A bit of background and context:
We had our first and only bank charge back case (via ClearXchange) a week ago and we needed to find a way to improve the protection of Bitcoin sellers against such fraudsters.
We hoped that the limited trade amount is sufficient to keep scammers out, but as we have seen now this assumption does not hold (it was a 300 USD trade - so a relatively small amount).
We don't have much background information about the case but it might be that the scammer has cashed out a stolen bank account for more then 6 weeks and also reached the monthly transfer limit of the bank which might be about 15k USD! It seems he used mainly other platforms and not Bisq as we did not got reported any other case. That it took so long until the fraud got discovered (if it was a stolen bank account case, which is not entirely clear) shows another problem we underestimated. We though if such cases happen they get quickly discovered and then the account frozen.
By using bank transfers we inherit the poor security model of the banking system. If they would require by default 2FA getting access to a foreign bank account would be much harder and if they would provide by default notifications of any movement in the account such crime would get discovered very quickly. But banks are busy to jump on the Blockchain train instead of applying basic IT security best practices....
It is unfortunate that we rely on banks to some extent but there are not good alternatives out for Fiat transfers. So we have to deal with that model.
With that case we saw an urgent need to provide better protection for the BTC seller otherwise the scammers will use Bisq for cashing out their stolen bank accounts more frequently.
There was also quite often the request from users that they want an option to be able to contact the other peer.
It seemed that many professional traders (who are used to trade on LocalBitcoins) did not use Bisq because they felt that they don't get enough protection against those charge back risks.
Any bank transfer carry that risk, specially in case of a stolen bank account. Most banks ask for permission to do the charge back but some don’t and simply make a reversal without your agreement (we heard of cases even with SEPA, ClearXchange did not ask in the above case).
ClearXchange seems to be even worse and as they stated to the scammed seller that ClearXchange should only be used in the context of “Family and friends”. It seems they allow charge back even without any proof of crime involved (it was called a disputed reversal not a fraudulent).
That is why we highly recommend any BTC seller using ClearXchange to make a ID check with the other peer.
We considered as well to remove ClearXchange as it seems to have a high charge back risk, but as it is one of the very few practical payment methods in the US we decided to keep it for now.
Doing a ID check should avoid the stolen bank account scams completely (assuming the ID check is done properly) and in case of a charge back initiated without valid reason the seller should start legal actions against the scammer. He has at least the identity checked so he can be sure it was not a stolen bank account scam and in Bisq there is the trade contract which got digitally signed by both traders and it’s hash is in the block chain. So the trader cannot dispute in court to not have agreed to the trade.
To enable direct contact for performing the P2P ID check we added a mandatory email field to those accounts which carry some charge back risk.
- National bank transfer (as well as transfer with same bank and transfer with with specific bank)
- Faster Payment
- Chase Quick Pay
All the other payment methods are considered to have no risk for charge back (OKPay, Altcoins) or a very low risk (Swish, PerfectMoney, Cash Deposit, US Money Order, Alipay).
We needed an easy solution to implement a protection for the new v.0.5.0 release to mitigate that problem. The solution with using an email field was such.
To implement more sophisticated solutions is on the road map but will take a few months and it is not clear yet how it will look like - but just to be clear:
There will never be a centralized KYC style registration, that would render Bisq pointless. So to not create any central entity for collecting and verifying users identity and connecting that to trades is an absolute requirement for any option we are looking at.
Rough direction what we want to look at are:
- Decentralized reputation system
- P2P verification (like now with the email address but better integrated like e.g. using the in-app chat system)
- Optional 3rd party verification (no connection to trades or Bisq so privacy protection of trades is kept). User would get a certificate and could use that in Bisq. Would help to avoid the need for repeated P2P based ID checks.
- Different trade limits based on reputation/nr. of trades
- Long term locked up security deposits
There is a difficulty to give maximum control to the users and to keep usability acceptable.
Like for the current case with the email fields we could also have made it optional and allowing the user to specify in which cases they accept or require that P2P ID check and what exactly they require or are willing to accept, different for buyer or take role. But you see in that sentence already how complicate it can get and how many options it will contain. Communicating that well in the UI and the offer book will be challenge - a challenge for what we don’t have resources at the moment.
But in future that should be improved and should make it more acceptable for different users with different levels of risk acceptance and what they are willing to expose on privacy to the other peer as well as on extra effort for the ID check.
The main reason why I think that the mandatory email is not making a big trouble privacy-wise is that with bank transfers you are exposing already your full name and bank account number to the peer. To give additionally the email address (only the trade peer see it) does not make anything worse in regard to privacy. Of course the extra work for the ID check is something we need to address.
We can need your help!
Anyone is very welcome to help us to work on the concepts how such features for increasing security and improving usability while keeping privacy protection can be designed and implemented.
Just be warned: Decentralized reputation is not an easy task and so far I know nobody has solved that in a satisfying way. Web of Trust (WoT) is probably the best solution so far but everyone knows how little it is used and how bad usability is with it.
OpenBazaar had it on their road map for a long time but as far I am informed (not well) they gave up on it.
So those are not easy challenges and will not get solved in a few weeks, but hopefully in a few months.
What happens if the users don’t fulfill the ID checks or request too much:
The arbitrator (me) will be tolerant and will not take the security deposit if not a clear misbehavior was the case. People are also better as their fame is (at least Bisq traders).
The huge majority have been very cooperative and there have been zero real disputes so far. So I expect that there will not be too many problems with that.
Lets see how that develops and fix issues if they arise. Being flexible and practical has been proven in the past as a very important feature, more important than defining every detail of theoretical possibilities...