Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reduce maximum trade size for unsigned payment accounts #322

Closed
m52go opened this issue Mar 16, 2021 · 45 comments
Closed

Reduce maximum trade size for unsigned payment accounts #322

m52go opened this issue Mar 16, 2021 · 45 comments
Labels

Comments

@m52go
Copy link
Contributor

m52go commented Mar 16, 2021

This is a Bisq Network proposal. Please familiarize yourself with the submission and review process.

Maximum trade size for unsigned payment accounts should be addressed quickly.

The last proposal on this was open since January but bogged down and stalled by a mix of concerns. Here I want to solely address maximum trade size for unsigned accounts.

It is currently possible to trade >500 USD without signing with risky payment accounts in active markets. A year or so ago this would have been unthinkable...signing was implemented to prevent trades beyond 80 USD. This amount has now ballooned over 7x. I don't think it's an overstatement to call it a considerable risk to the project.

I think this unsigned maximum trade limit should be reduced to 0.0025 BTC. The current range for valid signing trades is 0.0025 - 0.01, so essentially I'm proposing to make the range fixed to this lower amount (unless there is a technical/other reason for this amount to be a range).

At current rates, 0.0025 BTC is still well over 100 USD. The BTC/USD rate could crash by 20,000 and 0.0025 BTC would still be close 100 USD, which has been the target for this unsigned maximum.

Hard Fork

As noted here, this change would require a hard fork. I think the gain in network security is worth it. As noted above, the change still allows for relatively generous trade sizes, and would still be reasonable in case of a BTC/USD crash.

Mining Fees

There was a point here about this change causing mining fee proportion of total trade size to increase, making trades look unattractive. I agree this is a downside, but it's more of a downside of Bisq's trade protocol that will need to be addressed in other ways.

Workarounds

Another way of achieving this without explicitly changing the limit is putting guidance in the software to encourage sellers to make smaller offers (i.e., make <0.01 offers even smaller in order to avoid 400 EUR payments from unsigned accounts, thus reducing the number of <0.01 offers on the network for unsigned buyers to take). This would avoid a hard fork, but might not be very effective unless sellers had a way of limiting their offer to being takeable by unsigned accounts only.

It would also hurt liquidity for users with signed payment accounts in the <0.01 range, which is not a great idea.

Relation to General Trade Limits

A reduction in overall trade limits should be considered too, but that will be proposed separately since it's distinct from this topic. The maximum per-trade exposure of the DAO (which is currently >100,000 USD). I mention it here because it is somewhat related and will also require a hard fork.

@sqrrm
Copy link
Member

sqrrm commented Mar 16, 2021

I agree that we need to lower the unsigned offer limit. Just changing both placing and taking requirements simultaneously would cause issues for traders with open offers for 0.01 since upgraded clients wouldn't be able to take those offers.

I think it makes sense to limit new offers to 0.0025 but still allow taking of unsigned 0.01 offers as a first step. Then in a later release the taking of 0.01 offers would be restricted to 0.0025. That's still backwards incompatible but I think the effect on users would be minimal since most 0.01 offers would be gone by the time they're no longer possible to take.

@MwithM MwithM added a:proposal https://bisq.wiki/Proposals re:parameters labels Mar 16, 2021
@Conza88
Copy link

Conza88 commented Mar 16, 2021

(1) There was talk on various forums/places about accounts not being signed (when they should have, and was a bug). Has that been addressed at all?

(2) This is going to kick the can down the road ONCE AGAIN. Why is it not possible to mark it as a fixed % of current BTC price in fiat terms?

(3) I am principally for no minimum security deposits at all (once signed), and no maximum limit either (once signed).
As part of that I would be clearly AF communicating to users who may be taking particular offers that don't have any security deposit, the risks etc. and consequences.. and getting them to confirm acceptance.

It's a voluntary contract between two people, and Bisq is the protocol.

(4) I am also for allowing DIFFERENT security deposit %'s to be set for MAKER and for TAKER...
Again, an education piece with good UX about what each means.
Then truly, if A AND B WANT TO TRADE VOLUNTAIRLY, why get in the way?

@sqrrm
Copy link
Member

sqrrm commented Mar 16, 2021

@Conza88 There was one user who had trouble getting signed. Turned out his account data had not propagated on the network so the signed wasn't able to sign. Once the user removed the account and created it new with a different salt they got signed.

