Bitcoin Forum
December 11, 2016, 12:08:43 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 4 5 [6] 7 8 9 10 11 12 13 14 15 16 17 18 19 20 »  All
  Print  
Author Topic: CoinPal beta - Buying bitcoins with PayPal  (Read 144219 times)
mgiuca
Newbie
*
Offline Offline

Activity: 25


View Profile
February 16, 2011, 04:54:04 AM
 #101

I just tried CoinPal for my first non-faucet bitcoins, and I can confirm it worked well, and very speedily (if you have a verified Paypal account). Thanks very much for setting up this service, mndrix. I hope it works out for you.

I have one major security complaint about the service, which I think you could easily fix: Once I have typed my Bitcoin address in on the first screen, it is never displayed back to me. For starters, this means I have no way to verify that the account I have typed (which I am paying real money for) is actually an account under my control.

There is a real security problem here: a man in the middle could intercept my initial request and have the funds redirected to his account, without me being able to before purchase. First, there is no SSL (HTTPS) connection, so a man in the middle attack is possible. While using SSL would help, certificates are expensive and I'm not saying you need to get one. Just that in its absence, we have to assume someone is able to view and modify the HTTP traffic as it goes between my browser and ndrix.com. Now consider this scenario:

1. At http://coinpal.ndrix.com/, I enter my email address, amount and Bitcoin address.
2. A hacker intercepts the HTTP request, and modifies the bitcoin_address field to contain his address instead of mine. He leaves my email address and BTC amount as they are, and forwards the modified request on to ndrix.com.
3. On your server, this creates a new unique ID "534fxxxx", with my email address, my requested amount, and the hacker's Bitcoin address.
4. I am redirected to http://coinpal.ndrix.com/confirm/534fxxxx, which displays the requested number of BTC and conversion rate. I click "Continue" and am redirected to http://coinpal.ndrix.com/email_verify_instructions.
4. On your server, this creates another new unique ID "285xxxx" (I'm not sure what the second unique ID is, but neither contain my Bitcoin address).
5. I receive an email titled "CoinPal email verification (order 534fxxxx)" telling me to click the link "http://coinpal.ndrix.com/continue_order/2855xxxx". It contains both of the unique IDs for this transaction, but no Bitcoin address.
6. I click through to http://coinpal.ndrix.com/continue_order/2855xxxx, which tells me the number of BTC I am about to purchase and how much it will cost. I click "Buy Now".
7. I am redirected to Paypal (now on a secure connection) and asked to log in to Paypal. My order summary includes the number of BTC I am buying and the cost in USD. It also includes the first unique ID, "Item number: 534fxxxx". Nowhere does it say which Bitcoin address the funds are going to. I log in to Paypal and click "Pay now". The funds are removed from my Paypal account.
8. After the order is confirmed, CoinPal credits the hacker's Bitcoin account!.

(Note: This did not happen to me, it is just a hypothetical scenario. Ironically, the post-payment email I received did include my Bitcoin account.)

So there is a common theme here: The bitcoin address is never displayed throughout the process. Were it displayed, I could check in the final step that I am indeed transferring bitcoin to an account under my control. The address should be displayed in all of the following places:

The email and the Paypal description are the critical ones. For either the confirm or continue_order pages on your site, the hacker could keep up his spoofing, and relay back to me the address I entered, even though on the server it is planning to send the coin to his address. Therefore, these two pages should simply display the address, and not prompt the user to verify it (as it is untrustworthy). However, it will be much harder for the hacker to spoof the email (if he does, you will send one too, and I'll know something is up), and impossible to spoof the Paypal description, given that it is under heavy SSL. Therefore, both the email AND the Paypal description should not only display the Bitcoin address, but actively encourage the user to verify that this is the same address he requested. When I am about to click "Pay now", I should be able to do a final check.

I would be (and was) wary of using this system without the address at least appearing in the Paypal item description.

