BCB

VIP

Legendary



Offline



Activity: 1064

Merit: 1002





BCJ







CTGVIPLegendaryActivity: 1064Merit: 1002BCJ Re: I entered the police station as a suspect. When I left the officer loved Bitcoin January 09, 2013, 02:19:06 PM #9 Great Story but I think this begs a larger question.



This man in the middle (MIM) attack seems to be quite common recently.



An attacker finds an unsuspecting buyer of say iphones or Justin Beiber tickers.



The buyer unknowingly sends their fiat to an unsuspecting bitcoin seller.



The attacker has already created an order for bitcoin with the unsuspecting bitcoin seller.



Once the unsuspecting buyer send the fiat to the bitcoin seller the bitcoins are sent to the attacker



and the buyer and the seller are left to figure out what has happened.



What are bitcoin businesses doing to combat this attack?



Thx.

Mike Hearn



Offline



Activity: 1526

Merit: 1008







LegendaryActivity: 1526Merit: 1008 Re: I entered the police station as a suspect. When I left the officer loved Bitcoin January 09, 2013, 02:23:19 PM #10 The police officer sounds like a cool guy, but you have NOT solved the problem.



You need to start verifying the identities of depositors and people withdrawing money from your exchange like Mt Gox and other operations do. Not only is this your protection against being an exit from the fiat system for criminals, but the law may sometimes require it too (depending on thresholds, etc).



Whilst the police officer was obviously nice to you, don't take it personally if they come back and charge you with something. You clearly know there's abuse of your service and you will be expected to stamp it out. ID verification is the way to do that, so get on it.

Luno



Offline



Activity: 504

Merit: 250







Sr. MemberActivity: 504Merit: 250 Re: I entered the police station as a suspect. When I left the officer loved Bitcoin January 09, 2013, 03:00:20 PM #13 Good work fimp. If you, or anyone else in our part of the bitcoin world, don't get off as easily on another occasion, I will stand up for you with my real life identity and be a character witness if they are credible as you are off cause.



So the scammer used Bitcoinnordic credentials but changed you business Bitcoin address for his own?



Maybe Bitcoin need a server certification system to verify registered addresses as genuine for businesses. Browser integrated so there is a warning on the page if a sellers address is unknown? Phishing would still be possible though.



Akka



Offline



Activity: 1204

Merit: 1001









LegendaryActivity: 1204Merit: 1001 Re: I entered the police station as a suspect. When I left the officer loved Bitcoin January 09, 2013, 03:27:04 PM #15 Quote from: fimp on January 09, 2013, 03:15:18 PM Quote from: Mike Hearn on January 09, 2013, 02:23:19 PM The police officer sounds like a cool guy, but you have NOT solved the problem.



You need to start verifying the identities of depositors and people withdrawing money from your exchange like Mt Gox and other operations do. Not only is this your protection against being an exit from the fiat system for criminals, but the law may sometimes require it too (depending on thresholds, etc).



Whilst the police officer was obviously nice to you, don't take it personally if they come back and charge you with something. You clearly know there's abuse of your service and you will be expected to stamp it out. ID verification is the way to do that, so get on it.

Months ago I started requiring ID of bank transfer depositors I suspect of being fraudalent. But even if I required this from everyone it wouldn't be a foolproof way to avoid this specific type of scam.



If the "seller" successfully convinces the buyer that he needs to provide identification documents to get his iPhone then we're still vulnerable. I agree it would very likely make the risk of this happening smaller.

Months ago I started requiring ID of bank transfer depositors I suspect of being fraudalent. But even if I required this from everyone it wouldn't be a foolproof way to avoid this specific type of scam.If the "seller" successfully convinces the buyer that he needs to provide identification documents to get his iPhone then we're still vulnerable. I agree it would very likely make the risk of this happening smaller.

Wouldn't the save way just be to require everyone to have Bitcoin Nordic or something similar in the purpose (or how ever it is called in English) field of every transaction.



everybody would wonder, why he has to put Bitcoin Nordic in there for his iPhone.