I guess it would be possible to use the current bisq price feed to set a limit in USD, problem is that some offers would then move out of range as BTC prices move up, and the amounts are locked in the offer since they're attached to a fee transaction. If we can get the no fee tx protocol going it should be possible to make offers in fiat amounts rather than BTC as well (ie. flexible BTC amounts) since the offer is only funded once taken.

Security deposit is discussed in #323

@chimp1984
Copy link

Another option to deal with it and which makes it easier to deal with future price increases (e.g. if BTC goes to 200k we will have more such events) is to deploy a filter fields with the limit and to show a popup to makers who have offers which are above that limit. Once that limit is deployed such offers cannot be taken anymore. To shoothen the process we can add a data to that limit change when it becomes active, so makers have a few days time to react and only at activation time the new limit is a strictly enforced protocol parameter.

We will need an option to change those offers trade amount which can work technically as we only want to decrease of trade amount (as reserved for funds don't allow increase). So we can add a feature to support decrease of the trade amount in edit offer, but not increase.

@sqrrm
Copy link
Member

sqrrm commented Mar 16, 2021

@chimp1984 I think it's more transparent to add this in code rather than as a filter. Best would probably be as a DAO parameter but that would take a while to implement. My suggested changes would allow for immediate deployment in the coming release with cutoff tomorrow and the follow up on limitation in the release after.

@pazza83
Copy link

pazza83 commented Mar 17, 2021

I worry about the negative user experience impact decreasing the trade size for unsigned accounts will have.

My assumptions are:

  • Unsigned accounts accounts will likely be accounts of new users
  • New users are more likely to 'take' offers rather than 'make offers' at least initially
  • Taking offers requires 3 transactions (roughly 3 times mining fees)
  • New users are coming from environments where they have not had to consider mining fees for trading. Either they have traded on centralized exchanges where mining fees are not a factor in trading or they have not previously traded. This makes them less time sensitive and less mining / mempool aware.

Based on the table below average sats/vb fees result in a fee of approximately $8.33 per transaction. This would be result in a $25 for taking an offer of 0.0025 BTC (currently $140). Therefore as a percentage of the trade amount this is 17.9% of trade amount.

Now assuming the maker of the offer is also going to have to pay $8.33 mining fees to make the offer. I would expect a premium of 20% would be about average.

So now a new user will be spending $25 + premium of $28 to acquire $140 worth of BTC.

These fees totaled represent 34.3% of the trade amount.

I think this will make new buyers give up on Bisq before they become signed.

fees
Ref: https://privacypros.io/tools/bitcoin-fee-estimator/

To run the numbers with the current trade limit of 0.01 BTC for comparison.

$25 for taking an offer of 0.01 BTC (currently $560). Therefore as a percentage of the trade amount this is 4.5% of trade amount.

Buyer premium of approx. 10%

So with 0.01 BTC a new user will be spending $25 + premium of $56 to acquire $560 worth of BTC.

These fees totaled represent 14.5% of the trade amount.

This is still high but a lot more workable.

I share the concerns with risks associated with increased prices for 0.01 BTC, is there a way of reducing these risks in a way other than decreasing limits for account signing?

Maybe there could be other ways to achieve account signing eg:

New users take offers of fixed price of $100 or equivalent from bonded sellers, thus reducing the need for security deposit, BTC transfer can be done without multi-sig requirements.

Following this trade the 30 day timer would start reducing the ability of fraudster that has temporary access someone else's account.

The above could even be done outside of the signing system, and another level eg pre-signing introduced before a trader can do any trades?

@pazza83
Copy link

pazza83 commented Mar 17, 2021

Just to share some anecdotal experiences from my limited experience on https://bisq.wiki/Keybase-Buy_Bitcoin for small amounts of BTC.

  • New users looking to buy 0.007 BTC are generally happy to complete the trade based on quoted prices
  • New users looking to buy of <0.0035 BTC are 50/50 happy to complete the trade based on quoted prices (bearing in mind it is only the seller in this instance that has to pay mining fees). If buyer had to pay for the 3 transactions in the Bisq trade protocol it would be even less than 50/50.

@chimp1984
Copy link

@pazza83 FYI #324

@RefundAgent
Copy link

RefundAgent commented Mar 17, 2021

Euro should not be subject to these limits, since SCA as part of PSD2 is being rapidly implemented in the Euro-area with most countries being fully compliant and the rest following in rapid succession: https://okaythis.com/blog/sca-deadlines-across-europe

The consensus within Bisq is that traders are extremely sensitive already to the trading fees (average about 0.4%). One should thus be very cautious to increase the relative mining fees, which in the example of @pazza83 are 4.5-14.5% for new traders even now.

