Author

Topic: Best Practices: Preventing man-in-the-middle attacks (Read 6077 times)

hero member
Activity: 714
Merit: 504
^SEM img of Si wafer edge, scanned 2012-3-12.
Forgive my ignorance, but I'm not sure what the problem is. When Bob puts his money into your bank account for bitcoins that he thinks he is buying from the scammer, where is your liability? You've never had contact with Bob. To me, it seems you wouldn't owe Bob a dime. He was the butt of a scam that you had nothing to do with. Somebody else fraudulent used your banking information. Correct me if I am wrong here...
I've contacted the official "Fraud helpdesk" in my country, and it turns out you're wrong. Since I had nothing to do with Bob, and since the payment Bob made to me was not meant for me, I'm obliged to return it.
hero member
Activity: 715
Merit: 500
Forgive my ignorance, but I'm not sure what the problem is. When Bob puts his money into your bank account for bitcoins that he thinks he is buying from the scammer, where is your liability? You've never had contact with Bob. To me, it seems you wouldn't owe Bob a dime. He was the butt of a scam that you had nothing to do with. Somebody else fraudulent used your banking information. Correct me if I am wrong here...
hero member
Activity: 714
Merit: 504
^SEM img of Si wafer edge, scanned 2012-3-12.
EDIT: I further scam proofed your link, by shortening www.is.gd/warningO to the same link, in case scammer switches zero to letter O. Also this: http://is.gd/READ_THIS_LINK_BEFORE_SENDING
Thanks Cheesy
The latter might not fit in the transaction message. I don't even know if that length is standardized, really.

Interesting idea, but what if Bob walks into your bank and does a cash deposit into your account rather than a fund transfer?  Wouldn't Bob just notify the scammer and then the scammer notify you with your link in his or her email?
A cash deposit can also be done with a transaction message. But indeed, if the scammer did this, I would have a problem. There's no way to give the money back, but I wouldn't want to send the Bitcoins either. I suppose I should be really clear about that when someone requests a cash deposit then. Thanks for the heads up Smiley


That seems like good enough deterrent for the average scammer, they'll just move on to somebody else that doesn't require anything which probably explains why this hasn't happened again.
Yeah, probably. Well, I can only be responsible for my own security, I guess.
hero member
Activity: 899
Merit: 1002
This kind of fraud was rampant with Liberty Reserve for years so they had ppl write messages in the bank transaction message as well. They were also scamming direct cash deposits the same way, almost always through fraud ebay auctions.

The guy who was ripped on ebay then harassed the LR exchanger 'where's my coat/diamonds/laptop' and the exchanger had to refund the money. They solved this direct deposit problem by having everybody upload a scan of the direct deposit receipt with "Not for auctions" written on it. Problem is scammers soon got around this by printing out the pic of the receipt, and writing on it themselves then re-scanning and sending to LR exchanger who usually was pretty lazy in checking out the pic and just released the funds.

I'd be interested if any ideas too I got taken by a MITM scam once

Quote
I require the buyer to put the link "www.is.gd/warning0" in the transaction message.


That seems like good enough deterrent for the average scammer, they'll just move on to somebody else that doesn't require anything which probably explains why this hasn't happened again.

EDIT: I further scam proofed your link, by shortening www.is.gd/warningO to the same link, in case scammer switches zero to letter O. Also this: http://is.gd/READ_THIS_LINK_BEFORE_SENDING
newbie
Activity: 58
Merit: 0
Interesting idea, but what if Bob walks into your bank and does a cash deposit into your account rather than a fund transfer?  Wouldn't Bob just notify the scammer and then the scammer notify you with your link in his or her email?
hero member
Activity: 714
Merit: 504
^SEM img of Si wafer edge, scanned 2012-3-12.
Recently I've been the victim of a number of man-in-the-middle attacks. Here is an explanation of how they work:

Quote
Imagine a scammer contacting me to buy Bitcoins. At the same time the scammer gets into contact with someone else, let's call him Bob. The Scammer sells Bob bitcoins, or something else, let's say a coat.

The scammer then gives Bob my bank account number. Bob pays, thinking he's paying for a coat. I get Bob's money, thinking I've been paid for Bitcoins. Naturally, I send the scammer the requested Bitcoins.

Later, Bob doesn't get his coat, and file charges against me, because I received Bob's money. Meanwhile, the scammer is nowhere to be found.

This happened twice to me, at roughly the same time. I inquired with local law, and it turns out I had to refund the scammee, Bob.

Note that exchanges typically solve this problem by requiring you to verify your bank account beforehand. That's not really something I can do.
Discarded solutions are:

Asking for ID. They can be faked, or the request can be just as easily forwarded by the scammer.
Calling the person. This might work, but just a bit. So you have their phone number. What then?
Starting with small amounts. This might be helpful, but it's slow, and not really ideal.

The best solution I've been able to come up with is this: I require the buyer to put the link "www.is.gd/warning0" in the transaction message. The page behind the link explains that they should be talking to me, via my email, and explains the above scamming scenario. The scammer hopefully can't require Bob to put this in his transaction message, because Bob would wisen up when he reads the link.

I've not had any more MitM attacks since then, so so far it's been working. Suggestions are welcome.
Jump to: