
Topic: Double Spending - How To? (Read 4581 times)

hero member
Activity: 798
Merit: 1000
Move On !!!!!!
October 04, 2015, 08:01:31 AM
#34
Well look, there is a risk everywhere. I think that the credit card chargeback rate is about 20-25% and merchants take this risk on themselves. But you are also using a logic that person that paid $3 for a cup of coffee won't be doing a chargeback. It's not worth a risk.

We can use the same logic about the Bitcoin double spend. But if you are looking for a 100% solution, I guess that Bitcoin is not ready for paying a coffee like Ciyam has said above. Honestly I am not sure that this will be ever necessary in order for Bitcoin to succeed.

Mickeyb, you are thinking "western" here. The Philippines is not western. It is an under-developed third-world country. Less than 20% of adults (those 18yo and over) have a bank account. Less than 5% of all shop purchases are made with a credit/debit card.

Yes, a cup of coffee costs about USD2 to USD3 in the Philippines, but that is almost half a day's salary for most workers. A graduate engineer in the Philippines earns about USD15 per day. A shop salesperson earns about USD6.50 per 10 hour day.

Sorry mate, I wasn't aware of this. In this case if having few cups of coffee double spent would really hurt your friend salesman, you better think twice about doing it and accepting Bitcoin for such payments. It's all about that risk/reward ratio and if the risk is high for you guys then you better stay away from it.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
October 04, 2015, 12:51:38 AM
#33
I hope my merchant doesn't see this topic. I can guess his response, "It looks too difficult and risky, I'll stick with cash only".

I have a meeting with him later next week.

Philippines is not ready for Bitcoin transaction, the Philippine Government should work on the very slow internet service first before Philippine merchants can start using them. I know there are a few merchants out there who accept bitcoin but still internet will play a big role in accepting this service.
Fast internet isn't required to accept Bitcoin at all. A slowish internet is fine for using POS systems like Bitpay with minimal delay. Transaction wise, it takes less than 3kb on average to send a transaction, no need for fast internet at all.
legendary
Activity: 1708
Merit: 1006
October 04, 2015, 12:14:39 AM
#32
I hope my merchant doesn't see this topic. I can guess his response, "It looks too difficult and risky, I'll stick with cash only".

I have a meeting with him later next week.

Philippines is not ready for Bitcoin transaction, the Philippine Government should work on the very slow internet service first before Philippine merchants can start using them. I know there are a few merchants out there who accept bitcoin but still internet will play a big role in accepting this service.
jr. member
Activity: 48
Merit: 6
October 03, 2015, 07:28:21 PM
#31
Well look, there is a risk everywhere. I think that the credit card chargeback rate is about 20-25% and merchants take this risk on themselves. But you are also using a logic that person that paid $3 for a cup of coffee won't be doing a chargeback. It's not worth a risk.

We can use the same logic about the Bitcoin double spend. But if you are looking for a 100% solution, I guess that Bitcoin is not ready for paying a coffee like Ciyam has said above. Honestly I am not sure that this will be ever necessary in order for Bitcoin to succeed.

Mickeyb, you are thinking "western" here. The Philippines is not western. It is an under-developed third-world country. Less than 20% of adults (those 18yo and over) have a bank account. Less than 5% of all shop purchases are made with a credit/debit card.

Yes, a cup of coffee costs about USD2 to USD3 in the Philippines, but that is almost half a day's salary for most workers. A graduate engineer in the Philippines earns about USD15 per day. A shop salesperson earns about USD6.50 per 10 hour day.
hero member
Activity: 798
Merit: 1000
Move On !!!!!!
October 03, 2015, 03:24:50 AM
#30
I hope my merchant doesn't see this topic. I can guess his response, "It looks too difficult and risky, I'll stick with cash only".

I have a meeting with him later next week.

Well look, there is a risk everywhere. I think that the credit card chargeback rate is about 20-25% and merchants take this risk on themselves. But you are also using a logic that person that paid $3 for a cup of coffee won't be doing a chargeback. It's not worth a risk.

We can use the same logic about the Bitcoin double spend. But if you are looking for a 100% solution, I guess that Bitcoin is not ready for paying a coffee like Ciyam has said above. Honestly I am not sure that this will be ever necessary in order for Bitcoin to succeed.
sr. member
Activity: 434
Merit: 250
Loose lips sink sigs!
October 03, 2015, 12:54:26 AM
#29
To keep this simple, let's assume I am using a wallet like Bitcoin Wallet by Bitcoin Wallet developers on an Android smartphone. I go into a coffee shop and buy using my bitcoin wallet. I understand that it is going to take about 5 to 10 minutes before the transaction is first registered on the Blockchain.

How can I then "double spend" my bitcoin?

Ha, you want to cheat and spend money you've already spent? What an ass! Why do you want to be a cheat? A fraud?
jr. member
Activity: 48
Merit: 6
October 02, 2015, 06:11:33 PM
#28
I hope my merchant doesn't see this topic. I can guess his response, "It looks too difficult and risky, I'll stick with cash only".

I have a meeting with him later next week.
hero member
Activity: 630
Merit: 502
October 02, 2015, 06:50:39 AM
#27
Aren't there some third party applications being developed that are dealing with this exact problematic? I remember reading about this, that there will be applications that will give you 99.9% ease of mind that the transaction is actually legit.

A transaction can still be "legit" but never get confirmed - if a tx has less fees than required then it won't be propagated at all (so the merchant wouldn't see it in the first place) but if the fee is exactly the bare minimum and the size of the tx is large then it is entirely possible the tx won't get confirmed (a situation that was occurring during the so called stress testing).


Yes, yes I understand this. Once I have sent a transaction without the fee at all and it was stuck out there until I haven't double spend it. Well I guess that against this low or none tx fee problem there is no solution at all then.
Double spending can be successful if the merchant is not aware that the mining pool have different policy from their client. example, if majority of the mining pool does not accept outputs with dust below 1000 satoshi, they will not mine it and the merchant's tablet will state that the invoice is paid.

Reference: https://www.mail-archive.com/[email protected]/msg00500.html
hero member
Activity: 798
Merit: 1000
Move On !!!!!!
October 02, 2015, 06:46:07 AM
#26
Aren't there some third party applications being developed that are dealing with this exact problematic? I remember reading about this, that there will be applications that will give you 99.9% ease of mind that the transaction is actually legit.

A transaction can still be "legit" but never get confirmed - if a tx has less fees than required then it won't be propagated at all (so the merchant wouldn't see it in the first place) but if the fee is exactly the bare minimum and the size of the tx is large then it is entirely possible the tx won't get confirmed (a situation that was occurring during the so called stress testing).


Yes, yes I understand this. Once I have sent a transaction without the fee at all and it was stuck out there until I haven't double spend it. Well I guess that against this low or none tx fee problem there is no solution at all then.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
October 02, 2015, 04:52:34 AM
#25
Aren't there some third party applications being developed that are dealing with this exact problematic? I remember reading about this, that there will be applications that will give you 99.9% ease of mind that the transaction is actually legit.

A transaction can still be "legit" but never get confirmed - if a tx has less fees than required then it won't be propagated at all (so the merchant wouldn't see it in the first place) but if the fee is exactly the bare minimum and the size of the tx is large then it is entirely possible the tx won't get confirmed (a situation that was occurring during the so called stress testing).
hero member
Activity: 798
Merit: 1000
Move On !!!!!!
October 02, 2015, 04:42:22 AM
#24
If he isn't using a payment merchant then he is actually going to leave himself wide open to people paying without correct fees and this is a "double spend" attack that requires virtually no skill and does not require sending the second tx within seconds (such a tx can be sent anytime later).

Assuming only a few BTC txs are expected in a week then maybe as long as he does check how many txs have confirmed at the end of the week he can decide whether or not it is worthwhile to continue taking the risk.


Aren't there some third party applications being developed that are dealing with this exact problematic? I remember reading about this, that there will be applications that will give you 99.9% ease of mind that the transaction is actually legit.
legendary
Activity: 3542
Merit: 1965
Leading Crypto Sports Betting & Casino Platform
October 02, 2015, 12:58:44 AM
#23
You could implement something that might give instant payments without fees. Hand out pamphlets to regular customers and encourage them to use a wallet with off-chain support. If they transfer money from their Xapo account to his account, they pay zero fees and the transaction is instant.

Xapo clients will like this, because there is no waiting time, and the merchant will be happy, because there is no risk of the transaction not getting confirmed.

It's just a temporary alternative to make up for the slower on-chain transactions in Bitcoin.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
October 02, 2015, 12:22:21 AM
#22
If he isn't using a payment merchant then he is actually going to leave himself wide open to people paying without correct fees and this is a "double spend" attack that requires virtually no skill and does not require sending the second tx within seconds (such a tx can be sent anytime later).

Assuming only a few BTC txs are expected in a week then maybe as long as he does check how many txs have confirmed at the end of the week he can decide whether or not it is worthwhile to continue taking the risk.
staff
Activity: 3458
Merit: 6793
Just writing some code
October 01, 2015, 08:30:00 PM
#21
The merchant, in this case, is hoping to just use an Android smartphone/tablet with say the Bitcoin Wallet app installed to accept bitcoin payments. At the end of the day (or week) the merchant would use a Philippines bitcoin exchange to convert the received bitcoin into PHP and have it deposited directly into his bank account.

Initially, bitcoin sales are likely to be only one or two a month so capital outlay has to be kept very low. I can not see him investing even one centavo in anything more complicated.

From the replies that I have received in this thread, it looks like my response to the merchant's "double spend" concerns will be:

Quote
There is a very slight risk of a double spend, however you have a greater risk of one of your staff giving free food/coffee to their friend than you have of experiencing a double spend.

A double spend generally requires a customer to spend the exact same amount of bitcoin again within seconds of the first transaction and that second transaction must be confirmed on the blockchain ledger before the first transaction. None of this is easy to do in the current environment.

I need to keep my response fairly simple. Would this response be reasonable?
I made a correction to that (bolded)
jr. member
Activity: 48
Merit: 6
October 01, 2015, 07:06:05 PM
#20
The merchant, in this case, is hoping to just use an Android smartphone/tablet with say the Bitcoin Wallet app installed to accept bitcoin payments. At the end of the day (or week) the merchant would use a Philippines bitcoin exchange to convert the received bitcoin into PHP and have it deposited directly into his bank account.

Initially, bitcoin sales are likely to be only one or two a month so capital outlay has to be kept very low. I can not see him investing even one centavo in anything more complicated.

From the replies that I have received in this thread, it looks like my response to the merchant's "double spend" concerns will be:

Quote
There is a very slight risk of a double spend, however you have a greater risk of one of your staff giving free food/coffee to their friend than you have of experiencing a double spend.

A double spend generally requires a customer to spend the exact same amount of bitcoin again within about 10 minutes of the first transaction and that second transaction must be confirmed on the blockchain ledger before the first transaction. None of this is easy to do in the current environment.

I need to keep my response fairly simple. Would this response be reasonable?
sr. member
Activity: 294
Merit: 250
October 01, 2015, 09:28:26 AM
#19
I just say make the drink and do not give it to the customer until 1 conf.

If customer asks, just explain that you would like a conf. first, as anyone who uses bitcoin should at least understand why the shop owner would need a conf. in the first place.
legendary
Activity: 1554
Merit: 1000
October 01, 2015, 09:24:11 AM
#18
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
October 01, 2015, 09:20:49 AM
#17
Bitcoin is not ready for "purchasing coffees" would be my answer.

Unfortunately it is actually quite simple to configure software to pay no fee at all and if the UTXOs are not old and the tx is small (and perhaps made up from many micro payments like most ad-sig posters wallets would likely do) then there is a good chance such a tx would not confirm before being actually dropped from the memory pool (restoring the funds to the purchaser - there are many topics created here about txs not confirmed after 2 days, etc.).

So you don't even need to "double spend" you just spend without enough fees to ever confirm!
(note that this will especially be true at times when people are purposely spam attacking the network to try and fill up blocks)

I guess the only chance for the vendor is if their Bitcoin payment processor identifies that the tx doesn't have enough of a fee to realistically confirm.
legendary
Activity: 1722
Merit: 1000
October 01, 2015, 09:13:26 AM
#16
Thank you all who have replied.

As I said previously, an average sale could be a day's pay for an average (Filipino) worker. Not an insignificant amount. The shop employee handling the transaction would have just a basic (Filipino) high school education. This would mean that he/she can do no more than follow basic instructions - if you're lucky.

Neither the sales person nor the customer are going to wait for even the first confirmation. The merchant (shop) cannot set or easily check the transaction fee. Let's assume that the customer makes the purchase with zero transaction fee. (I know, Bitcoin Wallet does not allow this.)

So, the customer walks in, buys a coffee and food (take-out) with bitcoin zero transaction fee, then leaves the shop. How does this customer "double spend" his/her bitcoin?

What is "another spend that uses the same inputs"?

It's not as simple as you're expecting. 

Do you understand what the blockchain is?  That is the first question.
legendary
Activity: 3472
Merit: 4801
October 01, 2015, 08:53:02 AM
#15
- snip -
let's assume I am using a wallet like Bitcoin Wallet by Bitcoin Wallet developers on an Android smartphone.
- snip -
How can I then "double spend" my bitcoin?

If the user is using properly written wallet software that includes a proper transaction fee, and isn't running any custom software of their own or colluding with anyone else, then they won't be able to "double spend" the bitcoin.  The transaction will confirm eventually, and the shop owner has a larger risk of their employees simply giving free food to their friends and family.


- snip -
So, the customer walks in, buys a coffee and food (take-out) with bitcoin zero transaction fee, then leaves the shop. How does this customer "double spend" his/her bitcoin?

With zero transaction fee, there is a bit more risk that the transaction will never confirm (and that the customer will spend those bitcoins elsewhere either intentionally or accidentally).  There are some steps that the merchant can take to reduce his risk in this situation.

To start with, the merchant can make sure to use software that identifies when a high risk transaction has occurred (such as a transaction with no fee).  They can train their employees that if the software indicates a "high risk" transaction, then the customer must wait for 1 confirmation.  If the customer is unhappy about waiting, then they shouldn't send without a fee.  They can send a new transaction with a proper fee to receive their product immediately, and the merchant can use software that will refund the zero-fee transaction back to the customer.

Assuming that the merchant is unwilling (or unable) to train their employees to recognize and handle high risk transactions, they can use software that will pay the fee for the customer when the customer fails to include a fee.  The software would need to recognize that a transaction has been received without a fee, and would need to immediately re-spend that transaction and include a large enough fee on the new transaction.  This new transaction would provide incentive for miners to confirm both transactions at the same time (since the fee paying transaction can't be confirmed without the free transaction being confirmed).  The miners that have implemented "Child-Pays-For-Parent" in their transaction selection algorithms will then work to confirm both, so that the risk is significantly reduced.  The merchant can also use software that will re-broadcast transactions that they have received which have not been confirmed within a day or so.  This will prevent the transactions from being dropped from the memory pool of nodes before it confirms.  The merchant may need to write (or pay someone to write) some of this software.  I'm not sure how much of it already exists.

As for your question about "How does this customer "double spend" his/her bitcoin"...

Double spending the way you are thinking about it really comes down to the following scenario. It can be either intentional or if the transaction has no fee it can be accidental:

  • Customer creates two transactions that spend the same bitcoins.
  • One of those transactions is broadcast in such a way that the merchant receives a copy of it, but most miners either don't receive a copy or they ignore the copy they receive.
  • The other transaction is broadcast in such a way that most miners receive a copy and attempt to confirm it, but the merchant either doesn't receive a copy or they ignore the copy they receive
  • The first transaction pays the bitcoins to the merchant's address, so they think they've been paid
  • The second transaction pays the bitcoins to an address controlled by the customer.
  • One of the miners that are processing the second transaction confirms it before the first transaction becomes confirmed

In this situation, the second transaction becomes the "real" transaction (since it got confirmed), and the first transaction becomes invalid.

Properly written wallet software won't allow a user to do this, but nothing is preventing an attacker from writing their own software that attempts to connect directly to the merchant's wallet and send them the first transaction while simultaneously connecting directly to many mining pools and sending them the second transaction.

The merchant can further reduce their risk if they use software (which they may need to create or pay someone to create) that connects directly to (and only to) some of the largest mining pools, listens for any competing transactions, and alerts the employee immediately of the fraud attempt.
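
A sketch of the merchant-side checks described in the post above (flagging no-fee payments for a 1-confirmation wait, and listening for competing transactions that spend the same inputs), added here as an example and not code from any poster or wallet project. The `Tx` fields, the `PaymentMonitor` class, the `MIN_FEE_RATE` value and all sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MIN_FEE_RATE = 10  # assumed policy threshold in satoshis per byte, not a network rule

@dataclass
class Tx:
    txid: str
    inputs: list      # outpoints spent: (previous txid, output index)
    input_value: int  # total satoshis consumed by the inputs
    outputs: dict     # address -> satoshis
    size: int         # serialized size in bytes

    @property
    def fee_rate(self):
        return (self.input_value - sum(self.outputs.values())) / self.size

class PaymentMonitor:
    """Classifies unconfirmed payments for the employee at the till."""

    def __init__(self, merchant_address):
        self.merchant_address = merchant_address
        self.spent_by = {}    # outpoint -> txid of the first spender seen
        self.flagged = set()  # txids that share an input with another tx

    def observe(self, tx):
        """Record a tx heard from any peer; return the txids it conflicts with."""
        conflicts = set()
        for outpoint in tx.inputs:
            first = self.spent_by.setdefault(outpoint, tx.txid)
            if first != tx.txid:
                conflicts.add(first)
        if conflicts:
            self.flagged |= conflicts | {tx.txid}
        return conflicts

    def classify(self, tx):
        self.observe(tx)
        if tx.txid in self.flagged:
            return "CONFLICT"     # a competing spend of the same inputs exists
        if self.merchant_address not in tx.outputs:
            return "NOT_PAID"
        if tx.fee_rate < MIN_FEE_RATE:
            return "WAIT_1_CONF"  # high risk: may never confirm
        return "OK"

def demo():
    # Constructed sample transactions; txids and addresses are placeholders.
    shop = PaymentMonitor("SHOP_ADDR")
    paid = Tx("tx1", [("prev_a", 0)], 100_000, {"SHOP_ADDR": 80_000, "CHANGE": 15_000}, 250)
    no_fee = Tx("tx2", [("prev_b", 1)], 50_000, {"SHOP_ADDR": 50_000}, 200)
    pay = Tx("tx3", [("prev_c", 0)], 60_000, {"SHOP_ADDR": 55_000}, 200)
    rival = Tx("tx4", [("prev_c", 0)], 60_000, {"CUSTOMER_ADDR": 50_000}, 200)
    results = [shop.classify(paid), shop.classify(no_fee), shop.classify(pay)]
    results.append(sorted(shop.observe(rival)))  # competing spend arrives later
    results.append(shop.classify(pay))           # re-check before handing over
    return results

if __name__ == "__main__":
    print(demo())
```

The third payment is classified `OK` when first seen and only becomes `CONFLICT` once the competing spend is heard, which is why the post's suggestion of listening at the largest mining pools matters: the monitor can only flag what its peers relay to it.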