@pazza83
Copy link

pazza83 commented Mar 19, 2021

@pazza83
Copy link

pazza83 commented Mar 21, 2021

I am disappointed this was not discussed further.

@Conza88
Copy link

Conza88 commented Mar 21, 2021

Is this ACTUALLY a problem?

Where is the data?

How many unsigned amounts over this ended up falling/getting escalated?!

Or is this theoretical fear based on "what if"?

And consequences are reducing liquidity even further!?

@ripcurlx
Copy link

As it seems to be this change needs more discussion going forward please leave a 👍 if bisq-network/bisq#5318 should be reverted for the v1.6.0 release and on master.

@ripcurlx
Copy link

Euro should not be subject to these limits, since SCA as part of PSD2 is being rapidly implemented in the Euro-area with most countries being fully compliant and the rest following in rapid succession: https://okaythis.com/blog/sca-deadlines-across-europe

The consensus within Bisq is that traders are extremely sensitive already to the trading fees (average about 0.4%). One should thus be very cautious to increase the relative mining fees, which in the example of @pazza83 are 4.5-14.5% for new traders even now.

I can confirm that within Austria of the four banks I'm using all of them have 2FA with a mobile app already in place.

@m52go
Copy link
Contributor Author

m52go commented Mar 21, 2021

Nothing about this proposal is theoretical...allowing trades larger than 100 USD without safeguards was a problem in the past which almost crippled the network. I don't remember the exact figures but I believe some of the chargebacks in early 2019 were for smaller 300-400 USD amounts. The result: all new users were barred from buying more than 0.01 BTC at a time for 6+ months of 2019. Talk about rough onboarding.

The fact that a similar sort of crisis hasn't happened yet (in the past couple of months since the BTC price pop) is just a matter of sheer dumb luck.

Ideas to improve the current mechanism should be devised and discussed, but it doesn't make sense to hold off on this change since no firm ideas to improve the status quo are close to being rolled out.

@pazza83
Copy link

pazza83 commented Mar 21, 2021

I see it as a principle that changes should be made through following Bisq's project management process

I think the hast to implement a fix has meant that the process has not been followed as it should have.

I think more discussion is needed regardless of outcome.

@m52go
Copy link
Contributor Author

m52go commented Mar 21, 2021

This topic has been under discussion since January and it's been almost a week here.

It's a matter of network security, and given the risks at hand, I don't think any of the objections so far warrant avoiding this change in the upcoming release. Short-term fluctuations in growth and adoption won't matter if a few bad actors do chargebacks and undermine confidence for all new and prospective users.

Also this is not a project, so that project management process isn't really relevant.

@Conza88
Copy link

Conza88 commented Mar 21, 2021

What payment methods does this effect specifically?

All that require signing?

@m52go
Copy link
Contributor Author

m52go commented Mar 21, 2021

All that require signing?

Yes.

@pazza83
Copy link

pazza83 commented Mar 21, 2021

This topic has been under discussion since January and it's been almost a week here.

Yes, but no consensus was reached on #295 and from my perspective no consensus was reached on this thread. I was surprised when I saw it was being implemented: bisq-network/bisq#5318

I was not aware the process was different for proposals. I assumed a rough consensus would still be needed.

It's a matter of network security, and given the risks at hand, I don't think any of the objections so far warrant avoiding this change in the upcoming release. Short-term fluctuations in growth and adoption won't matter if a few bad actors do chargebacks and undermine confidence for all new and prospective users.

There has to be a balance between network security and accessibility. My thoughts are a 0.0025 BTC limit for all payment methods that require signing pushes this balance too far and has a negative impact on users.

Maybe we should consider which payment methods are more at risk from fraud and decrease their limits rather than apply to all methods that require signing.

@BtcContributor
Copy link

BtcContributor commented Mar 21, 2021

Or maybe we could choose something in the middle between 0.0025 and 0.01.
For example, 0.005 I think it could be a good compromise.

@cocaesprit
Copy link

cocaesprit commented Mar 21, 2021

I don't think limiting trade amount is the solution. After all a signed account states that the peer successfully traded ONE time (at least). To me this doesn't seem like a proper measure of a peer's reliability, a scammer could get signed before and chargeback later.

