New requirement for payment accounts with charge back risk

Hi @erizo, hi @riclas,

thanks for your input and discussion.

I agree that the idea to enable the direct ID check was a bad one and I want to repair that as soon as possible, but we need to find a good replacement.
I also agree that the selfie can easily be tricked and sending any kind of IDs is risky.

For SEPA it seems that the risk for fraudulent chargeback (no stolen account) is very low. For ClearXchange though it seems to be a considerable risk.
So let's make 4 categories:

  • no risk: altcoins, okpay
  • very low risk: perfectmoney, swish, cash deposit, US cash by mail
  • low risk (stolen account): Sepa, all other bank transfers
  • mid risk (fraudulent chargeback): ClearXchange

In the worst case we can remove ClearXchange but it is the main payment method for USD. So that would be pretty bad. The fraudulent charge back could be brought to court and if there would be a pot for such legal expenses then even small amounts would get executed to make fraud attempts less attractive.

So the main challenge is still the stolen bank account scam:
With SEPA it seems that charge back requires mostly to get accepted by the seller (though there are reports where they reversed the payment without asking). Again with going to court and fight for the right we would have good chances. It is not the seller's problem if banks and their customers are not taking care of security. I think the seller doesn't need to accept a chargeback (can you confirm that @riclas?).
I am not sure how the legal situation here is and if courts would argue that Bisq needs to provide some KYC or the like. I doubt, but might be at least in some countries the case. I read that there are countries where P2P transactions require that the peers do an ID check (in contradiction to the laws regarding confidentiality and custody of sensitive data).

Regarding reputation:
We plan to investigate possibilities in how we can provide a decentralized reputation system but that will take time and effort and it is not clear if it will work.
Any reputation system can be gamed so we should not build on that in the first place but only take it as additional "nice to have" and make also clear that it is not a strong security feature (it often gives wrong impression of security).

3rd Party ID check:
That might be a realistic option. That people are using an out of system 3rd party services where they do a KYC and get a certificate. With that they can prove in Bisq that they are verified without connecting trades to that company who holds the ID data. I doubt that many of our users want to do that but that might be at least a secure option which does not violate privacy of the trades (though of course doing any KYC is something problematic).
There would be logistic problems as well:
Who pays for it?
The user? - Even more hurdle. And it is probably not cheap.
Bisq? Bisq is not a company but only provides software that users can exchange directly.
So that option does also not sound as a way to go.

Time based or number of trade based restrictions:
It can be assumed that a stolen bank account will be discovered in 1-2 months at least, hopefully faster. So if a user used a bank account we can be relatively sure that after 1 or 2 months the risk that it was a stolen bank account is very low.
But of course we don't want to restrict the users to not be able to make trades until that time has passed.
Trade limits will also not help much but hurt usability.

We can assume that a scammer once he has access to a stolen account starts trying to cash out. So the older the account the less likely it is a scammer's account.
We can add a creation date field to the payment account.
When creating an offer the date and hash of the account data is included in the offer so takers can see the age of the account and later verify the date with the hash.
The maker can also define the min. account age he requires from takers.
In the trade process when the account data are exchanged the hash is verified and if it would have been faked (date is part of the hashed data) the trade fails.

I think that is a realistic option which gives some level of security for at least those who have used Bisq for longer than a month and does not hurt usability for those
Also implementation is not terribly much effort.

So we would still need something to cover those who are relatively new.
We could use social media or keybase.io but not sure how much security that really provides and if people want to use it.
The buyer could be requested to post a predefined message on a social media account and the seller can check if that was posted (can be some random number to protect privacy).
So the seller has the assurance that the buyer is in possession of the social media account (need to match the name which might be not the case for some/many of our users) and the age of the account can usually easily be seen.
If the hacker has also the social media account that will not help of course. Does anyone have an idea about the likelihood of that?
That option would only be required if the age of the account is less than a month or so. And of course can be optional but would carry more risk if nothing provided and the user is new.
Adding support for exchanging the social media link would be also not a big effort to implement.
What do you think about that option?

Additionally we could limit trade amounts for those who are new and don't want to provide a social media account. But not sure as the scammer could run multiple Bisq apps and the limit does not help much. Probably we have to accept that some risks stay open and sellers who are willing to take that risk have to be aware and get it probably compensated with a better price.

2 Likes

Of course instead the social media account thing we could offer others like WoT or the like but need to be easily accessible for the peer... Bitrated might be another candidate...

1 Like

Correct. However, the seller should be aware he can be criminally charged (wrongfully) if he receives funds from a stolen bank account.

I'm not sure how much of a solution this is... I'm guessing scammers can sit on stolen bank account info for a month until they can use Bisq. Unless that info is being widely distributed, and then they need to act fast. It definitely is a step.

There's another solution some services use that I'm not sure how good it could be: The taker should transfer a small amount (1€ e.g.) and after several days that bank account would be "verified". Scammed people might not even notice or care about these small transactions though.

I think something like bitrated should definitely be integrated at some point.

I was thinking of that as well but it will not work if you don't have a trusted party who receives that payment (like arbitrator) as the peer can be a sock puppet and then the payment was just fake. To do that in every trade would be a usability killer.
I don't want that the arbitrator gets any more power than he already has. So I don't see a way how we could use that.

You mean he gets into trouble but finally at court he is not at risk as he can prove the trade. So it is "just" inconvenient. Right?

yes. as long as it is not a repeated occurrence you just have to go to the police and answer their questions as the defendant of some case.

Can't we have inside the app a metric that computes some sort of risk per offer? Like taking into account the age of the account, the number of trades with that payment method, whether or not the user has disclosed his e-mail address (in case it is not mandatory), the size of the trade, the security deposit, etc.

Additionally, users may for example link their social network profiles to their account, and these links will be displayed when making an offer. This is of course not desirable by some, although their full name is revealed during a trade. For example, when someone accepts my trade, I like to google that person out of interest to see what else they are busy with. In this way, someone trading with me can easily find my home page, which is public info anyway and maybe gain more confidence I'm not a scammer (or maybe lose confidence, you never know) :). So linking that directly to your Bisq account will make the information more easily accessible to the other peer, who can just click a link and start checking. Of course, social networking profiles may be faked by scammers, though it's more work for them...

But anyway, coming back to the metric, it will take into account whether you provided those links, home page, etc and will give you one unified metric, which is, again, computed per offer and it's not just about reputation, but about risk.

Also your Bisq age can be included by, for example, linking your Bisq forum username for traders to check how far back you were involved in the project and whether you have contributed content, or just bumped posts.

Thanks @mike!

I am not sure if nr. of trades and trade size will add much security. Nr. of trades can easily be faked with self trades. Beside that there is no easy way I am aware of how to verify it as the trades are only visible between the peers.

A unified indicator might be nice but I fear it will be too inflexible.

I was wondering to use 3 icons for 3 features we will support.
2 are optional but if none is provided users should consider the trade with a new user as higher risk.

  1. Age of payment account. If less than one month the users should provide additional security features (social media account and/or email). We could display it in 3 levels. < 1 Month=red, < 2 months=yellow/orange, > 2 months green
    Age of account is automatically setup and will be verified in the trade process.
    Maker can require min. age in the create offer screen. 3 options: < 1 month, < 2 month, > 2 month.

  2. Social media account (can be anything like Twitter, G+, FB, Reddit, btctalk forum, Bisq forum, PGP WoT, Bitrated, keybase.io,...). If the user provides a link to his profile it will be indicated in the offer with an icon. Maker can require that he wants from taker to have a link provided.
    The social media account needs to match the name of the trader (might be a problem as most will not use their real names, but otherwise it has not much value IMO - does anyone have other idea/opinion?).
    The buyer needs to post a predefined message (trade id or derived msg, not revealing btc or bisq trade to protect privacy) on the provided social media account and the seller can verify that as well as check the age of the account (needs to be min. 1 month old).

  3. Email address: Again indicated with an icon. Maker defines if he provides and requires email.

We warn people in a popup and a link to a wiki page about risks when getting in touch with a peer (e.g. id theft, phishing, malware,...)

What do you think about that?

If people agree I will start to make a more detailed plan how and what to implement.

1 Like

Hello everyone. The introduction of a social network account would be a very good idea, but with a nuance: it should work as 2FA. The buyer would put a code in the transaction and in his account of the social network. No additional communication will ensure identity better than that, therefore email and other communications should be banned as a standard to avoid social engineering scams.

On the other hand, you say that SEPA transfers are low risk, but there is an additional nuance: if only 2FA banks are allowed (with a system similar to the one I propose), I think this type of transaction would be classified as very low risk.

I say this because the social network application and other verifications could be implemented based on the risk associated with the type of payment.

After further discussions I think it is enough to make one message on the social media account and with that the users can prove to have access. The link to that message will be then stored to the user's account and transferred in the trade process to the peer who can check it. So it is not needed to do it at each trade. The social media account needs to match the name (not exactly but enough to be unlikely a made up account - e.g. mkarrer is ok for Manfred Karrerm but mk or manfredk not).
Alternatively platforms like keybase or Bitrated can be used. There the link to the profile is sufficient. The profile need to match the name.
Also it is only required to do it if the payment account is new (< 1 or 2 months).
In future we could even do the verification of that posted message automatically (like keybase is doing it), at least with a few mainstream channels like twitter it should be not too much effort (though will have some detail challenges as we want to use Tor and those mostly use cloudflare which blocks tor with captchas...).

I am not sure yet if the 2FA check of banks can realistically be implemented. We would need a database before and I fear that will be difficult to render (too many banks).
Maybe we can add a blacklist of banks known to not have 2FA, should be the minority anyway...

Btw:
Only the buyer is the risk so the seller does not need to provide anything.

So let's look at some detail use cases:

Case 1 Maker is buyer:

  1. Check if users payment account is older than 1 (or 2) months.
    1a: Yes older: Nothing is required.
    1b: No, new account: He gets displayed a message to add optionally a social media account and post a predefined text (e.g. hash of his account data + secret). That needs to be done only the first time.
    Let's skip the email address exchange, it is probably not needed and might cause more problems than it solves.

The taker can see in the offer book that the account is old or new and if new, he sees an icon for "social media 2FA" and/or email. Colors signal risk (red, orange, green...)

The taker gets in the trade process before he confirms receipt the link to the social media message (if provided) and the message what should be there. So he checks if that matches. If so all is ok, if not he should call the arbitrator.
Repeated trades with same user don't need to re-check again.

Case 2: Maker is the seller:
He gets asked if he requires social media account check if the taker/buyer has a new account.
We add the decision to the offer and it will be displayed in the offer. Only traders can take the offer who have an old account or who have a new account and have set up their social media 2FA. If they have not yet they get instructed to do so if they want to take that offer.

For ClearXChange the email address is anyway exchanged as it is used as the account ID. We display a popup with warnings that the seller should get in touch with the buyer and verify if the owner of the email is the same as the one of the account.
We include a warning regarding phishing, id theft, malware and social engineering. If users demand things that are not allowed (e.g. ID card) the peer should open a dispute.
The account age check and optional social media 2FA is the same as above.
The email contact is just additional and optional and as it is anyway exchanged no extra loss of privacy. People are doing it anyway to check the peer by email. So we only make it more clearly defined.

I think that is an acceptable solution to maintain usability and provide some additional level of security which adds hopefully too much friction for scammers to use Bisq.
Of course it will never give 100% security but that will not be possible anyway even KYC could be tricked.

What do you think?

1 Like
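
The account-age hash and the posted "hash of account data + secret" text proposed in this thread, sketched as an added example (not Bisq code and not written by any poster). Field names, the salt, the canonical JSON encoding, SHA-256 and 30-day months are assumptions.

```python
import hashlib
import hmac
import json
from datetime import date

def _digest(fields: dict) -> str:
    # Canonical JSON so both peers hash byte-identical input.
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def age_commitment(account: dict, created: date, salt: str) -> str:
    """Hash shown in the offer next to the claimed creation date."""
    return _digest({"account": account, "created": created.isoformat(), "salt": salt})

def risk_colour(created: date, today: date) -> str:
    """Three levels from the thread, with a month taken as 30 days (assumption)."""
    days = (today - created).days
    return "red" if days < 30 else "orange" if days < 60 else "green"

def verify_at_trade(offer: dict, revealed: dict, today: date, min_age_days: int) -> bool:
    """Peer-side check once the account data is exchanged in the trade."""
    created = date.fromisoformat(offer["created"])
    expected = age_commitment(revealed["account"], created, revealed["salt"])
    if not hmac.compare_digest(expected.encode(), offer["age_hash"].encode()):
        return False  # date or account data differs from what was hashed: trade fails
    return (today - created).days >= min_age_days

def social_proof_text(account: dict, secret: str) -> str:
    """Opaque text posted once on the linked profile: hash of account data + secret."""
    return _digest({"account": account, "secret": secret})

def check_social_post(posted: str, account: dict, secret: str) -> bool:
    """Seller compares the text found at the link with the expected value."""
    expected = social_proof_text(account, secret)
    return hmac.compare_digest(posted.strip().encode(), expected.encode())

# Constructed sample data, not taken from the thread.
ACCOUNT = {"method": "SEPA", "holder": "Alice Example", "iban": "XX00-CONSTRUCTED"}
SALT, SECRET = "constructed-salt", "constructed-secret"
CREATED = date(2017, 5, 1)
OFFER = {"created": CREATED.isoformat(), "age_hash": age_commitment(ACCOUNT, CREATED, SALT)}

if __name__ == "__main__":
    today = date(2017, 7, 15)
    peer = {"account": ACCOUNT, "salt": SALT}
    print(risk_colour(CREATED, today), verify_at_trade(OFFER, peer, today, 60))
    changed = dict(OFFER, created="2017-01-01")  # date altered, hash unchanged
    print(verify_at_trade(changed, peer, today, 60))
```

The hash binds the claimed date to the account data; on its own it does not show when the hash was first published.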

Sounds great! It will definitely work.

What social networks would be allowed? Facebook, Whatsapp, LinkedIn, Twitter ...?

My proposal to use 2FA banks is not based on a database: the user must indicate in each SEPA transaction an https help page showing the use of 2FA by that bank.

1 Like

Would leave it fairly open. In doubt if it is a not known/strange platform the arbitrator can check.

Yes I remember. I just think that it adds a bit too much effort for people to find that page. But who knows maybe someone finds a database or at least a blacklist of the banks who never upgraded their IT since 20 years.

I like these ideas to help minimise various risks, especially age of payment account.

About the social media account, just a concern about the linking a message to put into bisq.
What if people don't want bisq/bitcoin related text on their profile?
My only social media account (google+) that is tied to my real name is not public.
What I would do is probably supply a link to my main google+ profile and then put the trade id as a public post.
When the trade is over delete it. If others want to use what you mentioned, that's fine too.

People should take into account age of social media account and also should know the profile name can usually be changed easily. So it's not bullet proof, hopefully better than nothing and not create false trust.

Agree, email should be optional, I haven't had a need for it yet.

keybase & bitrated sound interesting but don't know much about them.
internal Web of trust & ratings would be great but sounds complicated.

There will be no texts related to bitcoin. That's the good thing about the system. The social network will function as a 2FA system:

[...] He gets displayed a message to add optionally a social media account and post a predefined text (e.g. hash of his account data + secret). That need to be done only the first time.

1 Like

I did not have in mind that. Just a random string (hash). so maybe some are confused... but that's it. alternatively we could hide it in a url like pastebin with no content...

Yes we will keep working on that but it's not trivial in a p2p environment with privacy protection.

Hi All

I wonder if verification of the account by social networks could allow a new payment system: ATM account income. It is very common in Localbitcoins. I understand that with the current system would be a payment method with risk of suffering the "man in the middle" scam, but with the social network check would be safer for the buyer and no risk of return for the seller.

What you mean specifically? Something like Halcash?

It is possible to enter cash into an account, through an ATM, for instance:

It is only necessary to know the account number, no identification is required.

1 Like

Does that work with any ATM in Spain or only certain banks/ATMs? Do you know if that is available in other countries as well?