Topic: Double Spending - How To? (Read 4581 times)

Sorry mate, I wasn't aware of this. In this case if having few cups of coffee double spent would really hurt your friend salesman, you better think twice about doing it and accepting Bitcoin for such payments. It's all about that risk/reward ratio and if the risk is high for you guys than you better stay away from it.

Fast internet isn't required to accept Bitcoin at all. A slowish internet is fine for using POS systems like Bitpay with minimal delay. Transaction wise, it takes less than 3kb on average to send a transaction, no need for fast internet at all.

Philippines is not ready for Bitcoin transaction, the Philippine Government should work on the very slow internet service first before Philippine merchants can start using them. I know there are a few merchats out there who accepts bitcoin but still internet will play a big role in accepting this service.

Mickeyb, you are thinking "western" here. The Philippines is not western. It is an under-developed third-world country. Less than 20% of adults (those 18yo and over) have a bank account. Less than 5% of all shop purchases are made with a credit/debit card.

Yes, a cup of coffee costs about USD2 to USD3 in the Philippines, but that is almost half a day's salary for most workers. A graduate engineer in the Philippines earns about USD15 per day. A shop salesperson earns about USD6.50 per 10 hour day.

Well look, there is a risk everywhere. I think that the credit card chargeback rate is about 20-25% and merchants take this risk on themselves. But you are also using a logic that person that paid $3 for a cup of coffee won't be doing a chargeback. It's not worth a risk.

We can use the same logic about the Bitcoin double spend. But if you are looking for a 100% solution, I guess that Bitcoin is not ready for paying a coffee like Ciyam has said above. Honestly I am not sure that this will be ever necessary in order for Bitcoin to succeed.

Ha, you want to cheat and spend money you've already spent? What an ass! Why do you want to be a cheat? A fraud?

I hope my merchant doesn't see this topic. I can guess his response, "It looks to difficult and risky, I'll stick with cash only".

I have a meeting with his later next week.

Double spending can be successful if the merchant is not aware that the mining pool have different policy from their client. example, if majority of the mining pool does not accept outputs with dust below 1000 satoshi, they will not mine it and the merchant's tablet will state that the invoice is paid.

Reference:https://www.mail-archive.com/[email protected]/msg00500.html

Yes, yes I understand this. Once I have sent a transaction without the fee at all and it was stuck out there until I haven't double spend it. Well I guess that against this low or none tx fee problem there is no solution at all then.

A transaction can still be "legit" but never get confirmed - if a tx has less fees than required then it won't be propagated at all (so the merchant wouldn't see it in the first place) but if the fee is exactly the bare minimum and the size of the tx is large then it is entirely possible the tx won't get confirmed (a situation that was occurring during the so called stress testing).

Aren't there some third party applications being developed that are dealing with this exact problematic? I remember reading about this, that there will be applications that will give you 99.9% ease of mind that the transaction is actually legit.

You could implement something that might give instant payments without fee's. Hand out pamphlets to regular customers and encourage them to use a wallet with off-chain support. If they transfer money from their Xapo account to his account, they pay zero fee's and the transaction is instant.

Xapo clients will like this, because there is no waiting time, and the merchant will be happy, because there is no risk of the transaction not getting confirmed.

It's just a temporary alternative to make up for the slower on-chain transactions in Bitcoin.  

If he isn't using a payment merchant then he is actually going to leave himself wide open to people paying without correct fees and this is a "double spend" attack that requires virtually no skill and does not require sending the second tx within seconds (such a tx can be sent anytime later).

Assuming only a few BTC txs are expected in a week then maybe as long as he does check how many txs have confirmed at the end of the week he can decide whether or not it is worthwhile to continue taking the risk.

A made a correction to that (bolded)

The merchant, in this case, is hoping to just use an Android smartphone/tablet with say the Bitcoin Wallet ap installed to accept bitcoin payments. At the end of the day (or week) the merchant would use a Philippines bitcoin exchange to convert the received bitcoin into PHP and have it deposited directly into his bank account.

Initially, bitcoin sales are likely to be only one or two a month so capital outlay has to be kept very low. I can not see him investing even one centavo in anything more complicated.

From the replies that I have received in this thread, it looks like my response to the merchant's "double spend" concerns will be:


I need to keep my response fairly simple. Would this response be reasonable?