Limiting trades is a rather unelegant and superficial way to patch the problem. I believe in giving peers the power to choose which users to accept and which not.

Account age and signing status is not a bad idea, I remember entering Bisq the first time and feeling safe trading with a 200+ days-old peer, it just needs to be implemented better since Bisq needs adoption! Limiting trades amount with this kind of fees (and the other problems) will hit everybody.

Maybe educating users and highly discouraging trading at high amounts with unsigned peer is an option.

@sqrrm
Copy link
Member

sqrrm commented Mar 21, 2021

The model put in place a couple of years ago was a hard coded limit at around USD100 in BTC. This risk model hasn't changed and no new consensus has been found so it makes sense to keep this limit until we have a new consensus.

I understand that a lot of new contributors were not around and might not be aware of the previous discussions and past issues with scammers. The result of those discussions is what I as a developer use as guidance until a new consensus is found.

I will also concede that with the ongoing discussions it might have been a bit rushed to just implement and merge this change.

@m52go
Copy link
Contributor Author

m52go commented Mar 21, 2021

Another option, as mentioned in the opening post of this proposal in the "Workarounds" section, is to keep the limit high and make it extra-clear to sellers that offers in the 0.0025 - 0.01 range carry more risk. Ideally this would be accompanied by an option for sellers to specify that their offers only be take-able by signed buyers.

With the above solution, the signing trade amount could be removed entirely, leaving it up to the selling peer to determine how much risk they want to take on.

The problem is -- such a solution, and any other proposal deviating from the fundamental way things are currently done, would require time to develop and test and roll out (in addition to determining consensus for the concept in the first place).

Does the network have this time? Bisq releases tend to be monthly, so we're talking about 1 to 3+ months which means 4,000 to 12,000+ trades that will take place until a better mechanism is put in place. So until then, we leave the status quo? While BTC price continues to moon? Is this smart? I'm not sure.

@cocaesprit
Copy link

cocaesprit commented Mar 21, 2021

Well Bob enters Bisq v1.6.0, sees that the only tx he can take are ~24% up in seller's premium, he then proceeds to deinstall Bisq, forget it and never check it out 3/4 months later.

Then Alice also enters Bisq v1.6.0, sees that the only tx she can take are ~24% up in seller's premium, she's disappointed but proceeds to take the offer, but as soon as she sees the high fees which in proportion to her trade are really high, just gives up and deinstalls Bisq, forget it and never check it out 3/4 months later.

And so I guess that the 3/4 of new possible users reaching Bisq in these 3 months will just go away... in a period where Bitcoin is skyrocketing and interest is never been so high?

I do get the issue here, but it's also not smart to block novice users and traders...

@pazza83
Copy link

pazza83 commented Mar 21, 2021

Does the network have this time? Bisq releases tend to be monthly, so we're talking about 1 to 3+ months which means 4,000 to 12,000+ trades that will take place until a better mechanism is put in place. So until then, we leave the status quo? While BTC price continues to moon? Is this smart? I'm not sure.

Most of the volume for fiat on unsigned accounts go through:

  • SEPA
  • Zelle
  • Revolut

I would argue SEPA is very low risk.
Not sure about Zelle. Do you know what level of risk of chargebacks this has?
Revolut is much higher risk of chargeback due to payments being on the same platform. This is the one I would be most concerned with.

@Conza88
Copy link

Conza88 commented Mar 21, 2021

And so I guess that the 3/4 of new possible users reaching Bisq in these 3 months will just go away... in a period where Bitcoin is skyrocketing and interest is never been so high?

We could see the actual data if: @wallclockbuilder's #320 gets over the line.

@m52go
Copy link
Contributor Author

m52go commented Mar 22, 2021

Zelle is generally low risk but chargebacks are possible...it should still require signing, I think. I believe the past chargebacks were carried out with SEPA and Zelle. Seems like things may be changing soon with SEPA but I'm not aware of any such changes with Zelle.


To add some perspective: payment account security has always been problematic for new user experience. Before account signing was account aging (introduced in late 2017 I think), which required all payment account trade limits to be capped at 0.0625, wait 30 days for limits to be raised to 0.125 BTC, and then 60 days for limits to be raised to 0.25 BTC. This was for all account types, even low-risk ones, and it included seller limits too (!).

