Any risks in trading Bitcoins for cash in person?

[c789]

Let's say I find someone who wants to sell Bitcoins and I want to buy them for cash. If we both meet at a public Wifi and I watch them send the Bitcoins to my address from their wallet, and I give them cash, are there any risks associated with this?

Obviously, they could try to rob me and just take my cash, but aside from this, are there any other risks?

[1715217549]

1715217549

[1715217549]

1715217549

[1715217549]

1715217549

[1715217549]

1715217549

[drekk]

Depends on how you actually find them.
Ideally they are known forum users, traders with a good otc-rating and so on.

I believe there are some websites listing local btc-sellers. Maybe they have some rating systems, too. Although none of the above should be considered a reliable source.

Just get as much info beforehand as possible.

~drekk~

[Ivica]

Check whether cash is not fake.
And you shouldn't probably come alone or meet in non public places at night.
Also note that even, if you get kidnapped and tortured, you'll still give away your wallet and password to it and lose all the bitcoins.
But you shouldn't be afraid, unless you exchange big figures and store all bitcoins within same wallet.

to drekk: https://localbitcoins.com/ for one relies solely on email validation and/or http://bitcoin-otc.com/ rating.

[c789]

Definitely there are physical risks, but I'll be prepared for those.

But as long as I see them make the transfer, the Bitcoins will be sent to my address, right? Is there any way they can revoke a transaction?

[Stephen Gornick]

Let's say I find someone who wants to sell Bitcoins and I want to buy them for cash. If we both meet at a public Wifi and I watch them send the Bitcoins to my address from their wallet, and I give them cash, are there any risks associated with this?

Obviously, they could try to rob me and just take my cash, but aside from this, are there any other risks?

Yes. If you are on Wi-Fi and running the Bitcoin.org client, then the counterparty knows the IP address for your node.  If you are configured to allow incoming transactions, then the counterparty might have a pretty good attack vector if you have your node misconfigured for acting as a merchant.  

With proper preparation, the counterparty has a node specifically connect to yours.  Then at the time of the trade creates a payment to your address and broadcasts that transaction to your node only.  At the same time, or a fraction of a second earlier another transaction using those same coins for the payment to you is broadcast instead to well connected nodes and known miner nodes.    As a result, you may see the transaction at 0/unconfirmed and you would then think you have the funds.  But the miners will likely reject that transaction relayed by your node because a transaction they just had received had already spent the coins your node thinks it will be receiving.  

In that situation, the transaction you see will remain 0/unconfirmed, and the counterparty take the cash you handed over, never to be seen again.  

If the counterparty had bad luck and the transaction sent to you got relayed first to a miner that solves a block, that transaction would then eventually confirm but then it is just a normal trade -- you got coins and the counterparty got your cash.  When this happens then unless you were specifically monitoring the network looking for a double spend attempt, you wouldn't know that you were almost cheated. So there is little risk to a thief to keep doing this race attack until successful.

To prevent that, use the proper "merchant configuration" on your node -- which is to not allow incoming transactions (specifically -nolisten) and have it explicitly connect to a well-connected node.   There still is a small chance that you could be cheated though due to this race attack, and also a small chance of losing due to a Finney attack which the "merchant" configuration doesn't even protect you against.

Here's the double spending article on the Bitcoin wiki:

 - http://en.bitcoin.it/wiki/Double-spending

That being said, there have been no reports to-date of anyone losing funds due to an in-person trade where a double spend occurred.  It is much easier to operate a scam that defrauds the gullible than it is to execute a race attack that requires near perfect execution and a failure rate high enough that it will, over time, remain unprofitable.

[Ivica]

tl;dr If I understand it right, it's bad idea to give money for unconfirmed transaction, in case of real life exchange, it's good idea to wait some time to get confirmations and possibly have different connection (mobile phone?) to check blockchain/explorer websites whether bitcoins arrived and got confirmed (in case you buy them).
Whether, if you sell bitcoins for fiat you'd probably only care about getting away with them (fiat) safely...

[drekk]

I'd simply set up an online wallet just for this single deal to receive the BTC (like a one-time-throw-away-wallet) and check from my mobile whether or not the payment shows up at blockchain.info.

If you're really paranoid you could add something like "half the money when payment is sent, half the money after X confirmations". Though as a seller, I'd probably not agree to these terms.

[Stephen Gornick]

possibly have different connection (mobile phone?) to check blockchain/explorer websites whether bitcoins arrived

Yup, that's really the simplest way to avoid the race attack.  Check the transaction on Blockchain.info.  If it shows there and doesn't show the flag of being a possible double spend, it is pretty safe to conclude it will eventually confirm.   There still is a tiny bit of risk though, including the Finney attack, so that's where you do risk assessment.  

A thief isn't going to mess with all this to try to get your $100 in a race attack.

And if you are trading a thousand dollars worth, it might be in your best interest to wait the ten minutes or so to get one confirmation.

Is there any way they can revoke a transaction?

There's no way to "cancel", but if you accept as payment on "0/unconfirmed" there is a risk that the payment will never confirm -- so it has the same effect as being "revoked".  Again, there have been no reports of anyone losing funds to this (MyBitcoin claimed losses due to double spending but never provided transaction IDs or other blockchain evidence to back their claim so it likely never happened.)

[c789]

Good tips from everyone. Yes, I'm talking less than 300 USD. Not a king's ransom, but neither is it an insignificant amount. Thank you for your input  

Is it ok to post my City and State on this thread to see if anyone wants to meet?

[casascius]

For the present size of the Bitcoin community, an attack in person is relatively rare.  The kind of transaction you're likely to do with a stranger is maybe $100, and there's a lot better way to do meatspace scams for a prize of that size.  Someone is far more likely to pull out a knife or run off with the cash in hand, than try to double spend or whatever.

I did a couple small deals way back when, and usually such encounters would be discussions of bitcoins, showing off the mining rigs, etc.  I was presumed to be trusted, because I would just either hand them a paper wallet, or a login and password to some sort of wallet service with a printout showing the bitcoins already in the account, which was accepted at face value.

If someone I didn't know ever wanted to do a deal with me for a larger amount, I'd be more cautious, such as transacting in a bank.  But that has never happened.

[Ivica]

300 USD? Might check localbitcoins website, otherwise. If you change your mind regarding meeting people, there are ways to buy bitcoins just with some fees, like bitinstant for example.