Email from Dwolla Regarding Reversals

[notme]

How is google better?

I didnt like Dwolla after that Tradehill incident. But now I they are dead for me.

I meant Google Authenticator... not Authentication.

Authenticator is an app that generates time-based passwords unique to the given site that implements it.

[1714094525]

1714094525

[1714094525]

1714094525

[RaggedMonk]

If you don't like this, cancel your account today, right now.

I just confirmed with Dwolla support that all 4 steps are now a requirement before sending money to MtGox.
- The 30 bank transfer history I have no problem with.  
- Accessing my Facebook and Social Security number is an unnecessary invasion of my privacy that I will not tolerate, and is the main reason I am cancelling my account.
- The fact that they are up-selling their new Hub Pages product is repugnant, particularly that it is a requirement before you can send money to certain people.  

If you have an account and don't want to comply with their bullshit verification, contact support and ask for it to be deleted.  They should feel some pain from this new policy.

[rjk]

Has anyone confirmed whether this affects withdrawals (from mtgox or wherever)? Is ID needed to withdraw from an exchange?

[wogaut]

Is that true for Dwolla/Intersango too?

[Etlase2]

If you have an account and don't want to comply with their bullshit verification, contact support and ask for it to be deleted.  They should feel some pain from this new policy.

except that, IIRC, your account won't actually be deleted for a very long time.

[RaggedMonk]

If you have an account and don't want to comply with their bullshit verification, contact support and ask for it to be deleted.  They should feel some pain from this new policy.

except that, IIRC, your account won't actually be deleted for a very long time.

They offered to suspend my account, I told them to permanently delete all data that they are not required by law to retain.  They still haven't responded.

[evoorhees]

Ironically, this will make Bitcoin world MORE anonymous, as more US people will now use the anonymous cash deposits at banks via BitInstant instead of Dwolla (it was already much faster... now it's more far more private as well).

[DeathAndTaxes]

1) Connect a social network

Steps like this only hurt Dwolla.  The fraudsters have dummy social network accounts set up.  I guess they may catch a dummy who starts honest then goes rouge and tries to charge back a Dwolla transaction because they would have more information on them.  Probably not though, the bank is most often going to side with the customer. 

Dwolla NEEDS two factor now.  Just fishing for REAL Dwolla accounts and using them to buy BTC is going to be a problem.  Each hack Dwolla account will be worth something so long as Dwolla is accepted by bitcoin exchanges.  Hackers are going to keep pushing Dwolla as long as they sit still.  Paypal has the advantage because they can usually take a payment back in the end.   

Dwolla has two factor, but one is a password, and one is a short, numerical pin.  SMS or Google Authentication would be a step in the right direction.

BTW that isn't two factor.

a) Something you know
b) Something you have
c) Something you are

One factor uses one of the factors, two factor uses two, and three factor uses three.  Adding more elements from the same factor doesn't significantly increase security.

[JusticeForYou]

Cash deposits at banks seems to be the way to go to maintain privacy.

This AML KYC stuff is just because LE has become lazy. If they truly suspect someone of a crime then they can goto the bank and get the video. This 'everyone' is a suspect so lets violate their privacy, needs to fail. So, every time they come up with a system, we need to come up with a 'legal' way of circumventing it.

[notme]

1) Connect a social network

Steps like this only hurt Dwolla.  The fraudsters have dummy social network accounts set up.  I guess they may catch a dummy who starts honest then goes rouge and tries to charge back a Dwolla transaction because they would have more information on them.  Probably not though, the bank is most often going to side with the customer. 

Dwolla NEEDS two factor now.  Just fishing for REAL Dwolla accounts and using them to buy BTC is going to be a problem.  Each hack Dwolla account will be worth something so long as Dwolla is accepted by bitcoin exchanges.  Hackers are going to keep pushing Dwolla as long as they sit still.  Paypal has the advantage because they can usually take a payment back in the end.   

Dwolla has two factor, but one is a password, and one is a short, numerical pin.  SMS or Google Authentication would be a step in the right direction.

BTW that isn't two factor.

a) Something you know
b) Something you have
c) Something you are

One factor uses one of the factors, two factor uses two, and three factor uses three.  Adding more elements from the same factor doesn't significantly increase security.

Thank you, you are correct.
http://en.wikipedia.org/wiki/Two-factor_authentication

[Stephen Gornick]

I just confirmed with Dwolla support that all 4 steps are now a requirement before sending money to MtGox.
- The 30 bank transfer history I have no problem with.  

There was use of Dwolla by some that never set up a bank account.  If one doesn't trust the exchanges, funds could be moved out of the exchange into Dwolla without giving them anything other than a name e-mail address (for small amounts, of course -- for larger amounts they've wanted ID for quite some time now.)

Many people were able to use Dwolla as an FDIC insured temporary holding spot after cashing out of some bitcoins.  But now, they must register with a bank and wait 30 days in order to get that money back into bitcoins.   Some of them don't even have a bank account.   (Fortunately, some reloadable debit cards will function as direct deposit for transferring cash out sooner than 30 days).

- Accessing my Facebook and Social Security number is an unnecessary invasion of my privacy that I will not tolerate, and is the main reason I am cancelling my account.

Yup -- the Facebook part is unacceptable.  The SS# I can understand, though I would think existing accounts should get grandfathered in as far as the balance that existed when this change occurred.

