Increase buy limit for new accounts from 0.01 to 0.02 BTC #95
Comments
I think that 0.05 BTC would be too high considering the amounts used during the previous scam session. Without any further protection I suspect it's not a good idea to increase the buy limit.
Yes, I believe they ranged from ~80 USD on up... As inconvenient as it is, I think we need to keep limits low for now.
FYI there has been one case with 87 EUR and one with 155 EUR. Most others have been in the 400-600 EUR range. We don't know how many scammers there have been, but it seems that at least one other was doing a chargeback on Interac (CAD), which is likely not the same scammer.
It would be good to have more public data on this. As much as it is safe to disclose.
If more agree, I will amend the proposal to increase it to 0.02. Even that little would greatly improve the economics (from 10% to 5% cost with the current mempool state).
Depending on the quantity, protection tools might be relevant. 0.05 seems rather high to me at this moment. If the new minimum is still uneconomical for scammers, I agree for now on making this decision independent from the protection tools. However, the protection tools and the minimum quantity should be considered together in the future. After a long enough period of time after whatever protection tools are implemented, we will be able to make a much more informed decision about this limit. For example, if protection tools are successful and widely adopted the limit could be kept to a minimum.
Summary: Besides the SEPA stolen bank account scammer there were 1 or 2 Interac (CAD) chargebacks. Not clear if it was related, but it happened in the same time period, so likely a group might have been active. There have also been other suspicious cases where no chargeback happened but the user used different accounts (several different German, often female, account owners with the same onion address). They used a similar communication behaviour (broken English, aggressive unfriendly style, losing patience quickly and accusing arbitrators of being scammers, not providing any evidence to arbitrators, ...). It might be that those are money launderer cases and not stolen accounts, which would explain why no chargebacks happened, even after 2 months. Some of those cases are still open in disputes. In at least one case the BTC buyer's bank account was blocked when the seller was instructed to send back the EUR (arbitrators instructed sellers to send back the EUR in those cases). Some of those cases used Transferwise. It seems that one can now fund Transferwise by credit card, which adds a lot of CC fraud risk. The Transferwise EUR transfer cannot be verified by name and IBAN by the seller as Transferwise uses its own name/IBAN. I think Bisq should not allow Transferwise anymore, as especially with the CC funding option it might become a preferred way for CC scammers to cash out. Not sure how Transferwise would handle such cases; likely they will swallow the damage in case of CC fraud, but it might fall back on Bisq if it were used more frequently, and the seller might get reported/blacklisted by banks even if no chargeback happens. It also seems that one can get a SEPA account at Transferwise now, which would make it hard to detect that it is Transferwise (probably it can be detected by the BIC).
Probably part of the scams were not charged back (or refunds bounced) because they were from mobile banks. It looks like those banks are not willing to request chargebacks from receiver banks. Not certain about that, but there is a clear pattern. I have a very strong suspicion that what those banks are doing is kicking out clients that are somehow related to the scammer. For example, closing accounts of other honest clients that also had transactions with the same honest peers that the scammer had transactions with. So even if the bank is assuming the loss of the scammed victim and the seller is not charged back, this is very bad for Bisq, because if one of the affected peers is a very active trader, that would mean the bank closes a lot of accounts of Bisq users. So we really need to prevent scams from happening regardless of whether there are no chargebacks, sellers are not affected and no one in Bisq notices anything wrong. An interesting conclusion is that not all, but a significant proportion of chargebacks tend to occur rather quickly. So even if delays are not going to be implemented (as it looks like), we should somehow encourage users to wait as long as possible before confirming payment with new traders (unless they have good reasons to be comfortable confirming fast).
@flix1 (Bisq provides a free place for traders to trade. Bisq will not trade in lieu of its users. Bisq's job is not to handle the issues (past and coming) of the fiat banking system).
Perhaps allow larger sums for banks in countries that always have to do 2FA to send money? Doing a chargeback for one of these banks is VERY difficult (impossible?) because they know that YOU approved the transaction.
