Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implementation of protection tools: strengthening Account Age by requiring payments from 2 Bank Accounts #93

Closed
m52go opened this issue May 21, 2019 · 85 comments
Assignees

Comments

@m52go
Copy link
Contributor

m52go commented May 21, 2019

This is a Bisq Network proposal. Please familiarize yourself with the submission and review process.

This proposal is designed to protect users against scammers using stolen bank accounts. To protect against scammers using stolen identities and money launderers, we are evaluating the idea of adding another step in the trading process where a buyer can assure the seller using various verification mechanisms (like those in #83) before the sellers' payment details are ever shown to the buyer. As this change would require more considerable development work, we leave it out of this proposal.

We strongly believe P2P chat is a critical part of achieving protection against both types of scams, so we highly recommend implementing that as soon as possible—details below.

Introduction

This is a proposal for trade protection mechanisms from @mpolavieja and myself, and as it is the number 1 development priority outlined in #91 by @ManfredKarrer, we would like to discuss it with the community before writing a tech spec.

We tried to integrate the most robust ideas from previous proposals #77, #78, and #83, and leave some of the more significant mechanisms for future implementation (see note above).

As we think it is important to move forward quickly, if you clearly don’t approve this approach please just down-vote it and write a short comment on why you don’t like it, we kindly ask not to propose alternatives within the comments for this proposal (please submit a different proposal). If you like the core idea of this approach but you want to suggest improvements, changes or corrections, please comment.

Goal

The goal of this proposal is to strengthen the account age concept, as it has been already proven that it does not deter scammers as it was initially expected. Keeping it unchanged would be irresponsible so we have to either downgrade it to a local scope parameter or strengthen it if we want to maintain its network (global) scope.

The strengthening is based on the very basic concept that payment accounts would begin to age only if certain conditions are fulfilled. These additional conditions should not be interpreted as a reputation system. They are just about account age, and despite the added conditions, account age will still mean just that: Account Age, and nothing more. As such, it is not any bullet-proof protection mechanism, so due diligence of each trading peer will still always be required.

Moreover, this protection measure is fully compatible with other local/P2P protection developments, such as not revealing seller payment account data to the buyer until the seller has somehow verified the buyer (see proposals #90, #83 and #79), negative reputation system (see #27) or a LinkedIn-like relationship (see @flix1's proposals, like here).

Assumptions

  • New users are incentivized to trigger their account age above zero, so they can enjoy higher trading limits.

  • It is unlikely that a scammer manages to control two different bank accounts from different banks from the user.

  • This proposal does not provide prevention measures from a scammer stealing or buying IDs and opening several bank accounts, following the rules and doing real fiat trades in order to gain account age and become a user that can trigger account age for other users. However, this proposal provides a procedure to immediately abort corruption of the account age parameter once the illicit activity is detected.

UX impact overview

Most trades would not be affected at all by this implementation. For new users there is a one-off UX drawback. With respect to the current UX experience this implementation would involve the following changes on UX/UI:

  • A new user would need to set up 2 accounts and point to a secondary bank account within his main account configuration, if he wants his limits to go up.

  • A new user would have to understand that he needs to make a trade with an old user in order to begin to gain higher trading limits.

  • Old users need to understand that when a new user wants to trigger their account age with them, the payment is split in two and they have to verify both payments (same name, different banks).

  • Once it is triggered, the account age parameter would work the same way is working now from UX pov (we need to internally handle a subtle exception for accounts created between 1-March-2019 and the date this implementation is deployed)

A procedure for banning and blacklisting users needs to be implemented. The UX of this procedure is similar to that of current disputes with arbitrators.

Implementation overview

This implementation applies to all bank account payment methods and it is based on payment accounts beginning to age only if certain conditions are fulfilled. For this purpose we need users that perform the role of “age triggering”. For a payment account to become age triggering for other accounts is just a matter of time and not being banned (i.e. not being accused of scamming). Users don’t have to learn or understand how their payment accounts achieve that status. It is a passive role. It is new users who are incentivized to reach them.

This proposal could be improved by optionally offering different conditions to trigger account age, or by additionally requiring more conditions to trigger account age. Ideally, those additional conditions should be verifiable by third parties. As a first step, we strongly believe that the trader P2P chat should be implemented along with this proposal so sellers can freely decide how to verify users, and that would be a really helpful feedback on what verification methods should we implement.

Account age would be calculated and displayed individually for each payment account, but when a payment account is banned, all “brother” fiat payment methods from the parent onion address will be also banned.

A bootstrapping procedure to enable a curated list of triggering users could be done, but it is not completely necessary as we could assume users older than 1-March-2019 as triggering users. If something goes wrong, the banning procedure should kick in.

All the terms used in this proposal are technical terms (triggering user, triggering account age, etc) in order to be as specific as possible. Those terms are not necessarily intended to be used for the UI.

Account age calculation procedure

When enforcing the trading limits or interacting with any trading peer, the Bisq client would check the following:

  • The onion address of the peer is not banned.
  • The onion address of the peer´s triggering user is not in the blacklist
  • The user is older than 1-March-2019 or the user carries Triggering User witness data that fulfills the necessary age conditions (i.e. older than 1-March-2019 or greater than 6 months from 1-Sept-2019).