Recall that BTC was under 10,000 USD for much of 2018 and 2019, so 99.9% of new users were punished with extremely low limits for the first 1-2 months they used Bisq. UX sucked.

You might be thinking, well 0.0625 BTC @ 10,000 USD is about 625 USD, which is not far from where we are now with a 0.01 limit. Well you'd be right, which is exactly why some scammers took advantage of the aging mechanism and forced the network to impose tougher limits on buying for new users, so signing was introduced, but not before all new users were capped to buying 0.01 of 7 months of 2019. UX really sucked.

Then account signing was introduced, which imposed a 0.01 limit for new users buying with risky payment accounts, which was about 100 USD for most of the time it's been around. The aging mechanism remained in place for non-risky payment accounts. UX sucked even more.

It wasn't until recently that buying and selling limits were removed altogether for non-risky payment account types, and that selling limits were removed altogether for all payment account types.

Why do I say all this? To show that network security has always took precedence over UX. Why trade on Bisq if you can't be confident the trade will go securely? If I were selling on Bisq right now all my offers would be >0.01, no question. Even by being so conservative in the past, the network still got stung. With this background, the need is so clear to me I never expected this to be a contentious proposal.

Will new user growth be hampered? Yes of course. But I'll reiterate that I think it's better to lower limits now and drive for a better solution in the next 1-2 releases than take the chance of something happening and then scrambling to control fallout.

@Conza88
Copy link

Conza88 commented Mar 22, 2021

drive for a better solution in the next 1-2 releases than take the chance of something happening and then scrambling to control fallout.

What does scrambling to control the fallout look like? So bulk chargebacks from scammers? More support tickets? A hot fix attempt to change?

@m52go
Copy link
Contributor Author

m52go commented Mar 22, 2021

If it's anything like last time, I believe trading was blocked altogether for certain high-volume payment methods, then trading for all new risky accounts was limited to 0.01 BTC indefinitely (ended up being ~7 months), and the whole time people were wondering just what the heck was going on.

Bisq trading activity is 2x - 4x what it was in those days. And its public profile is much higher...so the FUD would be that much worse. Also it's precisely these kinds of bad headlines that put projects [even higher] on regulator radars.

What it essentially sounds like you're saying is to just chance the goodwill and reputation Bisq has built over the past 5 years. I think that is highly irresponsible and unwise.

A good thing to do, I think, is recognize this situation as a high near-term project priority, get serious about developing a better concept for payment account security, and implement that concept ASAP. The wrong thing to do, I think, is to shoot down a preventive measure without a plan and just assume everything will be ok.

@Conza88
Copy link

Conza88 commented Mar 22, 2021

Is there any 'compromise' position between the two current takes? An easier thing for all to accept short term, until next release?

@m52go
Copy link
Contributor Author

m52go commented Mar 22, 2021

I would say that if signing limits are not reduced in 1.6.0, there should at the very least be a pop-up displayed on the make-offer screen for sellers clarifying the situation so they can deal accordingly. Maybe a toggle to require that takers for particular offers be signed or unsigned could be added in an upcoming release, which would absolve the need for this signing limit entirely. @sqrrm further details such an approach here.

@BtcContributor proposed making the limit 0.005 instead.

Another possibility, as suggested by @pazza83, could involve reducing the signing trade limit for some payment methods and not others, but I'm not sure if that's technically feasible. In any case, it would further complicate the already-complicated account signing mechanism for users.

@Conza88
Copy link

Conza88 commented Mar 22, 2021

Maybe a toggle to require that takers for particular offers be signed or unsigned could be added in an upcoming release, which would absolve the need for this signing limit entirely. @sqrrm further details such an approach here.

I am continually for allowing choice to users (buyers/sellers), along with the proper education (UX) to assist in that decision making process. What the risk/rewards are, so no-one can claim to be uninformed. Whether that's informative "(i)" hover overs, or links to wiki pages.

(1) So very much on board with ability for makers to toggle whether signed or unsigned can accept their trades. Trade off between more liquidity, and less essentially.

If there was a way for it to be like editing a trade, and it's not permanent when the trade is made - that would work better e.g. I make it so signed only (no-one takes, then I go screw it - want to allow unsigned as well).

(2) Don't like the sound of more complexity etc. And think the longer term solution is as above, remove limits and allow traders the choice with informed info.

(3) Short term interim, would prefer the 'compromise' 0.005 instead of what is currently intended. If any issues arise, I think hot fix should be working towards above longer term changes. Goal should always be: how do we have to never deal with this again.

