I entered the police station as a suspect. When I left the officer loved Bitcoin

[fimp]

I was called in by the police today. Someone is creating ads for iPhones online and gives potential buyers the account information for Bitcoin Nordic. I then send Bitcoins to the iPhone "seller" without knowing I'm taking part in a scam and that he will never send the iPhone.

I've heard of other Bitcoin sellers experiencing this sort of scam, and I've received stolen money from phished bank accounts earlier and had two accounts closed, but this was my first time with this kind of trick.

The police suspected me because the fiat trail ends on Bitcoin Nordic's bank account. But I explained Bitcoin and I explained my business and they now consider me a witness instead of a suspect.

The police officer told me he spends a lot of time dealing with cases of credit card chargeback fraud. After I told him that kind of scam is impossible to do with Bitcoin, he told me several times that Bitcoin sounded really neat.

"Bitcoin. Because the government says it's neat."

[1714178040]

1714178040

[1714178040]

1714178040

[1714178040]

1714178040

[1714178040]

1714178040

[1714178040]

1714178040

[1714178040]

1714178040

[Kris]

 

[bitsource]

Good approach to an otherwise sticky situation. Just confirmes scammers are everywhere - so are opportunities to turn a negative into a positive. Good show!!

[hazek]

"Bitcoin. Because the government says it's neat."

 Hahahahaha 

[Jan]

Well done fimp

[greyhawk]

The police officer told me he spends a lot of time dealing with cases of credit card chargeback fraud. After I told him that kind of scam is impossible to do with Bitcoin, he told me several times that Bitcoin sounded really neat.

Did he smile and nod a lot?

[fimp]

The police officer told me he spends a lot of time dealing with cases of credit card chargeback fraud. After I told him that kind of scam is impossible to do with Bitcoin, he told me several times that Bitcoin sounded really neat.

Did he smile and nod a lot?

Not really. He was trying to get his head around Bitcoin.

[shade]

this is what I call success story

[BCB]

Great Story but I think this begs a larger question.

This man in the middle (MIM) attack seems to be quite common recently.

An attacker finds an unsuspecting buyer  of say iphones or Justin Beiber tickers.

The buyer unknowingly sends their fiat to an unsuspecting bitcoin seller.

The attacker has already created an order for bitcoin with the unsuspecting bitcoin seller.

Once the unsuspecting buyer send the fiat to the bitcoin seller the bitcoins are sent to the attacker

and the buyer and the seller are left to figure out what has happened.

What are bitcoin businesses doing to combat this attack?

Thx.

[Mike Hearn]

The police officer sounds like a cool guy, but you have NOT solved the problem.

You need to start verifying the identities of depositors and people withdrawing money from your exchange like Mt Gox and other operations do. Not only is this your protection against being an exit from the fiat system for criminals, but the law may sometimes require it too (depending on thresholds, etc).

Whilst the police officer was obviously nice to you, don't take it personally if they come back and charge you with something. You clearly know there's abuse of your service and you will be expected to stamp it out. ID verification is the way to do that, so get on it.

[chmod755]

"Bitcoin. Because the government says it's neat."

"Bitcoin. Because a police officer says it's neat."

P.S.: You should ask him to join #bitcoin-police

[TangibleCryptography]

This man in the middle (MIM) attack seems to be quite common recently.

[snip description of MIM for brevity]

What are bitcoin businesses doing to combat this attack?

I thought the solution was simple.  Only deal with irreversible (or very hard to reverse) deposit methods.  I expect Dwolla to get caught up in a lot of this type of "indirect" fraud.  So far it seems to be mostly two bit scams.  Just wait until organized crime gets involved (as in millions or tens of millions in fraudulent transactions).

[Luno]

Good work fimp. If you, or anyone else in our part of the bitcoin world, don't get off as easily on another occasion, I will stand up for you with my real life identity and be a character witness if they are credible as you are off cause.

So the scammer used Bitcoinnordic credentials but changed you business Bitcoin address for his own?

Maybe Bitcoin need a server certification system to verify registered addresses as genuine for businesses. Browser integrated so there is a warning on the page if a sellers address is unknown? Phishing would still be possible though.

[fimp]

The police officer sounds like a cool guy, but you have NOT solved the problem.

You need to start verifying the identities of depositors and people withdrawing money from your exchange like Mt Gox and other operations do. Not only is this your protection against being an exit from the fiat system for criminals, but the law may sometimes require it too (depending on thresholds, etc).

