New requirement for payment accounts with charge back risk

A bit of background and context:
We had our first and only bank charge back case (via ClearXchange) a week ago and we needed to find a way to improve the protection of Bitcoin sellers against such fraudsters.
We hoped that the limited trade amount is sufficient to keep scammers out, but as we have seen now this assumption does not hold (it was a 300 USD trade - so a relatively small amount).
We don’t have much background information about the case but it might be that the scammer has cashed out a stolen bank account for more than 6 weeks and also reached the monthly transfer limit of the bank which might be about 15k USD! It seems he used mainly other platforms and not Bisq as we did not get any other case reported. That it took so long until the fraud got discovered (if it was a stolen bank account case, which is not entirely clear) shows another problem we underestimated. We thought that if such cases happen they get quickly discovered and then the account frozen.

By using bank transfers we inherit the poor security model of the banking system. If they required 2FA by default, getting access to a foreign bank account would be much harder, and if they provided notifications of any movement in the account by default, such crime would get discovered very quickly. But banks are busy jumping on the Blockchain train instead of applying basic IT security best practices… :wink:

It is unfortunate that we rely on banks to some extent but there are no good alternatives out there for Fiat transfers. So we have to deal with that model.
With that case we saw an urgent need to provide better protection for the BTC seller, otherwise the scammers will use Bisq for cashing out their stolen bank accounts more frequently.

There was also quite often the request from users that they want an option to be able to contact the other peer.
It seemed that many professional traders (who are used to trading on LocalBitcoins) did not use Bisq because they felt that they don’t get enough protection against those charge back risks.

Any bank transfer carries that risk, especially in case of a stolen bank account. Most banks ask for permission to do the charge back but some don’t and simply make a reversal without your agreement (we heard of cases even with SEPA, ClearXchange did not ask in the above case).
ClearXchange seems to be even worse, as they stated to the scammed seller that ClearXchange should only be used in the context of “Family and friends”. It seems they allow charge back even without any proof of crime involved (it was called a disputed reversal, not a fraudulent one).
That is why we highly recommend any BTC seller using ClearXchange to do an ID check with the other peer.
We considered as well to remove ClearXchange as it seems to have a high charge back risk, but as it is one of the very few practical payment methods in the US we decided to keep it for now.

Doing an ID check should avoid the stolen bank account scams completely (assuming the ID check is done properly) and in case of a charge back initiated without valid reason the seller should start legal actions against the scammer. He has at least the identity checked so he can be sure it was not a stolen bank account scam and in Bisq there is the trade contract which got digitally signed by both traders and its hash is in the block chain. So the trader cannot dispute in court to not have agreed to the trade.

To enable direct contact for performing the P2P ID check we added a mandatory email field to those accounts which carry some charge back risk.
Those are:

  • Sepa
  • National bank transfer (as well as transfer with same bank and transfer with specific bank)
  • ClearXchange
  • Faster Payment
  • Chase Quick Pay
  • InteracETransfer

All the other payment methods are considered to have no risk for charge back (OKPay, Altcoins) or a very low risk (Swish, PerfectMoney, Cash Deposit, US Money Order, Alipay).

We needed an easy solution to implement a protection for the new v.0.5.0 release to mitigate that problem. The solution with using an email field was such.
To implement more sophisticated solutions is on the road map but will take a few months and it is not clear yet what it will look like - but just to be clear:
There will never be a centralized KYC style registration, that would render Bisq pointless. So to not create any central entity for collecting and verifying users identity and connecting that to trades is an absolute requirement for any option we are looking at.

The rough directions we want to look at are:

  • Decentralized reputation system
  • P2P verification (like now with the email address but better integrated like e.g. using the in-app chat system)
  • Optional 3rd party verification (no connection to trades or Bisq so privacy protection of trades is kept). User would get a certificate and could use that in Bisq. Would help to avoid the need for repeated P2P based ID checks.
  • Different trade limits based on reputation/nr. of trades
  • Long term locked up security deposits

There is a difficulty to give maximum control to the users and to keep usability acceptable.
Like for the current case with the email fields we could also have made it optional and allowing the user to specify in which cases they accept or require that P2P ID check and what exactly they require or are willing to accept, different for buyer or take role. But you see in that sentence already how complicated it can get and how many options it will contain. Communicating that well in the UI and the offer book will be a challenge - a challenge for which we don’t have resources at the moment.
But in future that should be improved and should make it more acceptable for different users with different levels of risk acceptance and what they are willing to expose on privacy to the other peer as well as on extra effort for the ID check.

