
Topic: BitPiggy - bank account locked (again) 16th May 2012 (Read 4727 times)

member
Activity: 67
Merit: 10
BitPiggy is back up and running!

Our new bank account finally got unlocked yesterday, and then this morning I had to do some last minute fixes (bank details were still set to the old bank account!).

For users who have made past orders, you can gain access to your account by choosing to 'reset password' (https://bitpiggy.herokuapp.com/password_resets/new). This will mean the site will recognise your past orders and you'll immediately be able to jump into making large orders.

Things that have changed:
  • All users require a log in (email + password). This should hopefully be more convenient than the old style of email verification.
  • Limits have been changed + new orders must be 7 days apart. The 7 day limit is a new restriction as a direct result of previous attacks wherein stolen funds were sent to us.

Going forward
From appearances not a lot has changed besides the new log in process. However behind the scenes a lot has changed to make future changes easier.  Those future changes include:
  • Adding additional authentication methods, e.g. Facebook/twitter/OTC.
  • Reduce the delay between orders + increase limits for users that are authenticated in ways that are more trustworthy.
  • Adding additional payment methods.

So yes, we are back!

Please let me know if you experience any issues.
Cheers,
~Mat

Edit: I've moved this post into a new thread, https://bitcointalksearch.org/topic/bitpiggy-back-up-and-running-90152
mem
hero member
Activity: 644
Merit: 501
Herp Derp PTY LTD
All that needs to be done is devise a way to whitelist customers, without it becoming too much hassle because that is Bitpiggy's strength, that is easy and simple to do.

What I would do first is whitelist all customers that have used the Bitpiggy service and open back up.

Next I would get bank accounts at all four major banks and suggest people transfer money to the same bank as their own, then maybe same day transfer of btc could be possible instead of 24 hour wait. (overcoming a shortcoming of bitpiggy)

Next is growing the whitelist of good customers, maybe simple things like allowing them to buy 1 btc, then they must wait a week and after that if there is no fraud problem move them to the whitelist. Sure they could still scam a single btc but they risk losing a bank account they have access to for $5.

Good luck with whatever you do. I have only had very good experiences with Bitpiggy and look forward to them returning.

Great suggestions, I too am eagerly awaiting "The return of bitpiggy" (sounds like a cool comedy movie).
sr. member
Activity: 334
Merit: 250
MtBitcoins http://www.mrbitcoins.com/  6.20 AUD
SpendBitcoins https://www.spendbitcoins.com/buy/  6.314 AUD

I can underbid both of you a bit, PM me with volume (min 20 BTC, max depends on your rating) and your offer if interested.

AU bank wire transfers only to AU bank account, no cash deposits!

Trusted users only (some OTC rating or old users on this forum).
hero member
Activity: 700
Merit: 501
Bitpiggy can't come back soon enough.
The prices at the competition are no longer "competitive"!


If you're talking about us, our prices have not changed. They have always been Mt Gox 24h high + 10%. The problem is that it seems higher as the value of bitcoin rises but in reality it is exactly the same. If bitcoins were selling on Mt Gox for $1 each, our rate would be $1.10, which means that $100 worth of bitcoins would cost you $110. If bitcoins were selling on Mt Gox for $100 each, our rate would be $110, which means $100 worth of bitcoins would cost you $110.

Psychologically it seems more to pay $10 per bitcoin commission than $0.10 per bitcoin commission, but in reality it is exactly the same. I'm thinking about changing the display rate to x +10% so that, for example, at this very moment it would say "5.69 + +10%" instead of "6.31". Would that be psychologically more satisfying for people, especially as prices are rising?

We would love to have lower prices, but unfortunately with wire fees, foreign exchange fees, and exchange rate risk, we have found this rate necessary to stay profitable.
sr. member
Activity: 369
Merit: 250
MrBitcoins still selling for under $6
newbie
Activity: 19
Merit: 0
Bitpiggy can't come back soon enough.
The prices at the competition are no longer "competitive"!


OVER $6 NOW!
sr. member
Activity: 324
Merit: 250
Bitpiggy can't come back soon enough.
The prices at the competition are no longer "competitive"!
newbie
Activity: 19
Merit: 0
All that needs to be done is devise a way to whitelist customers, without it becoming too much hassle because that is Bitpiggy's strength, that is easy and simple to do.

What I would do first is whitelist all customers that have used the Bitpiggy service and open back up.

Next I would get bank accounts at all four major banks and suggest people transfer money to the same bank as their own, then maybe same day transfer of btc could be possible instead of 24 hour wait. (overcoming a shortcoming of bitpiggy)

Next is growing the whitelist of good customers, maybe simple things like allowing them to buy 1 btc, then they must wait a week and after that if there is no fraud problem move them to the whitelist. Sure they could still scam a single btc but they risk losing a bank account they have access to for $5.

Good luck with whatever you do. I have only had very good experiences with Bitpiggy and look forward to them returning.



member
Activity: 67
Merit: 10
Have you considered one of the things I proposed in this thread?
For example https://bitcointalksearch.org/topic/m.906946

Shortly again:
1) any new bank account from which a user wants to deposit must be validated
2) user validates the account by posting the account number in a form in his account on BitPiggy, and then YOU send him a small (like 0.17 AUD) transfer to this account with text in the description: "Use this code: PJ9D43ZR to allow funding your account on BitPiggy.com from this bank account"
3) when user receives the transfer from you he enters the code on your website
4) then you wait 30 days to give time for the real account owner to notice the transaction on his bank statement in case it was done by a cracker
5) after 30 days it becomes validated and the user can deposit from that account later on instantly

Yep, I got some of my ideas from your earlier suggestion. The waiting 30 days would certainly ensure the person was legitimate.  The other stuff of the person checking a deposit I make in their account a.k.a. PayPal style, doesn't get much- previous hackers clearly had access to the person's bank account, and over several days if not longer. 

Please do not use any "B" methods - it creates uncertainty for legitimate users, and will inevitably lead to becoming another Paypal-like nightmare, where you can first deposit funds, and then are locked, with many false positives.

I understand the concern. I should point out BitPiggy functions more like a shop than a bank. Hence there's no funds to lock. Rather, users would be prevented from making orders (or at least the amounts + timing would be restrictive) in the first place if the user was not trusted enough.
member
Activity: 67
Merit: 10
Our bank account has been unlocked.

Pending orders have been processed. Again, thank you for your patience. As mentioned previously on this thread, creating new orders is still on hold until we make new arrangements.

Cheers,
~Mat
sr. member
Activity: 334
Merit: 250
For A
i) Delay sending of bitcoins, to give banks enough time to report stolen funds. Considering it took ~10 days for UBank to tell me stolen funds had been sent my way, this doesn't sound feasible.
ii) Only serve people who have successfully made orders in the past. This works for old users, but doesn't help legitimate new people.

Have you considered one of the things I proposed in this thread?
For example https://bitcointalksearch.org/topic/m.906946

Shortly again:
1) any new bank account from which a user wants to deposit must be validated
2) user validates the account by posting the account number in a form in his account on BitPiggy, and then YOU send him a small (like 0.17 AUD) transfer to this account with text in the description: "Use this code: PJ9D43ZR to allow funding your account on BitPiggy.com from this bank account"
3) when user receives the transfer from you he enters the code on your website
4) then you wait 30 days to give time for the real account owner to notice the transaction on his bank statement in case it was done by a cracker
5) after 30 days it becomes validated and the user can deposit from that account later on instantly

Please do not use any "B" methods - it creates uncertainty for legitimate users, and will inevitably lead to becoming another Paypal-like nightmare, where you can first deposit funds, and then are locked, with many false positives.

Once funds are credited to the exchange they should be deemed clean, and if you are not sure a deposit is legitimate (i.e. has been done by the real account owner), just return it to where it came from.
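
Added example, not part of any post in this thread and not BitPiggy's code: a minimal Python sketch of the five-step validation flow proposed above (one-time code in the micro-transfer description, then a 30-day hold). The class name, the three-attempt limit, starting the hold at code entry, the `dispute()` hook and the sample account number are assumptions.

```python
import hmac
import secrets
from datetime import datetime, timedelta

HOLD = timedelta(days=30)   # step 4: time for the real owner to notice
MAX_ATTEMPTS = 3            # assumption: guesses allowed before rejection
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no I/O/0/1 look-alikes


class BankAccountValidation:
    """Tracks one user-submitted bank account through steps 1-5."""

    def __init__(self, account_number, now):
        self.account_number = account_number            # step 2: user submits it
        self.code = "".join(secrets.choice(ALPHABET) for _ in range(8))
        self.attempts = 0
        self.confirmed_at = None
        self.issued_at = now
        self.state = "code_sent"

    def transfer_description(self):
        # Text carried by the small outgoing transfer (step 2).
        return f"Use this code: {self.code} to allow funding from this bank account"

    def confirm(self, entered, now):
        # Step 3: the user types in the code seen on the bank statement.
        if self.state != "code_sent":
            return False
        self.attempts += 1
        guess = entered.strip().upper().encode()
        if hmac.compare_digest(guess, self.code.encode()):
            self.confirmed_at, self.state = now, "holding"
            return True
        if self.attempts >= MAX_ATTEMPTS:
            self.state = "rejected"
        return False

    def dispute(self):
        # The bank or the real owner reports the transfer as unrecognised.
        self.state = "rejected"

    def can_deposit(self, now):
        # Step 5: only a confirmed account that survived the hold is validated.
        if self.state == "holding" and now - self.confirmed_at >= HOLD:
            self.state = "validated"
        return self.state == "validated"


if __name__ == "__main__":
    t0 = datetime(2012, 5, 1)                              # constructed date
    v = BankAccountValidation("000-000 00000000", t0)      # constructed account
    v.confirm(v.code, t0)
    print(v.can_deposit(t0 + timedelta(days=29)), v.can_deposit(t0 + HOLD))
```

A correct code only moves the account into the hold; someone who can read the victim's statement passes step 3, so the hold and the dispute path are what keep a reported account from ever reaching `validated`.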
mem
hero member
Activity: 644
Merit: 501
Herp Derp PTY LTD
Good stuff, hope to see you back to BAU soon :)
edd
donator
Activity: 1414
Merit: 1002
I would suggest using more than one of the options you listed to varying degrees. Put new users into different categories based on what information they are willing to provide.

Best - If they don't mind providing offline documentation to verify their identity and are vouched for by an existing user, allow large deposits and withdrawals ASAP.

Next Best - Vouched for by another but want to remain somewhat anonymous, allow only limited deposits/withdrawals for a probationary period.

Riskiest - No referrals and no ID, mandatory waiting period for any withdrawals.
member
Activity: 67
Merit: 10
Another update- we just got off the phone to the NAB's efraud department (they handle the efraud for NAB and UBank), and they have instructed UBank to unlock the BitPiggy account. They said it should happen some time today, though they indicated it may take until near the close of business, Australia time.

Once we gain access, we will process any pending orders.

Creating new orders however will still be on hold for the time being.

FYI, we are currently in the process of setting up other, more appropriate bank accounts (we had been using a high-interest personal savings account vs a normal business account). The efraud department of the NAB has told me their policy regarding business accounts that receive stolen funds is generally they do not lock the account, but the business may have to bear the cost of accepting the stolen funds. Hence BitPiggy will still need to change its operations.

At the moment I am considering:

1) Accepting cash deposits (with proof of cash deposit, a.k.a. SpendBitcoins style of submitting photo of receipt).
2) Accepting bank-to-bank transfers as per normal, but with added measure to deter hackers sending stolen funds. Obviously the experience should be as unobtrusive as possible, and yet it needs to change. Methods I have thought of boil down to 2 distinct types of deterrence:

A. Prevent thief receiving bitcoins in the first place.
B. Punish thief after they have received bitcoins.

For A
i) Delay sending of bitcoins, to give banks enough time to report stolen funds. Considering it took ~10 days for UBank to tell me stolen funds had been sent my way, this doesn't sound feasible.
ii) Only serve people who have successfully made orders in the past. This works for old users, but doesn't help legitimate new people.

For B
To punish a hacker, knowing their identity (or some link to it) is useful, as we can either destroy their reputation, or hand over identity details to police. Note BitPiggy doesn't want to know people's details, yet identification is a common tool to deter crime.
iii) Require proof of reputation. The Bitcoin-OTC looks interesting, but it doesn't look like many people use it. Other things? Maybe people could vouch for other people, give invites.
iv) Require some form of online identification.  E.g. facebook/twitter/linkedin/google/ebay/etc account. Would need to check the account used looks legitimate.
v) Require some form of offline identification. E.g. passport/driver's license/utility bills. Not particularly interested in doing this.

One other thing we could do:
vi) Report the bitcoins as tainted. I suspect this wouldn't have much impact, for the moment anyway.

Anyways, that's what I'm thinking for the moment. Suggestions/comments welcomed.

Cheers,
~Mat
member
Activity: 67
Merit: 10
Hi all,

Just an update. UBank has still not unlocked our account. I have been calling them every day to get an update, and all they say is they can see it's being reviewed by management.

As before, all pending orders are still on hold until our account is unlocked.

Thanks for your continuing patience.

~Mat
vip
Activity: 490
Merit: 502
Will BPay solve the problem?

I'm not experienced with Australian banking system but my business banker says domestic bank transfers have less chargeback problems than international wire transfers. Well, I don't seem to agree with that.

Perhaps cheque via mail is a good solution too, if online banking is that unsafe. It will take longer time though.
hero member
Activity: 499
Merit: 500
That your account can be frozen (twice) because people claim that their accounts have been hacked and money sent to you is ridiculous.  If that happened to me I'd be absolutely stuffed - every single payment I send and receive, from rent to insurance to school fees, not to mention receiving my salary, goes through my account. 

I hope you get back up and running ASAP.
sr. member
Activity: 369
Merit: 250
What about two bank accounts.. one for customers who have been using the site for > 6 months and one for newbs.. that way when the newb account gets frozen the regulars are not inconvenienced.
sr. member
Activity: 334
Merit: 250
More ideas: don't show your account number to the customer in the system. Require the customer to enter HIS account number in the system first. And then you send a small sum (0.01 or something) to that account with the message about BitPiggy in the reference, and then the customer will find out your bank account number only from his bank transactions history.

And don't just enable customers to deposit from any bank. Enable banks one-by-one after analyzing that bank's security of outgoing transfers (does it have 2-nd factor authentication). So make an exclusive list of banks you accept transfers from (after checking their security). If someone doesn't have an account at one of these banks on your list, then he can just open one there - simple.

newbie
Activity: 35
Merit: 0
I've used BitPiggy a few times over the past year and always found the site to be reliable.  I hope it comes back soon.


same here!