Regulatory Compliance, Encryption and Safety: How do you protect yourself?


ObservantOne

Okay guys, I just had a thought, and it wasn't pretty.

Every transaction that we have completed on the exchange, given they are regulatory compliant, is reported to the government: the amount you spent and how much XRP you got in return. The government isn't exactly up to date on operating systems and protections for their computers. What happens when a bad-guy happens to get access to that information through some hole in the GOVT's defenses, finds your information, gets your address and cases you?

Have you heard of the $5 wrench attack? Someone who knows that you have X amount of XRP can take that information, case your house or where you work, abduct you and beat you with a wrench until you tell them the information they want.

You have your XRP stored on something like the Ledger Nano S, and you have it set up with your PIN, and hopefully a passphrase.

Ledger has added the capability to use a Passphrase or "Duress Pin" to create a hidden wallet with some spare change in it. This passphrase is given to the attacker in order to let them have access to the hidden wallet (what we would see as a security/sacrificial wallet) that has very little XRP in it. Hopefully they don't beat you further in an attempt to get you to reveal more.

My point: through regulatory compliance, our personal information regarding our investments is pretty much in a very worrisome predicament, where the GOVT forces you to disclose this information and it could potentially be readily available to a substantially sophisticated attack on the database that stores this information.

How do we protect ourselves from this scenario? 

I really wish there was a way to make these things private, without it being disclosed on our taxes! If the govt knows what you have, and you just pay your fair share of taxes, nobody else should even know what you have. Especially when it comes to something as potentially explosive as XRP.

What are your thoughts?

Link to comment
Share on other sites

Why would an attacker basically hold someone against their will, seriously assault them and commit untold other offences for a POSSIBLE large pay off from cryptocurrency .. when they could do the exact same thing for cash / jewellery etc. today without the need to extract all that encrypted information to begin with

Link to comment
Share on other sites

I'm not saying it couldn't happen, but they would want to be targeting an average joe with a large account to make the chances of success and escape higher and payoff worthwhile ..

I'm more concerned about identity theft with all the documents and photos used to sign up on sites ..

Link to comment
Share on other sites

2 hours ago, ObservantOne said:

Ledger has added the capability to use a Passphrase or "Duress Pin" to create a hidden wallet with some spare change in it. This passphrase is given to the attacker in order to let them have access to the hidden wallet (what we would see as a security/sacrificial wallet) that has very little XRP in it.

wow did not know this, this is excellent

Link to comment
Share on other sites

4 hours ago, zerpdigger said:

This passphrase is given to the attacker in order to let them have access

If an exchange "unmasks" a wallet's contents to its owner, are owner's transactions logged in the blockchain sequencing? I think the answer is "yes". If true, then a "pseudo-owner" transaction is also logged. A $5 wrench attack becomes a 32bit hammer detective when the false owner moves the valuables to their preferred account. A trail is established once a transaction hits the networks, isn't it? 
If I were the thief, I'd want to "D.B. Cooperize" (famous, never found airline hijacker) my getaway, right? How do I add anonymity to that which, as you say, governments monitor? I would want to become an investor with a "flash dash" rather than one stuck with confirmations and time constrained crumbs replicated on the nodes of the network. Right?
If I were the real owner, I would want to leave crumbs. The assumption of being known by regulatory agencies (globally) is at the heart of the BTC / XRP debate, isn't it? 
I'm not a code cruncher but from another assumption standpoint, if XRP's transaction capabilities have been proven to now equal the speed of a present VISA transaction, couldn't a "proof of ownership escrow" (honeypot PO2E) model be incorporated into the execution of the transaction? A wallet + x + y model, with x being a dynamic user defined "911" string that resides in a separate space and y being a "subpoena key" (smart contract?) that identifies any entity demanding access (by legislative right or "wrench demand"). My assumption is that speed is going to constantly improve over time so the overhead needed to complete the added feature is negligible to the transaction settlement. Having an "x+y" model wouldn't prevent the theft necessarily but could it prevent its anonymity? 
A second approach would be to initiate an ICO, with XRP as its base, that serves as crypto's "Lloyds of London" insurance against theft. A policy for specified perils, if you will. Proof of the theft would need to be determined for a claim to be asserted but this might be much easier than the two step approach to protecting the asset at the "wrench end".
Okay, so much for the brainstorm. Back to my morning coffee. Just some fun food for thought....