Some further feedback:
  • There is nowhere on the site that says that I am paying in US dollars, until I get through to Paypal. You should prefix all the "$" signs with "US".
  • The confirmation email contains the text "If you did not place an order with CoinPal, it's likely that your PayPal and email accounts have been hacked. Check PayPal for unauthorized transactions and change passwords promptly." I don't follow this logic. Anybody who knows my email address could have typed it into the order page and caused me to receive that email. It isn't a security risk, as it wasn't triggered from my Paypal account. There should be no problem unless I actually go through with it. So the message should read "If you did not place an order with CoinPal, you should ignore this email." (Unless there is some other cause for alarm?)
  • I am a bit confused as to why the transaction has two separate IDs. What is the purpose of having both the 534fxxxx and the 2855xxxx IDs?

I hope you can use this feedback to improve this great service.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481458123
Hero Member
*
Offline Offline

Posts: 1481458123

View Profile Personal Message (Offline)

Ignore
1481458123
Reply with quote  #2

1481458123
Report to moderator
1481458123
Hero Member
*
Offline Offline

Posts: 1481458123

View Profile Personal Message (Offline)

Ignore
1481458123
Reply with quote  #2

1481458123
Report to moderator
Quip
Jr. Member
*
Offline Offline

Activity: 56


View Profile
February 16, 2011, 05:05:04 AM
 #102

<shameless plug>
If you only need a few BTC I am selling them on my website with no email verification or convenience fees.
</shameless plug>

1NEEFwHjXDhbLZ2RxM6qSDnNDByNZYCSKf

LVBX is down indefinitely, so use CoinPal. Sorry.
mndrix
Michael Hendricks
VIP
Sr. Member
*
Offline Offline

Activity: 447


View Profile
February 16, 2011, 03:14:40 PM
 #103

So there is a common theme here: The bitcoin address is never displayed throughout the process. Were it displayed, I could check in the final step that I am indeed transferring bitcoin to an account under my control.

Thanks for the detailed feedback.  I'll see about showing the Bitcoin address on the PayPal checkout page.  I agree that it's useful information to see there.


Quote
There is nowhere on the site that says that I am paying in US dollars, until I get through to Paypal. You should prefix all the "$" signs with "US".

Good point.  I'll change this shortly.

Quote
The confirmation email contains the text "If you did not place an order with CoinPal, it's likely that your PayPal and email accounts have been hacked. Check PayPal for unauthorized transactions and change passwords promptly." I don't follow this logic. Anybody who knows my email address could have typed it into the order page and caused me to receive that email. It isn't a security risk, as it wasn't triggered from my Paypal account. There should be no problem unless I actually go through with it. So the message should read "If you did not place an order with CoinPal, you should ignore this email." (Unless there is some other cause for alarm?)

Past experience shows that someone unexpectedly receiving a verification email almost certainly has her PayPal account stolen.  This particular wording has caught two fraudulent transactions so far.  Considering those benefits, I'll probably leave the wording as is.

Quote
I am a bit confused as to why the transaction has two separate IDs. What is the purpose of having both the 534fxxxx and the 2855xxxx IDs?

If both URLs have the same ID, an attacker wouldn't need to receive the verification email since he could just copy and paste the first ID into the second URL.  This email verification step has stopped a couple more fraudulent transactions.

Thanks again for the excellent feedback.
mndrix
Michael Hendricks
VIP
Sr. Member
*
Offline Offline

Activity: 447


View Profile
February 16, 2011, 05:45:28 PM
 #104

I just fixed a bug which caused some first time customers to be told they had exceeded their weekly purchase limit even though they had never placed an order before.  Sorry for the trouble.
Littleshop
Legendary
*
Offline Offline

Activity: 1316



View Profile WWW
February 16, 2011, 06:12:05 PM
 #105

I just did a purchase.  I have noscript running under firefox and I had to allow your site or receive a cross site scripting error.  

My coins were deposited quickly (3 mins).  After 25 mins I had 5/unconfirmed.

After 30 mins it was 7/confirmed.

Thanks!

mndrix
Michael Hendricks
VIP
Sr. Member
*
Offline Offline

Activity: 447


View Profile
February 16, 2011, 07:07:11 PM
 #106

I just did a purchase.  I have noscript running under firefox and I had to allow your site or receive a cross site scripting error.  

I'll look into it.  Thanks for the report.

Quote
Thanks!

