Bitcoin Forum
November 08, 2024, 12:41:58 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: How CoinPal avoided PayPal fraud  (Read 16525 times)
mndrix (OP)
Michael Hendricks
VIP
Sr. Member
*
Offline Offline

Activity: 447
Merit: 258


View Profile
July 17, 2012, 06:59:31 PM
Merited by LoyceV (5)
 #1

As most of you know, I operated CoinPal before it was closed in April 2011.  I had planned to reopen it, but plans have changed.  I still own, follow and advocate Bitcoin.  Nothing has changed there.  About once a month, I receive an email asking "How did you avoid scammers on CoinPal?"  I decided to post about it so the entire community can benefit (and give myself a URL to point to).

Background

CoinPal allowed one to purchase Bitcoins with PayPal funds.  PayPal payments can be reversed easily but Bitcoin payments are permanent.  This asymmetry made CoinPal a constant target for PayPal fraud.  After I experienced my first wave of fraud, from which I learned many lessons, CoinPal lost less than 0.9% of revenue to fraud losses.

Fraudulent buyers exhibit certain characteristics that distinguish them from legitimate customers.  Some of these characteristics could be easily abandoned if the scammers recognized them.  They appear not to.  This kind of obscurity makes poor security.  Nevertheless, recognizing these kinds of easily abandoned practices saved CoinPal lots of money.  I won't describe any of these patterns since the scammers will simply abandon them once they're published.  Instead, I'll describe characteristics which scammers are unable to change.  These ought to remain relatively helpful over time.

Stolen accounts as currency

The most important realization is that stolen PayPal accounts or credit card numbers are a digital currency (although a poor one).  If I write a virus or phishing attack, my wages are denominated in the currency of stolen accounts.  Alternatively, I can exchange fiat currency for stolen account currency, by trading on various black market forums.

As a digital currency, stolen PayPal accounts are subject to double spending attacks.  For example, the legitimate owner may change his account password thus spending stolen funds back to himself.  Or a vendor selling PayPal credentials can sell the same credentials to multiple buyers.  Without a blockchain to rescue them, those holding this digital currency must spend it quickly before someone beats them to it.

Scammers are in a nasty hurry and can't do anything about it.  I saw this over and over again at CoinPal.  I see it at other online retailers too.  This is why CoinPal and VirWox have tiered purchase limits based on an account's age. 

Conclusion: scammers have an unusually high discount rate.  With this discount rate, the present value of a payment 7 days in the future is less than his cost of acquiring stolen credentials.

Measure Everything

Collect data on everything you can possibly measure.  Record it in your database associated with each order.  When fraud happens, compare all the data you have against known legitimate orders.  Scammers operate under different conditions than legitimate buyers and it invenitably shines through.  When they try to hide it, it causes other tell tale signs.

In the short time that CoinPal operated, I collected a couple hundred metrics about each order placed on the site.  Perhaps a dozen of those metrics proved useless.  The rest were valuable and I incorporated them into automated fraud screening.  Unfortunately, these patterns are the easily abandoned ones I mentioned above, so I won't give specifics.

Conclusion: If you can measure something about your customers, do it.  Spend plenty of time analyzing what you measured.

Legitimate Customers

You can't stop all fraud.  Some will get through your defenses.  Currency exchange profit margins are too narrow to absorb much of it, so you need a healthy legitimate customer base across whom you can distribute those costs.  As chargebacks come in, it's tempting to focus entirely on eliminating fraud.  Unfortunately, that focus inconveniences legitimate customers so much that they go elsewhere.

Early in CoinPal's history, I manually contacted every customer that wanted to purchase coins.  I bought a bunch of long distance calling credit and spent hours on the phone asking customers questions about the name of their nearest grocery store or which direction Lake Something was from their house.  I never had a chargeback from these orders, but they hated it and I hated it.  I lost many legitimate customers as soon as I emailed them asking if I could call them on the phone.  I know they were legitimate because many of them bought coins after I eliminated this process and they never charged me back.

