Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Self certification of bank account details using ID verified digital certificates #79

Closed
mpolavieja opened this issue Apr 25, 2019 · 31 comments
Labels
a:proposal https://bisq.wiki/Proposals re:features was:stalled

Comments

@mpolavieja
Copy link

mpolavieja commented Apr 25, 2019

This is a Bisq Network proposal. Please familiarize yourself with the submission and review process.

Introduction

This is a proposal related with this other one "Certification for ownership of a bank account" #23, but instead of basing the certification of ownership on performing a series of comprobation procedures through trusted intermediaries (arbitrators or validators) the system would rely on each user providing proof of ownership of his bank account data by signing it with a digital certificate in which the ID of the owner has been verified externally to Bisq.

Ideally, we should use digital certificates attested by a decentralized ID infrastructure (see here, here or here) but as there is none still deployed we can only rely on centralized issued digital certificates (private or government issuers). Therefore, if we rely on government infrastructure is just for convenience, as the core idea is not based on any centralized / government infrastructure but on open source digital signature standards.

Moreover, there is a reasonable chance that the development could be ported without much effort from centralized to decentralized, as today's centralized infrastructures are already using open source cryptographic standards such as ECDSA or SHA256.

Goal

Given that fiat bank accounts require providing personal information, the main goal of this proposal is to prevent the fraudulent impersonation of fiat bank account details within Bisq network, and at the same allowing honest users to override account age trading limitations (i.e. delays and max trade sizes), or to directly jump to a specific higher trusted level if a rating system is implemented.

This procedure is optional and does not need trusted intermediaries within Bisq nor any centralized storage of ID personal data.

There is no KYC service provider involved. In this case the equivalent to the KYC provider would be the digital certificate issuers, who will not know nor need to know absolutely anything about Bisq.

Assumptions:

  • It is unlikely that a scammer has managed to steal both access to a bank account and to the private keys of a digital certificate.

  • There is a significant Bisq user base that has easy access or already has an ID validated digital certificate

  • Standard Digital Certificates won´t provide significant additional information than the information the user is already providing on his bank account details. Maybe national ID number which anyway is already rather easy to find publicly once you know the name and last name of the user. It is important to note that if the digital certificate is to be used also for encrypting and signing emails and the user provides his real email in the certificate generation process for that purpose, then his email address will be part of the Digital Certificate. In this respect I ask for feedback from the community to review their certificates to see what kind of additional information is included.

Implementation overview

Initial caveat: If the implementation of this optional feature is considered incompatible with Bisq core principles by the Bisq community, it could be derived onto a second layer that interacts with Bisq liquidity network, where a Bisq node could allow other traders to interact only with him (using a Bisq fork or other Bisq protocol compatible app in that second layer) under the condition of having his bank details signed as outlined in this proposal.

There is already a rather widespread standard in Europe called Advanced Electronic Signature (AdES) that is legally and technically regulated by the European Union. The definition of AdES is: “It is the electronic signature that allows to identify the signatory and to detect any subsequent changes of the signed data, which is linked to the signatory in a unique way and to the data to which it refers and which has been created by means that the signatory can maintain under its exclusive control”.

AdES signatures are not legally equivalent to handwritten signature but shall not be rejected by the mere fact that they are electronic (i.e. if legally challenged, the signer bears the burden of the proof). Qualified Electronic Signatures (QES) are legally fully equivalent to handwritten signatures (i.e. if challenged, it is the challenger who bears the burden of the proof), and the additional requirement in comparison with AdES is that they also require a specialized hardware for each signature, such as the chips embedded on some National ID cards, which requires a hardware chip reader that almost no one has. So QES are not yet a practical path, AdES should be good enough. In the event we decide AdES is not good enough (i.e. weak personal identificatiojn procedure or 2FA not mandatory for signing), maybe this proposal won´t be feasible until better standards are available.

Because AdES based certificates must be accepted as legally valid on all EU member states, this would cover most SEPA countries, therefore it would cover a very significant proportion of SEPA Bisq EUR-BTC trading volume. It could even cover all SEPA countries if Bisq accepts AdES signatures of Bank account details from non EU countries such as Switzerland if Swiss users have an AdES compliant certificate. It could be also considered if this AdES digital certificates would be also valid outside Europe (US, Venezuela, Brazil, etc)

There are several formats of AdES, for internal use probably XAdES (based on XML) could be best, if we want it human readable another option is PAdES (final result is a pdf file). For more general details see https://en.wikipedia.org/wiki/Advanced_electronic_signature For detailed technical information, there are available libraries and technical support for the AdES standards:

The AdES standard requires that the Certification Authority verifies the Identity of the user, but it does not necessarily require a physical verification nor a 2FA procedure for signing, so if for Bisq we require one or both of those requisites, then we should filter and therefore maintain a whitelist to exclude certification authorities that do not require what we want. For example, Spanish government digital certificates required physical ID verification until June 2017 and do not require 2FA for signing. The european union based on its AML regulations allows each country to establish remote identification procedures for AdES and QES digital certificates. See Spain´s example here: https://www.sepblac.es/wp-content/uploads/2018/02/Autorizacion_video_identificacion.pdf)

In Spain, the government digital certificate issuer recently launched an Android application that allows to obtain a certificate by remote ID verification (through streaming video I believe, the details on how they verify ID within the android app are not available at this moment on issuer website).