The main reason why I think that the mandatory email is not making a big trouble privacy-wise is that with bank transfers you are exposing already your full name and bank account number to the peer. To give additionally the email address (only the trade peer sees it) does not make anything worse in regard to privacy. Of course the extra work for the ID check is something we need to address.

We could use your help!
Anyone is very welcome to help us to work on the concepts how such features for increasing security and improving usability while keeping privacy protection can be designed and implemented.
Just be warned: Decentralized reputation is not an easy task and as far as I know nobody has solved that in a satisfying way. Web of Trust (WoT) is probably the best solution so far but everyone knows how little it is used and how bad usability is with it.
OpenBazaar had it on their road map for a long time but as far as I am informed (not well) they gave up on it.
So those are not easy challenges and will not get solved in a few weeks, but hopefully in a few months.

What happens if the users don’t fulfill the ID checks or request too much:
The arbitrator (me) will be tolerant and will not take the security deposit if there was no clear misbehavior. People are also better than their fame is :wink: (at least Bisq traders).
The huge majority have been very cooperative and there have been zero real disputes so far. So I expect that there will not be too many problems with that.
Let’s see how that develops and fix issues if they arise. Being flexible and practical has been proven in the past as a very important feature, more important than defining every detail of theoretical possibilities…

Trader’s reputation probably should be given by all the arbitrators individually. As when the trader picks an arbitrator, he is showing that he trusts him/her to keep the trading honest, therefore the user trusts that, the higher the ranking other trader has with the arbitrator, more likely it is that it will end up without problems on his part, otherwise he wouldn’t have trusted the arbitrator in the first place. I guess that in a way, Bisq provides sections of trust, divided by the arbitrators themselves.

I would prefer to keep the role of the arbitrators as limited as possible. We will even introduce another level (mediators) so arbitrators who hold the 3rd key only come into place in very rare cases.

Thanks for the detailed post. :dolls:

I think bitrated might be helpful for P2P ID check and in general. I wish they had third party integration already.

Good point! Maybe we can cooperate…

Thanks for this post, quite clear for a very delicate issue.

Hi, I love bisq, but this change is very problematic.

Giving a copy of the identity card to an exchange is bad, but giving a copy to a stranger on each purchase can result in an illegal capture of personal identity data; data that are also linked to operating bank accounts. It’s crazy.

At least Bisq could establish some regulations that prohibit a seller from asking for copies of the identity card and limit their identity requests to documents that may be sufficient to verify the identity of the buyers but that are not as sensitive as electricity bills and other things like that.

That is a valid concern.
Basically we keep it open to the peers how and if they do the check (they can use social media accounts as well or just do a video call and not send scans).
But you are right that opens up new risks.
Do you have any idea how to deal with that?

Mid term we will deliver more sophisticated solutions but short term we need some protection against charge back scammers which is fast and easy to implement.

We will try to add some more concrete instructions what users should do. Any input is highly appreciated as we plan a new release soon and could add that.

I propose to make it visible in the offerbook if a trader will request ID verification. This way one can still choose. This doesn’t solve any problems but gives a choice.

This gives freedom to the traders and takes away responsibility from Bisq.

On the other hand there’s still the risk of bad reputation in case of scams.

But if the request for identity cards is generalized, that will be crazy. Someone with bad intentions could dedicate themselves to a small BTC trade simply to capture copies of identity cards linked to bank accounts, that is worth a lot of money on the black market. We have to think of something not linked to data as sensitive as the identity card.

For example telephone bill where the same name appears in the bank account, this could be enough and is not so delicate.

Optionally the seller could ask the buyer to send a sms from that number I think this would work and would be quite safe.

Yes, good point and idea with the tel. bill. I will wait to get a bit more response and will change the text in the popup.

As said earlier to add more sophisticated solutions (e.g. make it optional and visible in offer book) will require more work and cannot be deployed quickly. We will work on that but we need now a fast solution which is safe enough and practical to implement.

I suggest to reduce the max limit on purchases by bank transfer even further, maybe as low as 0.05 BTC. Then, increase the limit on a per user basis as the user builds up a (positive) reputation (perhaps 0.01 BTC higher limit for each successful trade). This will favor a few power-users over time, but that’s ok as they might be trading on a professional basis and able to provide better prices which is better for the community.

One more suggestion; voluntary charge-back “insurance”. Basically, each time users start trades using one of the riskier methods permit to pay an optional fee. This fee is deposited into a fund, which can be tapped when a user is scammed e.g. through charge-backs (but only if the user paid the fee).

This might be work to implement, e.g. who controls the “insurance” fund, and not without its own issues, e.g. how to prove you were scammed and not instead trying to scam the “insurance” fund?

