New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tools to prevent man-in-the-middle-attack #373
Comments
All communication between traders is end to end encrypted, signed and routed over Tor (hidden services), so getting on top of the application side security also Tors security and location privacy. The data for receiving the Fiat (bank account) and all the other trade data (btc address, amount, price,...) are also put into a JSON contract which get hashed and added to the MultiSif deposit transaction (using OP_RETURN). So the moment of depositing into the MS is timestamping the contract. If you would add an interactive step before a take offer request gets accepted, the trade would slow down a lot when both users are not online and I don't see a reason why it should be needed (as I think that MITM is not possible). Enabling communication possibilities has more risks and drawbacks then benefits IMO. Regarding fraud with stolen bank acoounts: Yes that is a risk which is mitigated primarily by the low trade limits with payment methods where chargeback is possible (banks). If it turns out that this is not enough we will add a lock time to the payout tx so the arbitrator has longer a possibility to step in if chargeback happen. |
I was only referring to social MITM attacks, where the buyer (i.e. the man-in-the-middle) manipulates the the victim into sending money to the seller. I am an active trader dealing with SEPA transfers since nine months, and this issue is a problem. I'm afraid that if bitsquare will be less equipped than (centralized) competitors, the scammers will flock to bitsquare as soon as it catches on. Ultimately rendering the platform unusable for sellers (buyers are not affected). Longer lock times are not effective in this case, since senders can't easily contact buyers to prevent the release of BTC (they only know buyer's bank account, name, and country). |
Can you explain such an attack more specifically? How does such a social MITM attack work in praxis? |
Sure. One of the more popular ones is calling people at random, saying they are from Microsoft, and making them believe they have a virus on their PC that urgently needs to be fixed. They guide the victim behind their PC, convinces them of the threat, and end up taking over the PC remotely. After having rendered the service of so-called fixing the PC, their service has to be paid for. Typical amounts are €150 or €200. In the meanwhile, another member of the team searches for buying the corresponding amount of BTC at LocalBitcoins.com or Paxful.com (and in the future, bitsquare). Once a seller is found, they make sure the victim will transfer money by bank to the BTC seller. On demand, they will provide ID of the victim, and/or a screenshot of the transaction being made (from a screen on the remote computer), etc. This makes it hard for the seller to distinguish that the sender of the money is not the same person as the buyer he is dealing with. It can be done, but it requires social interaction with the buyer and knowledge about how they operate. Part of the victims will file a police report and contact their bank. Their bank contacts my bank, who takes action. Over the past half year, I had my bank account blocked once. Also, I have been summoned by the police for questioning. Of course, the seller can prove he didn't know what was going on. However, to keep up plausible deniability it requires the seller to take measures to prevent selling to unknown buyers. And this is where I see a risk for bitsquare. If bitsquare becomes a popular marketplace for buying BTC anonymously (at least, anonymously until the deal is done), it will quickly become the preferred marketplace of the scammers in question. This will drive out the sellers who don't want to function as money mules for them. Although I do think that plausible deniability is defensible in court, if this happens often enough a seller will run out of banks for bank accounts -- because banks will close accounts of those who act as money mules once several people complain about being scammed. Hence, if bitsquare doesn't allow social interaction to be used to determine if buyers are legitimate, I am afraid it will fail as the anonymity of the scammers is protected, while that of the seller is not. The best solution to this problem should be found in making sure the sender of the money is aware what he is buying (i.e. BTC). I think that's the real challenge. More info about this type of scams: |
Thanks a lot for that info. One solution could be to use optional bank account verification: Which bank transfer types are usually used for those scams? SEPA? There have been a few other ideas how to prevent scammers but all those add usability drawbacks like the account verification as well as privacy concerns. Also its quite a bit of extra effort, so postponed to the point when we see that this becomes a real problem. Finally I hope that most people move to use OKPay or othere payment methods which are less problematic as banks. How does LocalBitcoins or Paxful deal with that issue? But I still dont see why the locktime at the payout should not be sufficient protection. |
The idea of a small initial transfer to verify bank accounts would work. It would create a sufficient delay, indeed. I cannot say much about which countries are more popular. SEPA is very convenient for the scammers, since every victim in the EU can send SEPA payments. I don't have knowledge concerning other payment types regarding this. From my personal experience (mostly on Paxful), I'd say Germany and the Netherlands are countries favored by the scammers. Platforms like LBC and Paxful can't do much about this type of scamming other than warn users. I can say that Paxful always has been very co-operative with me once I suspected to be dealing with a scammer (ruling in my favor when disputing a trade already done, immediately blocking the account of the scammer, providing the scammers' IP address). Other than that, they can't do much else. The locktime doesn't help if contact between the victim and the seller cannot be established within the time of locking. I've never seen a chargeback happen. I have seen twice that the victim managed to cancel the transfer with his bank (after I informed or confirmed the victim that he had been scammed), if it's not processed yet. Depending on the bank, there is a window of a few hours to do that. |
What about requesting to the buyer to write a "payment reason/motive" on the SEPA transfer, something like: "purchase of Bitcoin" The scammer can't easily force the cheated user to write those kind of things on the SEPA transfer without giving him an hint that there is something strange happening. |
@AndreKoster: @HostFat: |
I mean the [email](or [nickname]) of the seller. The phrase needs to be something that the scammer can't easily make up, like: Or it will be impossible to make them (the possible victims) think that they are (the scammers) the true Microsoft support. |