If all of the above are fulfilled, the account age of the peer is calculated by verifying the witness data of the peer (witness data would also include the necessary data from the triggering user).

If any of the above conditions is not fulfilled the account age of the trading peer would return 0. Note that if the onion address of the triggering user is in the blacklist, all its “sons” (“brothers” and “cousins” from the alleged scammer account) are automatically under suspicion and de facto included in the blacklist.

Account age triggering procedure

The following prerequisites are needed:

  • An option should be added to payment accounts to select a secondary payment account from the other accounts configured by the user. The name and last name must be the same for the two payments methods and Banks must be different. This would be an “age triggering account”.

  • The buyer must use a “triggering account” if he wants his account age to be triggered.

Unlike it is implemented now, account age of risky fiat payment methods would remain at 0 until the user conducts a trade as a BTC buyer with fiat that fulfills the following:

  1. The buyer is not banned.
  2. Seller’s account is not banned (it wouldn’t even be shown as old for the buyer).
  3. Seller’s account has not reached its maximum of triggered payment accounts.
  4. Triggering User of the seller account is not in the blacklist
  5. Seller’s account age is older than 1-March-2019. From 1-Sept-2019 we would require the seller to be older than 1-March-2019 OR more than 6 months old and having successfully overcome this procedure.
  6. The seller is instructed that the payment is coming from 2 different accounts and that he should not confirm until he receives the 2 payments.
  7. The verification of names and different banks would be manually performed by the seller.
  8. The seller finally confirms the payments.

If all the above are fulfilled, the account age witness of the buyer would be generated using both the private key of the buyer and the seller and including the account age witness of the seller (from now on Triggering User).

If the buyer was in the blacklist as a suspicious “cousin” and he successfully overcomes the above procedure, he will be removed from the blacklist. However, for these cases the seller could require more details from the buyer, the P2P chat for traders would be very helpful here.

To avoid strong disruption on the network (i.e. too many “cousins” being suspicious), each triggering payment account can trigger account age for a maximum of 3 new payment accounts. A maximum of 1 per week (if it is possible to implement)

We suggest a longer time limit of 21 days for this type of initial trades, so the seller can gain a bit more comfort that if chargeback occurs at least he is not going to lose his BTC and the victim will recover his money. This could be lowered in the future if additional verification methods are added.

Blacklisting and Banning Procedures

As stated in the Introduction section, the account age parameter is not bullet-proof so we cannot implement this proposal without a blacklisting procedure. This procedure is a must.

Arbitrators would manage a ban list for permanent bans and a blacklist for suspicious triggering users. In the future blacklisting could be done without arbitrators as well.

For now, the procedure would be as follows:

  • The seller selects the conflictive trade and clicks the dispute button to initiate the procedure. Now the dispute option has to be also enabled for settled trades.

  • The user explains to the arbitrator, and if the arbitrator thinks the complaint is legit, he asks the buyer to send back the BTC if he has received the money back.

  • If the buyer does not respond, or if his answers are suspicious, then the arbitrator includes the onion address of the buyer in the ban list so he cannot trade anymore. The onion address of triggering user of the buyer is included in the blacklist so he cannot trigger account age for any new user. If the triggering user was already in the blacklist, then he would be totally banned from all activity.

  • By including the triggering user, all “cousin” payment accounts are de facto temporarily blacklisted so they need to overcome a new age triggering process to get removed from the blacklist.

As a general rule, the banning / blacklisting procedure has to be categorical. The arbitrator shall not hesitate to ban the buyer if the seller provides enough proof of the chargeback. Only if the arbitrator suspects that the seller tries to unfairly slander the buyer he should refrain from banning. Internal guidelines for the arbitrators will be prepared.

@m52go
Copy link
Contributor Author

m52go commented May 21, 2019

Given the number of proposals now out for protection mechanisms, should we have a call to discuss where we stand, and what this particular one is all about? I can see it being confusing for people to provide feedback just as it is.

How about next Tuesday, 28 May? Time TBD but would have to be at or before 5pm CET.

Feel free to read through this proposal, ask questions, etc. and we can talk through everything then to determine a way forward.

@mpolavieja
Copy link

mpolavieja commented May 21, 2019

Next tuesday at 5 PM is ok with me.

  • This proposal does not provide prevention measures from a scammer stealing or buying IDs and opening several bank accounts, following the rules and doing real fiat trades in order to gain account age and become a user that can trigger account age for other users. However, this proposal provides a procedure to immediately abort corruption of the account age parameter once the illicit activity is detected.

This assumption is subject to the idea of adding a pre-trade step where the buyer and the seller can communicate through the p2p chat, which would help fighting stolen/bought IDs and money launderers

@sqrrm
Copy link
Member

sqrrm commented May 21, 2019

Over all I approve. I think focusing on getting this done makes sense and perhaps continue other discussions on other features in parallel.

