Nash's management of customer information

Recently, there have been many incidents of theft of customer information held by exchanges (BlockFi, Coincheck).

What measures does Nash take against these?

Following policies such as ISO 27000, security audits and probably by not saving private user data at all :joy:. KYC is done by external companies so Nash doesn’t hold private data.

2 Likes

As Kemoyin said, Nash doesn’t store KYC themselves.
It is managed and stored by Jumio.
Nash holds a key to this data to see, but there are restrictions in place, so it’s not like they have easy unlimited access whenever they want without security checks.

This KYC company is also trusted by some banks, Airbnb and easyJet.

6 Likes

Anyway, it is always good to keep thinking/asking about possible weak links in the system. Inherently there will always be 1…

Regarding this subject, yesterday I bought some BTC via a Dutch provider (Bitonic) and transferred it to NASH. Since we have stricter laws in NL (AML5), I had to provide relevant ID information. They had the ability to use a verification app (like NASH) which could read the NFC chip of your passport using an iPhone. Although a bit of a “black box” since I have no clue what info is pulled from the chip: this was a super user friendly way to verify. If deemed viable and safe, this could maybe be a part of the NASH verification process in the future?

No more unreadable or stored ID copies and waiting for verification!

Wtf? So the NFC chip in IDs/passports contains all data unsecured? That’s new for me…

Was new to me as well… Some info: (in Dutch)

2 Likes

  1. Nash has a strict rule that forbids SMS 2FA.
  2. Nash marketing and communications team (the ones that access admin in support tasks) has fit-for-purpose machines that have compliance enforced by yours truly. As an example they can’t even install browser extensions on those machines. Our platform for those employees is based on the Pixelbook and includes verified hardware encryption from boot to login. To access Nash systems they need physical encryption keys - think “hardware wallets” but for access. Even better, since it also requires a password and we can revoke individual keys.
  3. Ah, and as commented by @Konijntje we don’t store user data ourselves, but only access keys - that are rate limited.

Sincerely, BlockFi’s report of access due to SIM swap makes it sound like their security profile is not in the same league by a long shot.

8 Likes

Thank you for the detailed description. I’m very relieved.