@flix1 Is the proposal with 0.05 BTC or 0.02 BTC? If 0.02, can you change the title and introduction to avoid confusion for voting?
I've changed the proposal to an increase to 0.02 as suggested. Am I correct in thinking that this will be acceptable to most? If so please change your 👎 to 👍 @ManfredKarrer @outis151
I'm still hesitant about this increase but won't resist if it's implemented.
I'm not convinced the benefit will be worth the risk. With the price of bitcoin over 8000 USD, 0.02 BTC is worth enough to be a problem, in my opinion.
The last scammer made its minimum scam at ~0.01 BTC = ~80$ ... and we currently have a limit of 0.01 BTC. Life is a risky thing.
I am also a bit more concerned again. If the BTC price goes up to 15k then 0.02 is 300 USD; that would not be far away from the average of 400-600 EUR the scammer used. I think losing a few users because of the small amount is less damage than if the scammer returns.
@ManfredKarrer these limits should maybe be expressed in a more stable unit or otherwise made to auto-adjust.
@Giszmo They are considered a temporary fix until the new protection tools are deployed. But yes, deriving it from the trade price would be good, but then it's harder to communicate as the amount will change all the time...
It looks like the DAO approved this proposal in Cycle 2.
Ok, we need to assign a developer in order to make the change. @sqrrm @devinbileck @ripcurlx ?
Finally I'm back (more or less) - I'll submit a PR for testing in the next couple of minutes. Just need to do some developer testing locally first.
I think we use DAO voting too lightly. It should be the last resort if no consensus is found in discussions. People who vote should be aware of their responsibility. This proposal is a good example where a small change can have very severe consequences. If the BTC price goes to > 15k (0.02 BTC = 300 USD) it might be enough to attract the scammer to come back. Who will handle the mess then? It took me 3 weeks full time and brought me close to burnout when I did it. I am not sure if anyone will play that role if that happens again. Not talking about the reputation damage if we get scammed again and the increased risk that regulators might see that as a reason to focus on Bisq. And we have to take care not to inherit the bad properties of democratic voting, where those who vote will not be responsible for dealing with the mess they create. Also it needs to be made very clear that those who vote know exactly what they vote on (read and follow the proposals). Just my 5 cents.
I fully agree that we need to develop a culture for DAO voting. It is a big challenge. Regarding this limit, I personally think that it should be lowered again once the protection measures are in place and working properly. Especially if we see that the protection measures are working well and the UX impact is minimal.
I agree. This issue was probably not important enough to vote on. Especially given the overall agreement, a vote was unnecessary. Call it a test. It's only Cycle 2 and we are still learning.
Yes sure, we are all learning... sorry for my alarming tone, the stressful event is not so far back in my memory ;-). I think we should have a consensus about what it means when a generic proposal gets accepted. I had never intended that it means a binding result but more a signal to contributors to put priority on that. If it were a binding result we would need to increase the threshold and quorum to a level like the param changes. Now generic proposals require only a 5000 BSQ quorum and 50%. In comparison, a param change proposal requires 100 000 BSQ and 75%. That was intentional, to give a low barrier for community requests and a high barrier for automated parameter changes. Some params might be less critical, but basically all of those should be considered very carefully before changing; that's why I set those values high. So if the community wants to treat generic proposals as binding then I will make a proposal for increasing quorum and threshold to those of param proposals. I hope we don't need to do that, as that would convert the low barrier proposal type to a high barrier one. Another issue with binding would be that nobody can force a contributor to work on something, not even the DAO stakeholders. And generally I think voting really has to be seen as management work, not as an expression of opinion. The best attitude for voting IMO is to see yourself as the single decision maker and be the responsible person for the result of your vote. But of course in pseudonymous voting people tend to hide in the crowd and that can lead to overall bad decisions. Our current democracies are a very good example of how badly voting works. Voting was not the core of the original concept of democracy but the last means if no consensus could be found, and then the dictatorship of the majority was used to find a result. The main goal of democracy was to find consensus in public discourse.