And if you get transactions with the words Ebay in it this is clearly a warning sign. Wouldn't the save way just be to require everyone to have Bitcoin Nordic or something similar in the purpose (or how ever it is called in English) field of every transaction.everybody would wonder, why he has to put Bitcoin Nordic in there for his iPhone.And if you get transactions with the words Ebay in it this is clearly a warning sign. All previous versions of currency will no longer be supported as of this update

jonitas



Offline



Activity: 57

Merit: 0







NewbieActivity: 57Merit: 0 Re: I entered the police station as a suspect. When I left the officer loved Bitcoin January 09, 2013, 03:38:13 PM #16 Quote from: Mike Hearn on January 09, 2013, 02:23:19 PM You need to start verifying the identities of depositors and people withdrawing money from your exchange like Mt Gox and other operations do. Not only is this your protection against being an exit from the fiat system for criminals, but the law may sometimes require it too (depending on thresholds, etc).



Why would you do that?! You're just selling a virtual product. We're not obliged in any way to verify where the money people use to pay comes from. Can you imagine a hairdresser asking for your ID because the money you pay with might be stolen?



What law would require you to do this? It's not like your selling a financial product or service, since bitcoin isn't yet officially considered a currency, you're just selling an ordinary product like an e-book. Why would you do that?! You're just selling a virtual product. We're not obliged in any way to verify where the money people use to pay comes from. Can you imagine a hairdresser asking for your ID because the money you pay with might be stolen?What law would require you to do this? It's not like your selling a financial product or service, since bitcoin isn't yet officially considered a currency, you're just selling an ordinary product like an e-book.

BCB

VIP

Legendary



Offline



Activity: 1064

Merit: 1002





BCJ







CTGVIPLegendaryActivity: 1064Merit: 1002BCJ Re: I entered the police station as a suspect. When I left the officer loved Bitcoin January 09, 2013, 03:44:15 PM #17 jonitas



The problem is FRAUD.



We all grip about the ID and personal info required to use FIAT systems.



Bitcoin is all about anonymity and speed.



The problem is where bitcoin and fiat meet. So much so that bitcoin business are now requiring verification not unlike fiat systems.



However, when we can earn bitcoin, receive our paycheck in bitcoin, pay our rent and bills and taxes in bitcoin and no longer have a need for moving fiat into and out of the system this will all go away.



Unfortunately until that time comes bitcoin remains a scammers paradise and bitcoin businesses will have to work very hard to combat this as the attacks become more sophisticated.





Mike Hearn



Offline



Activity: 1526

Merit: 1008







LegendaryActivity: 1526Merit: 1008 Re: I entered the police station as a suspect. When I left the officer loved Bitcoin January 09, 2013, 03:52:12 PM #18 Come on. This isn't even a fiat vs bitcoin problem, it's just a fundamental problem with money systems. Anyone who thinks Bitcoin is immune to this kind of attack needs to think again.



How does this attack work? It confuses the victim into thinking they are paying one person for one thing, when they are actually paying someone else for something different. In this case, the "something different" is Bitcoins delivered to the attackers address because (if you don't verify ID) that means the attacker can't be easily traced, but it could easily be many other types of good.



Bitcoin is not immune to this problem. In fact we are anticipating such attacks to become common in future, the mechanism being malware that waits until you make a payment and then swaps the addresses you see on screen for addresses owned by the virus writer. Even if you have a second factor auth system, you think you're paying the merchant, but the money actually goes somewhere else.



This is why we're doing the payment protocol work - the eventual end goal is to phase out the use of (end user visible) addresses, so most payments go to human-meaningful identities like amazon.com instead of 1AbCd.... - in combination with a second factor it solves the identity confusion attack by ensuring you always know who you're paying.



If you don't fix this, Bitcoin Nordic will get blacklisted by the banks again just like you did last time. You NEED to ensure that people depositing money understand what they are doing and who they are paying. But that is hard - hence the emphasis on being able to identify who the perpetrators are. Perhaps you should require the wire transfer description to contain "PURCHASE OF BITCOIN VIRTUAL CURRENCY. NOT FOR SALE OF GOODS" or something else that might tip users off to what's going on.

DeathAndTaxes

Legendary



Offline



Activity: 1218

Merit: 1007





Gerald Davis







DonatorLegendaryActivity: 1218Merit: 1007Gerald Davis Re: I entered the police station as a suspect. When I left the officer loved Bitcoin January 09, 2013, 04:05:24 PM #19



What makes this issue so much tougher to fight is merchants are held hostage to third parties (i.e. banks, payment processors, credit card issuers, and service providers) who don't provide adequate tools to prevent fraud. When the merchant doesn't prevent fraud (with nonexistent tools) it becomes the merchants fault. Wow what a great system.



