So, just how safe are digital financial services in the non-face-to-face era?
That’s the question Korean-language blockchain media outlet Decenter sets out to answer amid mounting concerns following several high-profile incidents, including one involving leading money transfer platform Toss.
From the Korea Herald:
“Online purchases worth 9.38 million ($7,770) were made on websites without permission of Toss account holders earlier this month using their personal data. Although initial inspections by the financial authority showed that users’ personal data were not compromised via the fintech platform itself, the incident shed light on the security of similar services, including those run by online platform operators Naver, Kakao, and NHN.
“‘After the incident, I realized that any smartphone user can fall victim to such unauthorized transactions without knowing it,’ said a 30-year-old fintech service user, adding ‘I may have to be more cautious when using mobile financial services for a while.’”
The Toss incident has so spooked authorities that South Korea’s top financial watchdog, the Financial Supervisory Service, has announced that it is reviewing the security measures of about 40 fintech companies that use similar payment technology.
BlockMedia talked with ICONLOOP about security and the MyID project. MyID uses DID technology, which means companies need not store personal data. All it does is confirm that the person logging in is the same person who logged in before.
An ICONLOOP employee told Decenter that the recent incidents involving non-face-to-face financial services demonstrate the importance of getting the first ID confirmation right. One of the recent incidents involved an individual using a forged ID to secure over KRW 100 million in fraudulent loans. Investigators say the suspect put his photo on somebody else’s driver’s license and used that ID to open a mobile phone account, which was subsequently used to secure loans through the non-face-to-face services of financial companies.
ICONLOOP said this is why financial services shouldn’t use mobile phone numbers to authenticate identity. With MyID, your ID is recorded on the blockchain only after a thorough initial verification by a bank. That is to say, a bank issues you a DID after confirming you are who you say you are. Saving the ID on the blockchain prevents tampering. And since DID doesn’t require companies to save your personal information, the solution makes mass leaks of private data through hacking highly unlikely.
Having said that, DID solutions such as MyID store data on the user’s own device, making the security of those devices critically important. Data self-sovereignty comes with responsibilities. You need to take security measures to store your data in a secure space on your mobile device. ICONLOOP told Decenter that in the coming age of data self-sovereignty, devices will grow in importance as data wallets. And since companies no longer collect and maintain your data, it’s difficult to get your data back if you lose your device.
Still, DID boasts enough advantages to make it attractive despite the added personal responsibility. You control your own data. In today’s era of centralized control over ID and personal data, you can’t see how companies are using your information. Companies often give your data to third parties without your permission, and as if that wasn’t bad enough, companies that collect lots of personal data are favorite targets of hackers. DID frees you of these concerns.
DID is also easy to use. A single ID unlocks many services.
DID is good for the companies that use it, too. Governments are growing increasingly aware of the importance of protecting personal data. The EU passed the GDPR in 2018, and even in South Korea, the government is pushing projects that strengthen data self-sovereignty. Companies that use DID lessen risks and free themselves from the financial burden of storing and protecting personal data.
ICONLOOP Communication Team Lead Minhwan Kim said:
“Recently, the need for untact solutions has increased due to the COVID-19 pandemic, which has also led to more instances where we now have to provide very basic personal information and perform identity authentication. Under these circumstances, DID is being recognized as a flow of authentication rather than an existing option, causing the demand for DID services to be accelerated.”