Trading Exploit - Interac E-transfer Payments from Stolen Bank Accounts

Hi everyone,

There’s an exploit which affects, at minimum, fiat recipients in Bisq trades that utilize Interac e-Transfer. The scenario where it works looks like this:

1. Seller (who is honest) begins trade with buyer (who is dishonest)
2. Buyer sends trade amount to seller, from stolen bank account; stolen bank account may easily have Interac e-transfer name modified to match name on Bisq trading account (you may verify this with your own bank)
3. Seller sees name matches, assumes everything is okay, accepts buyer’s deposit, and releases their BTC. With this BTC release, the buyer has succeeded in their scam.
4. Payment reversal on seller’s bank account begins either when bank suspects fraud, or when the owner of the bank account that the buyer hijacked reports funds missing.

This is an exploit. It is effectively at the expense of Bisq’s crypto-side liquidity. Given that all the attacker needs in stolen credentials, it’s probably not limited to Interac E-transfer. I will provide suggestions on how I think it could be mitigated, and eventually fixed.

The only way to completely prevent this, that I can see, is by removing the incentive that a dishonest party might have to attempt this kind of fraud.

Edit: these must be combined to be effective.

1. Raise security deposit cap to at least 100%. A mediator rewarding the full 100% collateral amount is for when a buyer is left with the seller’s BTC, but the seller no longer has the buyer’s fiat.
   (Modularity, as always, is preferable. Users should be able to choose the terms of the locking period. Some may only want to do ~24h, some might want to do less. Options are valuable.)
2. After seller releases BTC, keep holding security deposits for some time.
   (up to a week, considering weekends/holidays where some banks’ legacy fraud detection systems might not catch fraud; one cannot verify what each bank’s fraud detection system is like. the more vagueness a user prepares for, the better.)

Until this issue can be fixed with an upgraded trading scheme, it may be advisable to give users a simple, but obvious warning to wait an appreciable period of time after accepting a fiat payment before they release their crypto to the buyer.
To compliment this warning, Bisq should consider lengthening the trade period window, or resetting it after the buyer or seller has confirmed that fiat payment has been sent/received, so that sellers are guaranteed the time needed to wait for flags to be raised. If some don’t listen and they get taken advantage of, there should be no room for doubt that it’s not the fault of Bisq.

It would also be beneficial, especially given this exploit, to allow makers to reject a taker. It’s less risky to sell BTC to a signed account that’s been around for awhile; one may not want to take on the risk of selling to someone who isn’t signed.
Buyers signed for any length of time, using a bank account that’s registered in their name, would be leaving a paper trail if they were to change other bank accounts’ Interac names to the one on their signed Bisq account; the payoff (~>$3k) definitely isn’t worth the risk of jail time.

Unfortunately, trust must still fall on the arbitrator to act honestly on quality evidence. That may, at the moment, simply be the state-of-the-art, if fiat is to be involved.
In the future, technology such as Chainlink DECO may be used to produce proof of an honest seller’s payment being returned to the bank account from which the buyer sent payment, which may circumvent the need for arbitration entirely and make fiat-facing aspects of Bisq fully automated, sans development. This would be quite an achievement.

If my ideas are not acted on, I encourage your creativity in addressing this issue with the seriousness it deserves. It’s an exploit, through-and-through.

As an addendum, I’m in the middle of a failed trade (post-mediation) with someone whose bank account I could not accept money from during the trade.
I accepted deposits in other trades shortly before and after, but obviously, my trading partner cannot verify that; I’m guessing he doesn’t know who to trust.
I suspect they were a victim of this problem.
They are neither accepting the mediation, or responding to me; it feels fairly obvious that they don’t dismiss the notion that their account got frozen because I somehow tried to scam them. They have a right to suspect this—but given that I know it isn’t the case (and i don’t think was even possible, given the circumstances), and know what the real issue might’ve been, it’s frustrating.

This issue needs to come to light, to prevent friction like this in the future.