Whilst the police officer was obviously nice to you, don't take it personally if they come back and charge you with something. You clearly know there's abuse of your service and you will be expected to stamp it out. ID verification is the way to do that, so get on it.

Months ago I started requiring ID of bank transfer depositors I suspect of being fraudalent. But even if I required this from everyone it wouldn't be a foolproof way to avoid this specific type of scam.

If the "seller" successfully convinces the buyer that he needs to provide identification documents to get his iPhone then we're still vulnerable. I agree it would very likely make the risk of this happening smaller.

[Akka]

The police officer sounds like a cool guy, but you have NOT solved the problem.

You need to start verifying the identities of depositors and people withdrawing money from your exchange like Mt Gox and other operations do. Not only is this your protection against being an exit from the fiat system for criminals, but the law may sometimes require it too (depending on thresholds, etc).

Whilst the police officer was obviously nice to you, don't take it personally if they come back and charge you with something. You clearly know there's abuse of your service and you will be expected to stamp it out. ID verification is the way to do that, so get on it.

Months ago I started requiring ID of bank transfer depositors I suspect of being fraudalent. But even if I required this from everyone it wouldn't be a foolproof way to avoid this specific type of scam.

If the "seller" successfully convinces the buyer that he needs to provide identification documents to get his iPhone then we're still vulnerable. I agree it would very likely make the risk of this happening smaller.

Wouldn't the save way just be to require everyone to have Bitcoin Nordic or something similar in the purpose (or how ever it is called in English) field of every transaction.

everybody would wonder, why he has to put Bitcoin Nordic in there for his iPhone.

And if you get transactions with the words Ebay in it this is clearly a warning sign.

[jonitas]

You need to start verifying the identities of depositors and people withdrawing money from your exchange like Mt Gox and other operations do. Not only is this your protection against being an exit from the fiat system for criminals, but the law may sometimes require it too (depending on thresholds, etc).

Why would you do that?! You're just selling a virtual product. We're not obliged in any way to verify where the money people use to pay comes from. Can you imagine a hairdresser asking for your ID because the money you pay with might be stolen?

What law would require you to do this? It's not like your selling a financial product or service, since bitcoin isn't yet officially considered a currency, you're just selling an ordinary product like an e-book.

[BCB]

jonitas

The problem is FRAUD.

We all grip about the ID and personal info required to use FIAT systems.

Bitcoin is all about anonymity and speed. 

The problem is where bitcoin and fiat meet.  So much so that bitcoin business are now requiring verification not unlike fiat systems.

However, when we can earn bitcoin, receive our paycheck in bitcoin, pay our rent and bills and taxes in bitcoin and no longer have a need for moving fiat into and out of the system this will all go away.

Unfortunately until that time comes bitcoin remains a scammers paradise and bitcoin businesses will have to work very hard to combat this as the attacks become more sophisticated.

[Mike Hearn]

Come on. This isn't even a fiat vs bitcoin problem, it's just a fundamental problem with money systems. Anyone who thinks Bitcoin is immune to this kind of attack needs to think again.

How does this attack work? It confuses the victim into thinking they are paying one person for one thing, when they are actually paying someone else for something different. In this case, the "something different" is Bitcoins delivered to the attackers address because (if you don't verify ID) that means the attacker can't be easily traced, but it could easily be many other types of good.

Bitcoin is not immune to this problem. In fact we are anticipating such attacks to become common in future, the mechanism being malware that waits until you make a payment and then swaps the addresses you see on screen for addresses owned by the virus writer. Even if you have a second factor auth system, you think you're paying the merchant, but the money actually goes somewhere else.

This is why we're doing the payment protocol work - the eventual end goal is to phase out the use of (end user visible) addresses, so most payments go to human-meaningful identities like amazon.com instead of 1AbCd.... - in combination with a second factor it solves the identity confusion attack by ensuring you always know who you're paying.

If you don't fix this, Bitcoin Nordic will get blacklisted by the banks again just like you did last time. You NEED to ensure that people depositing money understand what they are doing and who they are paying. But that is hard - hence the emphasis on being able to identify who the perpetrators are. Perhaps you should require the wire transfer description to contain "PURCHASE OF BITCOIN VIRTUAL CURRENCY. NOT FOR SALE OF GOODS" or something else that might tip users off to what's going on.