Link to comment
Share on other sites

3 minutes ago, wiredless1 said:

If I were the thief, I'd want to "D.B. Cooperize" (famous, never found airline hijacker) my getaway, right? How do I add anonymity to that which, as you say, governments monitor?

and thus you elucidate the TRUE use case behind (a) mining for tokens and (b) pseudo/anonymous cryptocoins

under the guise of libertarianism/anarchism/whatever sometimes, too -- that's all a lie

the crypto world is chock full of scam/speculation/tax evasion/gambling/rip-offs/crime/drugs money, it's what fuels it... wait for the regulators/laws or features to add transparency to these ledgers... then watch the magic money "mysteriously" evaporate into thin air

Link to comment
Share on other sites

1 minute ago, zerpdigger said:

then watch the magic money "mysteriously" evaporate into thin air

This is my thesis for the "flash crash" events.  Someone, some entity, needs to pay for a ...new rocket, RPG, bribe, weekend yacht, protection, etc. Haven't got the cash? Pay someone for the crash, get a percentage, buy the "goods/service/time/access". Breathe. 
Repeat.

Link to comment
Share on other sites

7 hours ago, KrakenPeppers said:

Why would an attacker basically hold someone against their will, seriously assault them and commit untold other offences for a POSSIBLE large pay off from cryptocurrency .. when they could do the exact same thing for cash / jewellery etc. today without the need to extract all that encrypted information to begin with

Your jewelry and cash do not have the capability to increase many times over like crypto does. The $5 wrench was a theoretical scenario, though I would venture a guess that this has actually played out many times in the past century: coercing/beating someone to get things/information out of them.

Link to comment
Share on other sites

7 hours ago, KrakenPeppers said:

I'm not saying it couldn't happen, but they would want to be targeting an average joe with a large account to make the chances of success and escape higher and payoff worthwhile ..

I'm more concerned about identity theft with all the documents and photos used to sign up on sites ..

By this logic, you should be equally worried about someone accessing the GOVT databases, as they have already, to access your purchasing records from any given exchange that you have worked with that is regulatory compliant. These records detail the amount you spent, what date, from which location, which device, your phone number, address, amount received after exchanging money, etc. 

Concerning, to say the least. 

Remember, this isn't FUD regarding our investments. This is worry regarding personal information in the hands of those that claim to lead and protect us, while doing the bare minimum to provide actual security.

Link to comment
Share on other sites

Your jewelry and cash do not have the capability to increase many times over like crypto does. The $5 wrench was a theoretical scenario, though I would venture a guess that this has actually played out many times in the past century: coercing/beating someone to get things/information out of them.

I understand it was theoretical, I was just referencing that in a world of 'thieves' most are not out to steal an object for the purposes of 'appreciating' its value, it's for instant gains and those gains are usually consumed quickly.. cybercrime is definitely a threat however hostage / home invasions to gain access to crypto is in most situations unlikely... that's all I meant.

But identity fraud from our stored information on sometimes untested trade sites could be more of an issue should someone spam its multi-million user database with driver's licence, billing details etc. on the dark web ..

