[bisq-network/proposals] N-factor counterparty confidence mechanisms (#83)

Steve Jain notifications at github.com
Tue May 7 22:40:02 UTC 2019

> _This is a Bisq Network proposal. Please familiarize yourself with the [submission and review process](https://docs.bisq.network/proposals.html)._


Here I offer some ideas to bolster bitcoin seller confidence through 2 techniques:

* verify buyer identity through multiple methods _for each trade_ before any money can be sent to seller
* mark/sign payment accounts which fail this verification step, and immediately blackball them from trading

The fundamental concept is to (continually) seek to prove a trader is bad, rather than seek to prove (once) that a trader is good.

I think such a system would be less risky for the network in the long-term, because it would be built on _distrust_ instead of _trust_, without reliance on a single trust chain where integrity can be tainted with a single mistake. A downside here is that it makes individual traders responsible for establishing a counterparty's integrity on their own, _for each trade_, but as you'll see below, I think the proposed methods are relatively simple, quick, private, and (when used in combination) robust.

Because only "negative reputation" can be earned (i.e., in this concept, signed accounts are very BAD), there would be no way for a scammer to "game the system" aside from resorting to extraordinary measures to pass verification for _every single trade_ he does.

## Objective

Prevent buyer from sending payment until seller is confident about the buyer's identity, so that if/when payment is sent, chances are high it was initiated from the rightful account owner.

## Disclaimer

These ideas are meant more as a starting point for discussion and further ideas than a solid solution ready to implement.

_Some of these ideas are rather off-the-wall._

## Concept

Currently, once deposit transactions are confirmed, the buyer goes right to sending payment.

But what if the buyer was forced to identify himself before he could send payment? 

Identity is virtually impossible to prove online, so this proposal offers a handful of methods a buyer could use to _increase confidence_ in the seller that he's not bluffing—it's never possible to be 100% sure, but maybe we can get to 90% or 95% certainty by combining 2 or 3 or even 4 methods at a time.

So we offer multiple identity verification methods a buyer can use to boost a seller's confidence. The buyer pre-determines which of these verification methods he's comfortable with proving when he creates his payment account, and upon entering a trade, the seller can challenge the buyer to prove his identity using any of those methods the buyer previously selected. 

The more methods a buyer employs & verifies for an account, the more confident a seller can be in trading with him.

Payment details should be hidden from the buyer until the seller indicates he is confident about the buyer's identity. I'll discuss other technical considerations below...I'm hoping they aren't too significant.

## Identity Verification Methods

These are merely the methods I've come up with so far. I hope there are more...please share if you have other ideas, and also please voice any concerns about the viability of each one.

Keep in mind that no single method is good enough to stand on its own, so we seek to establish high confidence by combining a number of methods that (together) would make it highly unlikely that the buyer is a scammer.

Putting the burden of proof on the buyer every time he makes a trade with a new peer magnifies the value of account age—on the off chance a scammer is able to do all the tedious, hacky work necessary to successfully thwart 2 or 3 identity verification methods _once_, he would have to ensure all aspects of his false identity remain intact again and again for every trade, for weeks, months, etc...and the minute he fails just 1 check, his payment account is toast.

On the other hand, there's virtually no reason for an honest trader to ever fail an identity check, and most checks below are quite simple and quick.

As you review the suggested methods below, keep in mind that not every user will want to employ every method below, and not every method makes sense for every payment type either.

Each of these methods would probably require a peer-to-peer chat mechanism be built into Bisq.

**1. Buyer sends seller small payment from second bank account**

_Seller matches full name on payment from second bank account with full name on primary bank account_

Upon closer inspection, PayPal probably won't work, as a scammer could simply sign up for PayPal using the exact same primary bank account—PayPal doesn't seem to show the receiver which payment method was used for the transaction.

Sending money through a service like MoneyGram could also work, because they would require ID. But it's probably a hassle to do this for most people since it would require going somewhere in-person.

* Verifies: full name
* Usage: all payment methods where full name is required
* Integrity: derived from KYC procedures of the secondary bank
* Ease: probably high, as a transfer can be done online, quickly, with little effort
* Downside: scammer with stolen identity can make another bank account to thwart this measure
* Privacy: good, as no new personal details are uncovered aside from secondary bank account details

**2. Sign string using PGP key posted on public websites**

_Seller verifies buyer's PGP fingerprint exists on public websites (ideally more than one of the following: buyer's blog, twitter, github, keybase, etc), and challenges buyer to sign string (e.g., trade id) with corresponding private key_

* Verifies: full name (assuming websites with fingerprint include user's full name)
* Usage: all payment methods where full name is required
* Integrity: derived from difficulty of a hacker infiltrating all a user's sites and posting a fingerprint for a public key that's older than the Bisq payment account, and/or the difficulty of establishing a whole new (convincing) web presence for a person from scratch
* Ease: high, once Bisq buyer generates GPG keypair and posts it on his site/social profiles
* Downside: users would need to know/learn basic GPG functions, but all commands are simple enough for a short doc/video
* Privacy: good, as no non-public information is disclosed, and posting fingerprints is something many people do and is not a conspicuous activity
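The challenge-response in method 2, as an added illustration that is not part of this proposal or of Bisq's code: Go with Ed25519 stands in for OpenPGP, and the site names, trade id and the `minSites` threshold are constructed assumptions. The signed string binds the trade id to a fresh nonce, so a signature the buyer produced for an earlier trade cannot be presented again, and every site the seller consulted must show the same fingerprint as the key the buyer presents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint stands in for the PGP fingerprint: hex SHA-256 of the raw public key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// NewChallenge builds the string the seller asks the buyer to sign: the trade
// id plus a fresh nonce, so a signature from an earlier trade cannot be reused.
func NewChallenge(tradeID string) ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return []byte("bisq-id-check:" + tradeID + ":" + hex.EncodeToString(nonce)), nil
}

// SellerVerify accepts only if every site checked shows the presented key's
// fingerprint, at least minSites were checked, and the signature covers this challenge.
func SellerVerify(published map[string]string, minSites int, pub ed25519.PublicKey, challenge, sig []byte) error {
	fp := Fingerprint(pub)
	for site, seen := range published {
		if seen != fp {
			return fmt.Errorf("fingerprint on %s does not match the presented key", site)
		}
	}
	if len(published) < minSites {
		return fmt.Errorf("fingerprint seen on %d site(s), need %d", len(published), minSites)
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return fmt.Errorf("signature does not verify over this trade's challenge")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // buyer's keypair
	published := map[string]string{"blog": Fingerprint(pub), "github": Fingerprint(pub)} // constructed sample
	challenge, _ := NewChallenge("trade-0001") // constructed trade id
	sig := ed25519.Sign(priv, challenge)       // buyer's side of the exchange
	fmt.Println("buyer verified:", SellerVerify(published, 2, pub, challenge, sig) == nil)
}
```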

**3. Post trade id on website with matching WHOIS data**

_Buyer posts trade id on website with domain name where whois details match those of Bisq payment account, and whois details haven't been updated during the life of the Bisq payment account_

* Verifies: full name
* Usage: all payment methods where full name is required
* Integrity: derived from difficulty of a hacker infiltrating a user's legitimate website, OR changing whois details for a site he owns _before_ creating the payment account in Bisq
* Ease: high, just upload a text file to server containing the trade id
* Downside: only applies to people who own domain names without privacy, as well as hosting they control
* Privacy: good, as no non-public information is disclosed

**4. Snail-mail random key to street address**

_Seller snail-mails buyer a random string to the address listed in his Bisq payment account details; if buyer can confirm receipt, street address is verified_

* Verifies: street address
* Usage: bank wires, and other payment methods where street address is required
* Integrity: derived from practical difficulty of overcoming geographic distances and intercepting snail mail
* Ease: medium, as one has to use snail-mail
* Downside: snail-mail can take a day or two, and it doesn't apply to most payment methods (Bisq doesn't work with wires at the moment)
* Privacy: good, as sender doesn't need to put return address on envelope

**5. Verify phone number through Signal**

_Buyer sends seller trade id via Signal, and seller matches Signal phone number with phone number in Bisq account details_

While Zelle is built on phone numbers, it can be used without the mobile app, so verifying that a buyer has _current_ control of the Zelle phone number can be useful (but not fool-proof).

* Verifies: phone number
* Usage: only with payment methods like Zelle which require a phone number
* Integrity: derived from difficulty of hijacking a phone number (which is relatively low, it seems)
* Ease: easy
* Downside: not terribly meaningful, but given the low effort for users, it might be a nice third factor for payment methods based on phone number
* Privacy: good, as Signal doesn't retain metadata

## Practical Example

* buyer creates sepa payment account
* in payment account details, there are additional fields for each identity verification mechanism: secondary bank account details, pgp key, website, etc.
    * buyer fills in data for verification methods he likes
* buyer accepts offer to buy bitcoin
* after bitcoin deposit transactions are confirmed, payment account details only show to the seller
    * seller asks buyer over p2p chat to prove identity through methods listed on the buyer's payment account details
        * if successful, seller acknowledges he's comfortable with his payment details being shown to buyer, and deal carries on as normal
        * on failure, seller opens dispute and works with arbitrator to determine if buyer is a scammer. if scammer, account is signed.

Signed accounts are effectively blackballed from trading immediately (see "Quarantining signed accounts" below).

In case of a scammer, seller payment details are never revealed to buyer, so **no money is ever sent to the seller, greatly reducing the chance honest traders end up dealing with shady/stolen property.** This is huge for sellers...if banks start to think you're a shady person (which can very well happen if you receive money from just 1 shady account), you might run into major life-long disadvantages in opening new accounts, obtaining credit, etc.

## Technical Considerations

Aside from the peer-to-peer chat tool, I'm hoping these additional measures aren't a huge pain to implement.

**Peer-to-peer chat**

It would be important for trading peers to have some way to privately communicate with each other to verify the buyer's identity. This is already on the roadmap as a part of the new trade protocol, and the methods proposed above assume this mechanism is in place.

**Quarantining signed accounts**

If it's not technically possible to outright block signed payment accounts without resorting to an emergency filter message, then we can use the UI to strongly discourage trades with signed accounts from happening:

1. offers made with signed payment accounts should be clearly marked in the offers view so traders know not to take such offers
2. offer makers should immediately open a dispute if a trader with a signed payment account takes their offer

**Trade protocol**

I don't think we would need another step in the trade process to make this possible, but there would need to be a way for the seller's payment details to be hidden from the buyer until the seller acknowledges their comfort with the buyer. 

Trade periods might need an extra day or two to allow time for buyers to prove their identity.

## Concerns

**Scammer could keep making new accounts** after failure to verify identity. But he'd keep hitting the same wall, as he'd never be able to verify his identity, so it would be irrational to keep wasting time trying. And he'd be starting over with 0 account age every time, which is regarded with extra scrutiny anyway.

**Verification methods have limited potential** since many people don't administer a web server of some kind. Even though a lot of users probably don't use PGP either, I think the requirements for its usage here are simple enough (using PGP for email is daunting sometimes even for veterans, but we're not doing that here), and over time, some functionality like verifying signatures could be built right into Bisq. 

I think the PGP strategy combined with a secondary bank account transfer should be accessible for most users...ambitious, but it should be an effective tactic against the threats we face.

**Verification methods need to be carried out for every new trading peer.** It would be great if we could figure out a clever way to cache previous successful trading peers locally (beyond onion address -- by actual payment account) so verification doesn't need to be done again for 2 people who have traded before.
