Adnotated words of wisdom on the topic of online fraud

Tuesday, 04 December, Year 4 d.Tr. | Author: Mircea Popescu

The quoted text belongs to one Michael "ndricks" Hendricks, who for a time ran a Paypal... hm, let's just quote :

As most of you know, I operated CoinPal before it was closed in April 2011.[i] I had planned to reopen it, but plans have changed. I still own, follow and advocate Bitcoin. Nothing has changed there. About once a month, I receive an email asking "How did you avoid scammers on CoinPal?" I decided to post about it so the entire community can benefit (and give myself a URL to point to).

Just this and I already like the guy. Hey, Hendricks, make a blog why don't you ?

Stolen accounts as currency

The most important realization is that stolen PayPal accounts or credit card numbers are a digital currency (although a poor one). If I write a virus or phishing attack, my wages are denominated in the currency of stolen accounts. Alternatively, I can exchange fiat currency for stolen account currency, by trading on various black market forums.

As a digital currency, stolen PayPal accounts are subject to double spending attacks. For example, the legitimate owner may change his account password thus spending stolen funds back to himself. Or a vendor selling PayPal credentials can sell the same credentials to multiple buyers. Without a blockchain to rescue them, those holding this digital currency must spend it quickly before someone beats them to it.

Scammers are in a nasty hurry and can't do anything about it. I saw this over and over again at CoinPal. I see it at other online retailers too. This is why CoinPal and VirWox have tiered purchase limits based on an account's age.

Conclusion: scammers have an unusually high discount rate. With this discount rate, the present value of a payment 7 days in the future is less than his cost of acquiring stolen credentials.

The point about stolen accounts being a (poor) type of digital currency is excellent. I think many had the general feel, a vague notion of this fact, but this is an excellent articulation thereof.

As a side point, it explains quite elegantly why most everyone ignorant of Bitcoin immediately defaults to the otherwise unfounded belief that there must be something nefarious about it : the ignorant do not understand anything personally, with their own head, but they do survive by reliance on the "wisdom of the herd", such as it is[ii]. In this version of distributed sort-of-thinking the notion likely emerged, unspoken, that the main type of independent digital currency is the digital currency of stolen accounts.

I'm not going to delve into philosophical detail about how this particular error of the herd is a clear symptom of Leviathanesque failure of the state, that sad soviet state of affairs wherein everything not controlled by a government is crime[iii]. It's been done to death already, moving on.

The point about double spending attacks is even better. It does need the context of the particular cryptographical problem to be expressed, thanks the lords for Bitcoin's bringing this otherwise subtle bit of marginal minutia to the fore, so now people can readily use it as a stepping stone to both understand and express something very fundamental.

Indeed, something stolen, no matter what it is, has had its chain of ownership broken. Thus, anyone can claim title to it just as well as anyone else, which means that in most circumstances plenty will. This is incidentally the very reason why property is such an important concept, not for its practical, commercial, economic effects as much as for its intellectual benefits : it reduces the endless chorus of female babble so very prevalent in primitive, useless, failed societies to much more manageable, limited discussion. This is the reason we won, and not by happenstance and not accidentally but quite necessarily is the reason why the classical Brit had a reputation for terseness. For speaking little. You know, the same Brit that brought about the Industrial Revolution. Do you know who else had a reputation of terseness, at a time when the Brit was not quite imperial yet ? The Dutch.

If that something stolen is digital the problem increases significantly, in that transfer can happen silently, instantaneously and in complete disregard of geography or other restraints physics place on any particular person. So yes, the tenuous "owner" of something in which he holds no title finds his "ownership" limited by the quality of his control. Sounds familiar ? Why yes, it's the exact problem with ownership of Bitcoin. The subtle difference being that the "owner" of stolen goods has goods with no title because he's broken the title of another, whereas the owner of Bitcoins has no title because no title can possibly exist. An easily missed point indeed, even for clever people.

Finally, the nasty hurry. I imagine from a practical standpoint this is the most valuable nugget contained in the text, but then again the simple "be suspicious of anything that has to be done in a hurry" is about as old as the statues in the Roman forum, and probably much older than that. So, it not being news to me I can but shrug : d'uh.
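The discount-rate conclusion quoted above (a payment 7 days out is worth less than the cost of the credentials) and the tiered limits by account age can be put into numbers. This is an added example, not code from Hendricks's post or from this article; the geometric decay model, the daily survival probability, the credential cost, the safety margin and the cap are all assumptions chosen for illustration.

```python
import math

# Assumed values for illustration only; none of these are CoinPal figures.
DAILY_SURVIVAL = 0.60    # chance a stolen credential still works a day later
CREDENTIAL_COST = 5.00   # what the scammer paid for the credential (USD)


def present_value(amount, delay_days, survival=DAILY_SURVIVAL):
    """Expected value, to the payer, of goods delivered after delay_days.

    A legitimate customer owns the account (survival = 1.0), so a delay
    costs him nothing in this model; a stolen credential decays daily.
    """
    return amount * survival ** delay_days


def min_hold_days(amount, cost=CREDENTIAL_COST, survival=DAILY_SURVIVAL):
    """Smallest whole-day hold that pushes expected fraud payout below cost."""
    if survival >= 1.0:
        return None          # no decay: no finite hold deters this payer
    if amount < cost:
        return 0             # already unprofitable with no hold at all
    days = math.log(amount / cost) / math.log(1.0 / survival)
    return math.floor(days) + 1


def tier_limit(account_age_days, cost=CREDENTIAL_COST,
               survival=DAILY_SURVIVAL, margin=0.5, cap=1000.0):
    """Purchase limit for an account of the given age.

    Waiting account_age_days and then buying the limit L pays the scammer
    L * survival**age in expectation; keeping that at margin * cost makes
    the attempt a net loss at every age, while the limit itself grows.
    """
    limit = margin * cost / survival ** account_age_days
    return round(min(limit, cap), 2)


if __name__ == "__main__":
    print("PV of $100 after 7 days (stolen):", round(present_value(100, 7), 2))
    print("PV of $100 after 7 days (owner): ", present_value(100, 7, 1.0))
    print("hold needed for a $100 order:    ", min_hold_days(100), "days")
    for age in (0, 1, 3, 7, 14, 30):
        print(f"account age {age:>2} d -> limit ${tier_limit(age):.2f}")
```

The limits grow exponentially with account age because the chance that a stolen credential is still usable shrinks exponentially, which is the shape of an age-tiered schedule.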

Legitimate Customers

You can't stop all fraud. Some will get through your defenses. Currency exchange profit margins are too narrow to absorb much of it, so you need a healthy legitimate customer base across whom you can distribute those costs. As chargebacks come in, it's tempting to focus entirely on eliminating fraud. Unfortunately, that focus inconveniences legitimate customers so much that they go elsewhere.

Early in CoinPal's history, I manually contacted every customer that wanted to purchase coins. I bought a bunch of long distance calling credit and spent hours on the phone asking customers questions about the name of their nearest grocery store or which direction Lake Something was from their house. I never had a chargeback from these orders, but they hated it and I hated it. I lost many legitimate customers as soon as I emailed them asking if I could call them on the phone. I know they were legitimate because many of them bought coins after I eliminated this process and they never charged me back.

Conclusion: a healthy customer base is as important as fraud detection. Profit from serving them will sustain you through the scammer attacks.

People seem to think the simple fact that you can never, ever, no matter what, stop "all X", whether it be fraud, bugs, disease, genetic mutations, what have you is a bad thing. It is not.

In this particular situation the strong "you can never stop fraud" is the one, the only and the absolute defense freedom has against any who would take it away (for "better" alternatives). The fact that nobody, nowhere, even in any context and through any means whatsoever they may choose can stop all fraud is why dreams of universal financial domination are pipe dreams.

More generally, the fact that no system can ever be complete means we can never actually die. We'll just change, whatever "we" means (but whatever it may mean, it'd be through it a more recognisable "we" over the entire space of possibilities than any competing definition). And yes, "no system may ever be complete" is intended as a go-between the Godel[iv] statement of the property and the "you can't stop fraud" statement of the property. Indeed they're just statements of the same exact thing in different contexts.

The point about inconveniencing the user is of paramount importance, and it goes into something discussed later so let's save it one jump :

Fees Select Customers

This should be obvious, but it's repeatedly violated by new Bitcoin exchanges. A legitimate customer is spending his own hard earned money, so he cares about fees. A scammer is spending someone else's money, so he doesn't. Increasing fees scares away profitable customers leaving you with only scammers.

A small price elasticity of demand and a high discount rate combine to explain a common fraud symptom in retail. Fraudulent customers are far more likely to pay extra for overnight shipping. They don't care about the money and need the goods quickly before their scam is detected.

Conclusion: High fees favor fraud. Although scammers could avoid this characteristic by frugally spending their stolen funds, frugality demands patience which they can't afford.

These points work together. People trying to pass off stolen things don't care about fees, it's not their money. People trying to pass off stolen things don't care about inconvenience. It's not like they're gainfully employed bank managers who moonshine in dabbling stolen credit cards they've bought off the famous darkzer0.hax forum, so they could think "what the hell am I spending my time doing this shit for, I have better things to do with my time". They don't have anything else to do with their time, hence


How many actual customers would be willing to do that ? What does willingness to do that prove ? Fees select customers, hoops select customers. Adding "safety measures" to any process on the theory that "it can't hurt anything" ; "honest people have nothing to worry about" ; "you can never have too much security" and so forth is just proof of incompetence (and yes, anyone doing it should be immediately sacked). And obviously this applies to legislation, too.

As you can see, an excellent piece. Props to Michael Hendricks.

  1. Closure announcement said

    PayPal has frozen my account so CoinPal won't continue as we know it. My funds (only about $5k) are tied up there for the next 180 days.

    Overall it was a reasonably successful service, it never did very much trade (owner's figure is 60`858 BTC) and conceivably didn't turn a profit, but was an interesting experiment nonetheless. It certainly allowed a different class of Internet dweller access to Bitcoins than anything before.

  2. This is also how people vote, for the record, and this is exactly the reason why individual idiocy of the members of the electorate has but scant impact on the election results, as explained (in Romanian).
  3. Also incidentally, the main reason why "trolling" has such cultural importance and consumes so vast a fraction of the energies of youth these days is simply this : the whole quote reads "that sad soviet state of affairs wherein everything not controlled by a government is crime and there's no such thing as humor". I know this because it's my quote. I wrote it, so it is mine. My quote which is mine. (But then I deleted the part about humour on the end because it seemed spurious but then it took its revenge in this footnote. Now you know.)
  4. The second works best,

    For any formal effectively generated theory T including basic arithmetical truths and also certain truths about formal provability, if T includes a statement of its own consistency then T is inconsistent.