Other AdES private certification authorities make remote verification ID procedures, and also require 2FA for signing, such as those adhered to https://cloudsignatureconsortium.org/.

Description and UI overview

When setting up a bank account in Bisq, the user would have the option to sign his account details with the digital certificate installed on his computer. The name inputted in the Bank account details must match exactly with the name of the digital certificate. The process would follow these steps:

  1. Bisq would make a call to the operating system to prompt the user to select a digital certificate
  2. User signs the payload data (his name and IBAN number)
  3. Bisq would have to check that the certificate is still valid and not revoked (TOR might require doing this through a relay), and that it belongs to Bisq minimum standards. IMO Bisq should just require AdES, because maintaining an ad-hoc whitelist would add complexity and possibly centralization.
  4. Bisq would verify that the name in the payload and the Bank details match (this could be done separately for name and surname).
  5. If names don't match, a pop up message should be shown to warn the user that names do not match and the signing process fails
  6. If names match, then Bisq stores the payload data and the digital signature together with the public key of the certificate.

When a trading peer opens a trade with that self-certified user, the process would be as follows:

  1. If the certificate is valid (not revoked and complies with the required standard), a “verify signature” option would be enabled within the user profile contextual menu
  2. The trading peer then could click that option and Bisq would verify the signature and payload data against the name specified in the bank account details and if successful would show a pop up with the message “Name specified in the bank details fully matches the name on user´s digital certificate”
  3. The pop-up contains a button that would make a call to the operating system to show the user certificate so it could be manually reviewed and verified by the trading peer.

Those 3 steps above could be abstracted away by showing a green / red signature icon if Bisq is able to do all the verification above in the background. The same way a closed / green lock works on the navigation bar of a browser when https is working.

Attack Vectors

If a scammer manages to fully compromise a computer, it is likely that he could obtain access to both user bank accounts and user digital certificate. Digital certificates that require 2FA from a different device for signing could be rather resilient to this attack.

Possible digital certificate providers

Apart from governments and specialised private certification authorities, in some countries such as Norway, Sweden or Finland Banks provide AdES compliant digital certificates to their clients. See the following links:

Private certification authorities that issue AdES compliant digital certificates at a reasonable cost that I have found are the following:

Note: National ID cards with embedded cryptographic chips require a hardware reader and might require to additionally get a Digital Certificate from a certification authority (maybe at a cost) depending on the country. RFID chips on passports are a memory that carries the passport’s data (name, high resolution picture, etc) but is not capable to perform cryptographic functions such as signing.

Feedback request to Bisq community

For me it is a bit difficult to find out in which countries digital certificates to interact with the government are free for private individuals. If you guys are so kind to provide me the following data from your country:

  • Cost: free / if not, yearly cost
  • Name of the Issuer and website
  • Type of Issuer: Government / Bank / other private certification authority
  • 2FA for signing: Yes / No
  • Allows remote ID verification?

I will collect it and update it in the following table:

Country Cost Type of Issuer 2FA Name or website of Issuer Remote ID verification
Austria Free Government No? ?
Spain Free Government No www.fnmt.es Yes
Sweden Free Bank Yes? Any bank adhered to BankID
Germany
France
Portugal
@meapistol
Copy link

meapistol commented Apr 25, 2019

Sweden:
Cost: free
Name of the Issuer and website: You get it from most banks, e. g. https://www.nordea.se/privat/produkter/mobilbank-internetbank/bank-id.html.
Type of Issuer: Bank
2FA for signing: I could not test the computer BankID. They have a mobile BankID. There is at least a company making 2FA for BankID (https://e-identitet.se/tjanster/inloggningsmetoder/signering-med-bankid/)

You get the BankID from your own bank in which you login using your mobile BankID or a special hardware device. To initially be able to log into your bank you have to go to the bank physically (at least in my bank) and get a one-time password or a special hardware device.

It is virtually impossible to steal a bank-account in Sweden since a BankID is needed both for logging in and for doing a fiat transfer.