@m52go
Copy link
Contributor Author

m52go commented Mar 22, 2021

Short term interim, would prefer the 'compromise' 0.005 instead of what is currently intended. If any issues arise, I think hot fix should be working towards above longer term changes. Goal should always be: how do we have to never deal with this again.

Totally agree with last part -- this is something we should work toward never encountering again.

But I would be cautious about settling on a compromised reduced limit:

  • As it is, reducing this signing trade limit is a rather disruptive change that will need to be rolled out over a span of 2 releases. Is it worth the hassle if limits could still cause trouble?
  • Users would need to be re-educated about what the new limit means and how to handle it (not easy since account signing is already a convoluted topic). Is it worth the effort if the signing limit will be removed soon anyway?

Part of the initial reason for this proposal (and my desire to get it in 1.6.0) was a gut feeling that a better signing mechanism wouldn't be feasible to roll out in the short-term. It was really hard to get what we currently have conceptualized and built, and alternative approaches never materialized, so the odds of doing it now off-the-cuff seemed rather slim.

But if we can be confident that the account signing changes in this discussion can be made in the short-term, such that the signing trade limit can be removed entirely in the next 1-2 months, it might be more advisable to just do a pop-up now and leave the limits as they are.

@Conza88
Copy link

Conza88 commented Mar 22, 2021

But I would be cautious about settling on a compromised reduced limit:

  • As it is, reducing this signing trade limit is a rather disruptive change that will need to be rolled out over a span of 2 releases. Is it worth the hassle if limits could still cause trouble?
  • Users would need to be re-educated about what the new limit means and how to handle it (not easy since account signing is already a convoluted topic). Is it worth the effort if the signing limit will be removed soon anyway?

Good points. Geezus, that's drawn out. Especially around re-education, and when signing limit will be removed anyway (ideally)...
The signal to market/impression would be "wtf is going on?' 'one week this, next week that... ugh!"

Part of the initial reason for this proposal (and my desire to get it in 1.6.0) was a gut feeling that a better signing mechanism wouldn't be feasible to roll out in the short-term. It was really hard to get what we currently have conceptualized and built, and alternative approaches never materialized, so the odds of doing it now off-the-cuff seemed rather slim.

That's fair enough.

But if we can be confident that the account signing changes in this discussion can be made in the short-term, such that the signing trade limit can be removed entirely in the next 1-2 months, it might be more advisable to just do a pop-up now and leave the limits as they are.

Yep, definitely onboard with that. Pop-up or altered gives knowledge about risk/circumstance etc. awareness for those accepting risk. And limits as is, doesn't inhibit introduction of new onboarding users etc.

I guess feedback on feasibility of that taking place in next few months?

@m52go
Copy link
Contributor Author

m52go commented Mar 22, 2021

Especially around re-education, and when signing limit will be removed anyway (ideally)...
The signal to market/impression would be "wtf is going on?' 'one week this, next week that... ugh!"

Exactly, would be best to avoid such friction points, or at least consolidate them as much as possible.

I guess feedback on feasibility of that taking place in next few months?

Yes I think feedback from developers @sqrrm @jmacxx and others would be important to get an idea of if/how this could happen.

@ripcurlx
Copy link

Zelle is generally low risk but chargebacks are possible...it should still require signing, I think. I believe the past chargebacks were carried out with SEPA and Zelle. Seems like things may be changing soon with SEPA but I'm not aware of any such changes with Zelle.

As SEPA is our biggest "signed account" market and most of the EU countries will follow suit in providing 2FA (non-sms) by end of March, except UK (> 14th Sept), Belgium (> 18th May), Ireland (>1st July), Switzerland (> 15th Sept), we could remove the signing limitations for SEPA, SEPA Instant, National Bank, Same Bank and Specific Bank with release (v1.6.1) on a country basis. So signing will only be required for Zelle, Interac, Revolut, Chase Quick Pay, Popmoney, Moneybeam, Uphold and SEPA & SEPA Instant for countries that haven't implemented SCA requirements yet (current new final deadline is 14th of Sept 2021 https://www.fca.org.uk/news/statements/strong-customer-authentication-and-coronavirus).

Please 👍 if you think we should remove signed account limitations for countries that implemented SCA.