I find the 'Account age calculation procedure' section rather difficult to understand, if it's possible to simplify it that would be a good thing.

The whole banning concept relies on someone having the ability to trigger bans. It would be nice to be able to not have such a single point of authority, but it's hard to see how decentralizing this decision would work considering the urgent time frame of stopping an account from continues scamming. The bans would mainly be on account(agewitsesses) rather than onion addresses I assume since it's possible to move accounts between onion addresses.

A graph to explain who is considered suspicious or not might help to clarify the intricate relationships between scamming brothers, parents and cousins. Such a mischievous family.

@mpolavieja
Copy link

mpolavieja commented May 21, 2019

'Account age calculation procedure' section rather difficult to understand

That´s because it is written having edge cases in mind and thinking from the point of view of the Bisq client that has to verify everything by itself. This procedure basically means that payment accounts only begin to age from the date when an old enough user has confirmed a trade with 2 payments from different banks.

The whole banning concept relies on someone having the ability to trigger bans.It would be nice to be able to not have such a single point of authority

Fully agree. Steve and I initially thought of proposing a decentralized system. We have worked through it quite in depth and we think it is certainly possible but it would be much longer to implement and since it would be based on bonding BSQ we thought to better leave it out and wait until the trading protocol also upgrades.

The mischievous family :

image

  • When a chargeback occurs in a payment account, all payment accounts of that user (“brother” accounts) are permanently banned

  • The payment accounts triggered by the same Triggering User (“cousin” accounts) are temporarily blacklisted and need to verify again

@flix1
Copy link
Member

flix1 commented May 22, 2019

Agree with having a call to discuss all proposals. Next tuesday at 5 PM is ok.

My main concerns with this as with similar proposals are:

1. Don't break what does work to fix what doesn't.
If 99.9% of trades so far have been honest... don't make all of them more difficult or block new users to prevent 0.1% of scams.

2. Keep it voluntary.
Don't assume that changes will work as intended. Consider the possibility of being wrong. Add it as an optional feature that people will voluntarily use if it adds value and ignore it if it does not work.

3. Don't ignore impact on UX and onboarding.
Scalability matters. Bisq as it is right now is no more than a beta. We need to plan for Bisq with 1000x more users. If onboarding takes weeks it will never scale.

4. KEEP IT SIMPLE!
If it takes more than 5 minutes to explain to users how it works and what it does... it will go to that special place in hell reserved for overengineered features.

Many of these mechanisms could even be built on top of Bisq instead of in Bisq.
For example for #90 you can go to a lot of trouble to integrate direct chat... or just include a field for an e-mail address in the contract...

@mpolavieja
Copy link

mpolavieja commented May 22, 2019

  1. Keep it voluntary.

A way to keep it voluntary would be to keep internally the current account age for trading limits (or maybe allowing to gain just one step after one month). But the account age shown to other users would work as suggested in this proposal. So it would be up to the other users the decision to trade or not with 0 account age users. Again direct communication between traders would be very interesting here as an old user could be comfortable to trade with a 0 account user if both privately agree for whatever reasons (for example local whitelisting methods when implemented).

If 99.9% of trades so far have been honest....

My view on that is that there is a high chance that scammers are not coming to Bisq because of low liquidity. And unfortunately the harm of just a few dishonest trades, even if just every once in a while, could be very big.

The good thing of your suggestion of implementing the measures proposed here as optional, is that if we keep for long enough, we might have a reasonable feedback of what works and what doesn't work.

@mpolavieja
Copy link

mpolavieja commented May 22, 2019

Regarding the banning procedure, I strongly believe it should be implemented in any case. Now with arbitrators and in the future decentralized once arbitrators are gone. @flix1, what´s your opinion on this?

@flix1
Copy link
Member

flix1 commented May 22, 2019

Regarding the banning procedure, I think it should be implemented in any case. Now with arbitrators and in the future decentralized once arbitrators are gone.

I prefer decentralized solutions such as p2p blacklists to banning. However banning is simpler and as long as we have arbitrators it makes more sense. So I agree with banning for now.

However when arbitrators are gone it will be too dangerous to have a centralized authority (DAO role?) with the power to ban users. It would be an obvious single point of attack for any regulator that wants to impose censorship.

It would also be dangerous to allow users to report/ban as this mechanism creates perverse incentives in a competitive market. A user who wants to corner a market could easily game this feature.

So long term we need to come up with something better.

Researching cell systems is probably a good start:
https://en.m.wikipedia.org/wiki/Clandestine_cell_system
https://en.m.wikipedia.org/wiki/Cellular_organizational_structure

@mpolavieja
Copy link

mpolavieja commented May 22, 2019

A user who wants to corner a market could easily game this feature

The basic idea is that the BTC buyer could defend by challenging the seller through a predefined trade with highest possible security deposits (or with BSQ bonding), and involving a randomly selected triggering user. The accusation would put the Buyer on a temporary blacklist which would downgrade its account age to 0. If the buyer is able to make the 2 payments again, he would be removed from the blacklist (the Seller would lose the bond if applicable). If the buyer fails to overcome the challenge, he would lose the security deposit / bond and would be permanentely banned. The seller could have his account age rejected to 0 or even be banned if his accusations are succesfully challenged more than 1 or 2 times. The DAO wouldn't be involved.