@mpolavieja
Copy link
Author

Thanks @meapistol Do you know how is the ID verification process? Physical or remote?

@mpolavieja
Copy link
Author

mpolavieja commented Apr 25, 2019

A quick comment about potential use of digital certificates amongst Bisq users. I think there is a growing share of the population using them, at least in Europe. People in general don´t really care much about security, but do care about convenience.

It is clear that we all use paper less and less. Digital certificates are convenient for not having to print a document, sign it with a pen, and then scan it or make a picture. That´s a really UX hassle.

With a digital certificate you can just sign a pdf with a couple of clicks and you are done. It is significantly more convenient so that it might foster adoption.

@ManfredKarrer
Copy link
Contributor

Thanks @mpolavieja for the high quality proposal! You set new standards ;-)

@acrual
Copy link

acrual commented Apr 26, 2019

@mpolavieja apologies but although I have installed bisq in my computer, I haven't used it yet. I thought that no verification of an account was needed as bisq's software behaved as a escrow account. Given this, bitcoins do not move to the buyer until the seller doesn't confirm arrival of fiat, is that correct? So given this, why would anyone have any incentive to put any ohter account to charge the acquisition of bitcoins? Apologies, I'm pretty sure the explanation is very basic, but I must admit I'm very ignorant of how it must be used.

@ripcurlx
Copy link

@mpolavieja apologies but although I have installed bisq in my computer, I haven't used it yet. I thought that no verification of an account was needed as bisq's software behaved as a escrow account. Given this, bitcoins do not move to the buyer until the seller doesn't confirm arrival of fiat, is that correct? So given this, why would anyone have any incentive to put any ohter account to charge the acquisition of bitcoins? Apologies, I'm pretty sure the explanation is very basic, but I must admit I'm very ignorant of how it must be used.

That's correct, but the transfered fiat money can be recharged later if the bank account was stolen. So the certification step would make it very hard for scammers to use the stolen bank account in the first place.

@acrual
Copy link

acrual commented Apr 26, 2019

@ripcurlx Understood many thanks, I'll keep reading then :)

@acrual
Copy link

acrual commented Apr 26, 2019

Ok @mpolavieja I understood it, it is no doubt a significant improvement, congrats for a great idea!
Is this kind of digital certitications really widespread? I happen to have one in my computer for typical administrative tasks, but I'm not sure if that many people own it.
Anything eliminating the friction to interact with bitcoin is a very welcome proposal for me. Btw, congrats to those in the bisq team for such a great project. Hope I can get to use it asap :)

@mpolavieja
Copy link
Author

This would be an optional procedure to override BTC delayed payments for new accounts. BTC delayed payments for new accounts are needed to deterr fiat bank account thieves. A honest user can override this delay by this self verification process.

@mpolavieja
Copy link
Author

Regarding the use of digital certificates, in Spain there are 11 million persons using digital certificates (see http://www.ine.es/jaxi/Datos.htm?path=/t25/p450/a2010/&file=08028.px). I guess a significant share of those users is due to the fact that it is mandatory for business to use it for relationship with public administrations.

One other use of this self-certification would be to make easy onboarding for users that do not have any BTC at all, by allowing self-verified buyers to make low amount buying offers without security deposit and seller paying for all mining fees. If the buyer doesn´t finalize the transaction, his (hashed) identity would be banned for X months in Bisq (this would require mantaining a blacklist of hashed identities). Obviously, for this cases we need sellers that are willing to bear the risk of losing all mining fees of these kind of transactions for the sake of onboarding completely new BTC adopters.

@meapistol
Copy link

meapistol commented Apr 27, 2019

BankIDs are used in Sweden to login to many sites, including the tax office. They are also widely used to sign loan agreements over the internet (seldom a good idea). Similar solutions exist in Norway, Finland and Denmark where it is widely used.
Receiving money from a European bank without 2FA it will become safer using Bisq and the tradeID than using only the bank itself if digital certificates are used to sign the Bisq account.

@mpolavieja
Copy link
Author

Receiving money from a European bank without 2FA it will become safer using Bisq and the tradeID than using only the bank itself if digital certificates are used to sign the Bisq account.

Did not undertand this very well, sorry

@meapistol
Copy link

meapistol commented Apr 27, 2019

@mpolavieja I meant that if you receive fiat (not involving Bisq) from a non-2FA bank you have the risk the account was stolen. If you receive fiat from the same bank selling BTC over Bisq you have a much less risk, if the Bisq account data was signed by a digital certificate and the tradeID is in the bank message.