Conclusion: a healthy customer base is as important as fraud detection.  Profit from serving them will sustain you through the scammer attacks.

Fees Select Customers

This should be obvious, but it's repeatedly violated by new Bitcoin exchanges.  A legitimate customer is spending his own hard earned money, so he cares about fees.  A scammer is spending someone else's money, so he doesn't.  Increasing fees scares away profitable customers leaving you with only scammers.

A small price elasticity of demand and a high discount rate combine to explain a common fraud symptom in retail.  Fraudulent customers are far more likely to pay extra for overnight shipping.  They don't care about the money and need the goods quickly before their scam is detected.

Conclusion: High fees favor fraud.  Although scammers could avoid this characteristic by frugally spending their stolen funds, frugality demands patience which they can't afford.

Repeat Business

CoinPal averaged 1.6 orders per legitimate customer.  Many of those customers first purchased from me shortly before the site closed and never had a chance to return, so that figure is artificially low.  Many legitimate customers placed the maximum allowed order every single week until the site closed.

Scammers, however, manifest as one time buyers.  After the first purchase, their stolen funds are spent and they must switch identities.   This distinction means you can safely lower your defenses for repeat purchases.  As best I can find/remember, CoinPal never had a chargeback from a repeat customer.

This dichotomy gives vendors another means to distinguish between good and bad buyers.  For a legitimate buyer, one-time fees will be amortized over the life of his business.  A scammer, must recoup the entire fee on his first purchase.  If the fee exceeds his profit, he'll quit.

Late in CoinPal's life, I instituted automated phone verification for first time buyers.  These buyers paid an extra $0.50 to cover the cost of the service.  For legitimate customers that's $0.50 amortized over several future orders.  For scammers, it's $0.50 plus the cost and inconvenience of acquiring a working phone number per order.

Conclusion: One-time fees favor legitimate buyers.
rjk
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


1ngldh


View Profile
July 17, 2012, 07:06:05 PM
 #2

Excellent writeup, mndrix. And I can't believe that PayPal would willingly throw away business from someone such as you that was so careful and diligent about fraud.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
AngryCatfish
Member
**
Offline Offline

Activity: 104
Merit: 10



View Profile
July 17, 2012, 10:58:32 PM
 #3

Good article, hopefully it will help some out dealing with paypal hell.
BadBitcoin (James Sutton)
Donator
Sr. Member
*
Offline Offline

Activity: 452
Merit: 252



View Profile
July 18, 2012, 03:49:44 AM
Last edit: July 18, 2012, 09:05:09 AM by Maged
 #4

As most of you know, I operated CoinPal before it was closed in April 2011.  I had planned to reopen it, but plans have changed.  I still own, follow and advocate Bitcoin.  Nothing has changed there.  About once a month, I receive an email asking "How did you avoid scammers on CoinPal?"  I decided to post about it so the entire community can benefit (and give myself a URL to point to).

Background

CoinPal allowed one to purchase Bitcoins with PayPal funds.  PayPal payments can be reversed easily but Bitcoin payments are permanent.  This asymmetry made CoinPal a constant target for PayPal fraud.  After I experienced my first wave of fraud, from which I learned many lessons, CoinPal lost less than 0.9% of revenue to fraud losses.

Fraudulent buyers exhibit certain characteristics that distinguish them from legitimate customers.  Some of these characteristics could be easily abandoned if the scammers recognized them.  They appear not to.  This kind of obscurity makes poor security.  Nevertheless, recognizing these kinds of easily abandoned practices saved CoinPal lots of money.  I won't describe any of these patterns since the scammers will simply abandon them once they're published.  Instead, I'll describe characteristics which scammers are unable to change.  These ought to remain relatively helpful over time.

Stolen accounts as currency

The most important realization is that stolen PayPal accounts or credit card numbers are a digital currency (although a poor one).  If I write a virus or phishing attack, my wages are denominated in the currency of stolen accounts.  Alternatively, I can exchange fiat currency for stolen account currency, by trading on various black market forums.

