Bitcoin Forum
December 06, 2016, 08:23:34 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: BTCBuy now offering calling cards  (Read 1536 times)
coga
Full Member
***
Offline Offline

Activity: 226


www.btcbuy.info


View Profile WWW
April 25, 2012, 06:07:13 PM
 #1

www.btcbuy.info has long been a great way to buy amazon (and other!) gift cards, but today we are announcing, that we are also starting to sell wireless refills for the following carriers:

- AT&T GoPhone
- Cricket PAYgo
- Page Plus Cellular
- Simple Mobile
- T-Mobile
- Virgin Mobile

The feature is in beta, so please report the issues to support@btcbuy.info.

Fineprint: BTC Buy is not claiming to be a dealer representing any individuals, companies, or organizations. PINs come without warranties of any kind, either express or implied. Not responsible for stolen or lost PINs. Cannot issue refunds for any cell phone / wireless refill cards, unless PIN is verified to be defective

GPG key: 6F8E305690A05365B58C50A
1481012614
Hero Member
*
Offline Offline

Posts: 1481012614

View Profile Personal Message (Offline)

Ignore
1481012614
Reply with quote  #2

1481012614
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
Stephen Gornick
Legendary
*
Offline Offline

Activity: 1988



View Profile
April 26, 2012, 12:39:51 AM
 #2

Hi,

Each time for over about a year now that I've paid my mobile phone service I've grumbled about knowing that my phone bill was higher than it needed to be because my mobile provider (T-mobile) was giving part of my payment (perhaps 2% or so)  to the credit card issuer.   Every time I vowed that if such a service wasn't coming soon I'ld be tempted to see one launched myself (even inquired with GPA as to what would be involved http://www.gpa.net/products/virtual_terminal.cfm ).

Well, fortunately BTCBuy.info just came out providing exactly what I need.

My first purchase went fairly smoothly!

Some feedback.

1.) The menu option on the site says "calling cards".  I consider these to be mobile wireless prepaid cards, so calling cards doesn't seem to be the right category.  I'm not looking for minutes for long distance phone calls.
 - http://www.btcbuy.info/CallingCards.cshtml

2.) When I was to choose which card, I wasn't sure if I needed "refill" or "plan".    I have a Pay as you Go (1500 minutes talk, text and web).  Since that is a monthly price, I ended up choosing "plan" and it ended up working.  Can anything there give help as to which T-mobile plans take which payment reload options?

3.) When I was asked for my e-mail address, I was wondering if that was required.   If I wish for that to be private, I suppose I could use a throwaway e-mail address but was just curious if that was simply for customer service issues should something come up.  (and, of course, the e-mail is necessary for getting the delivery of the e-card, I later learned.)

4.) After ordering, I was shown the bitcoin address that I was to send my payment to.  After I sent it though, I didn't know what to do next?  Should I refresh the page?  Should I check my e-mail?  What?  And how many confirms will it take?

The answer was ... wait two confirmations and check my e-mail -- I will get a confirmation of payment received, and then I will get another message with the purchased e-card.

5.) Which brings me to the last, but nowhere near the least important piece of feedback,
The e-mail sent to me had the T-mobile card's 14-digit "PIN" code that I use to reload the funds to the balance for my mobile account.   That code sent to me is a negotiable bearer instrument.  Whomever has access to that code can use it (with any user that has t-mobile phone service, for this specific card item that I ordered).   As we've learned with Mt. Gox redeemable codes, Instawallet URLs, and Coinapult claim tickets, ... protection of that code is of the utmost importance.  

SMTP, which is the protocol that e-mail is transferred using, is not a secure form of communications.  That t-mobile code in my e-mail was visible from the mail server wherever  BTCBuy's mail service is hosted, and visible in all the dozen or so routes the message took between BTCBuy and my mail server.    A network sysadmin willing to commit fraud or a contract tech support person from another country even could have at any point sniffed the network traffic specifically looking for the pattern: "from: *.BTCBuy.com". With those results the bad actor gets first dibs on all mobile phone prepaid card codes purchased from BTCBuy before the buyer ever sees them.

So, please reconsider the approach .  BitInstant is planning on making a change after recently considering how Coinapult delivers bitcoins through e-mail as CoinaPult's approach is exposed to the same risk (code stolen by someone sniffing the raw SMTP traffic).

BitInstant's solution (that it is currently in the process of implementing) is to give the user a 4 to 6 digit PIN# at the time of purchase.  This special code is then necessary before the purchased e-card's code is revealed.  Here's BitInstant's description:
 - https://bitcointalk.org/index.php?topic=77194.msg858077#msg858077

Ideally, there is a flow that doesn't go through e-mail.  After sending the bitcoin payment I was hoping for a link that would be for a page that shows me the status of my transaction.  When BTCBuy considers my payment as having been completed (2 confirmations) I should then be given the code right there in the browser. [Update: Though this should only be served via SSL if the page contains sensitive information.]  Thus e-mail would only be necessary as a backup if I lost the URL.

Also, is 2 confirmations enough?  These codes are almost close enough to being hard money, where if there were an opportunity for double spending on two confirmations, this would be among the first services to be hit.  If the fulfillment is online, the purchase can be made anonymously, and the goods sold cannot be easily recovered if there is fraud detected then the transaction is not one that is suitable for 0/unconfirmed payments.  With this category specifically, even waiting for two confirmations might be insufficient.

