Given the circumstances around the Fractal ID Hack, we (the Arbitrum Foundation) are actively looking to onboard alternative compliance providers, so we can provide community members with a choice. It is also worth noting that many ecosystems, not just Arbitrum, are reliant on Fractal ID and as a result are impacted by this hack.
This can be mitigated by:
Use multi-factor authentication (MFA) for all operator accounts.
Apply the principle of least privilege, limiting access rights to only what’s necessary for each role.
Enhance API security:
Implement rate limiting and more granular access controls on APIs.
Use API keys with limited scopes and rotate them regularly.
Encrypt and digitally sign API queries and responses.
Adopt a security-by-design approach:
Incorporate security considerations from the earliest stages of development.
Reduce attack surface areas through secure coding practices and continuous monitoring.
Conduct regular security audits:
Perform thorough code audits before deployment, especially for smart contracts.
Carry out regular penetration testing to identify vulnerabilities.
Implement secure data management:
Use encryption for sensitive data both at rest and in transit.
Consider implementing data compartmentalization to limit the impact of potential breaches.
Improve incident response:
Develop and regularly test an incident response plan to reduce detection and containment time.
Implement real-time monitoring and alerting systems for suspicious activities.
Enhance employee security awareness:
Provide regular security training to all employees, especially those with access to sensitive systems.
Implement strict background checks for employees with privileged access.
Use Web Application Firewalls (WAFs):
Implement WAFs to protect against common web application vulnerabilities.
Consider decentralized identity solutions:
Explore the use of decentralized identity management to reduce centralized points of failure.
Implement a bug bounty program:
Encourage responsible disclosure of vulnerabilities through a well-structured bug bounty program.
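As an added example (not code from the original post, from Arbitrum, or from Fractal ID), here is one way to implement the scoped, regularly rotated API keys and the signed requests from the "Enhance API security" items above. The in-memory key store, the scope names such as `kyc:read`, the canonical request format and the sample payload are all assumptions of this example; a real service would persist keys and use TLS for the encryption part.

```python
"""Scoped, expiring API keys with HMAC-signed requests (hypothetical example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class ApiKey:
    key_id: str
    secret: bytes
    scopes: frozenset
    expires_at: float          # Unix time after which the key is refused


class KeyStore:
    """In-memory key registry standing in for whatever a real service persists."""

    def __init__(self):
        self._keys = {}

    def issue(self, scopes, ttl_seconds, now=None):
        """Mint a key limited to the given scopes that expires after ttl_seconds."""
        now = time.time() if now is None else now
        key_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._keys[key_id] = ApiKey(key_id, secret, frozenset(scopes), now + ttl_seconds)
        return key_id, secret

    def rotate(self, key_id, ttl_seconds, grace_seconds=300, now=None):
        """Issue a replacement with the same scopes; the old key only survives a short grace window."""
        now = time.time() if now is None else now
        old = self._keys[key_id]
        old.expires_at = min(old.expires_at, now + grace_seconds)
        return self.issue(old.scopes, ttl_seconds, now)

    def get(self, key_id):
        return self._keys.get(key_id)


def canonical_request(method, path, timestamp, body):
    # Bind method, path, timestamp and a body digest into one string so none can be swapped.
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret, method, path, timestamp, body):
    """Client side: HMAC-SHA256 over the canonical request, hex encoded."""
    return hmac.new(secret, canonical_request(method, path, timestamp, body), hashlib.sha256).hexdigest()


def verify_request(store, key_id, signature, method, path, timestamp, body,
                   required_scope, now=None, max_skew=300):
    """Server side: return 'ok' or the reason for rejection, cheapest checks first."""
    now = time.time() if now is None else now
    key = store.get(key_id)
    if key is None:
        return "unknown_key"
    if now >= key.expires_at:
        return "expired"
    if required_scope not in key.scopes:
        return "insufficient_scope"
    if abs(now - timestamp) > max_skew:
        return "stale_timestamp"   # narrows the window in which a captured request can be replayed
    expected = sign_request(key.secret, method, path, timestamp, body)
    if not hmac.compare_digest(expected, signature):
        return "bad_signature"     # constant-time compare; path, body or secret does not match
    return "ok"


if __name__ == "__main__":
    store = KeyStore()
    kid, secret = store.issue({"kyc:read"}, ttl_seconds=3600)
    ts = int(time.time())
    body = b'{"user": 42}'        # constructed sample payload
    sig = sign_request(secret, "GET", "/v1/kyc/status", ts, body)
    print(verify_request(store, kid, sig, "GET", "/v1/kyc/status", ts, body, "kyc:read"))
    print(verify_request(store, kid, sig, "GET", "/v1/kyc/status", ts, body, "kyc:write"))
```

The timestamp check only bounds replay to the skew window; to close it fully the server would also record each (key_id, timestamp, signature) it has accepted and refuse repeats. Rotation keeps the old key alive for a short grace period so clients can switch without an outage, after which it is refused like any expired key.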
Mitigation after this hack? Doesn’t exist! See here for the real consequences of why you must NOT fuck up the only job you had with this kind of data.
Upside? If your country still allows self-defense in 2024, better know how to open a safe quickly.
Hi,
I’ve just finished a book called UnRegulatable: Building Unstoppable Financial Systems - it will be published in September. A correctly built DAO should not need very much KYC if any. But, in many cases it will be required. In this case, I also represent KYC3, the leading boutique provider of self-hosted KYC for alternative finance. Happy to explore how we can minimize your KYC requirements and effectively cover those that remain.
We’ve had no data loss in 10 years of operation and I am a leading blockchain and crypto expert in the EU advising regulators and the EC directly, with more than 20 years fintech experience.
Looking forward to contributing.
Cheers,
Jedi
Hi @mcfly and Arbitrum community, I believe the Holonym tools will help. Zeronym is a zero-knowledge KYC protocol we have built, and it has secured 150,000 identities against data leaks by keeping credentials client side and proving them with ZK instead of revealing them in plaintext.
We released proof of clean hands to be compliant with the relevant regulatory guidelines of FATF, MiCA, GDPR, etc.
These tools should be able to satisfy most KYC requirements, yet they do not store data on any centralized server, so data breaches are far less likely.