Topic: Double Spending for BTC businesses - Best practice Solutions ? (Read 1403 times)

If a shop is processing many large ticket transactions per hour, they've probably already established themselves as reputable.

This would be true for bigger companies/retailers that you can "trust" with your funds for a short time.

If you were buying from Best Buy or Target this would work perfectly.

Would you trust a "no name" retailer holding your money for you while you shopped (for much smaller businesses)?

It still wouldn't be necessary to involve a third party. Businesses could require their own pre-paid gift cards for  big ticket items. Simply load it with bitcoins before you leave the house and they're confirmed by the time you get to the store. Unspent funds can be refunded by the cashier.

If bitcoin were to catch on enough then it would be possible for there to be 5 or 10 people in a row for example to be issued a claim ticket waiting for transactions to confirm.

A semi centralized service like greenaddress, circle or coinbase could solve the issue, as the store could advise customers to send their bitcoin to their account at one of the above services when they enter, then TX gets confirmed by the network while they shop, then the customer pays for their merchandise via their account at one of the above, then withdraws their coins back to their wallet that they did not spend.

For a transaction like that, I imagine the clerk would put your purchased items to the side, issue a claim ticket and move on to the next customer. Once the first confirmation goes through, the items are released.

Alternatively, the cashier can verify an adequate transaction fee was included (to minimize the risk) and obtain ID so that, in the event of a (still very unlikely) successful double spend at least the perpetrator can be prosecuted.

Brick and mortar businesses already accept a certain amount of risk with current payment methods. IMO, bitcoins are still less likely to be spent fraudulently and a few precautions practically eliminates the possibility of falling victim to a double spend without inconveniencing customers more than they already are.


Anyway, I believe the OP wishes to operate a site that somehow will allow users to conduct business with high values of BTC extremely quickly and possibly anonymously without any risk whatsoever. I think that's asking a little too much of Bitcoin this early in the game. We're still in beta, remember? 

You should not mind, in general.

The issue would come into play when you are selling high volume items in masse. Say for example someone is buying  a computer at Best Buy, the buyer would not mind waiting 10 minutes for the TX to confirm, but the seller (Best Buy) likely would. Now a transaction that could take 30 seconds to a minute will take, on average 10 minutes (if it gets confirmed in the next block), meanwhile everyone in line will need to wait, making their employees less efficient.

But that would require both consumer and merchant to have accounts with the same service.

In any case, if it was a high value item, why would you mind waiting for one confirmation?

Both coinbase and greenaddress would be good to be sure that payment will be received with dealing with high value items.

If you are only selling low value items (a few dollars) you should not worry about double spending attacks as they are generally expensive to execute.

Brilliant! ty Sir,

Suggestions on here are great 

Will forward to our engineer for assessment/integration.

for double-spending invalidate method, use 3 criterias to valid the real payment :
- bitcoin-QT server with instant verification
- blockchain.info instant verification (with blockr.io in backup or on main verification)
- bitcoinj verification (bitcoin android wallet)

when customer send bitcoin ... the cashier must see the 3 criterias at GREEN statut after max 10 seconds.

Nice one Edd, don't get me wrong mate - Love the Bitcoin protocol and have massive respect for the time and effort honest miners sacrifice. They're Legends in my book.

1 Confirmation may work for our model

I see, guess their model is more akin to a brokerage. Handling FIAT, I would assume that have adequate anti-fraud, charge-back assessments, insurance with there affiliate banking partner. Actually does anyone know who that is?

Well explained - Thanks btw

D&T appreciate your valuable feedback! PM'ed

Excellent! Will bring to our Dev's attention

Because you would be paying with your coinbase account, so they are really controlling
the funds.  They are the trusted third party.   This is another LAYER.  Essentially, you are telling
coinbase to pay them, and the merchant is assuming coinbase won't double spend.  Hope that
makes sense.   

There is, it's called the Bitcoin protocol.

Seriously, this is the purpose of mining - to relay and validate transactions.




Same way everyone else does.






You are limited by the network. Is one confirmation really too long to wait?

It is probably good there is no such service.  It would be rather trivial to make a service like that however double spend detection alone can't guarantee a tx won't be double spent (technically neither can confirmations).  Double spend detection can provide a reasonable assurance that your transaction has "won the race" (propagated the network) and ensure that no honest miner is working against you.  However a Finney attack can't be detected until after it has occurred by monitoring the network.  Likewise a thief could defraud you by working directly with a malicious pool.  There is no requirement that transactions have to be sent over the network (and no way to enforce that requirement if there was).  So a thief conspiring with a miner/pool doesn't have to broadcast the double spend, and this means there is nothing to detect.  Your first indication would be when the dishonest miner broadcasts a block with the double spend and your 0-confirm payment becomes invalid.

All of these factors depend heavily on what you are selling, how anonymous it is, how convertable it is to a thief, how much it is worth, etc.  There is no magic or simple "oh if you do this you will be safe".  It would not be difficult for a competent developer to code up a detection network but it should be part of a larger risk analysis.  Some services will simply always need confirmations or a way to secure alternate payment.  One example of this would be a grocery store.  Grocery store already accepts credit cards (and the associated risk).  If the store wanted to accept 0-confirm transactions for fast checkout line payment they could have users register a credit card and sign an agreement that if their bitcoin payment doesn't confirm the backup card will be charged.  The store is not taking any more risk.  If a thief has a stolen credit card and willingness to use it in person they would simply pay with the stolen credit card rather than try to perform a double spend.  So there are a lot of potential solutions but it will be very business specific.  What works for one business will not necessarily work for another.  Having a cookie cutter solution almost guarantees that naive businesses will be defrauded.

This was my main concern - Our potential engineer said he's tested and was easy to do.

I can't believe there is no service or software available to check duplicate(/multiple) transaction requests. Obviously, our system would then invalidate the transaction.

It is relatively easy to successfully double-spend with 0 confirmations. If a customer double-spends, then there is roughly a 50% chance that the merchant will see the legitimate transaction, and 50% chance that it will not be added to the block chain.

There are ways for both the merchant and the scammer to increase their odds. For example, a merchant with a better connection to the network is more likely to see both transactions and detect the attempted double-spend. The scammer can omit the transaction fee on the merchant's transaction, reducing the likelihood that it will be the one that is confirmed.

Clear and Concise, cheers man!