As a digital currency, stolen PayPal accounts are subject to double spending attacks.  For example, the legitimate owner may change his account password thus spending stolen funds back to himself.  Or a vendor selling PayPal credentials can sell the same credentials to multiple buyers.  Without a blockchain to rescue them, those holding this digital currency must spend it quickly before someone beats them to it.

Scammers are in a nasty hurry and can't do anything about it.  I saw this over and over again at CoinPal.  I see it at other online retailers too.  This is why CoinPal and VirWox have tiered purchase limits based on an account's age. 

Conclusion: scammers have an unusually high discount rate.  With this discount rate, the present value of a payment 7 days in the future is less than his cost of acquiring stolen credentials.

Measure Everything

Collect data on everything you can possibly measure.  Record it in your database associated with each order.  When fraud happens, compare all the data you have against known legitimate orders.  Scammers operate under different conditions than legitimate buyers and it invenitably shines through.  When they try to hide it, it causes other tell tale signs.

In the short time that CoinPal operated, I collected a couple hundred metrics about each order placed on the site.  Perhaps a dozen of those metrics proved useless.  The rest were valuable and I incorporated them into automated fraud screening.  Unfortunately, these patterns are the easily abandoned ones I mentioned above, so I won't give specifics.

Conclusion: If you can measure something about your customers, do it.  Spend plenty of time analyzing what you measured.

Legitimate Customers

You can't stop all fraud.  Some will get through your defenses.  Currency exchange profit margins are too narrow to absorb much of it, so you need a healthy legitimate customer base across whom you can distribute those costs.  As chargebacks come in, it's tempting to focus entirely on eliminating fraud.  Unfortunately, that focus inconveniences legitimate customers so much that they go elsewhere.

Early in CoinPal's history, I manually contacted every customer that wanted to purchase coins.  I bought a bunch of long distance calling credit and spent hours on the phone asking customers questions about the name of their nearest grocery store or which direction Lake Something was from their house.  I never had a chargeback from these orders, but they hated it and I hated it.  I lost many legitimate customers as soon as I emailed them asking if I could call them on the phone.  I know they were legitimate because many of them bought coins after I eliminated this process and they never charged me back.

Conclusion: a healthy customer base is as important as fraud detection.  Profit from serving them will sustain you through the scammer attacks.

Fees Select Customers

This should be obvious, but it's repeatedly violated by new Bitcoin exchanges.  A legitimate customer is spending his own hard earned money, so he cares about fees.  A scammer is spending someone else's money, so he doesn't.  Increasing fees scares away profitable customers leaving you with only scammers.

A small price elasticity of demand and a high discount rate combine to explain a common fraud symptom in retail.  Fraudulent customers are far more likely to pay extra for overnight shipping.  They don't care about the money and need the goods quickly before their scam is detected.

Conclusion: High fees favor fraud.  Although scammers could avoid this characteristic by frugally spending their stolen funds, frugality demands patience which they can't afford.

Repeat Business

CoinPal averaged 1.6 orders per legitimate customer.  Many of those customers first purchased from me shortly before the site closed and never had a chance to return, so that figure is artificially low.  Many legitimate customers placed the maximum allowed order every single week until the site closed.

Scammers, however, manifest as one time buyers.  After the first purchase, their stolen funds are spent and they must switch identities.   This distinction means you can safely lower your defenses for repeat purchases.  As best I can find/remember, CoinPal never had a chargeback from a repeat customer.

This dichotomy gives vendors another means to distinguish between good and bad buyers.  For a legitimate buyer, one-time fees will be amortized over the life of his business.  A scammer, must recoup the entire fee on his first purchase.  If the fee exceeds his profit, he'll quit.

Late in CoinPal's life, I instituted automated phone verification for first time buyers.  These buyers paid an extra $0.50 to cover the cost of the service.  For legitimate customers that's $0.50 amortized over several future orders.  For scammers, it's $0.50 plus the cost and inconvenience of acquiring a working phone number per order.

