New requirement for payment accounts with charge back risk

Wow, it’s so sad you need to have this brainstorming just because the banking system is designed the wrong way. Satoshi invented a trustless system and so should Bisq remain.

Here are some comments:

  • The beauty of Bisq is its privacy so you need to keep that as the first criteria. Using social media as 2FA really sounds like a poor workaround compared with the overall greatness of Bisq.

  • Relying on the seller to do KYC would be really bad. As a buyer, I would never send my ID to a seller even if it gets watermarked. Also, a scammer can easily Photoshop/GIMP a selfie and trick a forensic analysis (such as http://fotoforensics.com/) by scanning a printed version of an edited picture + editing the metatags. If you really want to go with KYC, I think @leo’s idea to have the user rely on a specialized KYC service of their choice is the least worst (the other party would judge if the chosen service is reliable or not).

  • I don’t understand how a decentralized reputation system can work. Darknets are the home of scammers, so I think it’s not that hard to create a good reputation using fake transactions.

I realize this topic is about stolen bank accounts, but I hope it is less of a risk now that we are in 2018 and 2FA is mandatory for all EU banks at least. In fact, I am more concerned about triangular scams (such as the one described at Are there scams in Bisq?), which are very common on localbitcoins. I understand the current protection on Bisq is to limit the amount sent via SEPA based on age, but I have 4 banks and only 1 of them lets me see the sending IBAN when I receive a SEPA (the 3 others just give me the name of the sender). So a triangular scammer could very well have a fake IBAN age the necessary time (so he can buy any amount) and have his victim send me the SEPA, and I would have no way to control… Also, storing a hash of the IBANs in Bisq might be a leak of privacy if you consider that a Belgian IBAN has only 16 characters, of which only 7 numeric characters are random (16 - 2 for “BE” - 5 for the branch, which is a shortlist - 2 for the validation code). That makes a short list to bruteforce with John the Ripper.

Fortunately, Bisq is not used by scammers yet, but I don’t see why it won’t happen if nothing changes. Maybe you should consider pausing the fiat reversible methods until they get reliable. In the meantime you could focus on new solutions such as cash deposited via ATM and enhance the crypto-to-crypto trades (by using the blockchain for step 3, for example, see Why not use blockchain for step 3?).

It is just a personal opinion and I am sorry if I sound harsh, especially because I only criticize but I don’t bring new ideas. I had a good thought about it but I couldn’t find anything really good. I just think that Bisq is the best solution out there so we all need to protect it.
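The privacy point raised above about hashing IBANs can be checked directly. The following is an added example, not code from the post or from the Bisq project. It assumes the standard Belgian IBAN layout (“BE”, two ISO 7064 check digits, a 3-digit bank code, a 7-digit account number and a 2-digit national check computed mod 97), so the only unknown bits are the bank code (a short list in practice) and the 7-digit account number. Because every other character is derived, a plain SHA-256 of the IBAN can be reversed by enumerating that space, whereas an HMAC under a secret key (a mitigation added here, not something the post or Bisq proposes) cannot be enumerated by anyone without the key. The bank codes and account numbers used are constructed sample values; `BE68539007547034` is the widely published example IBAN used to check the check-digit arithmetic.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def belgian_bban(bank_code: str, account: int) -> str:
    """Build the 12-digit Belgian BBAN: bank code, 7-digit account, mod-97 national check."""
    body = f"{bank_code:0>3}{account:07d}"
    national_check = int(body) % 97 or 97  # a remainder of 0 is written as 97
    return f"{body}{national_check:02d}"


def iban_check_digits(country: str, bban: str) -> str:
    """ISO 7064 mod 97-10 check digits: move country + '00' to the end, letters -> 10..35."""
    rearranged = bban + country + "00"
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return f"{98 - int(numeric) % 97:02d}"


def belgian_iban(bank_code: str, account: int) -> str:
    bban = belgian_bban(bank_code, account)
    return "BE" + iban_check_digits("BE", bban) + bban


def plain_hash(iban: str) -> str:
    """The weak design: an unsalted, unkeyed hash of a low-entropy identifier."""
    return hashlib.sha256(iban.encode()).hexdigest()


def recover_iban(target_digest: str, bank_codes: Iterable[str], max_account: int) -> Optional[str]:
    """Enumerate the small IBAN space and return the IBAN whose plain hash matches, if any.

    With a handful of bank codes times 10**7 account numbers this is well within
    reach of a single machine, which is the leak described in the post.
    """
    for code in bank_codes:
        for account in range(max_account):
            candidate = belgian_iban(code, account)
            if plain_hash(candidate) == target_digest:
                return candidate
    return None


def keyed_hash(iban: str, key: bytes) -> str:
    """Mitigation: HMAC under a key the party storing the digest does not hold.

    Without the key an observer cannot compute digests for candidate IBANs, so
    enumerating the account space no longer helps.
    """
    return hmac.new(key, iban.encode(), hashlib.sha256).hexdigest()


def search_space_size(num_bank_codes: int, account_digits: int = 7) -> int:
    """Number of candidate IBANs an attacker has to hash: bank codes x account numbers."""
    return num_bank_codes * 10 ** account_digits


if __name__ == "__main__":
    # Constructed sample: bank code "001", account number 12345.
    victim = belgian_iban("001", 12345)
    digest = plain_hash(victim)
    print("stored digest:", digest)
    print("recovered   :", recover_iban(digest, ["000", "001"], 20_000))
    print("candidates for 5 bank codes:", search_space_size(5))
    print("keyed digest:", keyed_hash(victim, b"constructed-secret-key"))
```

Running the script recovers the sample IBAN from its SHA-256 digest after at most a few tens of thousands of hashes; the HMAC variant produces a digest that the same enumeration cannot match without the key.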