@ripcurlx
Copy link

As I'm about to merge the revert of the "Lower tolerated small amount". @m52go Could you please come up with a text for the case someone is making a sell offer <= 0.01 BTC or when taking a buy offer <= 0.01 BTC of an unsigned account?

@jmacxx Would you have time to implement those popups for the v1.6.0 release?

@pazza83
Copy link

pazza83 commented Mar 23, 2021

I think a long term solution is needed.

When limits were set at 100 USD mining fees as a percentage to BTC trade amount where a lot lower.

From my perspective an initial 0.0025 max limit seems low for unsigned accounts when accounts that do not require signing can trade immediately at 0.25 BTC levels. This is a 100 fold increase. To me this seem disproportionate.

If we do nothing and BTC price doubles in 6 months the limits for unsigned accounts would be closer to 1000 USD.

If we reduce the max trade amount for unsigned accounts to 0.0025 BTC and BTC price doubles in 6 months (and mining fees stay the same or rise) the premium to buy 0.0025 BTC could rise to 50-70%.

Neither of the above options is good, but one or the other is a likely scenario.

Buyers are sensitive to price premiums. 50-70% premiums would lead to a minority of new users trading with signed accounts.

If signing is needed for accounts where there is a higher risk of chargeback we should reconsider their inclusion in Bisq, or only allow trading with them if the users are made aware of the possible risks.

Proposals to reduce network fees will really help but they might not arrive before BTC prices force one of the above scenarios.

@m52go
Copy link
Contributor Author

m52go commented Mar 23, 2021

Yes, this proposal is more intended of a stop-gap measure for the immediate future. I think the worst thing that could have been done for the 1.6.0 release is nothing.

Preventing fraud is a pretty hard problem for billion-dollar companies with tons of information, so for a fledgling peer-to-peer network predicated on privacy, I think account signing has worked rather well so far. But you're certainly right that it's not a very sustainable way forward, at least as it works right now, and I agree with everything you said.

@pazza83
Copy link

pazza83 commented Mar 28, 2021

@m52go

How about considering other ways to decrease fraud rather than lowering trade sizes.

Would it be possible to add into the protocol a 7 day period where the seller can wait before releasing funds to buyer to ensure no chargebacks etc.

This waiting period prior to singing would protect the seller from any chargebacks and buyer would still get their BTC as the agreed price albeit with a 7 day wait.

I would imagine most cases of fraud are discovered and actioned by banks / account holders within a 7 day day period.

@m52go
Copy link
Contributor Author

m52go commented Mar 29, 2021

@pazza83 I remember you proposing the idea of a longer trade period for signing trades on Keybase last week...I think it's a nice solution, in theory. I'm not sure 7 days is long enough, but however long the period is, the prospect of locking BTC for several days will probably be unattractive for both parties (especially buyers).

Still, time really is the key to proving integrity in a transaction facilitated by a single payment method, so it sounds worth exploring to me. I wonder if there is some creative approach to mitigating the downsides...such that buyers aren't scared away from having BTC locked for so long, and sellers are sufficiently motivated to make offers with reasonable premiums to justify having their deposits locked for so long.

@pazza83
Copy link

pazza83 commented Apr 2, 2021

Please 👍 if you think we should remove signed account limitations for countries that implemented SCA.

This seems to be agreed. Are any devs able to implement this? @ripcurlx would you like me to create a separate issue for this request?

@sqrrm
Copy link
Member

sqrrm commented Apr 5, 2021

@pazza83 please open a separate issue, under bisq-network/bisq to track this to avoid muddling the discussion in this issue.

@pazza83
Copy link

pazza83 commented May 16, 2021

@pazza83 please open a separate issue, under bisq-network/bisq to track this to avoid muddling the discussion in this issue.

After reviewing this and considering the comments from @RefundAgent:

Euro should not be subject to these limits, since SCA as part of PSD2 is being rapidly implemented in the Euro-area with most countries being fully compliant and the rest following in rapid succession: https://okaythis.com/blog/sca-deadlines-across-europe

I think it is not appropriate to remove Signing Requirements for SEPA.

SEPA chargebacks would still be an issue. SEPA payment scheme has provision for 'Request for Recall" for multiple reasons. More information can be found here:

EPC135-18 v2.0 Guidance on Reason Codes for SCT R-transactions.pdf

The fact that a request for recall exists means that change backs are a risk and therefore all SEPA payment methods should keep there account signing requirements.

@pazza83 pazza83 closed this as completed May 16, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

10 participants