I would really like to use non-KYC P2P exchanges like Bisq or HodlHodl more than I do at this moment. But I have still doubts about the security of the trading process there - so I currently use P2P only for very small amounts.

My main doubt is the following:

If there is a conflict between the seller (the person who sells Bitcoin or other cryptocurrencies) and the buyer (who will normally do a fiat transaction to the seller, such as a bank transfer), how does the escrower/mediator/arbitrator cope with the problem of a fake payment proof - i.e. manipulated PDFs of receipts, and fake/manipulated screenshots?

This could affect both buyers and sellers:

- If I sell Bitcoin, and the buyer doesn't send the money, but sends a fake "proof of payment" to the escrower. In the case of Bisq, if the mediator/arbitrator accepts the "proof", I'll not only lose my coins but also my security deposit.
- If I buy Bitcoin, send the money, but the seller says he hasn't received it, I would send a proof of payment - but the seller can say I could have faked it.

I know screenshot/PDF manipulation is not absolutely trivial, but a pro scammer should be able to do it convincingly.

The only way I guess the buyer could really prove he sent the money is if the bank/payment service provided a digitally signed document as receipt. But it seems this is not an established practice (at least, none of the banks/payment processors I operated with offered that.)

Several years ago I have seen a software project (I forgot the name and link, sorry) aiming to cope with this problem and enabling people to prove they visited a certain website, which could be used to prove that they downloaded a receipt. But I didn't hear again about that project and even for me it seems there could be some high technical hurdles for that, and it even would provide new possibilities to "fake" proofs.

Are my doubts unfunded and there are good solutions for that or is this still a problem?

(If somebody has experience with the problem and wants to share it with me but doesn't want to publish it in the form of a post fearing scammers could use it, send me a PM if you want )

This has its risks, it doesn't avoid a professional selective scammer (one who lets several accounts "grow" over time) scamming a newbie. So it should never be the last step.

That's actually a good idea. The scammer could, of course, set up a fake bank website on his computer, but he has to manipulate his browser code and take care always that everything's right. It would be already more difficult to do. I don't know if manipulated browsers of this kind, however, are already circulating (e.g. in darknet forums).

In this case however the arbitrator could require the trader to download a fresh browser, e.g. from the Mozilla website, and do the login with this one. This would already be extremely difficult to fake, above all if you'd require to download the installer from a mirror, for example - the best effort would be if the arbitrator provides the mirror himself. Maybe DNS manipulation may be still possible.

So I think this method - as long as the honest party would agree to do it - is quite good actually.

It would be interesting if this practice is being used at P2P exchanges (again, I also accept PMs about this).

Edit: It could also be an idea to require the login process/screenshot fast, i.e. agree a time with both parties, and then they must provide the proof in 5 minutes - e.g. a screenshot with an additional element which prevents it to be pre-fabricated, even if it's only a open text document where the date and time and a word proposed by the arbitrator.

Know that no one has advantage over anyone, both buyers and sellers has the same advantage and the buyer or the seller can be scammed if care is not taken. d5000 meant that the buyer can try to convince that the seller is trying to scam, but instead, providing a fake receipt that he made the payment but no coin received. Anyone can want to scam, be it the buyer or the seller because their are different tactics in scam, but if the buyer and seller follow the right procedure, there are ways to know the person that wants to scam. Scammers can think they are perfect and try all possible ways to scam, but likely even from the statement of account, it is possible to know the fake and the original. But I understood you too, in reality, where the scam usually happen is when the coin is released from escrow, especially if deceived by fake bank credit alert message. If the right ways are followed, I do not think the scammers will not be known easily.

Charles-Tim has already explained what I meant: In the case the process isn't working smoothly, an arbitrator will try to resolve the dispute. The problem is there's no way the seller can prove that he did not receive the money. This opens possibilities to both the buyer and the seller to try their luck with fake "proofs of payment" or, in the case of the seller, a screenshot indicating he didn't receive any money, taken before the transfer took place and faking the timestamp.

I also disagree that the buyer has more risk. The seller has, apart from the "fake document scam", the risk that the buyer is operating from a hacked bank/e-wallet account, which will lead to chargebacks. (Bisq however took some measures to avoid this, like a hash of the bank account number/IBAN and Account Signing.)

It is also easier for KYC-embracing platforms like Localbitcoins to prevent several scam techniques, as you would have to resort to complicated identity theft techniques to fool their verification mechanism. (However, in several cases outside of the crypto world, video-ident has also already been fooled by scammers.)

This is where I have my doubts. Deepfake technology does already exist even for videos (which is computationally much more power-hungry than a screenshot manipulation). So I'd not be surprised if there is software with AI components to fake a document.

Providing these documents in a short time, and/or provide a video where you log in into your bank account, could increase security; screen sharing like proposed by @virginorange as a last resort (if both parties submit their receipts/screenshots in time and the "scammer party" has convincingly faked the document) may be extremely difficult to fake.

Still searching for other ideas.

All those reasons for avoiding P2P out of fear of beieng scammed sound convincing.

But from experience I can tell scamming has to be pretty rare, since I was not scammed once and my sample size is reasonable large.

If somebody is scared of being scammed on Bisq, I can provide a couple of onion addresses from people that traded with in the past.