Author

Topic: How CoinPal avoided PayPal fraud (Read 16529 times)

newbie
Activity: 7
Merit: 0
September 17, 2021, 09:33:09 AM
#28
I think you sold me my first bitcoins at 0.26 each.  I bought like 500 coins, and actually did appreciate the phone call.  If I remember correctly, you wondered why I was interested in buying them, and I replied something along the lines of "I dunno, I think these are cool and just want to own a few to try them out.

Wow. where are you now ? a billionaire maybe?
legendary
Activity: 2940
Merit: 1333
December 24, 2018, 02:41:34 PM
#27
There is a coinpal.eu that is a scam, they got me for approx $780 yesterday.

Bitcoin address: 12awVrBX3J95qXjDKC7btodpL27mxgg2fF

This thread is about a service which closed in 2011. Your post is offtopic here.
newbie
Activity: 2
Merit: 0
December 24, 2018, 12:39:51 PM
#26
There is a coinpal.eu that is a scam, they got me for approx $780 yesterday.

Bitcoin address: 12awVrBX3J95qXjDKC7btodpL27mxgg2fF
hero member
Activity: 518
Merit: 500
BTC < > INR & USD
August 15, 2013, 10:09:36 AM
#25
Excellent writeup mate.!
full member
Activity: 172
Merit: 100
December 13, 2012, 10:40:19 PM
#24
i wish you could give the specifics, just for the sake of an interesting read but i understand why you can't.  good info, thanks!
member
Activity: 66
Merit: 10
November 30, 2012, 02:43:18 PM
#23
It's unfortunate that you were unable to continue such a service.  I know there has been much controversy with bitcoin being used at time for less then legal actives, but that definitely doesn't mean that all activities associated with it are illegal.  As bitcoin continues to grow I guess it's bound to happen than those who they may directly or indirectly loose business too would be shunned.
newbie
Activity: 56
Merit: 0
November 26, 2012, 11:21:22 AM
#22
A great write up. Thanks for the service.
legendary
Activity: 1372
Merit: 1008
1davout
November 25, 2012, 05:58:04 PM
#21
very interesting read
sr. member
Activity: 369
Merit: 250
November 25, 2012, 05:49:03 PM
#20
Excellent writeup, mndrix...
((...snip...))

Seconded / agreed.

Though on the subject of paypal's ToS, I won't comment.
legendary
Activity: 1358
Merit: 1002
August 05, 2012, 12:34:15 PM
#19
EclipseMC, Inaba's pool, no?
donator
Activity: 1218
Merit: 1079
Gerald Davis
August 05, 2012, 12:31:35 PM
#18
D&T, TheBitMint got shutdown cause the kid used one(or several) Non-Verified Paypal account(s) and when he reached the account limits he couldn't verify cause he's only 17, remember? You should remember, because you were burned on it.

Indeed maybe not the best example but just pointing out that it is like PayPal only cares about limiting fraud or the risk of digital goods.  Maybe the OP and the pool (man for the life of me can't remember which one) are better examples.  Very low and no fraud and still shutdown without reason or recourse.  The OP was even told he was authorized.  He was "authorized" AND kept his fraud to a minimum something which PayPal should have rewarded and instead he got slammed.

Dysfunctional. 
legendary
Activity: 1358
Merit: 1002
August 05, 2012, 11:44:02 AM
#17
D&T, TheBitMint got shutdown cause the kid used one(or several) Non-Verified Paypal account(s) and when he reached the account limits he couldn't verify cause he's only 17, remember? You should remember, because you were burned on it.
donator
Activity: 1218
Merit: 1079
Gerald Davis
August 05, 2012, 11:34:59 AM
#16
Exactly. some bitcoin people act as if PP has some kind of personal vendetta (besides competition) against bitcoin when that is not true at all.

That isn't exactly true.  TheBitMint (and many others) have gotten shutdown simply for selling Bitcoins and not even having fraud.  One pool offered payouts in PayPal.  No bitcoins actually exchanged hands and since the pool was paying out (i.e. funds only going to users not from them) there was no risk of chargeback or fraud.  PayPal also shut them down.

The problem with PayPal is that they are very dysfunctional.  Even if you get permission from one dept it doesn't mean that won't change later, or be counteracted by another department.  We payout using PayPal but keep the amount of funds limited on PayPal limited and are under understand that PayPal could shut us down any second without reason or recourse.  We have taken every precaution possible: only sending PayPal never receiving, a year long spotless no fraud record, business account, 2 factor authentication, paying fees (no "gifts"), advising PayPal in advance of our significant transaction volume,  prefunding our account using only ACH, providing PayPal a letter from our bank, etc.  Even with all that we might still be offering PayPal payouts in a year or shutdown in a week.
member
Activity: 101
Merit: 10
August 05, 2012, 10:35:21 AM
#15
This thread should be stickied as a useful resource for anyone developing bitcoin services.
A sage, informed and useful post mndrix, thank you!


