Bitcoin Forum
December 10, 2016, 03:25:15 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Organised "Finney" attacks.  (Read 1810 times)
MatthewLM
Legendary
*
Offline Offline

Activity: 1092



View Profile WWW
March 20, 2012, 12:13:05 AM
 #1

I've been told that accepting 0 confirmation payments in bitcoin is a dangerous idea. There are people who say that there are ways to reduce the risk to virtually zero and others that say it will likely become a problem especially for high-value transactions. There is some disagreement from what I can gather.

I've read about the Finney attack where an attacker creates a block with a transaction to them-self and makes a fake transaction to the payee. The attacker then broadcasts the block with the transaction to them-self after getting away with the goods.

Some say this is not feasible because the attacker has to wait for a block and get the timing just right. But have people considered the threat of organised crime? Many people could pool mining resources together and place multiple attacks into single blocks, am I correct? Worse, miners could sell the right to place malicious transactions into their blocks, allowing scammers to simply buy into these attacks. They wait for confirmation from the miners that the block is ready and will go live in x amount of minutes (Some of the time it will therefore lose out to other miners). With collusion and organisation the Finney attack could be much much worse.

Is this correct?

Bitcoin Extra Wallet | Peercoin Android Wallet
BTC: 1D5A1q5d192j5gYuWiP3CSE5fcaaZxe6E9  PPC: PH7fVn1Xs7nkUFmdwCX2ZRYfLPCSwGxAq9
1481340315
Hero Member
*
Offline Offline

Posts: 1481340315

View Profile Personal Message (Offline)

Ignore
1481340315
Reply with quote  #2

1481340315
Report to moderator
1481340315
Hero Member
*
Offline Offline

Posts: 1481340315

View Profile Personal Message (Offline)

Ignore
1481340315
Reply with quote  #2

1481340315
Report to moderator
1481340315
Hero Member
*
Offline Offline

Posts: 1481340315

View Profile Personal Message (Offline)

Ignore
1481340315
Reply with quote  #2

1481340315
Report to moderator
There are several different types of Bitcoin clients. The most secure are full nodes like Bitcoin-Qt, which will follow the rules of the network no matter what miners do. Even if every miner decided to create 1000 bitcoins per block, full nodes would stick to the rules and reject those blocks.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481340315
Hero Member
*
Offline Offline

Posts: 1481340315

View Profile Personal Message (Offline)

Ignore
1481340315
Reply with quote  #2

1481340315
Report to moderator
1481340315
Hero Member
*
Offline Offline

Posts: 1481340315

View Profile Personal Message (Offline)

Ignore
1481340315
Reply with quote  #2

1481340315
Report to moderator
1481340315
Hero Member
*
Offline Offline

Posts: 1481340315

View Profile Personal Message (Offline)

Ignore
1481340315
Reply with quote  #2

1481340315
Report to moderator
Gavin Andresen
Legendary
*
qt
Offline Offline

Activity: 1652


Chief Scientist


View Profile WWW
March 20, 2012, 12:27:48 AM
 #2

Is this correct?
Yes.

How often do you get the chance to work on a potentially world-changing project?
Stephen Gornick
Legendary
*
Offline Offline

Activity: 2002



View Profile
March 20, 2012, 04:23:21 AM
 #3

I've been told that accepting 0 confirmation payments in bitcoin is a dangerous idea. There are people who say that there are ways to reduce the risk to virtually zero and others that say it will likely become a problem especially for high-value transactions. There is some disagreement from what I can gather.

There are two separate attacks regarding 0 confirmation -- one is the race attack and the other the Finney attack.  First on the race attack:

Almost everyone agrees that there is some risk where a merchant accepts as "paid" on 0/unconfirmed due to the race attack .  To protect against this attack the merchant can configure the client properly (no incoming connections, and explicitly have it be well connected to all the larger miners) and to weigh the risks versus the rewards.    When the attacker is not successful, the store ends up having made a valid, profitable sale and the would-be scammer ends up purchasing goods that might not otherwise have been wanted.   The attacker isn't going to be making 50 purchases at Home Depot in anticipation that at least one of those might be a successful double spend attempt.  So the risk of a race attack double spend should not stop a Home Depot from accepting on 0/unconfirmed.

Now lets say instead you have a machine that gives out quarters at the laundromat and charges a 1% fee.  Now for this it might be profitable to attempt to do double spend race attacks over and over even if an attempt is only successful 1 out of every 50 attempts.   The merchant in this instance is vulnerable to the race attack.

That 1 out of 50 success metric was a fabricated estimate.  Because bitcoins are not used much in retail yet there is no history of actual attacks available nor have any simulated attacks or other tests been performed to determine what this ratio would be against the way mining operates nowadays.

In both examples above, the merchant can self-insure against the risk by making the double spending tactic unprofitable in the long run (e.g., by charging more than 1% fee in the laundry vending machine example.)

With collusion and organisation the Finney attack could be much much worse.

Is this correct?

Every second that the miner holds onto that solved block is another second that the other miners have available to solve and announce a block at that same height.  Now picture the scammer with the shopping cart at Home Depot waiting for the text from the miner.  The scammer gets the green light, sprints to the cashier and hurriedly asks for checkout to be completed as quickly as possible.  Once the mined block with the double-spend arrives, in a minute or three later, the merchant will know a fraudulent double-spend just occurred.  Will the scammer even have made it out of the parking lot?  The planning and timing would have to be very well executed for this to be successful.

Then consider the other example above -- the vending machine at the laundry.  The merchant can limit the potential haul the scammer by simply limiting the amount that can be withdrawn per block. If $40 is the most that can be stolen the laundromat is probably not going to be the scammer's choice as to which merchant to hit.

