xioustic
Member
Offline
Activity: 72
Merit: 10
The Village Idiot
July 03, 2012, 06:47:19 PM
Quote from: TangibleCryptography
I need some feedback. I had intended each sales order to be independent of any outside access. No email (except in unresolvable problems) and no accounts. Maximum security. There is no user-side data to hack, spoof, or impersonate. No social engineering possible, and even if an order is compromised the attacker only has read access to the data. That may not be realistic. Roughly 2% of sales required their order number, either due to the seller never being provided it (connectivity issues) or it being lost or written down incorrectly.
What do you think? Is having no notifications and lookups a bad idea?
I see 5 possible resolutions:
Option A) Change nothing. Sellers should be more responsible. The major problem with this is that http isn't a guaranteed service. Loss of connectivity could result in the seller never getting the order #. There is never any risk to funds. If the user never saw the order # then they couldn't have seen the deposit address, and the order will just expire unfunded.
Option B) Assign the order # before the sales form is submitted. Will require changing the code somewhat and seems clunky, but it would work. User error is still an issue, but it rules out the connectivity issues in A.
Option C) Email the user their order # and a link to the status page on order creation. Less respect for privacy, but the email message would be spartan and non-descriptive. "Order # 99999 has been created. View status here:"
Option D) Provide a lookup form for the Order #. The issue is in making it deterministic. If the user is validated by the lookup form, the order ID would be sent to the user.
Option E) Your idea.
I personally like it the way it is, but coupled with my suggestion below, there should be some way to look up the status of the order. This promotes maximum anonymity (which I think is ideal, but RISKY for you, something you'll need to weigh in with your comfort level). Keep it so the funding address is given at the same time the Order # is given, so the customer can't claim he was given one but not the other. If http fails, then the order is never fulfilled and should be pruned after 2 weeks or so. Key: Display the order # in the html BEFORE the payment address, so that if the http connection is lost midway through, they still cannot risk their funds by being derpy and sending them even though the page had not fully loaded and they'll never get their order #. Details first, payment second.

Maybe make including an e-mail address OPTIONAL, and if they choose to provide that information you could e-mail them the Order # and link. This would provide a combination of nearly all your options and incorporate the benefits of each.

Quote from: TangibleCryptography
What do you think about Order #? They are obviously sequential, which makes brute forcing them easier. I never consider usernames to be a secure piece of information, but a sequence does make attacking weak passwords significantly easier. Would it be better to have an Order ID which is not sequential and instead is a hash* of the order details (i.e. Order ID: KJYXLQ)?

I think this would be good. Having the Order #s the way they are now makes them easy to remember, but much less secure and much more prone to some sort of tinkering. I'd recommend hashing it with a salt... So Order # 10321 = hash(str(10321)+"lolthisistangiblecryptosalt"). This is simple, but it would be ideal to shrink the hash down to no more than 16 characters. 10 would be more ideal. Less opens you to the risk of brute forcing again. This makes it manageable for the customer to keep track of.
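An added example (editor's code, not from the FastCash site or either poster) of the non-sequential Order ID scheme discussed in the post above: the internal sequential order number is run through a keyed hash and truncated to 10 base32 characters, the lookup form resolves a customer-typed ID through a stored table rather than inverting the hash, and a small function puts a number on the brute-force cost the post weighs against ID length. It uses HMAC-SHA256 in place of the plain hash(str(n)+salt) sketch; the server key, the starting order number 10321 and the order details are constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

# Constructed server-side secret for the example; a real deployment would
# load this from configuration or a secrets store, never hard-code it.
SERVER_KEY = b"constructed-demo-key-not-for-production"

ID_LENGTH = 10  # 10 base32 characters = 50 bits of identifier space
BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def order_id_from_number(order_number: int, key: bytes = SERVER_KEY,
                         length: int = ID_LENGTH) -> str:
    """Derive the public Order ID from the internal sequential order number.

    The post sketches hash(str(10321) + salt). This uses HMAC-SHA256 with a
    secret key instead of a plain hash with a static salt: with the plain
    version, anyone who learns or guesses the salt can regenerate every ID in
    the sequence; with HMAC the sequence stays unpredictable unless the key
    itself leaks. Output is base32 so the customer can write it down and type
    it back case-insensitively.
    """
    if order_number < 0:
        raise ValueError("order numbers are non-negative")
    if not 1 <= length <= 52:  # SHA-256 yields 52 base32 characters
        raise ValueError("length out of range")
    digest = hmac.new(key, str(order_number).encode("ascii"), hashlib.sha256).digest()
    encoded = base64.b32encode(digest).decode("ascii").rstrip("=")
    return encoded[:length]


def id_space_bits(length: int = ID_LENGTH) -> int:
    """Bits of identifier space for a truncated base32 ID (5 bits per char)."""
    return 5 * length


def expected_guesses_per_hit(length: int, live_orders: int) -> float:
    """Expected lookup attempts before an attacker hits any one live order.

    This is the brute-force cost the post worries about when shrinking the ID:
    halving the length takes the square root of the work. With sequential
    numbers the same figure is about 1, since every guess in range is valid.
    """
    if live_orders <= 0:
        raise ValueError("need at least one live order")
    return (2 ** id_space_bits(length)) / live_orders


class OrderStore:
    """Minimal in-memory order table keyed by the derived Order ID.

    A truncated HMAC is not reversible, so a lookup form (Option D in the
    quoted post) resolves the ID through this table rather than inverting it.
    """

    def __init__(self, key: bytes = SERVER_KEY, first_number: int = 10321):
        self._key = key
        self._next_number = first_number  # constructed starting sequence value
        self._by_id: Dict[str, Dict] = {}

    def create(self, details: Dict) -> str:
        number = self._next_number
        self._next_number += 1
        oid = order_id_from_number(number, self._key)
        # Truncation makes collisions possible in principle; refuse to silently
        # overwrite one customer's order with another's.
        if oid in self._by_id:
            raise RuntimeError("Order ID collision; increase ID_LENGTH")
        self._by_id[oid] = {"number": number, **details}
        return oid

    def lookup(self, candidate: str) -> Optional[Dict]:
        """Resolve a customer-typed Order ID; tolerant of case and whitespace."""
        normalized = candidate.strip().upper()
        if len(normalized) != ID_LENGTH or any(c not in BASE32_ALPHABET for c in normalized):
            return None
        return self._by_id.get(normalized)


if __name__ == "__main__":
    store = OrderStore()
    oid = store.create({"btc": 349, "payout": "cashiers_check"})
    print("Order #10321 ->", oid)
    print("lookup:", store.lookup(oid.lower()))
    print("guesses per hit at 10 chars, 1000 live orders:",
          expected_guesses_per_hit(10, 1000))
```

At 10 characters the ID space is 2^50, so even with a thousand live orders an attacker needs on the order of 10^12 lookups to land on one; at 16 characters it is 2^80. The lookup form should still be rate-limited, since that cost is what the form's availability exposes.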
J.Socal
July 04, 2012, 07:21:28 AM
So did you find out if an ID and debit or credit card is needed to cash a BOA cashier's check @ BOA? I know an ID is needed, but what about a credit or debit card issued by a bank?
TangibleCryptography (OP)
July 05, 2012, 01:54:16 PM
Quote from: J.Socal
So did you find out if an ID and debit or credit card is needed to cash a BOA cashier's check @ BOA? I know an ID is needed, but what about a credit or debit card issued by a bank?

My local branch manager told me that Bank Of America has never asked for a debit/credit card. For customers without an account, ID is all that is needed, and you can't use the drive-up teller (need to come inside). Customers without an account can't cash checks which have third-party endorsements (i.e. we can't issue a check to John Doe and then John Doe signs it over to you and you attempt to cash it without having an account). Our checks are protected by Positive Pay. All checks we issue are pre-authorized by providing the check number, payee, and amount to Bank Of America. Any check not matching a pre-authorization is denied. If your payout check is lost or stolen in the mail, there is no risk of it being modified and fraudulently cashed.
J.Socal
July 05, 2012, 10:24:56 PM
Ok, tried it to see how it works. Just waiting for that test order to expire, so I can do my real order.
TangibleCryptography (OP)
July 05, 2012, 10:42:18 PM
Quote from: J.Socal
Ok, tried it to see how it works. Just waiting for that test order to expire, so I can do my real order.

You don't need to wait for the test order to expire. Just make another order, or another 10 orders. Each order is completely independent. If you don't fund it, it will expire.
J.Socal
July 05, 2012, 10:49:48 PM
Ok, I'm gonna do the order now, hope it goes smoothly.
J.Socal
July 05, 2012, 11:19:50 PM Last edit: July 06, 2012, 12:55:11 AM by J.Socal
Status says funded, deposit detected, waiting on confirmations.
TangibleCryptography (OP)
July 05, 2012, 11:37:30 PM
Quote from: J.Socal
Ok, coins sent, 349 total. Status says funded, deposit detected, waiting on confirmations. So you think I'll have the check by Sat? I chose xpress, cashier's check.

Answered in PM for privacy reasons.
J.Socal
July 06, 2012, 12:16:52 AM
Coins confirmed.
TangibleCryptography (OP)
July 06, 2012, 07:15:22 PM
Update: Primary Account (ACH, checks, etc) & PayPal reloaded.
runlinux
July 06, 2012, 07:38:57 PM
Why U Coinz no Confirm?!?!?!
Funded but not confirmed.... ungh...
Bitcoin... It is a love / hate relationship. Mostly love.
TangibleCryptography (OP)
July 06, 2012, 07:43:18 PM
Quote from: runlinux
Why U Coinz no Confirm?!?!?!
Funded but not confirmed.... ungh...
Bitcoin... It is a love / hate relationship. Mostly love.

I verified the backend monitor is running correctly. Confirmed status requires 6 confirmations. Tell those miners to stop being lazy and hash more blocks.
TangibleCryptography (OP)
July 07, 2012, 03:15:47 AM Last edit: July 07, 2012, 04:12:33 AM by TangibleCryptography
Update: Effective immediately the minimum on PayPal payouts has been lowered to $20.00. Starting Monday FastCash will be introducing "next day ACH" as a payout option. It is a premium option with a flat fee of $10.00 (we don't see a cent from that). Normal ACH (3-5 business days) will always remain available for no fee. We believe this provides a cost-effective alternative to bank wire when either bank wire is not possible (funding a prepaid credit card) or when there are excessive fees on incoming wires. Sales which settle (6 confirmations) by 7PM EST will be transmitted the same day for delivery the following business day. Note: your local bank policy may introduce delays in making funds available. It is rare, but that is something neither we nor our originating bank have any control over.

The site has been up a little over a week, so here are some stats:
Bitcoins sold: >18,000 BTC
Sales volume: ~2,100 BTC per day
Average order size: 113.71 BTC
Most popular payout method by number of sales: PayPal (38% of payouts).
Most popular payout method by quantity of BTC sold: ACH (4,818.53 BTC - 26% of all BTC sold)
Payout method with largest average order: Cashier's Check (average sale of 371.23 BTC)
Highest price paid: 6.53 USD per BTC
Lowest price paid: 6.13 USD per BTC
Number of orders with problems warranting negative feedback: zero
Number of orders not paid out within 24 hours: zero
fatigue
Full Member
Offline
Activity: 196
Merit: 100
Bitcoin is a food group.
July 07, 2012, 04:00:03 AM
Wow. Impressive.
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
July 07, 2012, 04:41:44 AM
Quote from: TangibleCryptography
Most popular payout method by number of sales: PayPal (38% of payouts).

I wonder if that is because the supply of Dwolla funds wasn't always sufficient?
J.Socal
July 07, 2012, 06:06:17 AM
Well, so far so good, got the USPS confirmation info via the FC4BTC site, looks like I'll get it Sat. or Monday.
xioustic
Member
Offline
Activity: 72
Merit: 10
The Village Idiot
July 07, 2012, 06:07:26 AM
Quote from: TangibleCryptography
The site has been up a little over a week, so here are some stats:
Bitcoins sold: >18,000 BTC
Sales volume: ~2,100 BTC per day
Average order size: 113.71 BTC
Most popular payout method by number of sales: PayPal (38% of payouts).
Most popular payout method by quantity of BTC sold: ACH (4,818.53 BTC - 26% of all BTC sold)
Payout method with largest average order: Cashier's Check (average sale of 371.23 BTC)
Highest price paid: 6.53 USD per BTC
Lowest price paid: 6.13 USD per BTC
Number of orders with problems warranting negative feedback: zero
Number of orders not paid out within 24 hours: zero

Grats on this, man! Definitely a fan of this service from what I've seen. Btw, I e-mailed you earlier in the week about it; my test ACH transfer to a new (online-only) Ally Bank checking account cleared today. By my count, from sending the BTC to receiving it in my account that's 6 days, 20.5 hours. But given that it was started on a Friday, we can count 3 of those days as non-banking days (Saturday, Sunday, and July 4th don't count), which makes it a little under 4 days. Not too shabby for ACH!
RandomQ
July 07, 2012, 03:55:26 PM
Do you have a policy in place if PayPal decides to freeze your account or put a hold on payouts that you have made?
TangibleCryptography (OP)
July 07, 2012, 07:29:02 PM
Quote from: RandomQ
Do you have a policy in place if PayPal decides to freeze your account or put a hold on payouts that you have made?

While that is unlikely, Tangible Cryptography has sufficient cash reserves outside of PayPal that we will pay out affected users via an alternate method. We limit the capital in our PayPal account to a rolling reserve of roughly 3 days of sales volume. Users will need to refund the PayPal payment back, and will then be paid the funds owed for the sale by any available method.