Heads-Up: Bank Fraud Alert

[teflone]

I still dont get why writing somewhere not for auctions works ?

I made the same mistake when I first read that.   Written a different way:
"Even a cash deposit to your bank account could be later reversed by the bank if it is determined the depositor was defrauded.  The bank can help prevent this from occurring by making the depositor write 'Not for auctions' on the deposit receipt."

This way if the person tells the cops they got scammed, too bad -- the receipt shows they were warned and should have known better.

ok??? 

[zer0]

Correction, a couple of months ago
http://nakedsecurity.sophos.com/2012/02/14/cryptome-org-hacked-into-serving-up-blackhole-exploit-kit/

They claim 2,863 visitors at risk, probably a lot more. Usually the kit is used for side channel targeted attacks not an open net catching everybody

Dwolla now offers an instant loan service for up to $500. Don't even need to rob people's bank accounts, just make a new account using their stolen information you bought for $10 on a crime forum and apply for credit. Spend $500 to get bitcoins and they won't know for a month anything is wrong.

[LoupGaroux]

That's an awful lot of Nigerian Princes and Romanian Hot Chicks answering the Dwolla security verification process with "Yes, this is Peggy..."

[Stephen Gornick]

Dwolla now offers an instant loan service for up to $500. Don't even need to rob people's bank accounts, just make a new account using their stolen information you bought for $10 on a crime forum and apply for credit. Spend $500 to get bitcoins and they won't know for a month anything is wrong.

Ohh ... I didn't even think of that, ya -- that's going to leave a mark.

It could actually go more than a month.   Dwolla doesn't do an ACH just because you didn't pay at the end of the month.  They just assess a fee.  It proably could go a couple months or more before they send collections to look into it.

[MysteryMiner]

I would be happy if someone will pay me back the cash bills I lost when I got drunk last night.

The identity verification is only invasion in anonymity on legitimate users, this will not stop fraud. Checked on MtGox and Paxum - they both accept photoshoped files. The bank transactions also should be made irreversible. This will protect exchanges and merchants. The losers who are unable to protect their data and computers will lose their money sooner or later anyway.

[zer0]

I would be happy if someone will pay me back the cash bills I lost when I got drunk last night.

The identity verification is only invasion in anonymity on legitimate users, this will not stop fraud. Checked on MtGox and Paxum - they both accept photoshoped files. The bank transactions also should be made irreversible. This will protect exchanges and merchants. The losers who are unable to protect their data and computers will lose their money sooner or later anyway.

I 100% agree

So far the trust system used here and at #bitcoin-otc has almost eliminated all fraud.
The new bitcoin market MPEX is also based on this system. IDs, 2 factor auth, IP tracing is all meaningless in 2012 seems GPG auth is almost invincible as the people that use it typically don't use Windows exploitable OS, don't click on obvious side channel attacks in their email box, know what they are doing and all around a good system so far.

[zer0]

Dwolla now offers an instant loan service for up to $500. Don't even need to rob people's bank accounts, just make a new account using their stolen information you bought for $10 on a crime forum and apply for credit. Spend $500 to get bitcoins and they won't know for a month anything is wrong.

Ohh ... I didn't even think of that, ya -- that's going to leave a mark.

It could actually go more than a month.   Dwolla doesn't do an ACH just because you didn't pay at the end of the month.  They just assess a fee.  It proably could go a couple months or more before they send collections to look into it.

Yeah I read they just debit your account the interest, then if nothing happens take forever to collect.
Their Dwolla "instant" system in Iowa which allows you instant funding to your dwolla account (no waiting 2-3 days) seems to enable fraudsters in whole new ways as well. Can't trust any online banking it can always be used for evil

[BitPay Business Solutions]

Dwolla just needs to get rid of the "pull" ACH funding option.  This is the most insecure money transmission ever invented by the banks.  It's awful.  All I need is a printed check from any person, and i can pull money from their account.  No PIN, no security, nothing.  It should be dropped entirely.  "push" type ACH, initiated by logging in to your online bill-pay, is much more secure.  

[Yankee (BitInstant)]

Dwolla just needs to get rid of the "pull" ACH funding option.  This is the most insecure money transmission ever invented by the banks.  It's awful.  All I need is a printed check from any person, and i can pull money from their account.  No PIN, no security, nothing.  It should be dropped entirely.  "push" type ACH, initiated by logging in to your online bill-pay, is much more secure.  

They need to get accepted into the online push/bill pay system. Alot of banks are VERY tight on who they allow to use it.

For years, Paypal was using pull. Finally, only a few years ago they were allowed to use the better system

[BitPay Business Solutions]

They need to get accepted into the online push/bill pay system. Alot of banks are VERY tight on who they allow to use it.

For years, Paypal was using pull. Finally, only a few years ago they were allowed to use the better system

This just seems so back-ass-wards.  They should allow more businesses into the push system because it allows the banks to vet them.  Accessing the pull should be the more restrictive option! 

[Yankee (BitInstant)]

They need to get accepted into the online push/bill pay system. Alot of banks are VERY tight on who they allow to use it.

For years, Paypal was using pull. Finally, only a few years ago they were allowed to use the better system

This just seems so back-ass-wards.  They should allow more businesses into the push system because it allows the banks to vet them.  Accessing the pull should be the more restrictive option! 

