As most of you know, I operated CoinPal before it was closed in April 2011. I had planned to reopen it, but plans have changed. I still own, follow and advocate Bitcoin. Nothing has changed there. About once a month, I receive an email asking "How did you avoid scammers on CoinPal?" I decided to post about it so the entire community can benefit (and give myself a URL to point to).

Background
CoinPal allowed one to purchase Bitcoins with PayPal funds. PayPal payments can be reversed easily but Bitcoin payments are permanent. This asymmetry made CoinPal a constant target for PayPal fraud. After I experienced my first wave of fraud, from which I learned many lessons, CoinPal lost less than 0.9% of revenue to fraud losses.
Fraudulent buyers exhibit certain characteristics that distinguish them from legitimate customers. Some of these characteristics could be easily abandoned if the scammers recognized them. They appear not to. This kind of obscurity makes poor security. Nevertheless, recognizing these kinds of easily abandoned practices saved CoinPal lots of money. I won't describe any of these patterns since the scammers will simply abandon them once they're published. Instead, I'll describe characteristics which scammers are unable to change. These ought to remain relatively helpful over time.

Stolen accounts as currency
The most important realization is that stolen PayPal accounts or credit card numbers are a digital currency (although a poor one). If I write a virus or phishing attack, my wages are denominated in the currency of stolen accounts. Alternatively, I can exchange fiat currency for stolen account currency, by trading on various black market forums.
As a digital currency, stolen PayPal accounts are subject to double spending attacks. For example, the legitimate owner may change his account password thus spending stolen funds back to himself. Or a vendor selling PayPal credentials can sell the same credentials to multiple buyers. Without a blockchain to rescue them, those holding this digital currency must spend it quickly before someone beats them to it.
Scammers are in a nasty hurry and can't do anything about it. I saw this over and over again at CoinPal. I see it at other online retailers too. This is why CoinPal and VirWox have tiered purchase limits based on an account's age.

Conclusion: scammers have an unusually high discount rate. At that discount rate, the present value of a payment 7 days in the future is less than the scammer's cost of acquiring stolen credentials.

Measure Everything
Collect data on everything you can possibly measure. Record it in your database associated with each order. When fraud happens, compare all the data you have against known legitimate orders. Scammers operate under different conditions than legitimate buyers and it inevitably shines through. When they try to hide it, the attempt produces other telltale signs.
In the short time that CoinPal operated, I collected a couple hundred metrics about each order placed on the site. Perhaps a dozen of those metrics proved useless. The rest were valuable and I incorporated them into automated fraud screening. Unfortunately, these patterns are the easily abandoned ones I mentioned above, so I won't give specifics.

Conclusion: If you can measure something about your customers, do it. Spend plenty of time analyzing what you measured.

Legitimate Customers
You can't stop all fraud. Some will get through your defenses. Currency exchange profit margins are too narrow to absorb much of it, so you need a healthy legitimate customer base across whom you can distribute those costs. As chargebacks come in, it's tempting to focus entirely on eliminating fraud. Unfortunately, that focus inconveniences legitimate customers so much that they go elsewhere.
Early in CoinPal's history, I manually contacted every customer that wanted to purchase coins. I bought a bunch of long distance calling credit and spent hours on the phone asking customers questions about the name of their nearest grocery store or which direction Lake Something was from their house. I never had a chargeback from these orders, but they hated it and I hated it. I lost many legitimate customers as soon as I emailed them asking if I could call them on the phone. I know they were legitimate because many of them bought coins after I eliminated this process and they never charged me back.

Conclusion: a healthy customer base is as important as fraud detection. Profit from serving them will sustain you through the scammer attacks.

Fees Select Customers
This should be obvious, but it's repeatedly violated by new Bitcoin exchanges. A legitimate customer is spending his own hard-earned money, so he cares about fees. A scammer is spending someone else's money, so he doesn't. Increasing fees scares away profitable customers, leaving you with only scammers.
A small price elasticity of demand and a high discount rate combine to explain a common fraud symptom in retail. Fraudulent customers are far more likely to pay extra for overnight shipping. They don't care about the money and need the goods quickly before their scam is detected.

Conclusion: High fees favor fraud. Although scammers could avoid this characteristic by frugally spending their stolen funds, frugality demands patience which they can't afford.

Repeat Business
CoinPal averaged 1.6 orders per legitimate customer. Many of those customers first purchased from me shortly before the site closed and never had a chance to return, so that figure is artificially low. Many legitimate customers placed the maximum allowed order every single week until the site closed.
Scammers, however, manifest as one time buyers. After the first purchase, their stolen funds are spent and they must switch identities. This distinction means you can safely lower your defenses for repeat purchases. As best I can find/remember, CoinPal never had a chargeback from a repeat customer.
This dichotomy gives vendors another means to distinguish between good and bad buyers. For a legitimate buyer, one-time fees will be amortized over the life of his business. A scammer must recoup the entire fee on his first purchase. If the fee exceeds his profit, he'll quit.
Late in CoinPal's life, I instituted automated phone verification for first time buyers. These buyers paid an extra $0.50 to cover the cost of the service. For legitimate customers that's $0.50 amortized over several future orders. For scammers, it's $0.50 plus the cost and inconvenience of acquiring a working phone number per order.

Conclusion: One-time fees favor legitimate buyers.
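The account-age purchase tiers from the "Stolen accounts as currency" section and the repeat-buyer and first-order fee logic from this section, combined into one screening rule, as an added Python example that is not CoinPal's code. The tier amounts, the repeat-customer multiplier and the settlement window are assumptions; only the $0.50 first-order verification fee comes from the post.

```python
from dataclasses import dataclass, field
from datetime import date

# Account-age tiers as (minimum age in days, maximum USD per order). Constructed for
# this example; the post gives no actual CoinPal or VirWox figures.
AGE_TIERS = [(0, 50.0), (7, 150.0), (30, 500.0)]
REPEAT_MULTIPLIER = 2.0   # assumed relaxation for buyers with a clean settled history
VERIFICATION_FEE = 0.50   # the post's one-time phone-verification fee for first orders
SETTLEMENT_DAYS = 45      # assumed window after which a PayPal payment is treated as final


@dataclass
class Order:
    placed: date
    amount: float
    charged_back: bool = False


@dataclass
class Customer:
    created: date
    orders: list = field(default_factory=list)


def age_tier_limit(customer, today):
    """Limit from account age alone: a brand-new account gets the smallest tier."""
    age_days = max(0, (today - customer.created).days)
    return max(limit for min_age, limit in AGE_TIERS if age_days >= min_age)


def settled_clean_orders(customer, today):
    """Orders old enough to be considered final and never charged back."""
    return [o for o in customer.orders
            if not o.charged_back and (today - o.placed).days >= SETTLEMENT_DAYS]


def screen_order(customer, amount, today):
    """Return (decision, limit, fee) for a proposed order.
    Any chargeback rejects the account; otherwise the cap comes from the age tier,
    is relaxed for repeat customers whose payments have settled, and the
    verification fee applies only to a customer's first order."""
    if any(o.charged_back for o in customer.orders):
        return ("reject", 0.0, 0.0)
    limit = age_tier_limit(customer, today)
    if settled_clean_orders(customer, today):
        limit *= REPEAT_MULTIPLIER
    fee = VERIFICATION_FEE if not customer.orders else 0.0
    decision = "accept" if amount <= limit else "over_limit"
    return (decision, limit, fee)
```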