Hi @erizo, hi @riclas,
thanks for your input and discussion.
I agree that the idea to enable the direct ID check was a bad one and I want to repair that as soon as possible, but we need to find a good replacement.
I also agree that the selfie can easily be tricked and sending any kind of IDs is risky.
For SEPA it seems that the risk for fraudulent chargeback (no stolen account) is very low. For ClearXchange though it seems to be a considerable risk.
So let's make 4 categories:
- no risk: altcoins, okpay
- very low risk: perfectmoney, swish, cash deposit, US cash by mail
- low risk (stolen account): Sepa, all other bank transfers
- mid risk (fraudulent chargeback): ClearXchange
In the worst case we can remove ClearXchange but it is the main payment method for USD. So that would be pretty bad. The fraudulent chargeback could be brought to court and if there would be a pot for such legal expenses then even small amounts would get executed to make fraud attempts less attractive.
So the main challenge is still the stolen bank account scam:
With SEPA it seems that a chargeback mostly needs to get accepted by the seller (though there are reports where they reversed the payment without asking). Again, with going to court and fighting for the right we would have good chances. It is not the seller's problem if banks and their customers are not taking care of security. I think the seller doesn’t need to accept a chargeback (can you confirm that @riclas?).
I am not sure how the legal situation here is and if courts would argue that Bisq needs to provide some KYC or the like. I doubt it, but it might be the case at least in some countries. I read that there are countries where P2P transactions require that the peers do an ID check (in contradiction to the laws regarding confidentiality and custody of sensitive data).
We plan to investigate possibilities in how we can provide a decentralized reputation system but that will take time and effort and it is not clear if it will work.
Any reputation system can be gamed, so we should not build on that in the first place but only take it as an additional "nice to have" and also make clear that it is not a strong security feature (it often gives a wrong impression of security).
3rd Party ID check:
That might be a realistic option. That people are using an out-of-system 3rd party service where they do a KYC and get a certificate. With that they can prove in Bisq that they are verified without connecting trades to that company which holds the ID data. I doubt that many of our users want to do that, but that might be at least a secure option which does not violate the privacy of the trades (though of course doing any KYC is something problematic).
There would be logistical problems as well:
Who pays for it?
The user? - Even more of a hurdle. And it is probably not cheap.
Bisq? Bisq is not a company but only provides software that users can exchange directly.
So that option also does not sound like a way to go.
Time based or number of trade based restrictions:
It can be assumed that a stolen bank account will be discovered in 1-2 months at least, hopefully faster. So if a user used a bank account we can be relatively sure that after 1 or 2 months the risk that it was a stolen bank account is very low.
But of course we don't want to restrict the users to not be able to make trades until that time has passed.
Trade limits will also not help much but hurt usability.
We can assume that a scammer, once he has access to a stolen account, starts trying to cash out. So the older the account the less likely it is a scammer's account.
We can add a creation date field to the payment account.
When creating an offer the date and hash of the account data are included in the offer so takers can see the age of the account and later verify the date with the hash.
The maker can also define the min. account age he requires from takers.
In the trade process, when the account data are exchanged, the hash is verified and if it would have been faked (date is part of the hashed data) the trade fails.
I think that is a realistic option which gives some level of security for at least those who have used Bisq for longer than a month and does not hurt usability for those.
Also the implementation is not terribly much effort.
So we would still need something to cover those who are relatively new.
We could use social media or keybase.io but not sure how much security that really provides and if people want to use it.
The buyer could be requested to post a predefined message on a social media account and the seller can check if that was posted (can be some random number to protect privacy).
So the seller has the assurance that the buyer is in possession of the social media account (needs to match the name, which might not be the case for some/many of our users) and the age of the account can usually easily be seen.
If the hacker also has the social media account that will not help of course. Does anyone have an idea about the likelihood of that?
That option would only be required if the age of the account is less than a month or so. And of course it can be optional but would carry more risk if nothing is provided and the user is new.
Adding support for exchanging the social media link would be also not a big effort to implement.
What do you think about that option?
Additionally we could limit trade amounts for those who are new and don't want to provide a social media account. But not sure as the scammer could run multiple Bisq apps and the limit does not help much. Probably we have to accept that some risks stay open and sellers who are willing to take that risk have to be aware and get it probably compensated with a better price.
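
A sketch of the account-age check described in the post above, added here as an example and not Bisq's code. The field names, the salt, the JSON encoding and the sample values are assumptions of this example.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample data; field names and the salt are assumptions of this example.
ACCOUNT = {"method": "SEPA", "holder": "Alice Example", "iban": "XX00 0000 0000 0000"}
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

def account_hash(account, created, salt):
    """SHA-256 over salt + canonical JSON of the account data and its creation date."""
    payload = json.dumps({"account": account, "created": created.isoformat()},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + payload).hexdigest()

def offer_fields(account, created, salt):
    """What the offer publishes: the date in clear, the account data only as a hash."""
    return {"created": created.isoformat(),
            "hash": account_hash(account, created, salt)}

def verify_peer(offer, account, salt, today, min_age_days):
    """Run when account data is exchanged; returns (ok, reason)."""
    claimed = date.fromisoformat(offer["created"])
    # The date is part of the hashed data, so a changed date no longer matches.
    if not hmac.compare_digest(account_hash(account, claimed, salt), offer["hash"]):
        return False, "hash mismatch"
    age = (today - claimed).days
    if age < 0:
        return False, "creation date in the future"
    if age < min_age_days:
        return False, "account too young"
    return True, "ok"

def demo():
    today = date(2017, 9, 1)  # constructed dates
    honest = offer_fields(ACCOUNT, date(2017, 6, 1), SALT)
    # Peer advertises an older date, but the hash was made with the real one.
    forged = dict(offer_fields(ACCOUNT, date(2017, 8, 25), SALT), created="2017-01-01")
    fresh = offer_fields(ACCOUNT, date(2017, 8, 25), SALT)
    return [verify_peer(o, ACCOUNT, SALT, today, 30) for o in (honest, forged, fresh)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The check binds the advertised date to the account data; by itself it does not show when the hash was first created.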