This is the very basic concept. The full idea deals with quite a few nuances and edge cases.

But since this proposal is already difficult, I suggest to discuss this after a decission on this proposal is made, or in a separate thread if you agree.

@m52go
Copy link
Contributor Author

m52go commented May 22, 2019

We forgot to include that the arbitrator would always ask the accused to return the BTC if he has received the money back.

@mpolavieja are you referring to this? I think it might already be in the proposal in the "Blacklisting and Banning Procedures" section:

The user explains to the arbitrator, and if the arbitrator thinks the complaint is legit, he asks the buyer to send back the BTC if he has received the money back.

@cadayton
Copy link

My bank is very curious about my transactions using Zelle. On just about every trade I'm get called asking what the transaction was for. I have a dedicated bank that I only use for Bisq. With the new account age process, it looks like I'll need to go shopping for another bank and payment type. My fear is the bank(s) will get wise to what I'm doing and suspend the account. If I have to establish a new bank account then, I'm back to square one with the accounting aging process. I bet you can read my mind if this ever happens.

The bonding process sounds good to me. I'd more willing to put my BTC/BSQ at risk if I don't honestly complete the trade contract. The bonding process would be less headache for the end user than that which is being proposed.

I'm finding it difficult to trust Bisq to be there when I need it to conduct trading. There always some weird issue that comes up that is blocking for one reason another at the perfectly wrong time. It is not always a Bisq issue that is getting in the way. I'm just saying this so know my experience and that you don't forget to put on your customer shoes and look at the solution from a customer who wants to use Bisq for active trading (not Hodling). Bisq is still the best P2P solution, it just needs to attractive more active traders.

@ghost
Copy link

ghost commented May 23, 2019

The fiat banking system is treating its users like childs and burglars, with tons of regulation/protection/limits/delays etc. With bankers experts knowing better than users what is good for them and what is not good for them.
Some people which are annoyed being treated this way try to escape and go in the crypto world. Because crypto world should be free etc.
And there, guess what, we are frenetically rebuilding a carbon-copy micro-banking system will all kind of protections/limits/delays etc, where users will also be exactly treated as childs and burglars. And where we, experts, have plenty of ideas about what is good/not good for them.
Because of 1 or 2 scammers, every user will be asked 2 proof of accounts.
Because of 1 or 2 scammers, every user will be treated as a child and will have super small trading limits (which increase dramatically the fee ratio (which not even profits to Bisq), which increase the number of moves and alerts the banks, etc).
This Lépine contest of measures is in fact a usability killer contest.
There is no measure without side effects, that simply does not exist. Sometimes cascading.
Our fiat/crypto users will die cured.

I monitor the EUR/BTC, USD/BTC numbers daily. Everybody participating to this discussion should do that. The decrease is really worrisome. We are really hurting hard our poor customers and of course some go away.
Instead of knocking out our customers under a pile of measures we should stop forgetting the initial way people search with crypto : freedom + responsability.
Offering them the exact reverse is completely missing our core target. Crypto customer profile is a guy searching for a place to trade conveniently, freely, with privacy, at very first. He is not searching for a mother to take him by the hand or bury him under her petticoats. Customers searching for that have it already with the existing banking system.
We'll alas probably pay it and see it in the numbers.
Bisq profitability with fiat/crypto trading is an horizon that we ourselves methodically push further every day.

@mpolavieja
Copy link

mpolavieja commented May 23, 2019

You could say the exact same thing about any software or service that enforces 2FA / multisig. We must not confuse basic security standards with KYC. This proposal is about 2FA, and if possible it will be implemented as optional, so we will see if users use it or not.

@flix1
Copy link
Member

flix1 commented May 23, 2019

This Lépine contest of measures is in fact a usability killer contest.

I monitor the EUR/BTC, USD/BTC numbers daily. Everybody participating to this discussion should do that. The decrease is really worrisome.

Instead of knocking out our customers under a pile of measures we should stop forgetting the initial way people search with crypto : freedom + responsability.

@HarryMacfinned I agree with a lot of what you are saying. We should not be making decisions for users like a company or bank. That's the whole point of being decentralized.

Our role should be to build tools that allow users to protect themselves. Not to be in charge of protecting them.

@mpolavieja
Copy link

mpolavieja commented May 23, 2019

With the new account age process, it looks like I'll need to go shopping for another bank and payment type

@cadayton It could be an overkill to set up a new account just for making the first secondary initial payment. It shouldn't be a problem to use any other bank account you already have to make that one single payment. Unless you want to use that secondary account as a Bisq back-up in case your bank closes your main account for whatever reason. The secondary account would age the same than the main account so you could keep trading with the same limits with the secondary account.

Furthermore, at the beginning of the proposal it is suggested to introduce a pre-trade step where users could freely and privately agree on how they want to conduct the trade (not necessarily requiring a second bank account). However, the technical feasibility of adding pre-trade step needs to be assessed carefully as it could be rather complex.

