Bitcoin Forum
September 23, 2018, 01:34:44 PM *
News: ♦♦ New info! Bitcoin Core users absolutely must upgrade to previously-announced 0.16.3 [Torrent]. All Bitcoin users should temporarily trust confirmations slightly less. More info.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Any risks in trading Bitcoins for cash in person?  (Read 1151 times)
c789
Hero Member
*****
Offline Offline

Activity: 851
Merit: 1000



View Profile
September 17, 2012, 06:25:00 PM
 #1

Let's say I find someone who wants to sell Bitcoins and I want to buy them for cash. If we both meet at a public Wifi and I watch them send the Bitcoins to my address from their wallet, and I give them cash, are there any risks associated with this?

Obviously, they could try to rob me and just take my cash, but aside from this, are there any other risks?

Comparison of Privacy-Centric Coins: https://moneroforcash.com/monero-vs-dash-vs-zcash-vs-bitcoinmixers.php also includes Verge and Pivx
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1537709684
Hero Member
*
Offline Offline

Posts: 1537709684

View Profile Personal Message (Offline)

Ignore
1537709684
Reply with quote  #2

1537709684
Report to moderator
1537709684
Hero Member
*
Offline Offline

Posts: 1537709684

View Profile Personal Message (Offline)

Ignore
1537709684
Reply with quote  #2

1537709684
Report to moderator
drekk
Member
**
Offline Offline

Activity: 70
Merit: 10


Who shot who in the what now?


View Profile WWW
September 17, 2012, 06:35:35 PM
 #2

Depends on how you actually find them.
Ideally they are known forum users, traders with a good otc-rating and so on.

I believe there are some websites listing local btc-sellers. Maybe they have some rating systems, too. Although none of the above should be considered a reliable source.

Just get as much info beforehand as possible. Smiley

~drekk~


☛ GPG Key / Fingerprint: CDFF 083A 3056 7DD8 B5B9  6687 726C AB05 D6AE 6148
☛ Overly attached BitMinter miner // 4pmlIE9idmlvdXMgdHJvbGwgaXMgb2J2aW91cy4g4pm
Ivica
Full Member
***
Offline Offline

Activity: 218
Merit: 100


Firstbits: 19e3fc


View Profile
September 17, 2012, 06:37:12 PM
 #3

Check whether cash is not fake.
And you shouldn't probably come alone or meet in non public places at night.
Also note that even, if you get kidnapped and tortured, you'll still give away your wallet and password to it and lose all the bitcoins.
But you shouldn't be afraid, unless you exchange big figures and store all bitcoins within same wallet.

to drekk: https://localbitcoins.com/ for one relies solely on email validation and/or http://bitcoin-otc.com/ rating.

19e3fcoLTu8YVFAU1NywJ88YnHH5kF8ScP - donations are welcome.
c789
Hero Member
*****
Offline Offline

Activity: 851
Merit: 1000



View Profile
September 17, 2012, 06:41:02 PM
 #4

Definitely there are physical risks, but I'll be prepared for those.

But as long as I see them make the transfer, the Bitcoins will be sent to my address, right? Is there any way they can revoke a transaction?

Comparison of Privacy-Centric Coins: https://moneroforcash.com/monero-vs-dash-vs-zcash-vs-bitcoinmixers.php also includes Verge and Pivx
Stephen Gornick
Legendary
*
Offline Offline

Activity: 2506
Merit: 1001


View Profile
September 17, 2012, 06:49:02 PM
 #5

Let's say I find someone who wants to sell Bitcoins and I want to buy them for cash. If we both meet at a public Wifi and I watch them send the Bitcoins to my address from their wallet, and I give them cash, are there any risks associated with this?

Obviously, they could try to rob me and just take my cash, but aside from this, are there any other risks?

Yes. If you are on Wi-Fi and running the Bitcoin.org client, then the counterparty knows the IP address for your node.  If you are configured to allow incoming transactions, then the counterparty might have a pretty good attack vector if you have your node misconfigured for acting as a merchant.  

With proper preparation, the counterparty has a node specifically connect to yours.  Then at the time of the trade creates a payment to your address and broadcasts that transaction to your node only.  At the same time, or a fraction of a second earlier another transaction using those same coins for the payment to you is broadcast instead to well connected nodes and known miner nodes.    As a result, you may see the transaction at 0/unconfirmed and you would then think you have the funds.  But the miners will likely reject that transaction relayed by your node because a transaction they just had received had already spent the coins your node thinks it will be receiving.  

In that situation, the transaction you see will remain 0/unconfirmed, and the counterparty take the cash you handed over, never to be seen again.  

If the counterparty had bad luck and the transaction sent to you got relayed first to a miner that solves a block, that transaction would then eventually confirm but then it is just a normal trade -- you got coins and the counterparty got your cash.  When this happens then unless you were specifically monitoring the network looking for a double spend attempt, you wouldn't know that you were almost cheated. So there is little risk to a thief to keep doing this race attack until successful.