Physical transactions have one characteristic that online transactions don't -- physical identity of the buyer.  The cashier and/or cameras at Home Depot will be able to make out the identity of the scammer.  If what the news media shows is typical, those who attempt heist jobs that require participation and coordination of multiple criminals will rarely ever succeed without getting caught.  That miner probably would hate to see a multi-ghash mining operation get seized because the timing by one of the conspirators was a little off.

DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
March 20, 2012, 04:30:42 AM
 #4

It depends on the transaction.  Think someone will hire 200 GH/s of hashing power to Finney attack a Big Mac combo meal?
Could you accept 0-confirm BTC for fastfood?  Probably.

Think it might be worth it to Finney attack a $27 million Gold Bullion sale?
Could you accept 0-confirm BTC for high value hard to trace transactions?  Likely not.

The goal should be to maximize profits not minimize fraud.   Credit cards have >0% fraud.  Businesses accept them because the added profit > added fraud.
MatthewLM
Legendary
*
Offline Offline

Activity: 1092



View Profile WWW
March 20, 2012, 07:08:57 PM
 #5

But what about those cancer nodes? Are those avoidable?

Remember scammers aren't all going to be stupid, they will find very sophisticated ways to get the job done.

Bitcoin Extra Wallet | Peercoin Android Wallet
BTC: 1D5A1q5d192j5gYuWiP3CSE5fcaaZxe6E9  PPC: PH7fVn1Xs7nkUFmdwCX2ZRYfLPCSwGxAq9
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
March 20, 2012, 07:13:41 PM
 #6

But what about those cancer nodes? Are those avoidable?

Remember scammers aren't all going to be stupid, they will find very sophisticated ways to get the job done.

It all depends on what you are selling, how fungible it is, where you are selling and to whom.

One method to defeat cancer nodes is to build a Bitcoin network which is connected to thousands of nodes but ONLY accepted transactions relayed to it by major pools (or other trusted nodes).  Customer/attack gives you a transaction.  You submit it to a random node and wait for it to be relayed to you by multiple pools.

By not trusting the customer or the node you relayed it to you reduce the effectiveness of isolation attack.  If you are indeed isolated then you will never see the transaction and thus ask customer for alternative payment.  Just one example but for a larger operation involved in low value transactions (say McDonalds) I see 0 confirms being perfectly viable.

MatthewLM
Legendary
*
Offline Offline

Activity: 1092



View Profile WWW
March 20, 2012, 07:33:14 PM
 #7

1. Would the attacker be able to figure out what nodes the payee is connected to so that the attacker could pass the transaction that goes to the payee to these nodes so they don't relay the transaction that goes to the attacker but would relay the transaction going to the payee? Then the attacker could send the transaction going to him/herself to the majority of miners.
2. Would the payee able to connect to the majority of miners that are trusted so that the attacker would have to send the transaction that goes to the payee to these miners?
3. Would the number of nodes the payee need to connect to be in anyway limited by technology. The attacker could have access to servers capable of connecting to many nodes and the payee doesn't have this access?

Not sure if any of this thinking is in anyway correct so thank you for any answers.

Bitcoin Extra Wallet | Peercoin Android Wallet
BTC: 1D5A1q5d192j5gYuWiP3CSE5fcaaZxe6E9  PPC: PH7fVn1Xs7nkUFmdwCX2ZRYfLPCSwGxAq9
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
March 20, 2012, 08:40:33 PM
 #8

Yes, Yes, No.

On the 3rd questions, the total # of nodes doesn't matter just mining & other major nodes.  If Deepbit, Slush, MtGox, BTC Guild, and 18 other pools making up 80% of known hashing power have all seen a tx and the tx is a face to face transaction worth <1 BTC while nothing is guaranteed the likelihood of an attack is negligible.  Credit card fraud doesn't have a 0% fraud rate.  As long as the value to the business is greater than the loss due to fraud the technology is a net positive.  I believe that BTC can have a very low (as in tiny fraction of CC) fraud but still >0% and remain massively popular.

The most important thing to consider is that a one size fits all approach is likely doomed. A lot of tx could be processed 0-confirm.  Some likely shouldn't be processed even with 1 confirm (or 6 confirms).  For very large transactions it might make sense to wait for 48 confirmations.  For multi-million dollar transactions someday people may wait a day or more, or until the next checkpoint and/or purchase insurance to cover any double spend.

I would imagine most payees wouldn't try to solve this themselves.  A 0-confirm payment provider could handle the back end work with deals with say 70% of hashing power.  Pools could be paid by provider to give a "green light" on a tx and agree not to replace it with another tx.  Once payment provider has secured 51% of hashing power (would be smart to buffer a margin of safety) the provider could greenlight it to payee.   Multiple competing provides could emerge and offer a variety of plans and payment methods with pools.

MatthewLM
Legendary
*
Offline Offline

Activity: 1092



View Profile WWW
March 20, 2012, 09:33:05 PM
 #9

So the payee could pay a small fee to some service that maintains knowledge about the network and can cooperate with mining pools in exchange for greater security? If security was to be built into the client software itself then keeping up-to-date with trusted miners and pools might be an issue which is why a third party service could be useful? And this third party could take the payment passing on guaranteed payment a bit like Bit-Pay?

Bitcoin Extra Wallet | Peercoin Android Wallet
BTC: 1D5A1q5d192j5gYuWiP3CSE5fcaaZxe6E9  PPC: PH7fVn1Xs7nkUFmdwCX2ZRYfLPCSwGxAq9
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!