I know, the whole ACH protocal is so archaic. The ACH bylaws are moronic and the whole syste, was built without any cognitive oversight whatsoever.

It was more like 'Heres alot of money, build a system you think will work and we will use it. Have a nice day'

Oh jolly,

[bitcoinBull]

They need to get accepted into the online push/bill pay system. Alot of banks are VERY tight on who they allow to use it.

For years, Paypal was using pull. Finally, only a few years ago they were allowed to use the better system

This just seems so back-ass-wards.  They should allow more businesses into the push system because it allows the banks to vet them.  Accessing the pull should be the more restrictive option! 

I ran into this problem last year. Talked to managers at several different branches (Chase) who kept insisting it was impossible for me to push ACH and that what I actually wanted to do was pay the fee for a domestic wire transfer. Turned out that I had to set up a business account, and pay an additional monthly fee for the ability to initiate ACH transactions.

Dwolla just needs to get rid of the "pull" ACH funding option.  This is the most insecure money transmission ever invented by the banks.  It's awful.  All I need is a printed check from any person, and i can pull money from their account.  No PIN, no security, nothing.  It should be dropped entirely.  "push" type ACH, initiated by logging in to your online bill-pay, is much more secure. 

I don't think this is true. You need the bank login/pw to confirm the Dwolla verification deposits. Anyway, eCheck fraud isn't the problem. Bitcoin exchanges are facing this type of online bank fraud (deposit verification + ACH pull) because the bank account log-ins that can do ACH push (like payroll accounts) are defrauded more directly through reloadable debit cards or money mules (http://krebsonsecurity.com/2012/04/thieves-replacing-money-mules-with-prepaid-cards/).

[coinuser4000]

I would be happy if someone will pay me back the cash bills I lost when I got drunk last night.

The identity verification is only invasion in anonymity on legitimate users, this will not stop fraud. Checked on MtGox and Paxum - they both accept photoshoped files. The bank transactions also should be made irreversible. This will protect exchanges and merchants. The losers who are unable to protect their data and computers will lose their money sooner or later anyway.

I totally agree with this guy.

Government regulation almost NEVER prevents criminals from perpetrating crimes. Criminals will always find a way around the rules. All it does is infringe on the rights and privacy of law-abiding citizens. It's the sad truth, new rules don't protect anyone.

[Keyur @ Camp BX]

Dwolla has stepped up their procedures to counter the latest attack.  Here is a summary of new steps:


--------------------------------------

Starting today, users sending money to your account will need to meet and/or maintain:

1) Connect a social network
2) Have a bank deposit 30 days old
3) Enable a DWOLLA hub page
4) Have a verified account
(i.e. Social Security and/or Photo Verified)

We are working hard to make sure this policy does not affect your most frequent, loyal, and responsible customers.

Thanks for being a part of Dwolla. We hope our new changes will protect customers and merchants alike. Please let us know if you have any questions.

All the best,
Dwolla

--------------------------------------



Discussion at this thread by Charlie: https://bitcointalk.org/index.php?topic=76866.0

[Stephen Gornick]

Starting today, users sending money to your account will need to meet and/or maintain:

1) Connect a social network
2) Have a bank deposit 30 days old
3) Enable a DWOLLA hub page
4) Have a verified account
(i.e. Social Security and/or Photo Verified)

The users SENDING MONEY need to enable a DWOLLA hub page?  What?

That must be a mistake on Dwolla's end in writing this message.

Either way, this change is going to leave a mark for those using Dwolla with Bitcoin exchanges.

[RaggedMonk]

Starting today, users sending money to your account will need to meet and/or maintain:

1) Connect a social network
2) Have a bank deposit 30 days old
3) Enable a DWOLLA hub page
4) Have a verified account
(i.e. Social Security and/or Photo Verified)

The users SENDING MONEY need to enable a DWOLLA hub page?  What?

That must be a mistake on Dwolla's end in writing this message.

Either way, this change is going to leave a mark for those using Dwolla with Bitcoin exchanges.

Nope,  I emailed Dwolla support, and all four are required to send funds to certain merchants, such as MtGox.

The fact that they are upselling their service as part of the verification process is disgusting, and (along with needing to be connected to my facebook) the reason I am cancelling my account.

[Aggro]

Starting today, users sending money to your account will need to meet and/or maintain:

1) Connect a social network
2) Have a bank deposit 30 days old
3) Enable a DWOLLA hub page
4) Have a verified account
(i.e. Social Security and/or Photo Verified)

The users SENDING MONEY need to enable a DWOLLA hub page?  What?

That must be a mistake on Dwolla's end in writing this message.

Either way, this change is going to leave a mark for those using Dwolla with Bitcoin exchanges.

Nope,  I emailed Dwolla support, and all four are required to send funds to certain merchants, such as MtGox.

The fact that they are upselling their service as part of the verification process is disgusting, and (along with needing to be connected to my facebook) the reason I am cancelling my account.

Wow ... if all four are required, this is the end of dwolla as a funding option for bitcoin.

[bb113]

Why didn't the people affected get a notified of this?

[Stephen Gornick]

Why didn't the people affected get a notified of this?

We'll likely each learn about this the next time we try to send a Dwolla payment to a bitcoin exchange.

[bb113]

So they are going to charge a quarter then ask for this info?