Enhancing GoodDollar Stamp Security

Objective

To identify the most effective method to mitigate the risk of users obtaining multiple stamps on different wallets using the same biometric data, by enhancing the revocation process across our database, the Ceramic network, and the Ethereum Attestation Service (EAS).

Background

Current System: Stores a biometric vector and wallet address. Uses a clustering algorithm to detect matches and prevent multiple stamps per user.
Vulnerability: Users can revoke access to their wallet, and after a 7-day cooldown, access a new wallet, potentially obtaining stamps for multiple wallets with the same biometric data.

Attack Vector

A user obtains a stamp on one wallet, revokes this wallet after some time, and then associates their biometrics with a new wallet after the cooldown period, thus circumventing the one-stamp-per-user rule.

Proposed Solutions

Comprehensive Revocation Across Data Stores
Verification During Stamp Scoring by Scoring Service

1. Comprehensive Revocation Across Data Stores

Description On revocation of a GoodDollar account by the user, the system:

Updates our internal database to remove the associated credential.
Removes the credential from the Ethereum Attestation Service (EAS) onchain.
Adds an entry to a revoke list on the Ceramic network.

Considerations

Scalability: Complex due to synchronization across three data stores but robust in tracking and verification.
Security: Comprehensive removal and tracking of credentials, reducing misuse.
Implementation Complexity: High, requiring careful management of data consistency.
User Experience: Automated but might require user notifications about different platforms' status.

Risks . Complexity in synchronizing data across different systems.

Maintenance and operational overhead.

2. Verification During Stamp Scoring by Scoring Service

Description Implement a check within our scoring service that verifies if the GoodDollar stamp being scored is associated with a currently active wallet. This check is conducted against our database and EAS.

Considerations

Scalability: Efficient, as it focuses on real-time verification during the scoring process.
Security: Quick prevention of duplicate stamps, but limited historical tracking.
Implementation Complexity: Lower, as it integrates into the existing scoring process.
User Experience: Potentially more seamless, with checks performed in the background during stamp scoring.

Risks

Dependence on real-time verification accuracy.
Possible system delays impacting stamp scoring.

Evaluation Criteria

Scalability: Ability to handle increasing user numbers and data volume.
Security: Effectiveness in preventing and detecting fraudulent stamp issuance.
Implementation Feasibility: Resource and time requirements for development.
User Experience: Impact on the stamp issuance process and overall user journey.
Data Integrity and Auditability: Maintenance of accurate and consistent records across multiple data stores.

Next Steps

[x] Technical Assessment: Evaluate requirements for integration with our database, EAS, and Ceramic.
[ ] Stakeholder Consultation: Gather input from technical teams and user experience specialists.
[x] Analysis and Decision: Review results and choose the most viable solution.

Conclusion

This SPIKE is focused on addressing a specific security concern in the GoodDollar stamp system, exploring two distinct approaches to prevent users from obtaining multiple stamps with the same biometric data on different wallets. The aim is to balance scalability, security, and user experience while maintaining data integrity across our database, Ceramic network, and the Ethereum Attestation Service.

Timebox: One day

From the GoodDollar facetec documentation:

You can register to GoodDollar without any face verification test, but once you want to claim (daily UBI) you have to go through such a process. It is worth noting here that obviously biometric information is sensitive. We care a lot about our members’ sensitive information, which is why it is saved anonymously without any link to your GoodDollar profile.

The first test checks if the user’s face matches an existing one in the database. The second test checks if the user passed “liveness” which minimises fraud based on static images, pre-recorded videos or masks. If the user passed both tests than with high probability we can assume that they are both unique and a living human being. Then their facial attributes are added to the database. Any attempt to register again with the same face would fail.

The facial attributes are saved anonymously without any link to the user’s GoodDollar profile, blockchain address nor to their record in our own database that we use to communicate GoodDollar’s updates and news.

The user is the sole owner of their facial record identifier in our database, and once they decide to delete their account they send us the identifier and we delete their record. So any attacker able to grab this database would not be able to link the faces to any privately identifying information — and nor can the GoodDollar own team. It is important to note that the key to biometrics is “liveness”, as long as the verifying party verifies the sample has arrived from a live person getting hold of the sample itself should pose no security risk.

According to their description the face recognition and liveness test cannot by linked back to a good dollar user id or address.

Problems and Solutions

Listening for deactivation event - run a scheduled job that checks the address of each account that owns a good dollar stamp const isVerified = await sdk.isAddressVerified("0x66582D24FEaD72555adaC681Cc621caCbB208324") if isVerified is false we remove points for their stamp and rescore. The difficulty here will be creating the bot that makes this check. It will have to make a request for each Gooddollar stamp every time the job is executed. Another option is to create a listener that responds to when a user deactivates their account. Both are not the easiest tasks.
Revocation, if deactivated account is found
- Database: mark stamp as duplicate and remove points, rescore(afaik first time doing this without user action)
- Ceramic - user is owner of the stream, we shouldn't be able to remove the stamp without action on their part, so we would need to trigger an action the next time the user loads the passport application
- EAS options
  1. Revoke the passport and re-score attestations. We would need to pay for each bulk revocation tx and build a system to initiate the tx, or manually run the revocation each week/month. The big thing here is that we will need to revoke the user's entire passport and score attestation. We can't just revoke the gooddollar stamp
  2. Start issuing attestations with an expiration date, then wait until attestations expire. No action needed on our part assuming problem 1 is solved, but allows the user to mint multiple attestations for a good dollar stamp.

passportxyz / passport