And regarding the limit. I am not sure if it can easily be changed (up or down) without causing backward compatibility issues. We forced an update when we introduced the limit, so that was an "easy" solution. Dealing with backward compatibility is tricky...
@ManfredKarrer wrote
1/ IMO, Bisq's goal should be to provide a place for people to trade. 2/ The above being said, it is obvious that, whatever is voted, it is hard to imagine that some soldiers will come and force developers to implement what is voted :-) Developers are still the masters (and that's very ok).
So it is true that regardless of the voting outcome, there is not a consensus on making this change. Out of the 9 persons that took the time to participate in this GitHub issue: 1 person clearly against the change. There is not a clear consensus about changing this limit.
@mpolavieja Indeed, I would say there isn't consensus. There is obviously a general wish to up the limits and there is a formal vote through the DAO saying that is the majority opinion. It seems those closer to the code and closer to dealing with the fallout of this possibly being a bad decision are more skeptical in general though. We're still learning how governance works here and learning the purpose of the DAO generic proposals. Perhaps it would be better to get prior developer buy-in and even an implementation before going to the DAO to vote; that would make it clearer what's being voted on.
It seems that the goalposts have moved. The 0.01 BTC restriction was placed as a "short term restriction for enhanced security". It was supposed to be a temporary measure. It now seems to be the new default. I initially proposed increasing it to 0.05, but on receiving feedback here I agreed to reduce my proposal to an increase to 0.02 as a compromise. It seemed that everyone was on board with that... I continue to believe that Bisq's mission should be to provide users with security tools that they can choose to use. Responsibility should be the users', not Bisq's. At the very least, restrictions on new users should not be permanent as they are now. Right now a user who joined in March and has been with us for 4 months still has only reduced functionality. The March 1st cut-off date cannot stay there forever. In fact I am slowly coming around to the idea that we should remove even more restrictions, including on riskier payment methods like Paypal, CashApp, Venmo, etc., and just put a big disclaimer and warning sign on them making it clear that users trade at their own risk. Bisq is not a company and not in charge of telling users how they can trade. The slippery slope of assuming responsibility and therefore feeling the need to limit users is real. For veteran users the 0.01 restriction is not a big deal. We are all obviously in no hurry to change it as it doesn't affect us. But we have to think of new users and growth. We are seeing ATH volume numbers in unrestricted markets (XMR, LTC, even ETH!) but EUR, USD volume is completely stalled.
Nobody. Nobody should handle the mess. If there is someone who can handle a mess, then there is someone in charge, and that person immediately becomes a target for regulators, lawsuits, user complaints, etc. This makes me think that 2-of-3 multisig and arbitration really have to go, or at least the role of the arbitrator must be so clearly defined and reduced in scope that he assumes zero responsibility for any scams and only a limited responsibility for mistakes. 2-of-2 multisig with no arbitration and eventually atomic swaps should be our goal. Reputation damage is a problem for the DAO. How should the DAO respond? By investing in research and development of new security tools and protocols and making them available to users. Not by restricting users.
@flix1 I really understand that position of wanting to remove all restrictions. Currently I don't think it's reasonable though, since the system is still depending on arbitrators and I think that would overwhelm them to the point that Bisq could no longer function. I could of course be wrong, but the risk is that the whole system becomes unusable, not just for new fiat users. Once we have an alternative to using arbitrators, that's a more reasonable point to take up for discussion. Regarding the temporary 0.01 limit, I think that hasn't changed. I took "temporary" to mean until new measures are in place to protect against scammers, and they're not yet in place. Since there was such an outflow of development resources just when this happened, the new measures haven't been developed yet.
The limit of 0.01 at the price levels at which this measure was imposed was very low, but I understood it as an emergency measure.