You're welcome
wizzard0
Jr. Member
*
Offline Offline

Activity: 54



View Profile WWW
February 17, 2011, 12:23:27 AM
 #107

Quote
The confirmation email contains the text "If you did not place an order with CoinPal, it's likely that your PayPal and email accounts have been hacked. Check PayPal for unauthorized transactions and change passwords promptly." I don't follow this logic. Anybody who knows my email address could have typed it into the order page and caused me to receive that email. It isn't a security risk, as it wasn't triggered from my Paypal account. There should be no problem unless I actually go through with it. So the message should read "If you did not place an order with CoinPal, you should ignore this email." (Unless there is some other cause for alarm?)

Past experience shows that someone unexpectedly receiving a verification email almost certainly has her PayPal account stolen.  This particular wording has caught two fraudulent transactions so far.  Considering those benefits, I'll probably leave the wording as is.


Wow. Could you publish a fraud statistics at some point?

I have been told by security people at two large banks that the fraud percent for Visa is as high as 7.5-9%, do you get roughly the same numbers?
mgiuca
Newbie
*
Offline Offline

Activity: 25


View Profile
February 17, 2011, 12:58:53 AM
 #108

Past experience shows that someone unexpectedly receiving a verification email almost certainly has her PayPal account stolen.  This particular wording has caught two fraudulent transactions so far.  Considering those benefits, I'll probably leave the wording as is.
Fair enough. I guess there's no incentive to send it to someone else's email address anyway. I suppose the attack vector here is if you have compromised someone's PayPal, you need to request an email for their address, and then perhaps (somehow) read the email as it comes through -- maybe you have also compromised their Gmail or are MITMing them at a coffee shop.

If both URLs have the same ID, an attacker wouldn't need to receive the verification email since he could just copy and paste the first ID into the second URL.  This email verification step has stopped a couple more fraudulent transactions.
Of course! Silly of me not to realise that earlier.

Thanks again for the excellent feedback.
No problem. Yours seems to be the only automated service doing this (for small transactions). I think it's a valuable service so I want to make sure I can trust it (from a security point of view). You seem to have considered a lot of things.
Anonymous
Guest

February 17, 2011, 03:35:33 AM
 #109

Would there be a benefit to use two factor authentication such as sending an sms to the account holders phone with a login code ?

Someone might hack your  email but it would be unusual if they also stole your phone....

o
mgiuca
Newbie
*
Offline Offline

Activity: 25


View Profile
February 17, 2011, 05:44:45 AM
 #110

Note that they would have to simultaneously break into both your email and Paypal account. Just receiving the confirmation email doesn't let you steal money, because they can't log into your Paypal to complete the transaction.

There are thousands of online sellers who use Paypal, via an email confirmation. Selling Bitcoins is no different than selling anything else. It's perfectly secure the way it is (email and Paypal verification) without requiring a mobile phone confirmation. (Except for the man-in-the-middle problem I outlined above.)
mndrix
Michael Hendricks
VIP
Sr. Member
*
Offline Offline

Activity: 447


View Profile
February 17, 2011, 03:20:59 PM
 #111

Wow. Could you publish a fraud statistics at some point?

I have been told by security people at two large banks that the fraud percent for Visa is as high as 7.5-9%, do you get roughly the same numbers?

So far the fraud rate is about 4%.  However, the first sale is only 47 days old, so there are still 133 days before I know for sure if that payment was good.  That long time lag is the most troublesome part of accepting PayPal payments.

And people complain about waiting 30 minutes for a few confirmation blocks  Wink
mndrix
Michael Hendricks
VIP
Sr. Member
*
Offline Offline

Activity: 447


View Profile
February 17, 2011, 03:26:22 PM
 #112

Would there be a benefit to use two factor authentication such as sending an sms to the account holders phone with a login code ?

Someone might hack your  email but it would be unusual if they also stole your phone....

I think it would help.  On risky orders, I manually send SMS verifications or call the customer on the phone.  That's caught a couple fraudulent transactions.  I have code in place to do automated phone verifications for risky orders, but haven't yet decided whether it's worth the cost, so I do them manually for now.
mgiuca
Newbie
*
Offline Offline

Activity: 25


View Profile
February 19, 2011, 01:22:11 AM
 #113

Great -- I just bought some more and I can confirm that CoinPal now displays the receiving address in the PayPal confirmation screen. Thanks, mndrix. That puts all of my security concerns to rest.
gusti
Legendary
*
Offline Offline

Activity: 1102


View Profile
February 19, 2011, 01:34:33 AM
 #114

Wow. Could you publish a fraud statistics at some point?