Link to comment
Share on other sites

33 minutes ago, wiredless1 said:

If an exchange "unmasks" a wallet's contents to its owner, are owner's transactions logged in the blockchain sequencing? I think the answer is "yes". If true, then a "pseudo-owner" transaction is also logged. A $5 wrench attack becomes a 32bit hammer detective when the false owner moves the valuables to their preferred account. A trail is established once a transaction hits the networks, isn't it? 
If I were the thief, I'd want to "D.B. Cooperize" (famous, never found airline hijacker) my getaway, right? How do I add anonymity to that which, as you say, governments monitor? I would want to become an investor with a "flash dash" rather than one stuck with confirmations and time constrained crumbs replicated on the nodes of the network. Right?
If I were the real owner, I would want to leave crumbs. The assumption of being known by regulatory agencies (globally) is at the heart of the BTC / XRP debate, isn't it? 
I'm not a code cruncher but from another assumption standpoint, if XRP's transaction capabilities have been proven to now equal the speed of a present VISA transaction, couldn't a "proof of ownership escrow" (honeypot PO2E) model be incorporated into the execution of the transaction? A wallet + x + y model, with x being a dynamic user defined "911" string that resides in a separate space and y being a "subpoena key" (smart contract?) that identifies any entity demanding access (by legislative right or "wrench demand"). My assumption is that speed is going to constantly improve over time so the overhead needed to complete the added feature is negligible to the transaction settlement. Having an "x+y" model wouldn't prevent the theft necessarily but could it prevent its anonymity? 
A second approach would be to initiate an ICO, with XRP as its base, that serves as crypto's "Lloyds of London" insurance against theft. A policy for specified perils, if you will. Proof of the theft would need to be determined for a claim to be asserted but this might be much easier than the two step approach to protecting the asset at the "wrench end".
Okay, so much for the brainstorm. Back to my morning coffee. Just some fun food for thought....

The reasoning is that if someone were to steal your XRP by beating your brains in and hurting your family until you gave up the information, then they would move it to a "secure/preferred" account, sell that XRP for BTC, push the BTC through a scrubbing service ("burning" your BTC in exchange for a "clean" BTC), trade this BTC for some anonymous Crypto (Monero/Dash), sell said anonymous asset for fiat, launder the fiat and dilute the flow to stay under the radar. 

I am assuming that this scheme was pulled off recently on an exchange, and the exchange has only recovered ~55% of the stolen XRP.

If these thieves were to access the GOVT database looking for keywords (XRP), look up people with large amounts, target them, case them, and make off with their life-changing investment. 

My main reason for bringing up this concern is because, as civilians, we are required to give ALL of our information to the exchanges in order to be identified with the GOVT, so everyone can be regulatory compliant. We are guaranteed that our information will only be used to identify ourselves with the GOVT, without a guarantee that our information will be kept safe. Admittedly, there aren't any fool-proof, 100% secure environments in the world. It is just concerning that there isn't a level of privacy associated with our accounts, it is all public. Seems to be the reasoning behind the banks desiring a private ledger.

I don't know.

Link to comment
Share on other sites

I would say that it should be a requirement for exchanges to implement a 256bit encryption method that is a two part key: they have half of the pin, and you have half. Your information should be encrypted and ONLY accessible when making purchases or selling. The only way to access it should be for the exchange to require you to put in your pin, use facial recognition and 3 factor authentication. Or something similar. Our information should be about as airtight, if not more so, as our military grade encryption methods.

Given the fact that ShadowBrokers have released many hacking/monitoring tools that the NSA have developed and capitalized on, it is concerning to say the least. 

Anyone is welcome to chime in :)

Link to comment
Share on other sites

  • 4 weeks later...
On 6/23/2017 at 7:12 AM, ObservantOne said:

I would say that it should be a requirement for exchanges to implement a 256bit encryption method that is a two part key: they have half of the pin, and you have half. Your information should be encrypted and ONLY accessible when making purchases or selling. The only way to access it should be for the exchange to require you to put in your pin, use facial recognition and 3 factor authentication. Or something similar. Our information should be about as airtight, if not more so, as our military grade encryption methods.

Given the fact that ShadowBrokers have released many hacking/monitoring tools that the NSA have developed and capitalized on, it is concerning to say the least. 

Anyone is welcome to chime in :)

Make sure you're also on the database that says you own weapons...

Link to comment
Share on other sites