Thank you for this report.
The suggestion you put forward, about changing the dynamics of the current trade protocol to accommodate for a larger/flexible trading period, will most likely not be taken into account by the dev team for Bisq1, and in general, if a payment is particularly prone to chargeback risk, it will either be removed from Bisq or its period extended, rather than locking the deposits for an amount of time after the BTC release.

I will forward this issue to the relevant room at bisq.chat

Regarding your pending support ticket, they are definitely annoying in general, I suppose that as long as proof can be produced you just need to wait for the resolution to complete.

Solution 1 does not prevent a chargeback, since chargebacks are done after the security deposit is released, so it doesn’t matter how high it is.
Solution 2 is worth to be considered though.

I don’t see how this issue affects exclusively to Interac E-transfer. Do you mean that buyers could change the name of their bank account once is stolen? Because if they can’t that’s why account signing was developed, to make it less appealing to try a chargeback from a stolen account, since first trades will be only for 0.01BTC.

Has a chargeback occurred to you or are you describing something that could happen?

Thanks.

Both of those solutions should be combined for sufficient effect; forgive the vagueness. If a buyer succeeds at this scam, the seller must be awarded a sum of value equal to the BTC they released.

It may not only affect Interac E-transfer—perhaps all fiat payment methods. I can only verify that it happens with Interac, because it happened to me in a transaction that utilized it.

Interac seems to hold onto the client’s name at their side; this is the name that appears on the E-transfer. It can be changed at any financial institution that leaves the modification of this name open to the user; I suspect some don’t. I use a credit union, and it allows me to.

okay, I can report that this possible scam has never been put in action until now, given the report from our mediators, which means it is probably not worth changing the code for, but it’s still possible to ask a mediator to extend the release time in those cases buyer pays late-ish

This issue had happened to me in an incident a few months ago.
I started mediation then, and it’s still ongoing; the bank hasn’t closed their investigation yet.
They still haven’t detracted any money from my account, but they say they will. The complications that arise from this issue lead to long, winding roads of pain.

Edit 1h later: It should be noted that at the beginning of that mediation period, I had no idea what was going on.
I knew only two things: I knew that I had just taken in a high volume of trades, and I knew that I wasn’t able to deposit any transfers. I assumed that I’d either tripped some daily deposit limit, or that I’d accepted money from an account on a bank blacklist. I wasn’t sure.
I never would have imagined that the buyer had malicious intentions; it was someone I had traded and faced no issues with previously.

The only reason I picked up on what was actually happening was because I was wise enough to record my conversation with the bank manager after I was called in to meet with him. They presented this meeting as though they had determined that I, as in me had committed fraud; it felt like an interrogation tactic.
He only mentioned once what was really going on—“account takeover” was the term he used—and it was at the height of my uncertainty, only a few minutes after a hoity-toity teller flat-out asserted I’d committed fraud.
“Account takeover”.
I missed it completely at the time.

Point of all this being, I imagine this problem has happened many times to many other Bisq users, and they don’t even realize it.
Combining a bank’s vagueness on what the actual issue is in a fraud case with the crypto scene’s general distrust of banks, we get a scenario where this kind of problem can uniquely go unnoticed for a long time.
The bank—who is an easy, and deserving target of criticism—takes all the blame for the seemingly surreal chargeback, and the scammer walks.

This issue had happened to me in an incident a few months ago. I started mediation then, and it’s still ongoing; the bank hasn’t closed their investigation yet. They still haven’t detracted any money from my account, but they say they will. The complications that arise from this issue lead to long, winding roads of pain.

Hi are you able to provide me with your trade ID for this trade. You can send me a private message in Matrix if you prefer. My Matrix user name is: @pazza83:matrix.org

I spoke with the other mediator about this issue and we are both not aware of any successful chargebacks from Interac E-transfer Payment. I think there was once occasion were a user reported their peer had tried a chargeback but their bank refused it. As they reported in to the mediators the user that attempted the chargeback was also lost their security deposit and purchased trade amount for their scam attempt.

I imagine this problem has happened many times to many other Bisq users, and they don’t even realize it.

Can you explain why the Bisq users would not be aware of this. Would the bank not provide them the information about the payments they were querying?