I have been told by security people at two large banks that the fraud percent for Visa is as high as 7.5-9%, do you get roughly the same numbers?

So far the fraud rate is about 4%.  However, the first sale is only 47 days old, so there are still 133 days before I know for sure if that payment was good.  That long time lag is the most troublesome part of accepting PayPal payments.

And people complain about waiting 30 minutes for a few confirmation blocks  Wink

If you can only accept Paypal transactions as "Mass payment", they are not reversable.
And fee is only $1 max. But Paypal account must be funded, no credit card transaction allowed.


If you don't own the private keys, you don't own the coins.
mndrix
Michael Hendricks
VIP
Sr. Member
*
Offline Offline

Activity: 447


View Profile
February 21, 2011, 03:01:14 PM
 #115

If you can only accept Paypal transactions as "Mass payment", they are not reversable.
And fee is only $1 max. But Paypal account must be funded, no credit card transaction allowed.

Thanks for the suggestion.  I've considered MassPay as a way of reducing the PayPal fees and shortening my chargeback risk timeline (from 180 days for credit cards to 45 days for PayPal).  Can you provide a link to PayPal documentation about MassPay not being reversible?  I've heard that before, but never found an official statement about it.  I suspect it's not true because scammers would then just use Mass Pay to transfer funds from stolen accounts to freshly-minted PayPal accounts where they could spend the money at their liesure.
mndrix
Michael Hendricks
VIP
Sr. Member
*
Offline Offline

Activity: 447


View Profile
February 21, 2011, 03:03:46 PM
 #116

Over the weekend, someone discovered a clever timing attack to circumvent the volume limits.  For the next couple days, while I patch the vulnerability, only beta testers can purchase coins.  I've also restocked the server's coin inventory, so beta testers who couldn't get coins yesterday can get them now.

I'll post to this thread once the site is open to the public again
gusti
Legendary
*
Offline Offline

Activity: 1102


View Profile
February 21, 2011, 03:14:10 PM
 #117

If you can only accept Paypal transactions as "Mass payment", they are not reversable.
And fee is only $1 max. But Paypal account must be funded, no credit card transaction allowed.

Thanks for the suggestion.  I've considered MassPay as a way of reducing the PayPal fees and shortening my chargeback risk timeline (from 180 days for credit cards to 45 days for PayPal).  Can you provide a link to PayPal documentation about MassPay not being reversible?  I've heard that before, but never found an official statement about it.  I suspect it's not true because scammers would then just use Mass Pay to transfer funds from stolen accounts to freshly-minted PayPal accounts where they could spend the money at their liesure.

You are absolutely right, there is no such official statement.
Only more difficult to open a dispute, but no protection on stolen accounts.

If you don't own the private keys, you don't own the coins.
mndrix
Michael Hendricks
VIP
Sr. Member
*
Offline Offline

Activity: 447


View Profile
February 22, 2011, 05:27:04 PM
 #118

I've fixed the timing attack weakness, so the service is open to the public again.
mndrix
Michael Hendricks
VIP
Sr. Member
*
Offline Offline

Activity: 447


View Profile
February 25, 2011, 06:03:43 PM
 #119

The CoinPal "opposite" service (called CoinCard) is now available.  It lets you sell Bitcoins for automatic PayPal payments.  The fee is 3% for payments under $50 and $1 + 1% for payments $50 or higher.
Scarecrow
Jr. Member
*
Offline Offline

Activity: 35



View Profile
February 25, 2011, 09:16:30 PM
 #120

Today I bought my first Bitcoins and I got them through CoinPal. Just to say that the purchasing process was quite simple and despite the need to verify my transaction, I received my Bitcoins within an hour. Based upon my first experience, I can completely recommend CoinPal.
 Grin

Faith is believing what you know isn’t true. For example, Global Warming.
Pages: « 1 2 3 4 5 [6] 7 8 9 10 11 12 13 14 15 16 17 18 19 20 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!