[DeathAndTaxes]

Mike has some good points but there is one fundamental difference with Bitcoin.  It can't be reversed, it can't be frozen, it can't be suspended.

What makes this issue so much tougher to fight is merchants are held hostage to third parties (i.e. banks, payment processors, credit card issuers, and service providers) who don't provide adequate tools to prevent fraud.  When the merchant doesn't prevent fraud (with nonexistent tools) it becomes the merchants fault.  Wow what a great system.

For example if I receive a bank wire the bank "could" provide me the phone number on the account.  Or for privacy reasons provide me a bank phone number and extension, which when I dial gets relayed to the account number on the account.    I get a wire, I do a call back verification and find out "WTF? You wired me money for an iPod cause a guy on craigslist told you too?".  I hit the (currently nonexistent) return button, indicate fraud, and the wire gets returned to customer with any fees PAID BY THE IDIOT CUSTOMER not the innocent merchant!

Another thing which "could" be done is change the way bank wires are originated.  Customer enters the routing and account number and the bank website (because banks are sharing this info) displays the business name, contact information, and a custom message from the business

SECURITY WARNING:  This deposit only account is used to fund irreversible currency purchases. If you have been told to wire funds for any other reasons IMMEDIATELY STOP.  You may be a victim of fraud.  Please visit https://companyname.com/fraud for more information.

[ ] I (account holders name) verify this is the person I am intending to send funds to.  I understand Bank Wires are irreversible.

Even better since accounts are just numbers and can be up to 30 digits long (ACH or IBAN) Banks could allow businesses to generate a single use address with a custom message (i.e. internal order number, account number, purpose of transaction, warnings, etc).  Funds sent to the single use account number get swept to the business main checking account.  Once used once any funds sent there get bounced back as undelivered.

None of this is science fiction. It could be done today, hell it could have been done 20 years ago.  However banks have no reason to improve security.  They don't lose anything.  That is the problem with monopolies.  From the banks point of view security is currently "good enough".  Real security is expensive and the banks are paying for the costs of inadequate security.   It is just like credit cards (although to a lesser extent) the current model removes all responsibility from the customer AND banks and places it on the merchant (who is the least equipped to prevent fraud).

How does Bitcoin change that?  Well one being an open network it allows the development of the security tools banks never will.  The other aspect that changes is it makes the customer responsible for their own action.   Instead of merchants being given an impossible task to prevent all fraud (with incomplete information) and paying all the cost the responsibility is shared and real tools can be developed to protect both customers and merchants.

[Mike Hearn]

Mike has some good points but there is one fundamental difference with Bitcoin.  It can't be reversed, it can't be frozen, it can't be suspended.

Yes. That's great for the merchant. Less great for the gullible victim.

I think we need to recognize that irreversibility cuts both ways. It's a huge benefit for sellers, and it's a downside for buyers. Satoshi recognized this from the start, which is why the introduction in his paper talks about using multi-signature transactions to protect buyers. Unfortunately nobody has ever stepped up to create such a system.

Now, bias towards the seller rather than the buyer is still better than the reverse because sellers are often brands with reputations they want to protect, they aren't going anywhere so they aren't going to rip you off. Buyers tend to have no reputation and have much less to lose from trying to rip the seller off. But it's still not ideal.

As an example of how this can happen entirely within the Bitcoin system, imagine you are selling diamonds through the mail and not doing ID verification of buyers. Now the iPhone scammer goes on craigslist on says "I'm selling an expensive laptop. Send 100 coins to address 1XyZ". The victim comes along and sends the bitcoins to the address, not realizing that the address is owned by the diamond shop and on receipt of the funds, the owner of the shop puts the diamonds in the mail and sends them off.

By the time the fraud is uncovered, the fraudster is long gone, as are the diamonds and the coins.

If instead of an address people are using payment protocol messages and verified identities/dispute mediated transactions/both, you have a solution.

I get a wire, I do a call back verification and find out "WTF? You wired me money for an iPod cause a guy on craigslist told you too?".

Yes, requiring new customers to put a phone number into the bank wire so you can call them back is another possible solution. It does not apply in the case of a compromised bank account though - ID verification of coin recipients applies to both situations which is why Mt Gox and others do it.

Another thing which "could" be done is change the way bank wires are originated.  Customer enters the routing and account number and the bank website (because banks are sharing this info) displays the business name, contact information

Banks vary around the world. In Switzerland many payments are made in exactly this way. You enter an account number to send money to and the business name/address is displayed.