I just say make the drink and do not give it to the custom until 1 conf.

If customer asks, just explain that you would like a conf. first, as anyone who uses bitcoin should at least understand why the shop owner would need a conf. in the first place.

Since 51% attack too expensive for the coffe.
You can use; "Replace by Fee" https://bitcointalksearch.org/topic/reminder-zero-conf-is-not-safe-1000usd-reward-posted-for-replace-by-fee-patch-179612

Bitcoin is not ready for "purchasing coffees" would be my answer.

Unfortunately it is actually quite simple to configure software to pay no fee at all and if the UTXOs are not old and the tx is small (and perhaps made up from many micro payments like most ad-sig posters wallets would likely do) then there is a good chance such a tx would not confirm before being actually dropped from the memory pool (restoring the funds to the purchaser - there are many topics created here about txs not confirmed after 2 days, etc.).

So you don't even need to "double spend" you just spend without enough fees to ever confirm!
(note that this will especially be true at times when people are purposely spam attacking the network to try and fill up blocks)

I guess the only chance for the vendor is if their Bitcoin payment processor identifies that the tx doesn't have enough of a fee to realistically confirm.

It's not as simple as you're expecting. 

Do you understand what the blockchain is?  That is the first question.

If the user is using properly written wallet software that includes a proper transaction fee, and isn't running any custom software of their own or colluding with anyone else, then they won't be able to "double spend" the bitcoin.  The transaction will confirm eventually, and the the shop owner has a larger risk of their employees simply giving free food to their friends and family.



With zero transaction fee, there is a bit more risk that the transaction will never confirm (and that the customer will spend those bitcoins elsewhere either intentionally or accidentally).  There are some steps that the merchant can take to reduce his risk in this situation.

To start with, the merchant can make sure to use software that identifies when a high risk transaction has occurred (such as a transaction with no fee).  They can train their employees that if the software indicates a "high risk" transaction, then the customer must wait for 1 confirmation.  If the customer is unhappy about waiting, then they shouldn't send without a fee.  The can send a new transaction with a proper fee to receive their product immediately, and the merchant can use software that will refund the zero-fee transaction back to the customer.

Assuming that the merchant is unwilling (or unable) to train their employees to recognize and handle high risk transactions, they can use software that will pay the fee for the customer when the customer fails to include a fee.  The sofware would need to recognize that a transaction has been recieved without a fee, and would need to immediately re-spend that transaction and include a large enough fee on the new transaction.  This new transaction would provide incentive for miners to confirm both transactions at the same time (since the fee paying transaction can't be confirmed without the free transaction being confirmed).  The miners that have implemented "Child-Pays-For-Parent" in their transaction selection algorithms will then work to confirm both, so that the risk is significantly reduced.  The merchant can also use software that will re-braodcast transactions that they have received which have not been confirmed within a day or so.  This will prevent the transactions from being dropped from the memory pool of nodes before it confirms.  The merchant may need to write (or pay someone to write) some of this software.  I'm not sure how much of it already exists.

As for your question about "How does this customer "double spend" his/her bitcoin"...

Double spending they way you are thinking about it really comes down to the following scenario. It can be either intentional or if the transaction has no fee it can be accidental:

• Customer creates two transactions that spend the same bitcoins.
• One of those transactions is broadcast in such a way that the merchant receives a copy of it, but most miners either don't receive a copy or they ignore the copy they receive.
• The other transaction is broadcast in such a way that most miners receive a copy and attempt to confirm it, but the merchant either doesn't receive a copy or they ignore the copy they receive
• The first transaction pays the bitcoins to the merchant's address, so they think they've been paid
• The second transaction pays the bitcoins to an address controlled by the customer.
• One of the miners that are processing the second transaction confirms it before the first transaction becomes confirmed

In this situation, the second transaction becomes the "real" transaction (since it got confirmed), and the first transaction becomes invalid.

Properly written wallet software won't allow a user to do this, but nothing is preventing an attacer from writing their own software that attempts to connect directly to the merchant's wallet and send them the first transaction while simultaneously connecting directly to many mining pools and sending them the second transaction.

The merchant can further reduce their risk if they use software (which they may need to create or pay someone to create) that connects directly to (and only to) some of the largest mining pools, listens for any competing transactions, and alerts the employee immediately of the fraud attempt.