To prevent that, use the proper "merchant configuration" on your node -- which is to not allow incoming transactions (specifically -nolisten) and have it explicitly connect to a well-connected node.   There still is a small chance that you could be cheated though due to this race attack, and also a small chance of losing due to a Finney attack which the "merchant" configuration doesn't even protect you against.

Here's the double spending article on the Bitcoin wiki:

 - http://en.bitcoin.it/wiki/Double-spending

That being said, there have been no reports to-date of anyone losing funds due to an in-person trade where a double spend occurred.  It is much easier to operate a scam that defrauds the gullible than it is to execute a race attack that requires near perfect execution and a failure rate high enough that it will, over time, remain unprofitable.
Ivica
Full Member
***
Offline Offline

Activity: 218
Merit: 100


Firstbits: 19e3fc


View Profile
September 17, 2012, 06:53:56 PM
 #6

tl;dr If I understand it right, it's bad idea to give money for unconfirmed transaction, in case of real life exchange, it's good idea to wait some time to get confirmations and possibly have different connection (mobile phone?) to check blockchain/explorer websites whether bitcoins arrived and got confirmed (in case you buy them).
Whether, if you sell bitcoins for fiat you'd probably only care about getting away with them (fiat) safely...

19e3fcoLTu8YVFAU1NywJ88YnHH5kF8ScP - donations are welcome.
drekk
Member
**
Offline Offline

Activity: 70
Merit: 10


Who shot who in the what now?


View Profile WWW
September 17, 2012, 07:05:39 PM
 #7

I'd simply set up an online wallet just for this single deal to receive the BTC (like a one-time-throw-away-wallet) and check from my mobile whether or not the payment shows up at blockchain.info.

If you're really paranoid you could add something like "half the money when payment is sent, half the money after X confirmations". Though as a seller, I'd probably not agree to these terms. Cheesy

☛ GPG Key / Fingerprint: CDFF 083A 3056 7DD8 B5B9  6687 726C AB05 D6AE 6148
☛ Overly attached BitMinter miner // 4pmlIE9idmlvdXMgdHJvbGwgaXMgb2J2aW91cy4g4pm
Stephen Gornick
Legendary
*
Offline Offline

Activity: 2506
Merit: 1001


View Profile
September 17, 2012, 07:07:26 PM
 #8

possibly have different connection (mobile phone?) to check blockchain/explorer websites whether bitcoins arrived

Yup, that's really the simplest way to avoid the race attack.  Check the transaction on Blockchain.info.  If it shows there and doesn't show the flag of being a possible double spend, it is pretty safe to conclude it will eventually confirm.   There still is a tiny bit of risk though, including the Finney attack, so that's where you do risk assessment.  

A thief isn't going to mess with all this to try to get your $100 in a race attack.

And if you are trading a thousand dollars worth, it might be in your best interest to wait the ten minutes or so to get one confirmation.



Is there any way they can revoke a transaction?

There's no way to "cancel", but if you accept as payment on "0/unconfirmed" there is a risk that the payment will never confirm -- so it has the same effect as being "revoked".  Again, there have been no reports of anyone losing funds to this (MyBitcoin claimed losses due to double spending but never provided transaction IDs or other blockchain evidence to back their claim so it likely never happened.)
c789
Hero Member
*****
Offline Offline

Activity: 851
Merit: 1000



View Profile
September 17, 2012, 07:09:51 PM
 #9

Good tips from everyone. Yes, I'm talking less than 300 USD. Not a king's ransom, but neither is it an insignificant amount. Thank you for your input  Smiley

Is it ok to post my City and State on this thread to see if anyone wants to meet?

Comparison of Privacy-Centric Coins: https://moneroforcash.com/monero-vs-dash-vs-zcash-vs-bitcoinmixers.php also includes Verge and Pivx
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1040


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
September 17, 2012, 07:11:34 PM
 #10

For the present size of the Bitcoin community, an attack in person is relatively rare.  The kind of transaction you're likely to do with a stranger is maybe $100, and there's a lot better way to do meatspace scams for a prize of that size.  Someone is far more likely to pull out a knife or run off with the cash in hand, than try to double spend or whatever.

I did a couple small deals way back when, and usually such encounters would be discussions of bitcoins, showing off the mining rigs, etc.  I was presumed to be trusted, because I would just either hand them a paper wallet, or a login and password to some sort of wallet service with a printout showing the bitcoins already in the account, which was accepted at face value.

If someone I didn't know ever wanted to do a deal with me for a larger amount, I'd be more cautious, such as transacting in a bank.  But that has never happened.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
Ivica
Full Member
***
Offline Offline

Activity: 218
Merit: 100


Firstbits: 19e3fc


View Profile
September 17, 2012, 07:20:53 PM
 #11

300 USD? Might check localbitcoins website, otherwise. If you change your mind regarding meeting people, there are ways to buy bitcoins just with some fees, like bitinstant for example.

19e3fcoLTu8YVFAU1NywJ88YnHH5kF8ScP - donations are welcome.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!