For example if I receive a bank wire the bank "could" provide me the phone number on the account. Or for privacy reasons provide me a bank phone number and extension, which when I dial gets relayed to the account number on the account. I get a wire, I do a call back verification and find out "WTF? You wired me money for an iPod cause a guy on craigslist told you too?". I hit the (currently nonexistent) return button, indicate fraud, and the wire gets returned to customer with any fees PAID BY THE IDIOT CUSTOMER not the innocent merchant!



Another thing which "could" be done is change the way bank wires are originated. Customer enters the routing and account number and the bank website (because banks are sharing this info) displays the business name, contact information, and a custom message from the business

Quote



[ ] I (account holders name) verify this is the person I am intending to send funds to. I understand Bank Wires are irreversible.



SECURITY WARNING: This deposit only account is used to fund irreversible currency purchases. If you have been told to wire funds for any other reasons IMMEDIATELY STOP. You may be a victim of fraud. Please visit https://companyname.com/fraud for more information.[ ] I (account holders name) verify this is the person I am intending to send funds to. I understand Bank Wires are irreversible.





Even better since accounts are just numbers and can be up to 30 digits long (ACH or IBAN) Banks could allow businesses to generate a single use address with a custom message (i.e. internal order number, account number, purpose of transaction, warnings, etc). Funds sent to the single use account number get swept to the business main checking account. Once used once any funds sent there get bounced back as undelivered.



None of this is science fiction. It could be done today, hell it could have been done 20 years ago. However banks have no reason to improve security. They don't lose anything. That is the problem with monopolies. From the banks point of view security is currently "good enough". Real security is expensive and the banks are paying for the costs of inadequate security. It is just like credit cards (although to a lesser extent) the current model removes all responsibility from the customer AND banks and places it on the merchant (who is the least equipped to prevent fraud).



How does Bitcoin change that? Well one being an open network it allows the development of the security tools banks never will. The other aspect that changes is it makes the customer responsible for their own action. Instead of merchants being given an impossible task to prevent all fraud (with incomplete information) and paying all the cost the responsibility is shared and real tools can be developed to protect both customers and merchants. Mike has some good points but there is one fundamental difference with Bitcoin. It can't be reversed, it can't be frozen, it can't be suspended.What makes this issue so much tougher to fight is merchants are held hostage to third parties (i.e. banks, payment processors, credit card issuers, and service providers) who don't provide adequate tools to prevent fraud. When the merchant doesn't prevent fraud (with nonexistent tools) it becomes the merchants fault. Wow what a great system.For example if I receive a bank wire the bank "could" provide me the phone number on the account. Or for privacy reasons provide me a bank phone number and extension, which when I dial gets relayed to the account number on the account. I get a wire, I do a call back verification and find out "WTF? You wired me money for an iPod cause a guy on craigslist told you too?". I hit the (currently nonexistent) return button, indicate fraud, and the wire gets returned to customer with any fees PAID BY THE IDIOT CUSTOMER not the innocent merchant!Another thing which "could" be done is change the way bank wires are originated. Customer enters the routing and account number and the bank website (because banks are sharing this info) displays the business name, contact information, and a custom message from the businessEven better since accounts are just numbers and can be up to 30 digits long (ACH or IBAN) Banks could allow businesses to generate a single use address with a custom message (i.e. internal order number, account number, purpose of transaction, warnings, etc). Funds sent to the single use account number get swept to the business main checking account. Once used once any funds sent there get bounced back as undelivered.None of this is science fiction. It could be done today, hell it could have been done 20 years ago.Real security is expensive and the banks are paying for the costs of inadequate security. It is just like credit cards (although to a lesser extent) the current model removes all responsibility from the customer AND banks and places it on the merchant (who is the least equipped to prevent fraud).How does Bitcoin change that? Well one being an open network it allows the development of the security tools banks never will. The other aspect that changes is it makes the customer responsible for their own action. Instead of merchants being given an impossible task to prevent all fraud (with incomplete information) and paying all the cost the responsibility is shared and real tools can be developed to protect both customers and merchants.