At the same time, 2 confirmations is too long.   I wanted that code ASAP because I waited until my plan expired and am unable to make a call until I refill funds into my t-mobile account.  Optionally accepting a green address for instant credit might be something you could consider?   Or , ... perhaps you could accept also a redeemable BTC code from an exchange as that would be another way to give credit and complete the transaction instantly?

To conclude ... .AWESOME SERVICE!   I am so happy to see this come along!

Serenata
Sr. Member
****
Offline Offline

Activity: 251



View Profile WWW
April 27, 2012, 10:57:02 AM
 #3

Cool service! Thanks Smiley

Check your PGP link on the about page. It shows error 404

BitcoinX.gr - Το ελληνικό στέκι του Bitcoin

My GPG Key
Maged
Legendary
*
Offline Offline

Activity: 1260


View Profile
April 27, 2012, 04:47:18 PM
 #4

About time. I was afraid that I would have had to start something like this myself, and this is an industry that I would prefer to avoid.

However, let me clear up some misconceptions about double spends: Other than a 50% attack, all other double-spends are more likely to fail than succeed. Thus, in order for an attacker to try the attack more than once, they have to be able to re-sell the product that they accidentally got legitimately. That is why 2-confirmations are safe for any service that doesn't allow you to directly withdraw back into Bitcoins. For items that can't easily be resold at retail prices, one confirmation would be good enough. Finally, if you have mining contracts with major miners, as well as basic double-spend detection (which can now be done through Blockchain.info), you can accept with no confirmations on items that can't easily be converted back to cash.

Anyway, my point is, 2-confirmations is about the best compromise they can make. It'd be nice if they took green address transactions, though...

coga
Full Member
***
Offline Offline

Activity: 226


www.btcbuy.info


View Profile WWW
April 28, 2012, 06:55:50 PM
 #5

First off, I want to thank everyone for the feedback. This is a new thing, and I appreciate that you guys are bearing with ambiguities, those will be resolved. I wanted to address some points here:

1) I will go ahead and rename "Calling Cards" to "Wireless Refills" where possible. We would still be selling both, just didn't have time yet to get adding more carriers to the list.

By the way, important note here: we have access to a wide variety of calling cards and wireless refills, both in USA and internationally. If you are interested in purchasing PINs or direct refills for some specific carrier, please send me a message, I could get those handled on priority basis

2) Point taken about "refills" or "plans", that those are ambiguous. However, if you check on on the carrier site, those have very specific denominations, so it's nearly impossible to order wrong thing unless you deliberately choose the wrong amount. If not sure, you can always request clarification by emailing support@btcbuy.info. Nevertheless, I will make sure, that it's more clear what is what.

3) The email method of delivery was modeled after our gift card purchasing business. It is understandable, that sending your BTC  without knowing who you are dealing with is scary. But we were in business for almost a year already, and serviced many thousands of orders. Problems happened, but we always worked through them, and I don't think you will find any negative feedback about BTC Buy. If problems happen - email support@btcbuy.info, and we will respond. We are very serious about our reputation.

4) Understandably, there is no magic bullet when it goes down to security, it always comes at a cost of convenience. Again, out of many thousands of orders that we fulfilled, there has not been a single case of fraud based on email interception. This said, it does not mean it won't happen, everything happens for the first time.

I need to think a bit on what solution I could provide to security-savvy folks here. At this time, it seems to me that the best option is to allow copy/pasting PGP public key during order, and this key would later on be used for all correspondence.


GPG key: 6F8E305690A05365B58C50A
Stephen Gornick
Legendary
*
Offline Offline

Activity: 1988



View Profile
April 28, 2012, 07:17:47 PM
 #6

Again, out of many thousands of orders that we fulfilled, there has not been a single case of fraud based on email interception.

As far as why you hadn't seen it much yet is probably because the type of cards you've been selling up to now couldn't be used anonymously.  To use a card for spending one had to have a delivery address for the order paid for using the merchant gift card, for instance.  Prepaid wireless and calling cards work a little more anonymously (though even a $20 throwaway phone is tracked by cell tower, E-911 and gps even info even so it stops being truly anonymous once law enforcement was to get involved.)

coga
Full Member
***
Offline Offline

Activity: 226


www.btcbuy.info


View Profile WWW
April 28, 2012, 08:33:52 PM
 #7

One thing you can do right now to almost eliminate the risk of code interception is use gmail account. We send through gmail using SSL, so the email will most probably never be seen on the internet unencrypted

GPG key: 6F8E305690A05365B58C50A
coga
Full Member
***
Offline Offline

Activity: 226


www.btcbuy.info


View Profile WWW
November 12, 2012, 12:39:29 AM
 #8

Again, out of many thousands of orders that we fulfilled, there has not been a single case of fraud based on email interception.

As far as why you hadn't seen it much yet is probably because the type of cards you've been selling up to now couldn't be used anonymously.  To use a card for spending one had to have a delivery address for the order paid for using the merchant gift card, for instance.  Prepaid wireless and calling cards work a little more anonymously (though even a $20 throwaway phone is tracked by cell tower, E-911 and gps even info even so it stops being truly anonymous once law enforcement was to get involved.)

Stephen, that has been quite awhile, and I apologize for that. But you might want to check out a new feature on the web site: PGP encrypted emails. If you do want to make sure the PINs you are getting are protected from eavesdropping, you can now copy/paste your public key, and all the automatic correspondence coming from btcbuy.info will be PGP encrypted, including email where PINs are supplied.

GPG key: 6F8E305690A05365B58C50A
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!