Also, it does not discourage or prevent charge-backs from happening, only alleviates possible risks to the innocent party.

To the point of sharing ID cards: we should suggest to the users that they watermark any personally identifying document so that they are unusable.

Regarding the rest: I’ve had problems with hackers getting fake IDs and even coercing people into taking selfies with their IDs, without knowing what for.
I suggest that the best policy is to ask for an ID and a utility bill. This way you at least take away the possibility of fraud by identity hacking. Coercing is still possible.

Another suggestion: almost all banks working with SEPA transfers use the double security factor: to make a transfer you must enter the security code sent by the bank to the telephone. This makes stealing your bank account impossible, unless the thief also steals your mobile phone.

Consequently a basic security standard in Bisq is that the SEPA transfers are authenticated by double security factor.
After making the transfer you can send the seller a photo of the mobile with the sms, the key sent is already useless.

Thanks for all the inputs!

@in-cred-u-lous
Regarding limit per trades:
Something along that line is considered but will require more time.

Regarding insurance:
That was also on the table but I fear it just opens up a new problem: Insurance fraud.
Also it de-incentivizes people to care about security, same as what happened to credit card and banks. As you know you get bailed out by the company you don’t care so much. Cost will be socialized to others.

@riclas:
I fear watermarking is nothing an average user is used to doing. Which tool do you need for that? Are there some online tools?
erizo mentioned the risk of identity fraud and I think that is very real.
I would also prefer to find alternatives which provide sufficient security and reduce exposure to the minimum.
In the one charge back case we had a normal email contact would have been already enough (assuming it was a stolen bank account case, which is still not clear).

What is the usual way how traders on LBTC are doing an id check?

@erizo:
Unfortunately not all banks (especially German banks are still in the 90s) have 2FA.
We cannot prove that users have enabled it or that their bank is supporting it. We might create a blacklist of banks which are not supporting it and mark those as high risk or don’t allow those, but that is a lot of work and would need continuous updates. There are 1000s of banks. We need to cover also globally the banks not only SEPA.
To send a photo with the pin does not give much security, it can be photoshopped easily.

I agree identity theft is a very real risk, hence why I suggest watermarking at least. You can do it easily in several different ways, users will be most familiar with using Word I think.

On LBTC: the platform provides ID document verification, traders request a selfie holding the ID or a utility bill for second verification. All attached images on the site are automatically watermarked by LBTC.

P.S.: German banks not having 2FA might explain why most of the frauds I have been used for were from Germany…

SEPA can chargeback even 6 months later. ;-(

What is your suggestion how we should deal with it? We need to do something to protect sellers otherwise we become a honeypot for scammers. And it must not cause too much effort as we can’t wait 3 months to solve that.

That’s a great idea.

@anon10998290, @riclas , @erizo, @in-cred-u-lous:

I thought further on the issue…
What about that:
When making an offer you can decide to support direct contact by email. If so you require for your offer that the taker delivers his email address and you need to provide it as well. But it is optional and the email is stored in the account for re-use. You can define it on a per-offer basis. The email will get exchanged in the trade process like the other account data.
The offers in the offer book will have displayed an icon to indicate that direct contact is required for that offer.

Additionally we could provide a tool for uploading a selfie with one’s ID card held next to the face. This photo gets watermarked and a bit distorted and we add some graphical elements (e.g. the Bisq logo) in a way which makes the image worthless for identity theft. Additionally we can render the trade ID over the image in the moment before it gets exchanged with the peer. So the image the peer receives is tagged with that trade. The image will only be exchanged with the peer not with the arbitrator, though the arbitrator could request it from the peers if needed and if they agree to deliver it.
The user only needs to upload the photo to the app (stays local of course) and the app renders the modified image and stores it in the account. The ID card needs to be a government-issued one like a passport or national ID card.
Again in the offer the maker can define if they require an id card image or not. If so, the id cards get exchanged in the trade process same as the bank detail data.
And the offer in the offer book gets marked with an icon indicating the id card requirement.

Of course that all is only for those payment methods which have charge back risks.

What do you think? Do you see open risks with faking the selfie? I think with the photo it gets harder but of course it is not 100% safe. But a seller who wants more security can always require the email contact and can do the id check as they find sufficiently secure.
We can define that min. requirement for such a p2p id check and if a peer requests too much the peer can reject and the arbitrator would refund both in such a case.

I think that would give people enough option between privacy/convenience and security to choose from.
It is a bit of effort to implement so I am not sure how fast we can deliver that. But I wanted to get feedback first. Maybe someone has a better idea or sees some flaws in it…