@mpolavieja
Copy link

mpolavieja commented May 23, 2019

And as a more general comment, regarding the UX of having a network level account age parameter, I think that if we don´t have that (or what we have is not reliable enough) we all agree that a decentralized local whitelisting should be implemented. Comparing those two alternatives it is not clear at all that the decentralizaed UX is better as you would have to repeat whatever process you deem necessary with every single new trader and it could lead to fragmented and siloed liquidity.

The account age procedure suggested here is just a one-off hassle, so it is probably more balanced towards UX than to security than the fully decentralized approach.

Our role should be to build tools that allow users to protect themselves. Not to be in charge of protecting them.

Ok @flix1, but we should be careful not to annoy users with too many options. Users come to Bisq to trade not to figure out security. As an example think about the simplicity of hardware wallets vs. the complexity of glacier. Because as for now Bisq is not only a protocol but also a front/end UI, we need to find a balance between "HW approach" and "Glacier approach" (i.e. a balance between UX and security).

@sqrrm
Copy link
Member

sqrrm commented May 23, 2019

I like having this as an option among other protection tools. For a normal user that wants to just buy some BTC and don't care about continuous trading this could be an easy way in with limited risk of having their bank accounts closed or otherwise bothered by their masters.

For those that don't have multiple bank accounts or have other limitations we should think of other methods as well. Using BSQ bonds is a really neat thought but I think it's still too early for that.

In case I'm wrong and we decide to add BSQ bonding as a way to perform the initial trade there are quite some work to be done. We have already thought a bit about using bonding as a trade protocol, it's rather complicated and I'm convinced it's too early for that now. For just one trade it would be more feasible, but the bond would still have to be locked up for at least 1.5 DAO cycles (1.5 months) to allow time for it to be confiscated. Perhaps this could be a way to towards the bonded trade protocol.

@mpolavieja
Copy link

mpolavieja commented May 23, 2019

I think that BSQ bonding is a great idea but as you say BSQ and the DAO are not mature enough and bonding BSQ is also a barrier of entry for onboarding UX, which is one the main drawbacks also raised for this proposal. Moreover, involving the DAO on confiscating as a standard procedure sounds to me as an extremely difficult decision to make.

So if we want to move forward and unlock the current situation with the trading limits, I suggest to focus the discussion on approving, modifying or rejecting this proposal.

In that respect, should we first make a final decission on finally approving the priorities proposed at #91?

@m52go
Copy link
Contributor Author

m52go commented May 23, 2019

And as a more general comment, regarding the UX of having a network level account age parameter, I think that if we don´t have that (or what we have is not reliable enough) we all agree that a decentralized local whitelisting should be implemented. Comparing those two alternatives it is not clear at all that the decentralizaed UX is better as you would have to repeat whatever process you deem necessary with every single new trader and it could lead to fragmented and siloed liquidity.

This, in my mind, is the critical decision we will need to collectively make: peer-to-peer with repetition or network-wide with convenience.

[I scheduled a call to discuss this stuff for Tuesday at 17 CET: https://github.com/bisq-network/growth/issues/132]

At this point, I think we've got adequate ideas that indicate how each one would practically turn out for users.

To address cadayton's points: if we stick with the network-wide approach proposed here, perhaps we broaden the measures required to start account aging to some of those included in #83 (particularly method 2, which I just updated to not require PGP anymore) so users aren't required to open/use a second bank account.

@m52go
Copy link
Contributor Author

m52go commented May 23, 2019

Another piece in this puzzle I think we should consider is payment methods themselves. Remember that cash-based payment methods will not require any of this mess.

Maybe we should consider adding new payment methods:

  1. bank wires (no chargeback risk, can be done online, compatible with verification methods including street address which can be very strong)
  2. online gift cards (cursory research indicates these can be purchased online and delivered by email...buyer could prove purchase with TLSNotary; doesn't seem like chargebacks would be an issue)
  3. cashier's checks (buyer doesn't lose money if check doesn't reach seller, unlike money order; downside is you have to send these in-person)

(2) is particularly interesting as it seems almost as good as cash, provable, and relatively quick/convenient...it may be able to get by without any onerous requirements.

Note that I haven't thoroughly researched any of the items above...I guess my point here is that the proposed measures (in some form) may be necessary for the payment methods they're intended for. Perhaps new payment methods can get by without needing them.

@mpolavieja
Copy link

mpolavieja commented May 23, 2019

Overall, we need to find a balance between on-boarding UX and protecting already on-board traders, specially active traders. Active traders are both the strength and the Achilles heel of Bisq. Active users are the ones that have a huge chance of getting hit by scammers.

If we get a scammer every once in a while, it will most likely hit active traders who always post offers, so only a few scamming events would lead to lose a lot of liquidity if active trader's accounts are slowly but relentlessly getting closed. Moreover, as active traders are very easy to spot by banks, even if the account of the active trader is not closed, all the accounts that have traded with him from the same sender bank of the scammer are at high risk of being closed (this has already happened with some banks).

