New requirement for payment accounts with charge back risk

I was under the impression that the e-mail contact was to have as few checks as possible. In your latest suggestion it seems like it is the ultimate tool when a selfie with ID is not enough, which should be enough in the majority of cases.

If passing documents through the app is possible, I don't see a real need for the e-mail.

Rendering the trade ID isn’t useful, since it’s done by the app. Unless you want to use that as the watermark, but you could just use the Bisq logo.

This is the solution I was hoping for, since it takes from the user the burden of modifying his document and uploading it on each contact.

It is impossible to prevent a scammer from editing the image of an identification card. I could add any number, any photo and any name and add any full body photo if you need. I might even have a complete album of them.

Users are not banks or public entities that can cross-check data or perform forensic analysis of the images to verify whether those identifications are real or not.

Actually I think it does not work for anything. Those who can use SEPA with 2FA can now close a transaction in minutes, when we both use the same bank, and in a perfectly safe manner. Identification with each stranger will be an additional impediment, which will not give me more security, but rather greater uncertainty, and might make me rethink the use of the application.

Yes, I agree that the security of the photo solution is not very convincing.
What is your suggestion? If we don't do anything we might have more chargeback cases.
I think with SEPA the chargeback risk is mainly when there is a stolen bank account case. If we had a way to prove that the buyer's bank requires 2FA it might help, as the likelihood of a hacked account is much lower.
Are there lists of banks with that data? I doubt it.

By the end of October 2018 all SEPA banks should work with 2FA.

http://nae.es/en/the-impact-of-the-new-european-directive-on-payment-services/

Meanwhile, I think only this would really work: we collect lists of banks that use 2FA; users could collaborate in identifying them, even if the list is not exhaustive. Only transactions with these banks would be allowed, prohibiting other account numbers.

1 Like

Wow, banks finally start to implement 10-year-old tech! Maybe they got a break from their attempts to understand what "Blockchain" is about and realized all they need is to apply 20-year-old cryptography and 10-year-old IT best practices. :wink:

Do you have any idea where we could render such a list?
Anyone who can help here?

Here is something to start with:
https://twofactorauth.org

PS: 2FA is even 20 years old (https://arstechnica.com/information-technology/2013/05/kim-dotcom-claims-he-invented-two-factor-authentication-but-he-wasnt-first/)

3 Likes

The simplest system would be for each user to provide proof that their bank works with 2FA.

For example, these are three Spanish banks with which I work and which implement 2FA. It is very easy to prove it:

Code 0182 Bank: BBVA

Code 0049 Bank: Santander
https://www.bancosantander.es/en/particulares/banca-online/seguridad-online/nuestro-promiso-de-seguridad

Code 2048 Bank: Liberbank
https://www.liberbank.es/atencion-al-cliente/faqs

They are https pages where the use of 2FA in transactions is mentioned.

Bisq would have a field where you would enter the URL (https only) of the bank page where the use of 2FA is explained. Both sides of the transaction must do so, and both must check the URLs to verify that the other party uses a bank with 2FA.

Otherwise, or if the URL does not match the bank of the other party's account, the user would open a dispute.

The e-mail field would be suppressed to avoid social engineering scams. In addition, the bank code of each transaction could be collected (only the code) and stored in a public repository in the cloud, without encryption, to be subjected to user scrutiny. Over time a database of reliable banks would be built, and only those banks could be used.
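The bank allowlist proposed in the two posts above (collect the bank codes of 2FA banks, then refuse account numbers from any other bank) can be expressed as a small check on the counterparty's IBAN. The following is an added example, not Bisq code: it validates the IBAN's ISO 13616 mod-97 checksum, extracts the bank identifier from the BBAN for a few SEPA countries (Spain as in the post, plus Germany and Portugal as a generalization, using the published IBAN layouts for those countries), and looks the pair up in a constructed allowlist seeded with the three Spanish codes quoted above. The `TWO_FA_BANKS` and `BANK_CODE_LAYOUT` tables, the function names, and the sample IBANs (standard published example IBANs plus one constructed all-zero account) are assumptions of this example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed allowlist: (country, bank code) -> bank name, for banks whose online
# banking requires 2FA. Seeded with the three Spanish codes named in the post
# above; in the proposal, users would extend it collaboratively.
TWO_FA_BANKS: Dict[Tuple[str, str], str] = {
    ("ES", "0182"): "BBVA",
    ("ES", "0049"): "Santander",
    ("ES", "2048"): "Liberbank",
}

# Where the bank identifier sits in the IBAN for a few SEPA countries:
# (start offset, end offset, total IBAN length).
# ES: 4-digit bank + 4 branch + 2 check + 10 account (24 chars)
# DE: 8-digit BLZ + 10 account (22 chars)
# PT: 4-digit bank + 4 branch + 11 account + 2 check (25 chars)
BANK_CODE_LAYOUT: Dict[str, Tuple[int, int, int]] = {
    "ES": (4, 8, 24),
    "DE": (4, 12, 22),
    "PT": (4, 8, 25),
}


def normalize_iban(iban: str) -> str:
    """Strip whitespace and upper-case, so 'es91 2100 ...' and 'ES912100...' compare equal."""
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace each letter by its number (A=10 ... Z=35) and require remainder 1."""
    s = normalize_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    as_digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(as_digits) % 97 == 1


def bank_code(iban: str) -> Optional[Tuple[str, str]]:
    """Return (country, bank code) or None when the country layout is unknown
    or the IBAN has the wrong length for that country."""
    s = normalize_iban(iban)
    layout = BANK_CODE_LAYOUT.get(s[:2])
    if layout is None:
        return None
    start, end, length = layout
    if len(s) != length:
        return None
    return s[:2], s[start:end]


def check_counterparty_account(iban: str) -> Tuple[bool, str]:
    """Accept the account only if the IBAN is well formed AND its bank is on the
    2FA allowlist; anything else is a reason to refuse the trade or open a dispute."""
    if not iban_checksum_ok(iban):
        return False, "invalid IBAN checksum"
    key = bank_code(iban)
    if key is None:
        return False, "unsupported country or malformed IBAN"
    bank = TWO_FA_BANKS.get(key)
    if bank is None:
        return False, f"bank {key[0]} {key[1]} not on the 2FA allowlist: open a dispute"
    return True, f"bank {key[0]} {key[1]} ({bank}) is on the 2FA allowlist"


if __name__ == "__main__":
    # Constructed sample inputs: a published example ES IBAN (CaixaBank, code 2100,
    # not on the list), a constructed BBVA account, a published example DE IBAN, and
    # a tampered check digit.
    for sample in (
        "ES91 2100 0418 4502 0005 1332",
        "ES91 0182 0000 0000 0000 0000",
        "DE89 3704 0044 0532 0130 00",
        "ES92 2100 0418 4502 0005 1332",
    ):
        print(sample, "->", check_counterparty_account(sample))
```

The check deliberately separates "malformed IBAN" from "valid IBAN, bank not allowlisted": the first is a data-entry error the trader can fix, the second is exactly the case the proposal wants to block. Note that passing this check says nothing about whether the specific account was taken over through phishing, which is the limitation raised in the replies that follow.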

I've been used for several frauds by clients with 2FA, including a transfer from a client of my own bank.
You overestimate its security.

There's a reason most financial services use photos for KYC. There is no better alternative, even if it is neither foolproof nor attractive to the client.

1 Like

You got scammed with stolen bank accounts which used 2FA? Or was it a fraudulent chargeback?

Most (if not all) chargebacks are for transfers from stolen bank accounts.
And I am sure the fraudulent transfer I got from my bank was done with phished 2FA credentials.

Do you know how that phishing is done? By fake pages and then quickly using the 2FA code? Or are people really that stupid to give away the 2FA code by phishing e-mails/calls?

We have matrix cards as 2FA and SMS codes as 3FA.
What I was told is that, since it was a 100 € transfer, it only requested codes from the matrix card. The client got phished through some bank e-mail for the numbers of the matrix to collect the transfer.
So yes, people are that dumb.

1 Like

Hello everyone,

2FA may not be perfect, but it is a proportionate and adequate response to the problem. Scams are much rarer and, as Riclas says, limited to small amounts. This fraud in 2FA banks can only happen if:

1- The amount moved is small
2- The bank combines 2FA and an OTP card for small amounts
3- The user has suffered phishing
4- The user is stupid enough to send his OTP by mail

Of course more sophisticated scams are possible, for example intercepting SMS and things like that, but they are not very frequent. Nothing you imagine will be perfect.

The introduction of identity card photographs into a P2P service would not secure commerce, but would become a focus of identity capture by malicious people. Data theft and identity falsification would surely be generalized in such a system. It could become very dangerous.

A centralized commerce service can use identity verification services (the regulations of many countries require that) like https://www.trulioo.com/ and many others; however, the photos that each user receives, what will they serve for?

Photo editing programs do wonders.

2 Likes

Such chargebacks should not get accepted in any case. If people are too stupid they have to learn by paying. And banks need to educate/inform them better.

@riclas: Did you also get scammed by fraudulent chargebacks? I mean those where no crime was involved but the buyer just asked the bank to get the money back? I think in SEPA that is very hard and should be very low risk. What is your opinion/experience?

The ClearXchange chargeback might have been such a case as well. Maybe the husband of the account owner did a lot of trades and then the wife was upset that he spent all the money and requested a chargeback. We don't know, but it might be an explanation. As there were no other cases it seems it was at least not a stolen bank account case.

If it was such a fraudulent case the victim should go to court and request his money back. There is a signed contract in the exchange process which should serve as proof. Just for small amounts like 300 USD lawyer costs are too high in relation, so the scammer can get away without risk.

I honestly have no way of knowing if fraudulent chargebacks were made to me. You are correct that in those cases it will be very low risk in SEPA.
I actually believed many of the chargebacks I got were just buyers trying to get both money and btc, until the police knocked on my door and accused me of being part of a ML group.

It’s safe to assume all chargebacks are phishing or fraud cases, from my experience.

2 Likes

Surely it is best to limit transactions to 2FA banks, you will see:

If a user is foolish enough to send his OTP to phishing, he can also send his ID card. Then we will suffer not a small scam, but a big scam.

This happens, even in the banks, it is very difficult to avoid the idiots, they are very destructive.

That's why I do not think it's a good idea to include e-mail in Bisq. It is to open Bisq to the world of phishing.

Your reasoning assumes the same number of people who give out their OTP to phishing will also give (or be asked for) a selfie with their ID.
That's why you ask for something else on the selfie, not just the ID card. Some paper with the trade number, for example.

there needs to be a limit drawn somewhere to how much you ask from a new client, but the more restrictions you give, the less open to fraud you are.
Perfect world: people could easily use their ID card to sign the transaction.
In Europe this is possible, but most people don’t have the skills, knowledge or means to do so. It’s a pity this isn’t enforced when creating the new european IDs.

Hello everyone,

Well, all that can be falsified with the greatest ease, even with stamping, no problem. There are even tutorials on the internet for that. In Spain the identity card has a cryptographic chip, but in other countries (Italy or Portugal) it has a level of sophistication similar to the membership card of a library.

If the system of selfies were operating in Bisq the scammers would have it very easy. They would have an unlimited identity capture system by selling small amounts of BTC.

Then, because they have account numbers, copies of identity cards and e-mails, they could start phishing some users. They could also make "real" photos of anyone, showing cards printed with the photo of that person, but with the captured data of a real identity from Bisq. The same for any invoice that appears in the photo. The redundancy of insecurity is not more security.

1 Like

Not true. All EU countries now issue chips on their ID cards. Granted, many people don't have their new ID card yet. All EU countries need to comply with eIDAS by 2018; then we will have what we need to end this discussion.

Maybe I'm being naive, but I'm not arguing for high quality scans of ID cards. I don't see how watermarked scans of ID cards are useful for scammers. Then again, I'm not a security expert.
The history (reputation) of the seller usually plays a part in deciding whether I give out my data, which is another issue on Bisq.

In the future we will all have a card with a cryptographic chip. The present is different, and these things happen:

We hope that this electronic card will be generalized soon.

It is perfectly possible to remove watermarks by editing the photo with Adobe Photoshop or The Gimp, but there is another way to steal an identity without being an expert in graphic arts: an identity card is faked and printed with the photo of anyone. The name will be the owner of a bank account captured with phishing (for example in Bisq, now that we have to give the e-mail). In a selfie any edit of an identity card will look good.

Then a selfie photo of that person with the fake identity card and any other easily editable document, and they can now give this data to a seller.

What can the seller do to verify this data? NOTHING

All he needs is a man of straw, or the same swindler sufficiently disguised.

On the other hand a seller’s reputation is not enough guarantee to give you your identity data. As I have argued a swindler could do a dozen small operations and earn an acceptable reputation while capturing identities. Much more in Bisq, where the volume of operations is very low. Perhaps in the future it will be more useful, as thousands of operations are carried out.

It may be acceptable to give your identity data to a centralized exchange, because you do it once, and the company is obliged to treat them with confidentiality, but, in my view, it is completely unacceptable in the case of strangers. In fact it is directly criminal according to the regulations of many countries. Where is the contract of confidentiality and custody of sensitive data?

For example, I can buy 200 € in BTC here https://bitlish.com/ without verification. If I want to buy more, I have to give my data, but at least I give them under contract and only once. Aren't we making Bisq unpleasant in comparison?

I think the introduction of e-mail and verification by the user is something like trying to kill flies with machine guns; only one scam case was reported, and in my humble opinion the problem could be minimized or avoided with 2FA banks.

1 Like