Conclusion: One-time fees favor legitimate buyers.


none of those measures prevents a good scammer from getting through, however I do see what you mean about attrition, also paypals anti-fraud department is extremely good, stolen accounts are almost always flagged even if they use an IP in the same city.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
July 18, 2012, 04:05:46 AM
 #5

I think you sold me my first bitcoins at 0.26 each.  I bought like 500 coins, and actually did appreciate the phone call.  If I remember correctly, you wondered why I was interested in buying them, and I replied something along the lines of "I dunno, I think these are cool and just want to own a few to try them out.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
Matthew N. Wright
Untrustworthy
Hero Member
*****
Offline Offline

Activity: 588
Merit: 500


Hero VIP ultra official trusted super staff puppet


View Profile
July 18, 2012, 04:11:58 AM
 #6

I think you sold me my first bitcoins at 0.26 each.  I bought like 500 coins, and actually did appreciate the phone call.  If I remember correctly, you wondered why I was interested in buying them, and I replied something along the lines of "I dunno, I think these are cool and just want to own a few to try them out.

lol. Talk about nostalgia. It's hard to think of Casascius as not knowing what bitcoins were.

notme
Legendary
*
Offline Offline

Activity: 1904
Merit: 1002


View Profile
July 18, 2012, 04:26:26 AM
 #7

What was your plan to avoid having your account frozen again?

https://www.bitcoin.org/bitcoin.pdf
While no idea is perfect, some ideas are useful.
mndrix (OP)
Michael Hendricks
VIP
Sr. Member
*
Offline Offline

Activity: 447
Merit: 258


View Profile
July 18, 2012, 05:56:43 PM
 #8

also paypals anti-fraud department is extremely good, stolen accounts are almost always flagged even if they use an IP in the same city.

PayPal's anti-fraud measures are decent and I relied on them as an initial filter.  However, I caught many fraudulent orders that PayPal missed.  Their system is optimized for physical goods.  They do automatic chargebacks on digital goods disputes, so they have little incentive to improve there.
mndrix (OP)
Michael Hendricks
VIP
Sr. Member
*
Offline Offline

Activity: 447
Merit: 258


View Profile
July 18, 2012, 06:01:23 PM
 #9

What was your plan to avoid having your account frozen again?

Not to use PayPal again Smiley  I had planned to accept credit card payments instead.  Over the last year, other ideas have consistently seemed more fruitful so I'm not pursuing credit cards anymore.
notme
Legendary
*
Offline Offline

Activity: 1904
Merit: 1002


View Profile
July 18, 2012, 06:04:18 PM
 #10

What was your plan to avoid having your account frozen again?

Not to use PayPal again Smiley  I had planned to accept credit card payments instead.  Over the last year, other ideas have consistently seemed more fruitful so I'm not pursuing credit cards anymore.

Ah.  Good plan Smiley.

https://www.bitcoin.org/bitcoin.pdf
While no idea is perfect, some ideas are useful.
dacoinminster
Legendary
*
Offline Offline

Activity: 1260
Merit: 1031


Rational Exuberance


View Profile WWW
July 18, 2012, 07:19:02 PM
 #11

Not to use PayPal again Smiley  I had planned to accept credit card payments instead.  Over the last year, other ideas have consistently seemed more fruitful so I'm not pursuing credit cards anymore.

Any chance we can get you to share what you're up to lately? Bitcoin-related, I hope?

mndrix (OP)
Michael Hendricks
VIP
Sr. Member
*
Offline Offline

Activity: 447
Merit: 258


View Profile
July 18, 2012, 07:53:21 PM
 #12

Any chance we can get you to share what you're up to lately? Bitcoin-related, I hope?

Unfortunately, I've spent most of the last year on non-Bitcoin projects.  I've spent only a little time each month on my next Bitcoin project.  It's something others have tried and failed.  I'd rather not announce any specifics in case I meet the same fate.  Better to show than tell, I figure.
red123
Sr. Member
****
Offline Offline

Activity: 244
Merit: 250



View Profile
August 05, 2012, 10:44:02 AM
 #13

also paypals anti-fraud department is extremely good, stolen accounts are almost always flagged even if they use an IP in the same city.