Users that initially join with the clear idea of active trading might be careful since the beginning. But users that become active without planning might be risky if Bisq does not easily take them through a secure path, specially considering that most Bisq users are honest which might very easily lead to relax security as most trades are settled without any problem at all.

@mpolavieja
Copy link

mpolavieja commented May 24, 2019

Regarding optionality and the pre-trade stage this is another possibility:

  • Bisq could enforce the highest possible security deposit for the buyer on buy offers posted by zero age payment accounts.
  • When trading with zero age accounts, the Seller Triggering Account would be exempt from trading fees (shouldn´t we incentivize a little bit the process of triggering?)

Then, the Seller Triggering Account could require zero age account buyers one of the following:

  1. Nothing, the account age of the buyer would be triggered by confirming a normal payment. But for allowing this, we should enforce some delay for the BTC release for trades with zero age buyers (see below) and limit the number of trades that new accounts can do during the first month.
  2. To choose a 2FA verification method before the trade. Buyer would have to select an option from a closed list. In order to select the 2 bank payment option buyer must have the appropriate account configuration. The chosen verification method of the buyer would be part of the trading contract. If the buyer pays but does not verify as agreed, the seller should return the money and open a dispute.
  3. Not accepting to trade at all with buyers whose age account is below X days (X could range between 0 and 180 days, setting it to 1 would only exclude 0 age accounts).

Option 3 is important for very active traders or market makers. Bisq's liquidity network needs those type of users to be very careful from whom they receive bank payments.

For Option 1 it would be best to enable a delay for releasing the BTC such as the following proposed by @ManfredKarrer in #77:

Maybe there is still a way to add the payout delay without big effort:
To use the timelock function on the tx level again (as it was in earlier trade protocol) but to make it more simple so that it does not require an extra handshake cycle. It still would be a kind of hard fork but maybe we find some way to mitigate that to cause less harm.
Idea is to just add the timelock in case the buyer is considered risky. Based on the risk level the timelck can be defined from 0 blocks to 4300 blocks (about 1 month). It can be determined at take offer time and without haveing thought in depth about it I do not see a big problem in implementing that. Usability would be the same, just require an info that the btc are released but not usable until the timelock is over. Hope it would not turn out as well in too much UX confusion when looking deeper....

@angkorfilms
Copy link

angkorfilms commented May 28, 2019

Agree with most of the comments...

  1. Keep it simple and clean (minimalist)... unless you want Bisq to be a programmer-only platform.
  2. Keep it decentralized. What's the point of having this great technology by Satoshi yet going against it with a centralized authority to ban/blacklist users? Let users themselves be the ones protecting themselves, just give them the tools to do it. I don't think LocalBitcoins is perfect, but it's pretty simple and user-friendly... not to mention intuitive. I'd suggest taking a lot of its features (specially when it comes to trust) as references.
  3. 2FA... totally.
  4. The biggest issue for "Onboarding" even if you have the greatest marketing of all times is, so far, Trust. There is no clear way to trust users. mpolavieja said "99,9% of Bisq users are honest and all trades settled rather quickly"... oh well, easier said than trusted. If I'm not wrong, the user base is still tiny. Again, not as a programmer, just as the regular user I am, I find it very difficult to start a transaction on Bisq, because I have no idea whether the trader I end up choosing will run away with my money after it's sent. Showing the user's age, transaction history (anonymously), comments and ratings by other users would definitely make a difference. You do business with someone for three reasons: a) you know the person b) you know someone who knows the person (referral) or c) you just want to take the risk (e.g. going into a new restaurant you've never been to or heard of before).

@reipichu
Copy link

3. cashier's checks (buyer doesn't lose money if check doesn't reach seller, unlike money order; downside is you have to send these in-person)

In my country, cashier's checks are treated exactly like paper money. If you lose them then you lose the money. The withdrawal from the account is made immediately upon requesting the check from the teller. Just FYI.

@ripcurlx
Copy link

If we are not going to use the icon to represent other things such as 2 account verification, I agree with Steve that the clock icon is best suited as it objectively represents the idea of account age, leaving trust to the interpretation of the user. Maybe not as UI friendly but it is more neutral and less slippery from a "legal" point of view.

The problem with the clock icon is, that we want to communicate three states with it:

  • account is signed
  • account is signed and limits where lifted
  • account is signed and can sign other accounts

This states are not always connect to time (only for our first account signing implementation), but also depend on the kind of account signing. So it might be a little bit misleading in the end.

I do agree that we need to take care not to communicate too much trust as there won't be a system where we could guarantee that you won't be scammed (a trusted account could also be stolen later).

I will think about a different icon or no icon at all (as suggested by @flix1) to prevent this misunderstanding of trust.

@ripcurlx
Copy link

Maybe we should use different icons for these states:
icons

@mpolavieja @m52go what do you think?

@mpolavieja
Copy link

I still like the most the clock in different colors. I suggest a yellow clock for the first state, a white or gray clock for the second state, and a green clock for the third state (maybe substiting the clock hands by a checkmark that exceeds the clock circumference). Something like this (but not as ugly as this):

image

From a onboarding UX perspective, probably the most important thing is to easily spot accounts that have the ability to sign, so new users can find them and get signed by them. IMO the green color will do most of the communication.