@mpolavieja
Copy link
Author

mpolavieja commented May 7, 2019

As I continue researching, it looks like the trend for id verification for digital certificates could go towards streaming video on mobile devices. This is allowed and regulated by the EU laws, specifically by the AML5 regulations (article 13.1.a). There are companies specialized in this like https://www.electronicid.eu/

Opposed to smart national ID cards that need a specific reader, it makes sense the trend goes this way because most people in Europe have a smartphone.

So if it is decided to implement this self-verification proposal, it should be implemented only if we think those remote mobile identification procedures are trustworthy enough.

@meapistol
Copy link

Mobile BankID is highly convenient and trustworthy but, according to a friend of mine, one needs to have a deal with a company to use it. This will make it impossible to use with Bisq which cannot make deals.

@acrual
Copy link

acrual commented May 9, 2019 via email

@mpolavieja
Copy link
Author

mpolavieja commented May 9, 2019

Are we sure that how BankID works is by issuing a digital certificate? If not, then BankID doesn´t work for this proposal. If yes, once the user gets the certificate from BankID, can´t he use it to sign wherever or whatever he wants without the BankID or the bank being involved at all?

@acrual
Copy link

acrual commented May 9, 2019 via email

@mpolavieja
Copy link
Author

There are solutions out there that are similar to google authenticator by requesting a code on your mobile each time you sign in. Those are considered legally electronic signatures, but the user is not provided with a digital certificate. Those kind of solutions are not reusable for this proposal.

@reipichu
Copy link

This would be a good solution for users who have access to these type of certificates, so long as the certificates do not reveal too much more unnecessary information, as you mentioned.

An important requirement that I don't see in the proposal (sorry if I missed it) is that Bisq would need to validate the chain of trust to the signing certificate authority, to ensure that the certificate is not self-signed or forged.

This means we would need to integrate the CA certificates into the client and have a process for adding or revoking new CA certificates. It would be very important to make sure that our system for doing so is secure, because if a scammer can get a fake CA certificate under their control into the Bisq CA store then they would be able to scam traders for even larger amounts, since the seller would have a false sense of security.

@mpolavieja
Copy link
Author

Bisq would need to validate the chain of trust to the signing certificate authority

This should be done through an API call to the Operating System. The Operating System already has a CA trust chain within its digital certificate repository.

@mpolavieja
Copy link
Author

Closed as stalled

@chimp1984
Copy link

I would prefer to open that proposal again. I think it is one of the strongest ideas for additional security features.

@mpolavieja
Copy link
Author

Please note that government issued Digital Certificates allow for remote ID verification to issue the digital certificates. As far as I have researched the way that remote ID is done seems secure enough, but if this is implemented we should be aware that we are relying on remote ID verification.

I would add that physical ID verification is not super strong either, at least in Spain. You go to any public office, show your passport or national ID card to a public worker and then he gives you the code to activate the certificate. He might not even check the photo in your ID at all.

So if we deem physical ID verification as secure, probably remote ID verification is at least as secure as physical verification.

@chimp1984
Copy link

Do you know how the remote ID verification is done?

@mpolavieja
Copy link
Author

Do you know how the remote ID verification is done?

There used to be a link at the spanish government issuer (FNMT), but I am unable to find it now, sorry. The European regulation eIDAS allows for it in article 24, but I haven't find any specific implentation apart from the FNMT one that I am not able to find now (maybe it was a project and they decided not to do it). The process, as far as I remember, was required to be with secure streaming video and audio between a person from the issuer and the client. Sorry I am not able to give a good answer at this time. I´ll try to get more reliable info.

@acrual
Copy link

acrual commented Nov 15, 2020

If I'm understanding correctly the topic, I used to have a customer that sold these ID solutions and it consisted of a camera that opened (for example from a website of a bank) and took a picture of you with your ID (front side). The video ran an OCR of your ID and recorded it in a backend so that in case of trouble there could be further verification by authorities or whoever it may concern. The entire process was hashed and signed by a certified 3rd party so that there was certainty that whatever was stored in the backend had not been tampered with

@mpolavieja
Copy link
Author

@acrual There are quite a bunch of remote KYC solutions out there, some of them used by banks. But for government issued digital certificates I have not found yet a specific implementation example.

@pazza83
Copy link

pazza83 commented May 9, 2021

Hi @mpolavieja thanks for the proposal. I am doing some housekeeping on the proposals. Please can you take steps to move this forward or alternatively close the proposal.

Ref: https://bisq.wiki/Proposals

@pazza83
Copy link

pazza83 commented May 31, 2021

Closing as stalled.

Ideas look promising and might be a direction that is taken in the future to enhance fiat account security.

@mpolavieja
Copy link
Author

Ok, sorry for not reacting. I just saw the message.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
a:proposal https://bisq.wiki/Proposals re:features was:stalled
Projects
None yet
Development

No branches or pull requests

10 participants