols, and references.

Deadline: August 15th, 2024, 23:59pm UTC.

Let’s prioritize our community’s safety and privacy.

6 Likes

You’ll find below some unvetted service providers to kickstart some discussions prior to drafting a proposal.

  1. Chainalysis: Specializes in crypto compliance
  2. Elliptic: Offers blockchain analytics and crypto AML solutions
  3. Coinfirm: Provides AML/CTF solutions for crypto assets
  4. Jumio: Offers AI-powered identity verification and AML screening
  5. Onfido: Provides AI-based identity verification services
  6. Civic: Blockchain-based identity verification platform
  7. Sumsub: Offers KYC/AML and fraud prevention solutions
  8. Shufti Pro: Provides KYC/AML compliance services
  9. Passbase: Offers identity verification and KYC solutions
  10. Synaps: Specializes in crypto-native KYC/AML solutions

Hi @mcfly

Given the circumstances around the Fractal ID Hack, we (the Arbitrum Foundation) are actively looking to onboard alternative compliance providers, so we can provide community members with a choice. It is also worth noting that many ecosystems, not just Arbitrum, are reliant on Fractal ID and as a result are impacted by this hack.

2 Likes

This can be mitigated by:

  • Use multi-factor authentication (MFA) for all operator accounts.
  • Apply the principle of least privilege, limiting access rights to only what’s necessary for each role.
  • Enhance API security:
    • Implement rate limiting and more granular access controls on APIs.
    • Use API keys with limited scopes and rotate them regularly.
    • Encrypt and digitally sign API queries and responses.
  • Adopt a security-by-design approach:
    • Incorporate security considerations from the earliest stages of development.
    • Reduce attack surface areas through secure coding practices and continuous monitoring.
  • Conduct regular security audits:
    • Perform thorough code audits before deployment, especially for smart contracts.
    • Carry out regular penetration testing to identify vulnerabilities.
  • Implement secure data management:
    • Use encryption for sensitive data both at rest and in transit.
    • Consider implementing data compartmentalization to limit the impact of potential breaches.
  • Improve incident response:
    • Develop and regularly test an incident response plan to reduce detection and containment time.
    • Implement real-time monitoring and alerting systems for suspicious activities.
  • Enhance employee security awareness:
    • Provide regular security training to all employees, especially those with access to sensitive systems.
    • Implement strict background checks for employees with privileged access.
  • Use Web Application Firewalls (WAFs):
    • Implement WAFs to protect against common web application vulnerabilities.
  • Consider decentralized identity solutions:
    • Explore the use of decentralized identity management to reduce centralized points of failure.
  • Implement a bug bounty program:
    • Encourage responsible disclosure of vulnerabilities through a well-structured bug bounty program.

2 Likes

Mitigation after this hack? Doesn’t exist! See for real consequences here why you must NOT fuck up the only job you had with this kind of data.
Upside? If your country still allows self-defense in 2024, better know how to open a safe quickly.

2 Likes

Hi,
I’ve just finished a book called UnRegulatable: Building Unstoppable Financial Systems - it will be published in September. A correctly built DAO should not need very much KYC if any. But, in many cases it will be required. In this case, I also represent KYC3, the leading boutique provider of self-hosted KYC for alternative finance. Happy to explore how we can minimize your KYC requirements and effectively cover those that remain.
We’ve had no data loss in 10 years of operation and I am a leading blockchain and crypto expert in the EU advising regulators and the EC directly, with more than 20 years fintech experience.
Looking forward to contributing.
Cheers,
Jedi

1 Like

Hi @mcfly and Arbitrum community, I believe the Holonym tools will help. Zeronym is a zero-knowledge KYC protocol we have built, and it has secured 150,000 identities against data leaks by keeping credentials client side and proving them with ZK instead of revealing them in plaintext.

We released proof of clean hands to be compliant with the relevant regulatory guidelines of FATF, MiCA, GDPR, etc.

These tools should be able to satisfy most KYC requirements yet they do not store data on any centralized server so that data breaches are far less likely.

Hope this helps 🙂 happy to answer any questions!

Any progress on that?