@m52go
Copy link
Contributor Author

m52go commented Aug 1, 2019

Yeah my intentions with the clock weren't so much to communicate exact status then to give the user a rough idea of the "risk level" of a particular peer, and to show additional details in the account-details tool-tip.

Perhaps we get rid of the clock and simply use a colored dot with an exponent/superscript part to indicate more specific status? Kind of like Manuel suggests above, just without a clock...there could be check marks, plus signs, question marks, etc to complement the colored dot to indicate specific account status (e.g., like Slack's status icons).

That way, the user can will know an account is relatively safe when seeing this (for example):

good-1

And they'll know to be a bit more cautious when seeing either of these:

warning-1
warning-2

These are ugly, but hopefully they demonstrate conveying the basic message from the icon, and then the user can look up more details in the account tool-tip.

Or we could just use colored dots exclusively (without superscripts) and explain in tool-tips, perhaps in red-yellow-green. We wouldn't have enough colors to indicate every precise status, but I don't think it would be a bad thing to use yellow and red for multiple risk levels.

Personally I still don't find these icons very intuitive. I mean, I get it, after the explanation, but I think it would be best to use more intuitive symbols for the UI so new users don't feel like they need to look up icons that they don't immediately recognize.

@MwithM
Copy link

MwithM commented Aug 1, 2019

Maybe we should use different icons for these states:
icons

I like this symbols, as long as the meaning of the symbols is close. Can we use this icons and colour? Colour-only icons aren't good for colour blind people.
Is it really necessary to tell the difference between the states 1 and 2? As long as an account has been signed, the only difference is the time has passed since then, which doesn't tell very much about its safety, and limits are applied automatically. The biggest difference to me is between a signed account and an account that can sign. I would use the first (in yellow) and third icon (in green) in this case.

@ripcurlx
Copy link

I'm finally back on the UI part of the account signing. After coming back to the current state I think the only thing we need to communicate on first sight is attention for accounts that are not signed and accounts that were signed but are not able to sign other accounts. So I suggest we use following:

Bildschirmfoto 2019-09-26 um 16 39 32

So although we have five states:

  • not signed
  • signed by arbitrator
  • signed by peer
  • signed by peer and limit lifted
  • signed by peer and able to sign

I would display on first glance only warning for every account that is not able to sign.
All additional information will be in the tooltip. Advanced users could also gather additional information already by evaluating the time since signing (only exception are accounts that are signed by arbitrators which could be signed three days ago, but already are able to sign other accounts).

@flix1
Copy link
Member

flix1 commented Sep 26, 2019

I very much like the idea of having multiple states and a number (time since signing). It gives users additional information and with it the ability to discriminate.

Imagine we have a coordinated scam starting on a certain month with multiple signing accounts... having the age would allow discriminating accounts signed since the scam started.

Or if the system has to be reset for whatever reason... arbitrators could sign a number of accounts to ensure a fast turnaround and users would be advised to discriminate against newer "signed by peer" accounts.

Of course no system is perfect against scams... but account signing age + account age would provide a lot of valuable reputation-like info.

(My favourite data about an account would still be nº of successfully completed trades, if it ever becomes possible).

@ripcurlx
Copy link

Fiat accounts view could look like this
Bildschirmfoto 2019-09-26 um 17 08 22

@mpolavieja
Copy link

I would display on first glance only warning for every account that is not able to sign.

I think it is a very good idea to keep it simple.

@ripcurlx
Copy link

And within each of your accounts that require signing, you will find additional information. Btw. I'm already implementing this on top of @sqrrm's work. So it kind of the real deal already 😄
Bildschirmfoto 2019-09-26 um 17 27 07

@m52go
Copy link
Contributor Author

m52go commented Sep 27, 2019

@ripcurlx this is great! Really like the simpler approach...it looks great, and doesn't leave out any details.

One very small suggestion: how about adding the exclamation/check icons to the Account signing status field in this screenshot? Perhaps as a small psychological reinforcement of days-since-signing and related symbols.

@ripcurlx
Copy link

@ripcurlx this is great! Really like the simpler approach...it looks great, and doesn't leave out any details.

One very small suggestion: how about adding the exclamation/check icons to the Account signing status field in this screenshot? Perhaps as a small psychological reinforcement of days-since-signing and related symbols.

Will add it 👍

@ripcurlx
Copy link

@m52go @mpolavieja @ManfredKarrer As it just came up while working on the account signing feature something to discuss:

ATM we have for altcoins no limit (2 BTC per offer) and for all non-risky payment methods within the first 30 days factor 0.25 (e.g. for Perfect Money 0.25 BTC) between 30 and 60 days factor 0.5 (e.g. for Perfect Money 0.5 BTC) and after 60 days factor 1 (e.g. for Perfect Money 1 BTC).