@HostFat |
@ManfredKarrer @HostFat The SEPA bank account verification could also be made optional. Then you can let sellers choose themselves if they demand a verified account or not. |
@ManfredKarrer Then the buyer will see this request while he is watching all the offers, he will choose to comply or not. (by choosing other offers ...) |
I think to add too early too much "pro-active" protection might confuse users too much and decrease usability and adoption. |
There is time, indeed. It will only become an issue once bitsquare becomes significantly used. Regarding the deactivation of certain taker countries, how is determined in which country a taker resides? If this happens by IP address, it's no good, since scammers usually work via VPN, and can be virtually in any European country irrespective of the country they target. The main problem with the locking up BTC for a week is that even one week is not that long a time if a victim needs to a) realize he was scammed b) decide to take action c) report to the police d) have the police or bank trace the seller and e) have the seller raise a dispute on the (done) deal to seize the deposit. From personal experience I know the police takes weeks to get into action. Banks work much faster, but they don't share information. Hence, it's very unlikely the seller will get a signal in time about a specific deal. In the one case my bank account was blocked, this happened 9 days after the transfer -- and this was within the same country and with the victim and me having accounts at one and the same bank. If it then already took 9 days, how long a lock time is needed if two different bank are involved and if these are in two different countries? |
Re countries: When you setup your SEPA account you can define which countries you accept. Another user with a SEPA account from a country not in your list cannot take that offer. Of course he could ly about his country but if you as seller define that you don't accept buyers form Germany and you receive the bank transfer form a german bank than you should call the arbitrator and not confirm as it was not as defined in the trade contract. Re locking up BTC: |
Another idea after discussions with @HostFat: In nearly all banks (but not all) you can see the bank account and name from the fiat sender, so if we require that the seller confirms that the name and bank account data matches 100% with that what he received we should be fine. The scammer usually dont know the bank details and prob. even not the name of the victim. All what we need is displaying the buyers name and bank account data in the fiat receipt confirmation popup as well as an extra checkbox where he explicitely need to confirm he has checked that the buyers name and bank account data delivered from Bitsquare matches that what he seen at his bank. In doubt he should open a dispute. What do you think? I sm y assumption correct that the scammer does not have knowledge to the victims bank account nr.? |
It can work, but the scammer can even try to social engineering the victim and asking him his details, and then try to buy an offer on Bitsquare with the information of the victim. It's less easier, but I still think that your idea of putting even something like "Payment to Manfred Karrer (gdgk78dsf)" in the reason/motive of the SEPA is a good idea. |
@ManfredKarrer The scammer does have knowledge of the victims bank account number in the case of the Microsoft-virus-scam. The scammer sets up a remote control of the victim's computer, and follows the victim when he's making the transfer. I've received cam screenshots made at the time of submitting the transfer, of which victims later told me that they never made any -- they were made off the remote screen by the scammer. @HostFat Regarding references, it would be best if the victim gets a hint from the reference that it does not refer to the scam service he thinks he bought. In that respect, a reference like "Bitcoin purchase gdgk78dsf" would be perfect. To evade evil banks, Bitcoin could be replaced by Bitsquare, or even Yellow tulips, as long as it doesn't make any sense in relation to a fake service rendered. Hence, just gdgk78dsf is too weak, as the scammers could still claim it to be their invoice reference. The amount scammers typically go for is 300 euro, with 150 the minimum, and max. 350. |
My first idea was something like this: gdgk78dsf Send to Manfred Karrer the JUMP YELLOW OUT LIQUID GOL [REFERENCE-ORDER-ID] Send to [BUYER-NAME] the [5/6 random words] |
@AndreKoster @HostFat Though if we use a special pattern it will become easy for banks to track Bitsquare trades. |
@ManfredKarrer |
The scam mentioned above is global and has been in use for over 10 years. I have been called here in Australia - usually by someone with an Indian accent - on numerous occasions. We can't protect computer users from their own stupidity. If they think their ISP or Microsoft is going to call them at random they really have a low IQ. The best defence (apart from just hanging up) is to say you're busy, ask for a phone number and offer to call them back. The verifed bank account using a small initial transfer has been utilized by Paypal since its inception, but they had a user base of millions of repeat users on eBay and could justify the effort. It also doesn't work unless you live in one location/country and intend to stay there. |
I think it is not that much harder to get a victims bank details when asking for money, claiming it is simply to know that you payed so that they don't need to call you back. |
This is perhaps out of scope (at least, technically), but important for the future success of bitsquare: How can a seller of BTC pre-empt man-in-the-middle-attacks?
With a MITM attack the buyer of the BTC is not the same person as the actual sender of the money. However, the sender knows the name and bank account of the seller. The sender is usually scammed by the buyer into sending money to the seller. Often, the sender realizes later he is scammed, and assumes the seller is part of the scam. This may lead to the sellers' bank account being blocked and a police investigation. Hence, seller need ways to be able to pre-empt such attacks.
The seller needs to be able to assess if the buyer is the same person as the sender of the money. For this, offer terms should be shown to a candidate buyer before the trade starts. And there needs to be a way for the seller to communicate with the buyer about the fulfilment of the offer terms.
A possible solution would be adding a free text to an offer (to display offer terms) and chat functionality. Both the offer terms and the chat history can then be used by the arbiter in case of dispute.
The text was updated successfully, but these errors were encountered: