[bisq-network/proposals] N-factor counterparty confidence mechanisms (#83)

Manfred Karrer notifications at github.com
Thu May 9 06:37:52 UTC 2019

To summarize our current knowledge and protection tools:

## There are 2 types of scams we are focusing on:
1. Stolen bank accounts
2. Money launderer (ML) using fake ID, stolen ID or bought ID (poor guy opens bank account and hands over all data for a payment from scammer - so no ID theft)

## Protection tools:
- Security deposit
- Trade limits based on account age
- Account age witness
- Ban by filter
- Payout delay
- New signed account age witness with decentralized tree of signatures (#78)
- 2FA - payment with another bank account
- Proof ID with governmental certificate
- BSQ bond
- Requesting an ATM or bank branch withdrawal (#23)
- P2P chat
- Off-chain trade protocol based on BSQ bonds (#32)

### Security deposit
Currently in place. Adds risk for the scammer: if fraud gets detected, his deposit is gone.

### Trade limits based on account age
Currently in place. Adds risk and friction for scammer but is not sufficient as we learned.

### Account age witness
Currently in place. Does not help if scammer is willing to wait and leave the stolen account untouched until the account age is mature.

### Filter based ban
Currently in place. Bans scammer by onion or any payment account data. Effective and fast but helps only after we detected fraud.

### Payout delay
Dropped as UX was too problematic but just found that we could still use it with a timelock-based (tx level) implementation. That would remove some of the UX challenges as users don't need to deal with an extra step. Would still need more thoughts if UX issues are not problematic anymore and if it can be deployed without a hardfork of the trade protocol.
Protects against stolen accounts as those are likely detected in a few weeks. ML is likely not detected for a long time so delay would not help. But adding friction and uncertainty for scammers might be helpful to keep them out. But of course also keeps out honest newbies ;-(.

### Decentralized reputation
Helps against stolen account scammers if fraud was detected in < 1 month. Does not help for ML case.

### 2FA
Helps against stolen accounts as it is very unlikely that the scammer has access to more than one account of the victim. Does not help against ML with fake ID but might be helpful in case of a bought ID (it is likely hard for them to approach the guy who sold his account again to open another account on same name).

### Governmental certificate
Helps against stolen accounts and stolen ID. Is also likely effective against fake ID and bought ID as it adds extra risk and friction to the scammer. It also is something out of the scammer's usual business so might be helpful as they might avoid doing new things which have not been done in the past.

### BSQ bond
Not much thought out yet. A simple solution would be to add a BSQ bond covering the trade amount for each trade and add the trade ID as hash to the bond so it can be verified. That would be relatively easy to implement. The bond locktime needs to be min. 3 months to give the stakeholders enough time to make a decision. Benefit over payout delay is that it only affects the buyer.
A more sophisticated solution would be to re-use a bond but that would probably lead to the concept as envisioned in the off-chain trade protocol. It is questionable if newbie buyers are able and willing to lock up a BSQ bond in the amount they want to buy. I doubt that many want to do that.
There is also some BSQ volatility risk.

### Requesting an ATM or bank branch withdrawal (#23)
Would protect against stolen accounts as well as ML. It is very unlikely that the scammer wants to go to a bank branch, and he likely does not have the ATM card. Getting the ATM card in case of ML will require exposing an address. I assume it adds quite a lot of risk and friction for all the ML variants.
A main problem with that idea is who is doing the PageSigner verification and the fact that PageSigner does not work with all bank pages. Besides that it adds quite a bit of inconvenience to the user.

### P2P chat
By enabling users to communicate, scammers can be detected by their language and communication style. Arbitrators reported their unfriendly and impatient style. 99% of Bisq users are the total opposite. But relying on that is rather weak as scammers will learn and the seller will not be interested to have long conversations to find out more... Would also extend trade time...

### Off-chain trade protocol based on BSQ bonds (#32)
We also should keep in mind the plans for the off-chain trade protocol. It will change the overall concept of Bisq a lot and might be beneficial as protection as well. The BSQ bond will then be mandatory so the scammer will have a 3-4 months locktime with at least the trade amount. That might be one of the most efficient tools as no scammer can know to not get detected in that time and if so the bond will be subject to confiscation from stakeholders.
We could make the delay for the release of the bond after a completed trade depending on the risk score of the user (new account, 2FA, certificate). So new users have a bond just covering the trade amount but they cannot use it for another trade for let's say 1 month if they do not provide additional security (2FA, certificate). So a scammer would only be able to do 3 trades in 3 months, probably enough friction and risk to keep him out. Newbies still have not so much burden if they don't want to trade more.
But of course the "have no BTC" problem for new buyers is even more problematic as they need not only the BTC to pay the deposit and tx fee but the BSQ bond.

## Conclusion
I think against the stolen bank account scam we have some strong options. A possible strategy could be that:

1. A new buyer has to wait 30 days after his first fiat transfer before he can trade larger amounts (still in the normal trade limits). 0.01 BTC as it is now is the initial limit.
2. If he provides a governmental certificate the limit is removed (still normal trade limits).
3. If he makes a tx from 2 accounts (2FA) the limits are removed. Open questions about details (is it sufficient if authorized user signs or does he need to do it at each trade?).

I think those 2 options to get an immediate upgrade should be enough for 95% of users. To add a payout delay makes all again more complicated as the seller needs to agree as well as his deposit will also be delayed. I think the 2FA is a more efficient tool with lower UX costs.
All those do not help much against the ML case. Though the economics of ML are very different. The risks for the scammer regarding losses are much higher. Also the amount of money to be transmitted is likely much higher to be profitable for the scammer. So the existing tools with security deposit and trade limits are maybe already quite effective. The more transactions he needs to do the higher the risk that his account gets detected or flagged by the bank.
Maybe keeping trade limits low in case no additional proof has been provided (no 2FA, no certificate) might be enough? But that is still an area where another smart idea would be very welcome!
