Self certification of bank account details using ID verified digital certificates #79
Comments
Sweden: You get the BankID from your own bank, in which you log in using your mobile BankID or a special hardware device. To initially be able to log into your bank you have to go to the bank physically (at least in my bank) and get a one-time password or a special hardware device. It is virtually impossible to steal a bank account in Sweden since a BankID is needed both for logging in and for doing a fiat transfer.
Thanks @meapistol. Do you know how the ID verification process works? Physical or remote?
A quick comment about potential use of digital certificates amongst Bisq users. I think there is a growing share of the population using them, at least in Europe. People in general don't really care much about security, but do care about convenience. It is clear that we all use paper less and less. Digital certificates are convenient for not having to print a document, sign it with a pen, and then scan it or make a picture. That's a real UX hassle. With a digital certificate you can just sign a pdf with a couple of clicks and you are done. It is significantly more convenient, so it might foster adoption.
Thanks @mpolavieja for the high quality proposal! You set new standards ;-)
@mpolavieja apologies, but although I have installed Bisq on my computer, I haven't used it yet. I thought that no verification of an account was needed as Bisq's software behaved as an escrow account. Given this, bitcoins do not move to the buyer until the seller confirms arrival of fiat, is that correct? So given this, why would anyone have any incentive to put any other account to charge the acquisition of bitcoins? Apologies, I'm pretty sure the explanation is very basic, but I must admit I'm very ignorant of how it must be used.
That's correct, but the transferred fiat money can be recharged later if the bank account was stolen. So the certification step would make it very hard for scammers to use the stolen bank account in the first place.
@ripcurlx Understood, many thanks, I'll keep reading then :)
Ok @mpolavieja I understood it, it is no doubt a significant improvement, congrats for a great idea!
This would be an optional procedure to override BTC delayed payments for new accounts. BTC delayed payments for new accounts are needed to deter fiat bank account thieves. An honest user can override this delay by this self verification process.
Regarding the use of digital certificates, in Spain there are 11 million persons using digital certificates (see http://www.ine.es/jaxi/Datos.htm?path=/t25/p450/a2010/&file=08028.px). I guess a significant share of those users is due to the fact that it is mandatory for businesses to use it for their relationship with public administrations. One other use of this self-certification would be to make onboarding easy for users that do not have any BTC at all, by allowing self-verified buyers to make low amount buying offers without security deposit and with the seller paying for all mining fees. If the buyer doesn't finalize the transaction, his (hashed) identity would be banned for X months in Bisq (this would require maintaining a blacklist of hashed identities). Obviously, for these cases we need sellers that are willing to bear the risk of losing all mining fees of these kinds of transactions for the sake of onboarding completely new BTC adopters.
BankIDs are used in Sweden to log in to many sites, including the tax office. They are also widely used to sign loan agreements over the internet (seldom a good idea). Similar solutions exist in Norway, Finland and Denmark where they are widely used.
Did not understand this very well, sorry
@mpolavieja I meant that if you receive fiat (not involving Bisq) from a non-2FA bank you have the risk the account was stolen. If you receive fiat from the same bank selling BTC over Bisq you have much less risk, if the Bisq account data was signed by a digital certificate and the tradeID is in the bank message.
As I continue researching, it looks like the trend for ID verification for digital certificates could go towards streaming video on mobile devices. This is allowed and regulated by the EU laws, specifically by the AML5 regulations (article 13.1.a). There are companies specialized in this like https://www.electronicid.eu/ As opposed to smart national ID cards that need a specific reader, it makes sense the trend goes this way because most people in Europe have a smartphone. So if it is decided to implement this self-verification proposal, it should be implemented only if we think those remote mobile identification procedures are trustworthy enough.
Mobile BankID is highly convenient and trustworthy but, according to a friend of mine, one needs to have a deal with a company to use it. This will make it impossible to use with Bisq which cannot make deals.
Indeed, I worked as a business developer for a company that developed a similar onboarding solution and you need a supplier of electronic signature to store such videos, hash them etc... I know a few in Spain but I guess that would be an important point of failure.
Are we sure that how BankID works is by issuing a digital certificate? If not, then BankID doesn't work for this proposal. If yes, once the user gets the certificate from BankID, can't he use it to sign wherever or whatever he wants without the BankID or the bank being involved at all?
Not with the system I was familiar with. The procedure worked for that purpose only, for example, to onboard with a bank. Once you did, it would be useful only for any process with that bank, but not for any other. This was on a mobile phone though, so there might have been limitations to provide a more comprehensive solution. I'm afraid I'm not familiar enough with the technicalities and legalities of it.
There are solutions out there that are similar to Google Authenticator by requesting a code on your mobile each time you sign in. Those are considered legally electronic signatures, but the user is not provided with a digital certificate. Those kinds of solutions are not reusable for this proposal.
This would be a good solution for users who have access to these types of certificates, so long as the certificates do not reveal too much more unnecessary information, as you mentioned. An important requirement that I don't see in the proposal (sorry if I missed it) is that Bisq would need to validate the chain of trust to the signing certificate authority, to ensure that the certificate is not self-signed or forged. This means we would need to integrate the CA certificates into the client and have a process for adding or revoking new CA certificates. It would be very important to make sure that our system for doing so is secure, because if a scammer can get a fake CA certificate under their control into the Bisq CA store then they would be able to scam traders for even larger amounts, since the seller would have a false sense of security.
This should be done through an API call to the Operating System. The Operating System already has a CA trust chain within its digital certificate repository.
Closed as stalled
I would prefer to open that proposal again. I think it is one of the strongest ideas for additional security features.
Please note that government issued Digital Certificates allow for remote ID verification to issue the digital certificates. As far as I have researched the way that remote ID is done seems secure enough, but if this is implemented we should be aware that we are relying on remote ID verification. I would add that physical ID verification is not super strong either, at least in Spain. You go to any public office, show your passport or national ID card to a public worker and then he gives you the code to activate the certificate. He might not even check the photo in your ID at all. So if we deem physical ID verification as secure, probably remote ID verification is at least as secure as physical verification.
Do you know how the remote ID verification is done?
There used to be a link at the Spanish government issuer (FNMT), but I am unable to find it now, sorry. The European regulation eIDAS allows for it in article 24, but I haven't found any specific implementation apart from the FNMT one that I am not able to find now (maybe it was a project and they decided not to do it). The process, as far as I remember, was required to be with secure streaming video and audio between a person from the issuer and the client. Sorry I am not able to give a good answer at this time. I'll try to get more reliable info.
If I'm understanding the topic correctly, I used to have a customer that sold these ID solutions and it consisted of a camera that opened (for example from a website of a bank) and took a picture of you with your ID (front side). The video ran an OCR of your ID and recorded it in a backend so that in case of trouble there could be further verification by authorities or whoever it may concern. The entire process was hashed and signed by a certified 3rd party so that there was certainty that whatever was stored in the backend had not been tampered with.
@acrual There are quite a bunch of remote KYC solutions out there, some of them used by banks. But for government issued digital certificates I have not found yet a specific implementation example.
Hi @mpolavieja thanks for the proposal. I am doing some housekeeping on the proposals. Please can you take steps to move this forward or alternatively close the proposal.
Closing as stalled. Ideas look promising and might be a direction that is taken in the future to enhance fiat account security.
Ok, sorry for not reacting. I just saw the message.
Introduction
This is a proposal related to this other one, "Certification for ownership of a bank account" #23, but instead of basing the certification of ownership on performing a series of verification procedures through trusted intermediaries (arbitrators or validators), the system would rely on each user providing proof of ownership of his bank account data by signing it with a digital certificate in which the ID of the owner has been verified externally to Bisq.
Ideally, we should use digital certificates attested by a decentralized ID infrastructure (see here, here or here) but as there is none deployed yet we can only rely on centrally issued digital certificates (private or government issuers). Therefore, relying on government infrastructure is just for convenience, as the core idea is not based on any centralized / government infrastructure but on open source digital signature standards.
Moreover, there is a reasonable chance that the development could be ported without much effort from centralized to decentralized, as today's centralized infrastructures are already using open source cryptographic standards such as ECDSA or SHA256.
Goal
Given that fiat bank accounts require providing personal information, the main goal of this proposal is to prevent the fraudulent impersonation of fiat bank account details within the Bisq network, and at the same time allowing honest users to override account age trading limitations (i.e. delays and max trade sizes), or to directly jump to a specific higher trusted level if a rating system is implemented.
This procedure is optional and does not need trusted intermediaries within Bisq nor any centralized storage of ID personal data.
There is no KYC service provider involved. In this case the equivalent to the KYC provider would be the digital certificate issuers, who will not know nor need to know absolutely anything about Bisq.
Assumptions:
It is unlikely that a scammer has managed to steal both access to a bank account and to the private keys of a digital certificate.
There is a significant Bisq user base that has easy access or already has an ID validated digital certificate
Standard Digital Certificates won't provide significant additional information than the information the user is already providing on his bank account details. Maybe national ID number, which anyway is already rather easy to find publicly once you know the name and last name of the user. It is important to note that if the digital certificate is to be used also for encrypting and signing emails and the user provides his real email in the certificate generation process for that purpose, then his email address will be part of the Digital Certificate. In this respect I ask for feedback from the community to review their certificates to see what kind of additional information is included.
Implementation overview
Initial caveat: If the implementation of this optional feature is considered incompatible with Bisq core principles by the Bisq community, it could be derived onto a second layer that interacts with Bisq liquidity network, where a Bisq node could allow other traders to interact only with him (using a Bisq fork or other Bisq protocol compatible app in that second layer) under the condition of having his bank details signed as outlined in this proposal.
There is already a rather widespread standard in Europe called Advanced Electronic Signature (AdES) that is legally and technically regulated by the European Union. The definition of AdES is: “It is the electronic signature that allows to identify the signatory and to detect any subsequent changes of the signed data, which is linked to the signatory in a unique way and to the data to which it refers and which has been created by means that the signatory can maintain under its exclusive control”.
AdES signatures are not legally equivalent to handwritten signatures but shall not be rejected by the mere fact that they are electronic (i.e. if legally challenged, the signer bears the burden of the proof). Qualified Electronic Signatures (QES) are legally fully equivalent to handwritten signatures (i.e. if challenged, it is the challenger who bears the burden of the proof), and the additional requirement in comparison with AdES is that they also require specialized hardware for each signature, such as the chips embedded on some National ID cards, which requires a hardware chip reader that almost no one has. So QES are not yet a practical path; AdES should be good enough. In the event we decide AdES is not good enough (i.e. weak personal identification procedure or 2FA not mandatory for signing), maybe this proposal won't be feasible until better standards are available.
Because AdES based certificates must be accepted as legally valid in all EU member states, this would cover most SEPA countries, therefore it would cover a very significant proportion of SEPA Bisq EUR-BTC trading volume. It could even cover all SEPA countries if Bisq accepts AdES signatures of bank account details from non EU countries such as Switzerland, if Swiss users have an AdES compliant certificate. It could also be considered whether these AdES digital certificates would also be valid outside Europe (US, Venezuela, Brazil, etc.).
There are several formats of AdES, for internal use probably XAdES (based on XML) could be best, if we want it human readable another option is PAdES (final result is a pdf file). For more general details see https://en.wikipedia.org/wiki/Advanced_electronic_signature For detailed technical information, there are available libraries and technical support for the AdES standards:
The AdES standard requires that the Certification Authority verifies the identity of the user, but it does not necessarily require a physical verification nor a 2FA procedure for signing, so if for Bisq we require one or both of those requisites, then we should filter and therefore maintain a whitelist to exclude certification authorities that do not require what we want. For example, Spanish government digital certificates required physical ID verification until June 2017 and do not require 2FA for signing. The European Union, based on its AML regulations, allows each country to establish remote identification procedures for AdES and QES digital certificates. See Spain's example here: https://www.sepblac.es/wp-content/uploads/2018/02/Autorizacion_video_identificacion.pdf
In Spain, the government digital certificate issuer recently launched an Android application that allows obtaining a certificate by remote ID verification (through streaming video, I believe; the details on how they verify ID within the Android app are not available at this moment on the issuer's website).
Other AdES private certification authorities make remote verification ID procedures, and also require 2FA for signing, such as those adhered to https://cloudsignatureconsortium.org/.
Description and UI overview
When setting up a bank account in Bisq, the user would have the option to sign his account details with the digital certificate installed on his computer. The name inputted in the Bank account details must match exactly with the name of the digital certificate. The process would follow these steps:
When a trading peer opens a trade with that self-certified user, the process would be as follows:
Those 3 steps above could be abstracted away by showing a green / red signature icon if Bisq is able to do all the verification above in the background. The same way a closed / green lock works on the navigation bar of a browser when https is working.
Attack Vectors
If a scammer manages to fully compromise a computer, it is likely that he could obtain access to both user bank accounts and user digital certificate. Digital certificates that require 2FA from a different device for signing could be rather resilient to this attack.
Possible digital certificate providers
Apart from governments and specialised private certification authorities, in some countries such as Norway, Sweden or Finland Banks provide AdES compliant digital certificates to their clients. See the following links:
Private certification authorities that issue AdES compliant digital certificates at a reasonable cost that I have found are the following:
Note: National ID cards with embedded cryptographic chips require a hardware reader and might require additionally getting a Digital Certificate from a certification authority (maybe at a cost) depending on the country. RFID chips on passports are a memory that carries the passport's data (name, high resolution picture, etc.) but is not capable of performing cryptographic functions such as signing.
Feedback request to Bisq community
For me it is a bit difficult to find out in which countries digital certificates to interact with the government are free for private individuals. If you guys would be so kind as to provide me the following data from your country:
I will collect it and update it in the following table:
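As an added example (not Bisq code and not an AdES/XAdES library), here is the peer-side check that the comment above about validating the chain of trust and the "Description and UI overview" section call for: the signer's certificate must chain to a whitelisted root, its subject name must exactly match the holder name in the account details, and the signature must cover those details. It assumes a plain ECDSA P-256 / SHA-256 signature over a constructed field layout in place of the AdES envelope; the `BankDetails` type, the `issueCert`, `SignDetails`, `VerifyDetails` and `Scenario` functions, the CA, the names and the IBANs are all constructed for this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// BankDetails stands in for the account fields a Bisq user would sign (constructed, not Bisq's real schema).
type BankDetails struct{ HolderName, IBAN string }
// digest hashes a fixed byte layout of the details so that signer and verifier operate on identical data.
func (d BankDetails) digest() []byte { h := sha256.Sum256([]byte("name=" + d.HolderName + "\niban=" + d.IBAN)); return h[:] }
// issueCert makes a fresh P-256 key and an X.509 certificate for subject; with parent == nil it is a self-signed CA.
func issueCert(subject string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der) // demo fixture: errors are ignored for brevity
	return cert, key
}
// SignDetails: the account owner signs the digest with the private key behind the certificate.
func SignDetails(d BankDetails, key *ecdsa.PrivateKey) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, key, d.digest()) }
// VerifyDetails is the peer-side check: chain of trust to a whitelisted root, exact name match, then the signature.
func VerifyDetails(d BankDetails, sig []byte, cert *x509.Certificate, roots *x509.CertPool) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return errors.New("chain of trust: " + err.Error()) // self-signed or unknown CA ends here
	}
	if cert.Subject.CommonName != d.HolderName {
		return errors.New("holder name does not match certificate subject")
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, d.digest(), sig) {
		return errors.New("signature does not cover these account details")
	}
	return nil
}
// Scenario: honest signed details, the same signature over altered details, and a certificate from an unknown root.
func Scenario() (honest, tampered, forged error) {
	ca, caKey := issueCert("Whitelisted CA (constructed)", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	userCert, userKey := issueCert("Jane Doe", ca, caKey)
	details := BankDetails{"Jane Doe", "ES00 0000 0000 0000 0000 0000"} // constructed sample
	sig, _ := SignDetails(details, userKey)
	altered := BankDetails{"Jane Doe", "ES99 9999 9999 9999 9999 9999"} // IBAN changed after signing
	forgedCert, _ := issueCert("Jane Doe", nil, nil)                  // scammer's own root and key, not whitelisted
	return VerifyDetails(details, sig, userCert, roots), VerifyDetails(altered, sig, userCert, roots), VerifyDetails(details, sig, forgedCert, roots)
}
```

In a client the root pool would hold only the CAs the whitelist in the implementation overview admits, not every root the operating system trusts.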