Congrats to your project.
I see a few problems and would be interested how you want to solve those:
- How do you prevent fake accounts (wrong bank accounts nr). I could create an account, buy BTC and the seller lose time and need to start a dispute. I cannot steal money but I can create damage to the company and the sellers. I know thats not a high risk yet but need to be considered if you get more successful (competitors attack).
- If the seller use a stolen bank account or do a chargeback after a few days the BTC are paid out and the FIAT gets reversed. How do you deal with that? Blocking that user does not bring the Fiat back.
- How do you prevent against spam orders?
- How do you prove a bank transfer took place? A scammer could setup a proxy and show you a bank session with manipulated data.
- You use reputation which is might help but has its weaknesses - sybil attacks and long-con (
https://en.wikipedia.org/wiki/The_Long_Con). So someone can become a gold member but then make a big scam (Bank chargeback). If the user comes from countries with a weak legal environment, the bank account data will not help much to fight against the scammer.
- Many of the above problems are related to the fact that anyone can create fake accounts without costs (consider VPN and other tricks so normal IP checks and the like will not help against real scammers). How do you prevent sock puppet accounts?
- If the BTC price change a lot in the timeframe of the trade, the seller is motivated to not fulfill the trade (if loss in the panetly is lower then loss in volatility). LocalBitcoin suffers a lot from those "Future trade" scams. How do you protect against that?
- The privacy of the traders are leaked to your company as with the Bank account you know their real life ID. What if you get an order from law encorfement to hand out all the user data?
- I did not see any information about the people behind the exchange. It seems you are a company but its missing any information about the legal entity.
- How do you estimate the risk to be considered as exchange which needs permission from regulation authority and to fulfill the KYC/AML requirements? Do you know the story of Bitcoin24.de which was operating completely without any legal base and then got tons of problems (though they held the money and BTC)? I wish you that you don't run into some similar problems. As long you are not well known nobody cares, but as soon you get success you get on their radar.
- How do you collect the penaly money in case of a dispute if the user refuse to pay that? If you take it from the deposit payment, that money will be missing to pay back to the honest trader, so the honest trader would get back less.
Sorry if the above sounds too critical but those are the questions I needed to answer myself for my project (Bitsquare.io) and I did not find easy solutions (and satisfying answers to all), though I would love to.
Very nice questions. I asked myself and them some of these too.
- I think they consider SEPA irreversible, and I thought that too, but I've found they aren't
http://www.reddit.com/r/Bitcoin/comments/1hosog/psa_sepa_transfers_can_be_charged_back_quite/.
- What they offer is a web for easily operate with multisignatures, a bid/ask market and a escrow service. They need to prove that they can do the escrow part right. I don't know if they have a proxy-scam detection, but if they had I don't think they would share it because hackers could take advantage of it. I've been thinking that maybe this web will be just the draft copy of another one where you can choose who will be offering the escrow service.
- In some way, it's user's responsibility to protect against SPAM. They can choose the level of users they're trading with. And at first levels you can't do more than one transaction at time.
- All anonymous internet services are needing sock puppet's protection.
- The people running the exchange are still anonymous (or they think they are)
. They're anonymous because they know what they offer it's something banks don't like and neither the government. This solves so much about leaking information or KYC/AML requirements. And they don't hold any user's money so, as mycellium's new payment system, it would be hard or impossible for the authorities to legally justify these requirements. And multisignatures protects users about trusting someone they don't know, and you only have to deposit bitcoins into multisig addressess once you have a trade accepted, so you'll only loose this trade's money in case the web collapses.
- There's no penalty money, if you do something wrong you just loose reputation. They only get comissions, and in beta period it's 0%.
In response to k99
MultiSigna has created a wide protocol to deal with the problems you mention. In fact, the development of this protocol is by far what most time has led in the development of MultiSigna. Covers all casuistry (we hope!) but is impossible to reproduce here.
Mantas aptly describes some of our features (thanks a lot!)
Just a little clarification, there are two penalties if a user is considered guilty.
- An expenses note is generated and the user can not trade in the MultiSigna market until it has been paid. However, what is really sought is not the collection of the expenses note, it is to disable the conflictive users as soon as possible.
- The user is penalized with a negative point and that has different consequences depending on the number of negative points that the user reaches.
But if there is a conflict there is always the risk that MultiSigna, the Bank, Paypal, VISA or, at the end, a judge not decide in your favor even if you are absolutely right. Perfection does not exist in the world of duality. Or zero risk, either.
You will not find the absolute security in MultiSigna, nor anywhere else. Whenever there is the human factor, there is a possibility of error or corruption. The question is to minimize it.
Some try it by regulators, corruptible by definition, where the small always lose and the big commit their crimes with impunity and even protected by law.
Others by security measures, that sooner or later fail. When not are themselves who make them fail!
We do it by providing all the transparency that we can in to the process and dividing the risk among so many multisignature addresses as pairs of buyer/seller are generated in our market.
In MultiSigna you can monitor the status of the order from your user account from the begining to the end, and control the inputs and outputs before signing any bitcoin transaction.
The bitcoins are deposited in a multisignature address at the time the buy/sale order is accepted and not before. That means that in a normal transaction, they are there just 24 hours.
In cases like Bitstamp or Bter it is not even possible to determine whether millionaire thefts were perpetrated from inside or outside the exchange itself! Nor that it can not happen again!
And here they are, with thousands of users trading as if nothing had happened!
No one wonders that when Bitstamp facilitates you a bitcoin address for you to transfer your bitcoins they do not send you an email with the address, they just show it to you on the website?
No one thinks that:
- It is an address that only they control?
- In case they deny it, nobody will prove that that direction where you transferred your bitcoin is theirs?
- In case of bankrupcy or theft, you can loose your bitcoins and your fiat?
As for the problems inherent to fiat transfers, they are not our responsibility, nor can we do anything. The reversal of payments in SEPA transfers while possible, is not something neither usual nor easy. On the other hand It is common to all forms of payment other than cash payment. But, as mentioned, perfection does not exist and the payment in cash has many other risks, in addition to being much more uncomfortable.
In response MedUSA
Obviously, if you're not willing to provide a bank account number (not necessarily yours...), it is impossible that you can trade in MultiSigna. Although everything has a solution and, at times, is very simple. It is as easy as opening a specific account for trading in MultiSigna by keeping the bulk of your savings in another bank account.
...account from what Christine Lagarde says she wants 10% or more... and that is available whenever they want, for all government agencies that rob us with one excuse or another