PayPal's anti-fraud measures are decent and I relied on them as an initial filter.  However, I caught many fraudulent orders that PayPal missed.  Their system is optimized for physical goods.  They do automatic chargebacks on digital goods disputes, so they have little incentive to improve there.

Exactly. some bitcoin people act as if PP has some kind of personal vendetta (besides competition) against bitcoin when that is not true at all. The fact of the matter is PP does not support digital goods, even on eBay. I have sold numerous digital goods and have been scammed on a few of them, from legitimate eBay users wnho even eventually got out of my negative feedback.
PP simply is not an advanced company, they keep it very simple and are behind the times. Things are starting to sell digitially and they need a lot more protection there. Adequate proof (beyond a reasonable doubt using logic) that would stand in a courtroom does not stand with PP. PP's definition of proof is a bit different and very limited.
PayPal
Newbie
*
Offline Offline

Activity: 19
Merit: 0



View Profile WWW
August 05, 2012, 10:47:32 AM
 #14

Well I declare! Behind the times indeed.... why I remember... um... Does 9/11 count? Embarrassed
BitBuster
Member
**
Offline Offline

Activity: 101
Merit: 10


View Profile
August 05, 2012, 03:35:21 PM
 #15

This thread should be stickied as a useful resource for anyone developing bitcoin services.
A sage, informed and useful post mndrix, thank you!


BB.
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1079


Gerald Davis


View Profile
August 05, 2012, 04:34:59 PM
 #16

Exactly. some bitcoin people act as if PP has some kind of personal vendetta (besides competition) against bitcoin when that is not true at all.

That isn't exactly true.  TheBitMint (and many others) have gotten shutdown simply for selling Bitcoins and not even having fraud.  One pool offered payouts in PayPal.  No bitcoins actually exchanged hands and since the pool was paying out (i.e. funds only going to users not from them) there was no risk of chargeback or fraud.  PayPal also shut them down.

The problem with PayPal is that they are very dysfunctional.  Even if you get permission from one dept it doesn't mean that won't change later, or be counteracted by another department.  We payout using PayPal but keep the amount of funds limited on PayPal limited and are under understand that PayPal could shut us down any second without reason or recourse.  We have taken every precaution possible: only sending PayPal never receiving, a year long spotless no fraud record, business account, 2 factor authentication, paying fees (no "gifts"), advising PayPal in advance of our significant transaction volume,  prefunding our account using only ACH, providing PayPal a letter from our bank, etc.  Even with all that we might still be offering PayPal payouts in a year or shutdown in a week.
Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1358
Merit: 1002



View Profile
August 05, 2012, 04:44:02 PM
 #17

D&T, TheBitMint got shutdown cause the kid used one(or several) Non-Verified Paypal account(s) and when he reached the account limits he couldn't verify cause he's only 17, remember? You should remember, because you were burned on it.
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1079


Gerald Davis


View Profile
August 05, 2012, 05:31:35 PM
 #18

D&T, TheBitMint got shutdown cause the kid used one(or several) Non-Verified Paypal account(s) and when he reached the account limits he couldn't verify cause he's only 17, remember? You should remember, because you were burned on it.

Indeed maybe not the best example but just pointing out that it is like PayPal only cares about limiting fraud or the risk of digital goods.  Maybe the OP and the pool (man for the life of me can't remember which one) are better examples.  Very low and no fraud and still shutdown without reason or recourse.  The OP was even told he was authorized.  He was "authorized" AND kept his fraud to a minimum something which PayPal should have rewarded and instead he got slammed.

Dysfunctional. 
Raoul Duke
aka psy
Legendary
*
Offline Offline

Activity: 1358
Merit: 1002



View Profile
August 05, 2012, 05:34:15 PM
 #19

EclipseMC, Inaba's pool, no?
kuzetsa
Sr. Member
****
Offline Offline

Activity: 369
Merit: 250


View Profile
November 25, 2012, 10:49:03 PM
 #20

Excellent writeup, mndrix...
((...snip...))

Seconded / agreed.

Though on the subject of paypal's ToS, I won't comment.
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!