Now we introduce for high risk payment methods (e.g. SEPA) the account signing feature. Until an account is signed it will have the limit of 0.01 BTC. 30 days after the account got signed we'll lift the 0.01 BTC limit. So @sqrrm raised the legitimate question if we want to lift the limit after 30 days using immediately factor 1 (e.g. 0.25 BTC for SEPA)?
If we would calculate the regular account aging and assume that the user created the account and immediately did a trade with a signed account the account would be more than 30 days old when the initial limit is lifted and it would be factor 0.5 (e.g. SEPA 0.125 BTC). So it might not have lots of additional security having factor 0.5 or factor 1. What do you think?

@m52go
Copy link
Contributor Author

m52go commented Sep 27, 2019

I think it depends on the verification mechanism. For account signing verified by 2 factors, I don't see any reason not to lift limits all the way after 30 days.

@mpolavieja
Copy link

I think it depends on the verification mechanism. For account signing verified by 2 factors, I don't see any reason not to lift limits all the way after 30 days.

But in this next release we are going to have only 1 verification factor (not 2FA yet), correct?

In my opinion I´ve always thought it is too harsh to have the account signed and still have the 0.01 limit for 30 days instead of at least 0.0625. I think it will be quite discouraging for new honest users. But I assume that is the consensus and it helps to have chargebacks under control since we decided not to have a delay in the payment for new accounts.

So I think that rasing it to 0.25 after 1 month is ok.

@m52go
Copy link
Contributor Author

m52go commented Sep 27, 2019

But in this next release we are going to have only 1 verification factor (not 2FA yet), correct?

I assumed the first iteration would include payments from 2 bank accounts as a verification mechanism.

Would be good to have this clarified...I looked through old posts but it's been a while since we discussed this in detail.

@ripcurlx
Copy link

But in this next release we are going to have only 1 verification factor (not 2FA yet), correct?

Yes, we'll try to finish everything off for the 1 verification factor. If everything looks fine and we would be good to go, we still can decide if we want to add the 2FA for this release as well or if it will be in v1.2.1.

@sqrrm
Copy link
Member

sqrrm commented Sep 30, 2019

@m52go @mpolavieja Currently we have the account signing by arbitrators/counterparties implemented. I suggest we leave 2FA for a later release as we want to get something live as soon as possible to allow for proper fiat trading again.

The limits haven't really been settled from what I can see. What I did so far is:

Any seller and buyers with accounts that are not high risk (low liquidity currencies):

  • Unsigned: 0.0625 BTC
  • Signed less than month ago: 0.0625 BTC
  • Signed more than a month ago: 0.125 BTC
  • Signed more than two months ago: 0.25 BTC

Buyers with high risk accounts:

  • Unsigned: 0.01 BTC
  • Signed less than month ago: 0.01 BTC
  • Signed more than a month ago: 0.0625 BTC
  • Signed more than two months ago: 0.25 BTC

I think counting time from signing is reasonable. We can change the limits but we should do it now before release or it might cause quite a bad user experience if we do it later. The reason for the asymmetry regarding buyers and sellers of high risk accounts is to keep what we currently have and not lower any limits.

Accounts will be able to sign others two months after getting signed.

Arbitrators will sign accounts created before March 1 2019 to act as root accounts for signing. Accounts signed by arbitrators will be able to sign others from day one.

@mpolavieja
Copy link

I suggest we leave 2FA for a later release as we want to get something live as soon as possible to allow for proper fiat trading again

I think it is a fair decission

Why is it 0.0625 BTC instead of 0.125 BTC for high risk accounts signed more than a month ago?

Given that 2FA is not going to be activated in this release, will it be possible for old traders to filter out trading with unsigned accounts?

@sqrrm
Copy link
Member

sqrrm commented Sep 30, 2019

For the values, I chose 0.0625 BTC since if we're having a limit it should be quite limited, otherwise we might as well go with 0.25 BTC one month after signing to avoid confusion. Not a strong opinion on that though so we can change it to 0.125 if that sounds better.

The UI will show the status of accounts in the order book. Unsigned, signed X days ago, and if they can sign other accounts.

@mpolavieja
Copy link

mpolavieja commented Oct 2, 2019

Don´t have a strong opinion either, just thought that having the account signed for more than one month, it would make sense to have 0.125 before 0.25

But if you guys really have doubts on this, and since we are dealing with protection (security) it would be wiser to stick to the lower limits and leave it like that for now, and maybe think of a different approach when 2FA is implemented.

@ripcurlx
Copy link

ripcurlx commented Oct 7, 2019

Don´t have a strong opinion either, just thought that having the account signed for more than one month, it would make sense to have 0.125 before 0.25

I think I would go directly to 0.125 not to punish the users even more. I don't think we get so much more protection by only allowing half of it.

@sqrrm
Copy link
Member

sqrrm commented Oct 9, 2019

Now changed to 0.125 (or rather, factor 0.5, which scales with the max trade amount).

@mpolavieja
Copy link

This proposal has been partially implemented. 2FA still pending.

@sqrrm
Copy link
Member

sqrrm commented Nov 10, 2019

@mpolavieja maybe we should keep the ticket open until 2fa is implemented, or is there a separate ticket for that?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

12 participants