Amongst the following classification: 1. Full stack exchange: It provides price quoting, execution and settlement functionalities. What is Bisq's purpose? Do we all have a crystal clear idea about it? Is it the same purpose for all trading pairs and amounts? For this analysis, I think we should not conflate security, as a generic term, with settlement. If we don't want to provide settlement at all or for specific situations, that's ok, but then we should be very clear that settlement is fully the user's business. But if Bisq wants to provide proper settlement, then Bisq should handle the settlement process in order to minimize settlement failures. The worst thing of all would be that Bisq, as an exchange, is fuzzy regarding settlement, or clearly pretends to provide settlement, but in practice settlement does not work properly. In those situations I would strongly prefer to be crystal clear that settlement is not Bisq's purpose.
Very good question. My take: - Bisq can and should do price quoting with as few restrictions as possible. - Bisq can and should provide execution and settlement tools for crypto-crypto. - Bisq should provide optional execution and settlement tools for fiat (i.e. arbitration, mediation, escrow, security deposits, etc.). - Bisq should provide optional security tools (filtering, reputation, etc.). Of course the devs actually building Bisq have the final word on what they want to do. But the above would be my ideal.
The security model of Bisq is based on the assumption that we can avoid chargebacks to a very high degree, which was true until the event in April (ignoring the Venmo and Cashapp events). If we cannot hold that security model by releasing certain limitations (not supporting Venmo, Cashapp, Paypal, ...) or lifting the trade limits, we would be an easy target for serial scammers and people will stop using Bisq. It is an open invitation for scammers. No risk for them. Get a stolen bank account on the black market and cash it out on Bisq. So not well informed newbies will get burned. Other models have a reputation system which can partly be used for security (weak IMO), but Bisq does not have that, so the limitations to make it economically not interesting for scammers are one of the only ways we can solve that. And those limits are easily released once the 2nd bank transfer solution is implemented as well.
Ok @ManfredKarrer, but those risks only apply to execution and settlement. What do you think about the idea of letting people post offers (e.g. F2F) with execution and settlement outside Bisq? Initially I thought it was redundant... but apparently an uncensorable noticeboard is actually highly demanded in some countries. Think of it as a freemium business model: you can post offers for free, but if you want additional functionality (escrow, security deposits, etc.) you pay.
As I see it, leaving technical complexities aside (which is not a trivial matter at all), offering optional settlement tools or models for specific cases is equivalent to leaving the settlement as a responsibility of the user for those specific cases. If it has to be like that, so be it (indeed I tend to agree with that for small quantities). But then I think it has to be made very clear. We should also be aware that optionality could lead to Bisq evolving into a set of tools that the user has to figure out, instead of evolving into a turnkey product to just buy and sell. To be clear, my position is that Bisq should try to minimize settlement failures for all trading pairs as a turnkey product. And I am optimistic that it can be achieved.
With F2F we have that already, as it is stated that the arbitrator cannot normally help. But F2F has a different security model. It is not that likely that a guy you meet in person will scam you; he takes some serious risks if he tries. The stolen bank account scammer had zero risk.
I am closing this proposal as the 0.01 trade limit has been lifted on new markets, and for mature markets it seems the community is more willing to wait for the protection measures to be in place than to raise the 0.01 limit.
Please vote this proposal on the DAO.
A restriction on buying more than 0.01 BTC for users with fiat payment accounts created after March 1st 2019 was put into effect to increase security after 1 scammer issue. Such small amounts are uneconomic to trade as mining fees can represent 10%+ of traded amount.
We propose increasing this limit to 0.02 BTC.
This is still low enough to make stolen bank account fraud uneconomic (as each trade increases chance of detection for the scammer) while allowing new users to buy a meaningful amount of BTC with fiat on Bisq.
--Clarification: we propose enacting this change regardless of what happens with protection tools discussed in #79 #93 #83. The limit should be increased even if these new tools have not yet been implemented, as proposed in #91.