Visual Proofs Are Not a Sound Wallet Verification Method
Depending on the jurisdiction, the implementation of its Travel Rule could extend to self-hosted wallets. If applicable to self-hosted wallets, virtual asset service providers (VASPs) may need to verify wallet address ownership before a transaction can be initiated.
Wallet addresses are typically verified by a screenshot, video, a Satoshi Test or a digital signature. VASPs will conduct a verification process to ensure that the displayed address aligns with the address intended to be used for the transaction. If the addresses match, the transaction will proceed as planned.
With the evolution of AI and similar technologies, blockchain analytics companies have noted that visual proofs have become increasingly unreliable as a form of wallet verification since they are so easily manipulated.
What Is an Example of a Visual Proof?
Visual proofs, referred to as unattended verification by the EBA, can be in the form of a screenshot or a video clip provided by the wallet user showing the address they intend to use for sending or receiving their crypto assets. This proof is then sent to the user’s VASP, who verifies that the address shown in the image or video matches the desired withdrawal address.
Why Are Visual Proofs Unreliable?
While visual proofs are the most straightforward method for self-hosted wallet owners to verify their wallets, they are the least reliable option due to their susceptibility to manipulation.
A visual proof - be it an image or video can be tampered with using basic photo editing programs. With the rapid development of AI-powered software, it has become even easier to simulate a fake proof.
What Other Options Do Customers and VASPs Have?
Apart from visual proofs, there are 3 other options that dominate the market. Each option has its pros and cons, but they are all more reliable than visual proofs and virtually impossible to tamper with.
Address Ownership Proof Protocol (AOPP)
Address Ownership Proof Protocol (AOPP) is a safe and fully automated method for the user and the VASP. It offers a safer alternative to the screenshot option and requires less effort and know-how than manual signing. By avoiding address reuse and drastically improving the user experience, and maximum security, this method ensures enhanced security.
Additionally, it boasts rapid verification capabilities, allowing for wallet ownership confirmation within seconds, and it adheres to GDPR requirements, ensuring compliance with regulatory standards.
A message or QR code (for mobile devices) is shared with the wallet user by the VASP. The wallet user clicks to demonstrate ownership of the address. This message is automatically returned to the VASP without interference from a third party.
Manual Signing
This method offers a cryptographically secure means of proving ownership and can be seamlessly automated by the VASP.
The withdrawal process begins as the wallet user submits the desired address to the VASP. The VASP then provides the wallet user with a message to be signed using the selected wallet address. The user copies and pastes this message into their wallet software and proceeds to sign it using the private key linked to the chosen wallet address.
After signing the message, the user forwards it to the VASP, who then verifies the signed message and, upon successful validation, executes the transaction, thereby facilitating a secure and authenticated withdrawal process.
Read more about manual signing.
The Satoshi Test
The VASP can automate the process and mitigate the risk associated with visual proofs. Automating the process on the VASP's side reduces the potential for fraudulent activities, providing a more reliable means of verification. However, a common pitfall with the Satoshi Test is the mining fees are not returned to the address owner.
To verify ownership of an address, a VASP initiates a process where a predefined amount of crypto assets, typically around the value of USD 1, is sent from the wallet owner's address to the VASP within a specific timeframe. If the transfer is successful, it serves as evidence of address ownership. However, failure to complete the transaction within the specified timeframe renders the proof invalid.
Read more about the Satoshi Test.
21 Travel Rule boasts 4 wallet verification methods, allowing VASPs to select their preferred method, minimising the risk of false proofs while still providing their clients with verification method options to fit their self-hosted wallet's signing capabilities.