- The fact that they are up-selling their new Hub Pages product is repugnant, particularly that it is a requirement before you can send money to certain people.

Isn't that bizarre?   To send money to you I need to set up a hub page so that I too can receive money from others?    Why?

I wouldn't bet that was a misunderstanding by the person editing the announcement or something to that effect.

[zer0]

Facebook thing and 30 day wait won't really prevent fraud. Afterall most crimebots record every keystroke and login so the potential fraudster would already have all Dwolla/FB/everything and can just buy the SSN# from a lookup service.

Bitinstant should crowdsource trusted people to do cash in hand trades in every city and pay an affiliate fee or something No more banks or dwolla middlemen. Sort of a giant hawalla network

[Stephen Gornick]

30 day wait won't really prevent fraud.

There is logic for the 30-day wait.  It states that you must have used Dwolla to transfer funds from your bank account at least 30 days prior.  Thus if a scammer did a bank transfer without the bank account holder realizing it right away, the passing of one statement cycle increases the chances the transaction would be discovered.

This will help Dwolla with Dwolla Instant as well, as if the scammer were to have created the account and applied for the line of credit, at least the chances are that the legitimate account holder will likely learn that this account and/or credit line was created before any funds were transferred to a bitcoin exchange.

[DeathAndTaxes]

30 day wait won't really prevent fraud.

There is logic for the 30-day wait.  It states that you must have used Dwolla to transfer funds from your bank account at least 30 days prior.  Thus if a scammer did a bank transfer without the bank account holder realizing it right away, the passing of one statement cycle increases the chances the transaction would be discovered.

This will help Dwolla with Dwolla Instant as well, as if the scammer were to have created the account and applied for the line of credit, at least the chances are that the legitimate account holder will likely learn that this account and/or credit line was created before any funds were transferred to a bitcoin exchange.

It prevents a scammer from using a non-Dwolla bank account and signup up for Dwolla service but it does nothing to protect against keylogger and using a victims already established account (one w/ facebook links, and 30 day of account history).

It is feel good security.  If most of the attacks are from creating new accounts using stolen non-Dwolla enrolled bank accounts then the attackers will simply shift to stealing existing dwolla accounts.

[hongus]

I'm pulling all my money out ASAP and contacting support to delete my account as soon as the money reaches my bank account.

[zer0]

30 day wait won't really prevent fraud.

There is logic for the 30-day wait.  It states that you must have used Dwolla to transfer funds from your bank account at least 30 days prior.  Thus if a scammer did a bank transfer without the bank account holder realizing it right away, the passing of one statement cycle increases the chances the transaction would be discovered.

This will help Dwolla with Dwolla Instant as well, as if the scammer were to have created the account and applied for the line of credit, at least the chances are that the legitimate account holder will likely learn that this account and/or credit line was created before any funds were transferred to a bitcoin exchange.

True this does prevent simple new signup fraud, but still doesn't combat identity theft. Can open bank accounts remotely using somebody's stolen identity, launder other stolen funds through it to Dwolla, then apply for credit after the 30 days. Some scammers are in it for the long haul if they can pull it off.

Any money transfer system based on online banking is doomed to fraud unfortunately. Trustcash wins again

[Stephen Gornick]

If most of the attacks are from creating new accounts using stolen non-Dwolla enrolled bank accounts then the attackers will simply shift to stealing existing dwolla accounts.

Which reduces the size of Dwolla's risk exposure by several orders of magnitude, for now.  I'm guessing at $0.25 per transaction they simply cannot afford even to deal with the administrative hassle coming from the fraud transactions -- either attempted or successful, so this change is one way to automate away much of it.

[Stephen Gornick]

Any money transfer system based on online banking is doomed to fraud unfortunately.

In the U.S. they've yet to allow retail banking (consumer banking) customers do ACH push.   Add in a Yubikey requirement to allow ACH push (only with the key) and most of the problem with unauthorized transactions is solved.   The problem is banks see that switch as being too expensive, in financial terms and consumer education and support.  It is still cheaper to pass on the cost of fraud to either the customers or the merchant, and when forced to, eat a little themselves.

[zer0]

Any money transfer system based on online banking is doomed to fraud unfortunately.

In the U.S. they've yet to allow retail banking (consumer banking) customers do ACH push.   Add in a Yubikey requirement to allow ACH push (only with the key) and most of the problem with unauthorized transactions is solved.   The problem is banks see that switch as being too expensive, in financial terms and consumer education and support.  It is still cheaper to pass on the cost of fraud to either the customers or the merchant, and when forced to, eat a little themselves.

There's a gold and currency exchange office where I live where you can walk in, lay down cash and they will send risky electronic transactions for a small fee, so the receiver is guaranteed clean funds.

Yubikey and other requirements for online banking would be great but seems to me banks and credit card companies are willing to just eat the fraud if it's easy for their customers to use. Push a button send money.

[Stephen Gornick]

Ya, denying service because you won't link your Facebook account is probably something the EFF needs to jump onto before it becomes accepted practice.

 - http://www.betabeat.com/2011/12/13/as-banks-start-nosing-around-facebook-and-twitter-the-wrong-friends-might-just-sink-your-credit
 - http://www.movenbank.com