Name and message of SEPA really important?

Hello everybody !

I’m new here, and firstly, THANKS for making a project that really addresses what I was beginning to hate about bitcoin.

Sorry if this has been discussed, haven’t had the time to read a lot of post.

I’m confirming some SEPA payments and for some of them the name and message doesn’t match exactly, like in the following examples:

D Strangelove != D. Strangelove

lienh != alienhand

Now, should I just go ahead and confirm the payment (actually did that for one of them) ?

Well, it is up to you. These things are just there for your safety to insure that the person that sent you money is really the person who took your offer. (This is a prevention for some types of scams)

If you are confident it is just a typo, then you can go ahead and ignore it and in a way do a favor to the other trader and not get into a dispute (that costs you nothing but some time for it get sorted).

If you don’t, then no one will blame you and you are in a way making the network more secure.
And if the difference between the texts are obvious then you might even get a security deposit of the other trader for your troubles.

@alexej996 I am still a bit insecure about this subject. On another thread is was suggested that if money was deposited from a fraudulent account, there was potential for a bank to freeze my bank account and ask questions :grimacing: !!!

If you or anybody else who is fully in the know regarding this has a bit of time, it would help a lot if the support board had a pin about the types of exploits scammers use, the risks involved and how to avoid. I can then judge for myself when a typo is a typo or a risk.

If this is a more measurable metric @christoph , maybe the software could make the call before payment is confirmed by requiring you to type in the depositers name, exactly as it appears on your bank statement.

I’m also confused…

How does this scam really work ?
If the scammer has the ability to make a SEPA transfer (directly through controlling the victims computer, or indirectly through some kind of social engineering trick) he probably has the ability to write whatever he wants in the message field.
He can’t change the name of the account holder of course, but why would he want to ?

Also, what really happens in such a situation ?
They freeze my account and I have to use cash for a week until things get sorted out ?
Or could it be worse ?

This is really nothing to worry about in practice, as I don’t think this ever actually happened.
It is just that Bisq sees no cost in asking for this information as the receiver already sees them and can increase security in certain types of attack.

I don’t think that anyone really went too much into this, as it really doesn’t ever happen, but there is no cost of adding this and it does make it harder for the attacker. I believe that the idea rests on the example where someone uses social engineering to ask a victim for payment for some fake service. This message field, other then helping the seller to differentiate between trades, could perhaps raise a red flag for the victim that something fishy is going on and that he is not really paying for the said service. Attacker would also need the victims name for this, so that could be another way to make it harder for him.

I don’t really know about this that much, but I believe that there is an Gihub issue about this that you could search for.

You explain it well.
And you are right, the attacker needs to know the name before the transfer takes place, hadn’t thought about that…