I’ve been giving some more thought to how to protect against these situations and one key thing that I think is missing is a trade acceptance phase where the maker and taker get to agree to the terms. In this way the maker has the ability to stop frequent traders that are looking to exploit and pile on available offers only to turn around and chargeback. Currently the maker is at the mercy of the taker because once the offer is accepted, the taker will transfer funds and the parties have to go into arbitration and deal with the legacy banking networks to resolve (time consuming and risky for frequent traders).
Ideally, once the taker accepts an offer the maker would get some limited amount of time to accept the taker by having access to their name and account information as well as other metrics on their history (if possible in the future). If maker declines the offer goes back to active status as it was before. The allotted time can be carved out of the current window ex. 1 day to accept, 3 days to complete transaction.
To make this even more useful a secure chat like the one used by the arbitrators would be very helpful in confirming the understanding of the terms of the trade, originating/destination accounts, timing, any variations on the terms, etc.
Did I see this on the bisq roadmap already or am I mistaken? If not, what is the appropriate place to discuss this on slack? @ManfredKarrer @christoph
I would strongly consider disabling Zelle too as I’m reading articles about people getting scammed there as well. It’s only a matter of time before the scammers move to that platform on Bisq.
Either that or enable a long lockout trade window ASAP. Anyone know how long it takes for a cash deposit or bank wire to be irreversible? I’m reading it can be reversed up to 48 hours or more.
We had only 1 chargeback case with Zelle 1 year ago and that was probably not a pro-scammer but a housewife getting angry with the husband trading too much with her account.
It was a risky move to add Venmo and CashApp and we have now learned that it was a mistake. All other payment methods have worked well enough so far. Of course none are 100% safe but the costs for a scammer are much higher. With Venmo and CashApp the cost of creating an account is close to zero. With banks and other payment methods it’s harder, and a scammer cannot easily create 100 fake accounts, nor can they so easily issue a chargeback request.
Delayed payout was considered and even implemented in earlier phases but we removed it because it would have killed usability and it would require a very long period to get real security against chargebacks. Banks can do chargebacks up to about 6 months… Nobody would use a platform where your BTC get locked for 6 months.
So to summarize:
The chargeback problem on Bisq was close to zero so far (1 case with Zelle with 300 USD one year ago). Just with those 2 new payment methods we got so far 5 reported cases (1 victim, luckily no other reports so far) and we have seen that those payment methods are just too risky for Bisq. They are limited to what they advertised: Just for family and friends.
Using all the other payment methods seems to work well enough. Of course there is always risk included, but that would be the case with F2F trades as well (you can get robbed and the risk might be much more severe).
Using centralized exchanges has other sorts of risk:
Your funds are not safe: remember MtGox and all the others…
Zero privacy (same as banks)
Identity theft risk. You trust them that your data (passport, etc.) doesn’t get stolen. If so, the hacker would know where you live and how many BTC you have. Pretty serious risk.
Banks and fiat suck, and as long as the world has not moved completely over to BTC we have to live and deal with that problem.
Try to earn money in Cryptocurrencies and try to spend it. So we accelerate the transition.
Yes, it seems the user has not removed it. But nobody can take the offer. We might make a new release where those payment methods get removed completely but we want to wait a few days before…
What are your thoughts about implementing cash in mail as a service? Maybe capping the max at $1k USD or less so the likelihood of a criminal showing up at the buyer’s address is low.
I agree with you that merchant adoption is the key to any cryptocurrency’s survival, but getting adoption has been slow going so far. We are years away from any critical mass, and that’s excluding scaling issues which is a whole other can of worms that we don’t need to debate in this thread.
There is a thread about cash in mail. Main problem is that it is very hard to provide clear evidence in case of a dispute. Besides that it is slow, expensive, insecure and in some countries illegal.
That’s true, and I’m not trying to be snarky/trolling/flaming or whatever, but isn’t cash in mail just the other side of the coin as Zelle/Venmo/CashApp? With an infinite chargeback period there is no recourse for the BTC seller if the buyer charges back at a later date, so the ability to dispute is a moot point.
With cash in mail the risk is equally high just for the other party.
How about this! Sorry I’m just spitballing ideas here because I really want Bisq to work but the chargeback issue is going to be untenable for your American users (which I’m assuming is a huge portion of your userbase). And saying “there haven’t been any chargebacks on Zelle” is not acceptable because that logic is exactly what got us into the Venmo CashApp trouble, as I recall reading “we’ve had 1 year and 10,000+ transactions without a chargeback so Venmo/CashApp are Ok”. We are literally making the exact same mistake with Zelle. It’s only a matter of time as you grow in popularity.
My new idea since Cash in Mail seems to not be favorable for you is…Insurance. You have 10,000+ transactions and a certain amount of chargeback fraud, so you have a decent enough sample size to pull data, AND you also have a really cool system where you can set % price differentials for an order.
Let’s say you have a new onion address that hasn’t made a trade before and takes the offer for a seller that listed in the order book 1% below market price.
Instead of seeing that 1% price, the brand new buyer sees 3%, and that 2% juice will go into an insurance fund multisig wallet.
Now you can offer the Bisq Guarantee! If some asshole charges you back 6-months from now. Show the arbitrator the bank statement with the chargeback and we will pay you out the BTC you lost from the insurance fund.
You can even double dip and offer an opt-in charge for the Seller. “for $20 we will insure this transaction so that if you get chargebacked at ANY point in the future you are covered”.
Food for thought imo, but I think this kind of proposal should only be implemented strictly on a voluntary basis.
Those who want can use the insurance (ie participate/subscribe), those who don’t want are not obliged.
And there would be also the problem to initiate the insurance fund (but maybe this is not a great problem).
And it should probably also be implemented in a decentralized way. Would require some work probably here.
Offering an insurance maybe also presents some legal issues?
Thank you. Hopefully, they will give me back my funds / transfer it to my bank at the end of the 180-day investigation period. Has been a bad experience for me but just a lesson in the land of crypto.
It would be good to have the following added:
Reputation System - Based on past trades
Collateral Deposit - Option for User to deposit at least 2X their average trading size and this should be locked up for 6 months - 1 year. Display this badge next to the trader. If they have no intention of scamming the trader will get back their collateral Deposit at the end of the period. Chargebacks should not be possible then.
I think the low incident rate is encouraging but can be attributed to the community still being small and focused. Unfortunately, fraudsters travel in packs and when they find a vulnerability they will exploit it in a viral fashion before the window closes. I think there are a number of important suggestions on how to enhance the functionality to protect the growing community. I hope some of these make it to the slack channel and on a prioritized list of some sort for future releases in the short run.
I think a well designed opt-in reputation system could work. As always the devil is in the details. It should be as decentralized as possible and it should resist sybil attacks. Trade history is very helpful to validating a user’s reputation: a new account with 100 small trades in the last week is much less trustworthy than one with 100 trades of all different sizes spread over the last two years. Obviously not foolproof but scammers tend to be lazy and impatient.
The idea of charge back insurance is an interesting one. I suggest a decentralized market-based system. Individuals could act as insurers. How much they charge traders who want to be insured would be up to them, as would the amount of information they required. Insurance claims would require the claimant to prove charge back, with arbitration if required. I’m not sure how you prevent people from gaming the system by scamming themselves then making an insurance claim, though.
I don’t know if it is smart to spend dev resources on trying to slightly improve this situation for the short term.
Manfred is mostly working on the DAO now, as I understand, and with the DAO we will have a good way to battle chargebacks, as well as many other features. Maybe this project should focus more on the long run, I don’t know, that sounds smarter to me.
Legal / court option is 99.9% certain to be a waste of time and effort. It’d cost me at LEAST $5,000 just to retain an attorney to get started, plus however many hours worth of my own time. So even if I “won” I’d still be at a net loss.
Scammers know this - which is why they continue to operate with impunity. They know nobody will take the time and effort to go after them, because it wouldn’t be worth it to spend $5k to chase after $2k.
Anyway, I like the insurance fund idea, since kyc is probably not happening here.
Learn from Visa and the credit card system, evolve into a decentralized contract.
An insurance system was considered in early days but insurance fraud will be a serious problem. Sounds too much like trying to fix a problem with a bigger problem. Though I am open for a serious proposal.
Regarding the other suggestions:
All those have been considered and discussed many times but they all are problematic. Here is a summary:
Reputation:
We don’t want to introduce centralized elements with a centralized reputation system
Nobody has built so far a decentralized reputation system. It is a hard problem.
Reputation requires identity. If identity creation is easy/cheap, Sybil attacks are an issue (see Venmo, CashApp where it is too easy to create an account).
Identity and privacy don’t work well together. Any meaningful identity (even not real life but based on past behavior/trades) damages your privacy.
Reputation gives a wrong impression of security. Sybil and long con attacks are always a problem.
Reputation can work if the trade is asymmetric, e.g. on marketplaces like Ebay where sellers have more to lose as they are interested in repeated interactions and need to build up a good reputation which becomes valuable. But also that is not secure. See exit scams on dark markets. Bisq is P2P, not an asymmetric market of sellers.
Reputation will make it harder for new users as they get interpreted as low trusted by default.
Insurance:
Not clear how to implement it in a decentralized, trustless way (nobody must hold/control the funds, otherwise you get legally serious troubles)
Easy to trick by self trades (make chargeback to yourself, claim insurance)
Adds costs (people already complain about tiny fees)
Adds complexity and entry barrier
Insurance can lead to less care of users (cross check payment details at receive)
Maybe the DAO will enable insurance as it has the bonding feature which is superior to MultiSig as there is no key holder you need to trust. The trust will be in the DAO stakeholders. Serious, well detailed and thought-out proposals are welcome!
Delayed payout:
Was implemented but removed because it would be a usability killer. Who wants to buy BTC when you get the BTC only after 3-6 months paid out?
Unclear how long chargeback can happen. Seems like 6 months is common.
Fund for legal steps:
We could start a fund (donations) for legal costs for those who are willing to go to court against the scammers and the Bank/Payment processor. I am aware that this has little chance of success and probably very high costs as well as risks to backfire on Bisq. But it shows how unsatisfying the existing legal system is.
Surety bonds:
Bonding in BSQ will work like that:
You send an amount of BSQ to yourself with special OP_RETURN data which marks that tx as a lockin tx. You cannot spend that received amount besides using it in an unlock tx. Once you want to unlock your bond you make another tx to yourself with other special OP_RETURN data which marks that tx as an unlock tx. You still cannot spend that received amount before the unlock period has expired, which will be defined in the OP_RETURN at the lockin tx and which can be e.g. 3 months (measured in blocks). Only after the time is over can you spend your BSQ like any other BSQ. If anyone makes a confiscation request with clear proof the stakeholders have the ability to confiscate your locked BSQ (or as long as they are in the unlock period). The confiscated BSQ are burned and thus distributed to all stakeholders.
The benefit over MultiSig is that you don’t need another keyholder (or group of keyholders) which carries centralisation and security risks. With BSQ bonding you need to trust the super majority of BSQ stakeholders that they act honestly.
With BSQ bonding it will be possible that anyone can lock up an arbitrary amount of BSQ and use that as a bond against chargeback risk.
E.g. If a buyer locks up 1000 BSQ (assume that is 1000 USD) he can provide security for a trade with 1000 USD against chargeback. If the buyer would make a chargeback his bond gets confiscated so the seller can be sure that the buyer is acting honest.
After the trade is completed the bond gets unlocked but it still stays for e.g. 6 months locked to cover open chargeback risk. After that time the bond is accessible to the buyer again.
Open problems with that model are: BSQ volatility, very long unlock period might lead to too high bond requirements, management of open trades and locked bond amount is complex, completed trade needs to be part of the contract to trigger unlock tx,… many open questions to solve though I am optimistic that it can work and that it gives real security. Well thought-out proposals are welcome!
Conclusion:
No reason for panic. Don’t compare Venmo/CashApp with Zelle, SEPA, etc…
It was a mistake to add Venmo in the first place, it turned out it is not better than Paypal and it was always clear that Paypal has no place in Bisq. Of course all banks and payment processors have chargeback risks but the costs and success rate are very different, thus the incentives for scammers to use it against Bisq users is much lower.
Scammers cannot easily create multiple fake Zelle accounts (as far as I am aware) or multiple fake SEPA accounts and if they succeed they only get a relatively small amount compared to what they could get on LocalBitcoins due to the limited trade amounts.
The stolen bank account scams are of course another beast but that should be mitigated with the account age witness and luckily we never had such a case so far.
Luckily there have been so far no more reports of chargebacks besides the ones from @ElGuapoAmigo. Hopefully that stays like that and hopefully Venmo and CashApp have at least a min. security mechanism to not let known scammers continue after victims have reported them about the scammer.
I understand now also the “security” model of Paypal/Venmo better. They have a huge security problem with stolen accounts. Normally the scammer withdraws the funds and with their policy to allow easy chargeback the scammer cannot get away easily with the stolen funds. This policy somehow fixes their poor security against account hacks though makes it completely useless for not high trusted interactions, thus they state in their ToS that it must be only used between friends and family. I am surprised that so many people are really using it. Is there really such a demand for sending money between family members and friends?
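The bond life cycle described in the post above (lockin tx, unlock tx, unlock period, confiscation), modelled as an added example; it is not Bisq or DAO code and not part of the original post. The class and function names, the 144 blocks-per-day figure and the day-3 trade completion are assumptions, and the OP_RETURN encoding is not modelled.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

BLOCKS_PER_DAY = 144  # assumption: roughly one Bitcoin block every 10 minutes


class State(Enum):
    LOCKED = "locked"
    UNLOCKING = "unlocking"
    CONFISCATED = "confiscated"


@dataclass
class Bond:
    """Toy model of the bond described in the post (hypothetical names)."""
    amount_bsq: int
    unlock_period_blocks: int             # fixed when the lockin tx is made
    state: State = State.LOCKED
    unlock_height: Optional[int] = None   # height of the unlock tx, once made

    def request_unlock(self, height: int) -> None:
        """Unlock tx: starts the waiting period; funds stay unspendable."""
        if self.state is not State.LOCKED:
            raise ValueError(f"cannot unlock a bond that is {self.state.value}")
        self.state, self.unlock_height = State.UNLOCKING, height

    def spendable(self, height: int) -> bool:
        """True only once the full unlock period has passed."""
        return (self.state is State.UNLOCKING
                and height >= self.unlock_height + self.unlock_period_blocks)

    def confiscate(self, height: int) -> int:
        """Stakeholder confiscation: possible while locked or still unlocking.
        Returns the amount burned."""
        if self.state is State.CONFISCATED or self.spendable(height):
            raise ValueError("bond is no longer confiscable")
        self.state = State.CONFISCATED
        burned, self.amount_bsq = self.amount_bsq, 0
        return burned


def chargeback_scenario(chargeback_day: int, cover_days: int = 180) -> int:
    """Buyer bonds 1000 BSQ; the trade completes on day 3 and the unlock tx
    is made then. A chargeback is proven on chargeback_day.
    Returns the BSQ burned (0 means the bond no longer covered the seller)."""
    bond = Bond(1000, unlock_period_blocks=cover_days * BLOCKS_PER_DAY)
    bond.request_unlock(height=3 * BLOCKS_PER_DAY)
    try:
        return bond.confiscate(height=chargeback_day * BLOCKS_PER_DAY)
    except ValueError:
        return 0
```

A chargeback proven after the unlock period ends returns 0, which is the "very long unlock period" trade-off listed among the open problems.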
So what payment methods are sufficiently secure (“hard”)? It seems to me there are
SEPA (nice if you are in the Eurozone)
SWIFT (expensive)
cash deposit (maybe, according to stories on LBC some banks will reverse)
various obscure online wallets probably owned by Russian criminals
Unfortunately in most countries banks will reverse a transfer if you tell a simple lie (“I was hacked” or even “I entered the wrong numbers by mistake”). This situation seems to severely limit the potential growth of bisq.
Criminals want to repeat their scam or they have the option to cash out large amounts. Large amounts are not possible in Bisq and repeating the scam requires that they tell the bank a lie several times. I doubt that many banks are so irresponsible as to not flag such clients and start investigations. With SEPA in most countries you have to agree to a chargeback.