Bitcoin Forum
Author Topic: FastCash4Bitcoins Support Thread  (Read 94575 times)
casascius
Mike Caldwell
November 18, 2012, 06:29:13 PM
Last edit: November 18, 2012, 06:48:27 PM by casascius
 #501

DeathAndTaxes,

Would you be willing to put up a banner on your site that says "WE ACCEPT" and then pictures of different physical bitcoins?  (Not just Casascius Coins, but pictures of the Bitcoin Banknote etc.)

The main reason has little to do with you actually accepting them, and more to do with the promoting of Bitcoin.  It allows me (or someone like me) while evangelizing Bitcoin to pull out a smartphone and say "Hey look, converting these things back to dollars in your bank account is fast and easy".

If you do this, or at least represent that you'd be friendly to being contacted by people holding physical bitcoins but knowing nothing about computers, PGP, or BTC, I'd be happy to update my "backside artwork" I distribute for bill printing to also say: "convert bitcoins to dollars: fastcash4bitcoins.com"



Also I am wondering what you'd do if someone contacted you and said "I have one of them here yellow bitcoin slips and want cash"... I presume you'd say "read me the number and we'll tell you what we'll pay you for it"?  Or in other words, what is the minimum level of sophistication you require of clients (e.g. client must send PGP-encrypted request to get service?)

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
TangibleCryptography (OP)
November 18, 2012, 09:30:01 PM
Last edit: November 19, 2012, 02:53:49 PM by TangibleCryptography
 #502

> DeathAndTaxes,
>
> Would you be willing to put up a banner on your site that says "WE ACCEPT" and then pictures of different physical bitcoins?  (Not just Casascius Coins, but pictures of the Bitcoin Banknote etc.)
>
> The main reason has little to do with you actually accepting them, and more to do with the promoting of Bitcoin.  It allows me (or someone like me) while evangelizing Bitcoin to pull out a smartphone and say "Hey look, converting these things back to dollars in your bank account is fast and easy".
>
> If you do this, or at least represent that you'd be friendly to being contacted by people holding physical bitcoins but knowing nothing about computers, PGP, or BTC, I'd be happy to update my "backside artwork" I distribute for bill printing to also say: "convert bitcoins to dollars: fastcash4bitcoins.com"
>
> Also I am wondering what you'd do if someone contacted you and said "I have one of them here yellow bitcoin slips and want cash"... I presume you'd say "read me the number and we'll tell you what we'll pay you for it"?  Or in other words, what is the minimum level of sophistication you require of clients (e.g. client must send PGP-encrypted request to get service?)

Yeah that is something we can do, and something I have already been thinking about (private keys in general).  Currently we only accept orders via a blockchain transaction however we could add an option in the payment screen for copy & pasting a private key (or minikey).   Pretty simple to configure the site to import the private key and then perform an internal transaction and report the balance (and confirmations).

I assume having the ability for the client to provide a mini private key on the webform would be sufficient to handle most use cases (other than a "traditional" blockchain transfer).
Stephen Gornick
November 18, 2012, 10:46:29 PM
 #503

> Yeah that is something we can do.

If you are considering requests ... now that the site uses accounts the "Forgot Password" recovery tool would be useful.
 - https://fastcash4bitcoins.com/forgot.aspx

TangibleCryptography (OP)
November 19, 2012, 01:51:31 PM
 #504

> > Yeah that is something we can do.
>
> If you are considering requests ... now that the site uses accounts the "Forgot Password" recovery tool would be useful.
>  - https://fastcash4bitcoins.com/forgot.aspx

Update:
* Forgot password email enabled.
* Update password page added to account menu.
TangibleCryptography (OP)
November 19, 2012, 02:58:12 PM
 #505

> > DeathAndTaxes,
> >
> > Would you be willing to put up a banner on your site that says "WE ACCEPT" and then pictures of different physical bitcoins?  (Not just Casascius Coins, but pictures of the Bitcoin Banknote etc.)
> >
> > The main reason has little to do with you actually accepting them, and more to do with the promoting of Bitcoin.  It allows me (or someone like me) while evangelizing Bitcoin to pull out a smartphone and say "Hey look, converting these things back to dollars in your bank account is fast and easy".
> >
> > If you do this, or at least represent that you'd be friendly to being contacted by people holding physical bitcoins but knowing nothing about computers, PGP, or BTC, I'd be happy to update my "backside artwork" I distribute for bill printing to also say: "convert bitcoins to dollars: fastcash4bitcoins.com"
> >
> > Also I am wondering what you'd do if someone contacted you and said "I have one of them here yellow bitcoin slips and want cash"... I presume you'd say "read me the number and we'll tell you what we'll pay you for it"?  Or in other words, what is the minimum level of sophistication you require of clients (e.g. client must send PGP-encrypted request to get service?)
>
> Yeah that is something we can do, and something I have already been thinking about (private keys in general).  Currently we only accept orders via a blockchain transaction however we could add an option in the payment screen for copy & pasting a private key (or minikey).   Pretty simple to configure the site to import the private key and then perform an internal transaction and report the balance (and confirmations).
>
> I assume having the ability for the client to provide a mini private key on the webform would be sufficient to handle most use cases (other than a "traditional" blockchain transfer).

So I was thinking on my commute this morning about how to implement this securely.  We currently use 100% cold wallets but when importing a private key it must then be spent to another address to provide double spend protection.   That requires the use of a hot wallet.  My first thought is to put a hot wallet on the site which will never keep a balance.  Instead it would receive a private key, import it, look up the value, and then create a tx sending it to the deposit address for the order in question.

The attack profile would be very small.  I imagine most users won't use private keys so it would be a subset of our total volume.  If the server is compromised the attacker would be limited to diverting private keys until the attack is detected. 

Any alternatives?  Thoughts? ideas?
casascius
November 19, 2012, 03:40:32 PM
 #506


> So I was thinking on my commute this morning about how to implement this securely.  We currently use 100% cold wallets but when importing a private key it must then be spent to another address to provide double spend protection.   That requires the use of a hot wallet.  My first thought is to put a hot wallet on the site which will never keep a balance.  Instead it would receive a private key, import it, look up the value, and then create a tx sending it to the deposit address for the order in question.
>
> The attack profile would be very small.  I imagine most users won't use private keys so it would be a subset of our total volume.  If the server is compromised the attacker would be limited to diverting private keys until the attack is detected.
>
> Any alternatives?  Thoughts? ideas?

The easiest way to do this in small quantity is to just do it manually through BlockChain.info.  Simply send a transaction to an address you control and then pretend that you received the coins externally.

Despite not liking to use third party wallet services, BlockChain.info is well situated to importing a private key and sending the funds onward for a few reasons.  First, importing keys is instant - you can literally spend the funds the second you import them.  Second, the transaction that is emitted is the actual transaction of sending the private key's funds directly to the destination address - there is no commingling of funds with their own, no waiting for confirmations, and typically no transaction fees.  (The outgoing transaction gets fee credit for all the confirmations that accumulated while the funds sat idle on the paper wallet, which in most cases is enough for a no-fee transaction with decent priority).  Finally, I have little problem with using a third party wallet service just for the purpose of getting my funds in and out within a single minute - it's leaving the funds there that I'm less upbeat about.

To me, the biggest foreseeable risk is that the customer has malware and ends up getting their own funds stolen by a keylogger while entering the private key on a FastCash4Bitcoins web form, and blames FastCash4Bitcoins for being culpable in some way in getting the funds stolen.  Of course, this risk exists even if they're sending the funds from their computer the normal way, the only difference being that if it gets stolen at this point, it's at least more provable (to the perspective of the customer) that you weren't at fault.  An alternative would be to take the private key over the phone, but this could get cumbersome and uninteresting especially for low dollar transactions.

Any time I pass private keys or MtGox codes between myself and others, I generally ask for half the code in an e-mail (in your case, webform) and the other half in a text message to my cell phone.  That way, someone would have to have control over both channels to be able to swipe the funds out from under me.  All that matters is that you can redeem it faster than any attacker.  By systematically discouraging complete private keys to be sent to your server, you remove an incentive for hackers to try to hack you in the first place.

DeathAndTaxes
November 19, 2012, 03:53:23 PM
 #507

Yeah I didn't think of the deniability aspect.  Those are good points.  I will look into blockchain.info.  If they have API support for importing a private key that might work.  I guess I could also import the private key directly to MtGox.  Just need to check how the confirmations can be tracked. 

If it proves popular security could be enhanced by using automated SMS to collect half of the private key.  Webform asks for the first x digits of the private key and then displays something like "Text the second half of the private key to 11011".  SMS gateway service could relay that to the backend server which combines the key.

Anyways just to be honest up front this isn't a priority right now but it is an interesting idea and will help to improve liquidity so it is something we will implement when time is available.
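
Added example, not part of the thread or of FastCash4Bitcoins' code: the backend step described in the two posts above, joining the web-form half and the SMS half of a minikey and checking it before any redemption is attempted. It uses the published Casascius minikey typo check (SHA256 of the key plus "?" must begin with a zero byte); the class name, channel labels, 10-minute expiry and the generated sample key are assumptions made for illustration.

```python
import hashlib
import time

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VALID_LENGTHS = (22, 30)   # minikey lengths used on physical coins


def minikey_is_valid(key: str) -> bool:
    """Minikey typo check: SHA256(key + '?') must start with byte 0x00."""
    if len(key) not in VALID_LENGTHS or key[0] != "S":
        return False
    if any(c not in B58 for c in key):
        return False
    return hashlib.sha256((key + "?").encode("ascii")).digest()[0] == 0


def minikey_to_privkey(key: str) -> bytes:
    """The 32-byte private key is SHA256 of the minikey string itself."""
    if not minikey_is_valid(key):
        raise ValueError("not a valid minikey")
    return hashlib.sha256(key.encode("ascii")).digest()


def make_sample_minikey(seed: str = "constructed-sample") -> str:
    """Build a throwaway, well-formed 30-char minikey (constructed, unfunded)."""
    n = 0
    while True:
        digest = hashlib.sha256(f"{seed}:{n}".encode()).digest()
        cand = "S" + "".join(B58[b % 58] for b in digest[:29])
        if minikey_is_valid(cand):
            return cand
        n += 1


class SplitKeyIntake:
    """Holds one half per order until the other channel delivers its half."""

    def __init__(self, ttl_seconds: int = 600):
        self.ttl = ttl_seconds
        self.pending = {}   # order_id -> {"t": first_seen, "web": ..., "sms": ...}

    def submit(self, order_id: str, channel: str, half: str, now: float = None):
        """Return the 32-byte private key once both halves are in, else None."""
        if channel not in ("web", "sms"):
            raise ValueError("unknown channel")
        now = time.time() if now is None else now
        entry = self.pending.get(order_id)
        if entry is None or now - entry["t"] > self.ttl:
            entry = {"t": now}              # a stale half is discarded
            self.pending[order_id] = entry
        entry[channel] = half.strip()
        if "web" not in entry or "sms" not in entry:
            return None
        del self.pending[order_id]          # never keep a whole key at rest
        # Raises ValueError on a mistyped or mismatched pair, so a bad key
        # is rejected before any transaction is built.
        return minikey_to_privkey(entry["web"] + entry["sms"])
```

Until the second half arrives, the server holds only half of a key, which is the property the split-channel idea is after; the window in which a complete key exists is the time it takes to sweep it.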
Phox
November 19, 2012, 04:38:33 PM
 #508

Everything is all good.
I'll continue to promote this service. I'm a very loyal customer.
Stephen Gornick
November 19, 2012, 07:02:31 PM
 #509

> If they have API support for importing a private key that might work.

You don't need to import a private key, you simply use Blockchain.info's API to redeem the private key on behalf of your customer.  Here's the API:

I have been meaning to add this ability to the blockchain.info API for a while. You can now replace the guid in the send api (https://blockchain.info/api/api_send) with a Hex encoded private key.

https://blockchain.info/merchant/4d6c9dff493fcd2da9508e01c8b13461d37e3d8b6df1732942d3257874051362/payment?to=$address&amount=$amount

$address = destination bitcoin address.
$amount = amount to send in satoshi.

You would probably want to verify the amount of funds available to that address as if the amount is lower than the amount available, the change gets sent right back to the address it came from.

This could also be done with the Raw Transactions capability of the Bitcoin.org client v0.7 and higher, and thus eliminate any concern over sending a customer's private key to a third party service.

So you never need to import the private key, you simply spend it to the address generated for a specific transaction and that takes the place of the customer having to redeem the funds themselves first.

TangibleCryptography (OP)
November 19, 2012, 07:05:48 PM
 #510

> > If they have API support for importing a private key that might work.
>
> You don't need to import a private key, you simply use Blockchain.info's API to redeem the private key on behalf of your customer.  Here's the API:
>
> I have been meaning to add this ability to the blockchain.info API for a while. You can now replace the guid in the send api (https://blockchain.info/api/api_send) with a Hex encoded private key.
>
> https://blockchain.info/merchant/4d6c9dff493fcd2da9508e01c8b13461d37e3d8b6df1732942d3257874051362/payment?to=$address&amount=$amount
>
> $address = destination bitcoin address.
> $amount = amount to send in satoshi.
>
> You would probably want to verify the amount of funds available to that address as if the amount is lower than the amount available, the change gets sent right back to the address it came from.
>
> This could also be done with the Raw Transactions capability of the Bitcoin.org client v0.7 and higher.
>
> So you never need to import the private key, you simply spend it to the address generated for a specific transaction and that takes the place of the customer having to redeem the funds themselves first.


Smart.  Good use of the raw transaction API call.
casascius
November 19, 2012, 08:06:39 PM
 #511

> This could also be done with the Raw Transactions capability of the Bitcoin.org client v0.7 and higher, and thus eliminate any concern over sending a customer's private key to a third party service.

The only thing that's missing is a lack of ability for bitcoind to find which txids belong to a specific private key.  There is no index on that, so the only way for this to work is for it to scan the whole block chain looking for such transactions.  Pieter Wuille has mentioned allowing such an index to be optionally created, but I think that mention was more recent than 0.7.

If that index existed, then the Sweepprivkey proposal I made over a year ago would be a slam dunk.  I'm hoping the index becomes an option sometime soon, because the power to pay with private keys anywhere would open up new avenues for business I don't think have been considered.

On the other hand, Blockchain.info presumably maintains that index (given that they can scrape all coins off a private key instantly).


TangibleCryptography (OP)
November 19, 2012, 09:04:44 PM
Last edit: November 19, 2012, 11:16:15 PM by TangibleCryptography
 #512

Update:  Banking system outage

There is a nationwide issue affecting the Bank Of America "Direct Pay" system.  We can create bank transfers but are unable to create new payee profiles.  This prevents us from sending bank transfers to first time clients.  We have been in contact with Bank support and they are working on a resolution but haven't provided an ETA.

So it may be easier to say who isn't affected:
Orders which have a status PAID are not affected.
Orders involving anything other than Bank Transfers (ACH or Bank Wire) are not affected.
Orders involving a bank account that was previously used to receive a payment from Tangible Cryptography are not affected.

The outage is limited to only first time payments involving ACH or Bank Wire only.

Our cutoff for same day processing is 4PM EST which has just passed however the hard cutoff imposed by the banking system is 5PM EST for same day bank wires and 8PM EST for ACH transactions.  We will attempt to process payments right up to both cutoffs.  In the event we are unable to process transactions today we will absorb the cost and waive the processing fees for affected orders made prior to 4PM EST.

This thread will be updated once full banking support has been restored.  

Update 17:51 EST:
Bank Transfers (ACH & Bank Wire) for first time clients are still down. Some days I really hate the banks!
BkkCoins
November 20, 2012, 12:18:05 AM
 #513

> Smart.  Good use of the raw transaction API call.

I believe you can also send a single transaction using a key with Electrum with cmd line options. The code for this is quite readable, in Python, and potentially could be grafted into an online processing backend. I guess it's somewhat the same as you still use a third party server except there are several Electrum servers available.

casascius
November 20, 2012, 12:34:28 AM
 #514

If a third party could provide the index lookup to give the unspent txid's from a bitcoin address, then the transaction could be composed locally.

Stephen Gornick
November 20, 2012, 02:15:44 AM
 #515

> If a third party could provide the index lookup to give the unspent txid's from a bitcoin address, then the transaction could be composed locally.

Like this?
 - http://blockchain.info/unspent?address=&address

 - http://blockchain.info/unspent?address=1BTCorgHwCg6u2YSAWKgS17qUad6kHmtQW



casascius
November 20, 2012, 02:51:28 AM
 #516

Yep exactly that. Sweet.

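
Added example, not part of the thread: composing the sweep locally from an unspent-output lookup, as the posts above suggest, while handling the caveat raised earlier that a partial spend sends change back to the address the key came from. The function spends every output in a single no-change transaction and refuses outputs that are not yet confirmed. The input shape (`txid`, `vout`, `value`, `confirmations`), the function name and the sample data are assumptions for illustration and are not any lookup service's actual response format.

```python
from decimal import Decimal

SATOSHI_PER_BTC = Decimal(100_000_000)

# Constructed sample lookup result (made-up txids, values in satoshi).
CONSTRUCTED_UNSPENT = [
    {"txid": "aa" * 32, "vout": 0, "value": 150_000_000, "confirmations": 6},
    {"txid": "bb" * 32, "vout": 1, "value": 50_000_000, "confirmations": 3},
]


class SweepError(Exception):
    """Raised when a redeemed key cannot be swept safely."""


def plan_sweep(unspent, deposit_address, fee_satoshi=0, min_conf=1):
    """Plan one transaction that moves every output of a redeemed key.

    Returns (inputs, outputs, credited_satoshi); inputs and outputs have the
    shape of the two arguments of bitcoind's createrawtransaction call.
    """
    if not unspent:
        raise SweepError("no unspent outputs for this key")
    seen, inputs, total = set(), [], 0
    for out in unspent:
        txid, vout, value = out["txid"], out["vout"], out["value"]
        try:
            ok_txid = len(bytes.fromhex(txid)) == 32
        except (ValueError, TypeError):
            ok_txid = False
        if not ok_txid or not isinstance(vout, int) or vout < 0:
            raise SweepError("malformed output reference")
        if not isinstance(value, int) or value <= 0:
            raise SweepError("output value must be positive satoshi")
        if (txid, vout) in seen:
            raise SweepError("lookup returned the same output twice")
        if out["confirmations"] < min_conf:
            # Crediting an order against funds that can still be reversed
            # defeats the double-spend protection the sweep is meant to give.
            raise SweepError("output below required confirmations")
        seen.add((txid, vout))
        inputs.append({"txid": txid, "vout": vout})
        total += value
    credited = total - fee_satoshi
    if fee_satoshi < 0 or credited <= 0:
        raise SweepError("fee leaves nothing to credit")
    # One output for total minus fee: no change output exists, so nothing
    # returns to the address whose private key the customer disclosed.
    outputs = {deposit_address: Decimal(credited) / SATOSHI_PER_BTC}
    return inputs, outputs, credited
```

With the transaction planned this way, the customer's key is needed only for the local signing step and never appears in a URL or a request to a third party.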
TangibleCryptography (OP)
November 20, 2012, 04:42:34 PM
 #517

Update:  Partial Banking System Outage

The issue with Bank Of America's "Direct Pay" system.  We can create bank transfers but are unable to create profiles for new clients.   All affected orders from yesterday have had their processing fees waived.   Bank Of America Small Business services is working on a resolution but is unable to provide an ETA.

If you have previously received an ACH or Bank Wire from Tangible Cryptography we can send you payment without delay (as long as you are using the exact same account & routing number you used previously).  This includes payments issued from our older website.

The outage doesn't affect any of our other payment options including PayPal, Dwolla, and Checks.

Tangible Cryptography would like to apologize for this ongoing delay and while it is beyond our ability to control it does highlight the vulnerability of relying on a single service provider.  We will be seeking Treasury Management services from our other banking partners to provide redundancy in our payment methods.
TangibleCryptography (OP)
November 21, 2012, 04:54:25 PM
 #518

Update:  Partial Banking System Outage

Woke up this morning to never ending incompetence by Bank Of America.  Their outage in the Direct Pay system continues.  I can't fathom how you can have a mission critical application (partially) offline for over two days.  No ETA has been given.  As stated before the issue only affects the creation of new Payee profiles.  If we have previously paid you by Wire or ACH (even on the "old site") we already have a payee profile and we can payout future orders without delay.  If you have never received a Wire or ACH from us we are unable to enter you into the ACH/Wire system (and thus send you a payment) until Bank Of America resolves their issue.

The outage does not affect any of our other payment options.
TangibleCryptography (OP)
November 21, 2012, 05:11:01 PM
 #519

Friendly Holiday Reminder.



Thanksgiving Day 11/22 is a federal holiday, postal holiday, and banking holiday.
Be sure to add one day to the expected arrival time for any mail shipment or bank transfers you may have en route.
TangibleCryptography (OP)
November 21, 2012, 05:28:17 PM
 #520

FastCash4Bitcoins has too much Dwolla so we are offering a bonus.