BB.
newbie
Activity: 19
Merit: 0
August 05, 2012, 05:47:32 AM
#14
Well I declare! Behind the times indeed.... why I remember... um... Does 9/11 count? Embarrassed
sr. member
Activity: 244
Merit: 250
August 05, 2012, 05:44:02 AM
#13
also paypals anti-fraud department is extremely good, stolen accounts are almost always flagged even if they use an IP in the same city.

PayPal's anti-fraud measures are decent and I relied on them as an initial filter.  However, I caught many fraudulent orders that PayPal missed.  Their system is optimized for physical goods.  They do automatic chargebacks on digital goods disputes, so they have little incentive to improve there.

Exactly. some bitcoin people act as if PP has some kind of personal vendetta (besides competition) against bitcoin when that is not true at all. The fact of the matter is PP does not support digital goods, even on eBay. I have sold numerous digital goods and have been scammed on a few of them, from legitimate eBay users wnho even eventually got out of my negative feedback.
PP simply is not an advanced company, they keep it very simple and are behind the times. Things are starting to sell digitially and they need a lot more protection there. Adequate proof (beyond a reasonable doubt using logic) that would stand in a courtroom does not stand with PP. PP's definition of proof is a bit different and very limited.
vip
Activity: 447
Merit: 258
July 18, 2012, 02:53:21 PM
#12
Any chance we can get you to share what you're up to lately? Bitcoin-related, I hope?

Unfortunately, I've spent most of the last year on non-Bitcoin projects.  I've spent only a little time each month on my next Bitcoin project.  It's something others have tried and failed.  I'd rather not announce any specifics in case I meet the same fate.  Better to show than tell, I figure.
legendary
Activity: 1260
Merit: 1031
Rational Exuberance
July 18, 2012, 02:19:02 PM
#11
Not to use PayPal again Smiley  I had planned to accept credit card payments instead.  Over the last year, other ideas have consistently seemed more fruitful so I'm not pursuing credit cards anymore.

Any chance we can get you to share what you're up to lately? Bitcoin-related, I hope?
legendary
Activity: 1904
Merit: 1002
July 18, 2012, 01:04:18 PM
#10
What was your plan to avoid having your account frozen again?

Not to use PayPal again Smiley  I had planned to accept credit card payments instead.  Over the last year, other ideas have consistently seemed more fruitful so I'm not pursuing credit cards anymore.

Ah.  Good plan Smiley.
vip
Activity: 447
Merit: 258
July 18, 2012, 01:01:23 PM
#9
What was your plan to avoid having your account frozen again?

Not to use PayPal again Smiley  I had planned to accept credit card payments instead.  Over the last year, other ideas have consistently seemed more fruitful so I'm not pursuing credit cards anymore.
vip
Activity: 447
Merit: 258
July 18, 2012, 12:56:43 PM
#8
also paypals anti-fraud department is extremely good, stolen accounts are almost always flagged even if they use an IP in the same city.

PayPal's anti-fraud measures are decent and I relied on them as an initial filter.  However, I caught many fraudulent orders that PayPal missed.  Their system is optimized for physical goods.  They do automatic chargebacks on digital goods disputes, so they have little incentive to improve there.
legendary
Activity: 1904
Merit: 1002
July 17, 2012, 11:26:26 PM
#7
What was your plan to avoid having your account frozen again?
hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
July 17, 2012, 11:11:58 PM
#6
I think you sold me my first bitcoins at 0.26 each.  I bought like 500 coins, and actually did appreciate the phone call.  If I remember correctly, you wondered why I was interested in buying them, and I replied something along the lines of "I dunno, I think these are cool and just want to own a few to try them out.

lol. Talk about nostalgia. It's hard to think of Casascius as not knowing what bitcoins were.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
July 17, 2012, 11:05:46 PM
#5
I think you sold me my first bitcoins at 0.26 each.  I bought like 500 coins, and actually did appreciate the phone call.  If I remember correctly, you wondered why I was interested in buying them, and I replied something along the lines of "I dunno, I think these are cool and just want to own a few to try them out.
donator
Activity: 452
Merit: 252
July 17, 2012, 10:49:44 PM
#4
member
Activity: 104
Merit: 10
July 17, 2012, 05:58:32 PM
#3
Good article, hopefully it will help some out dealing with paypal hell.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
July 17, 2012, 02:06:05 PM
#2
Excellent writeup, mndrix. And I can't believe that PayPal would willingly throw away business from someone such as you that was so careful and diligent about fraud.
vip
Activity: 447
Merit: 258
July 17, 2012, 01:59:31 PM
#1
As most of you know, I operated CoinPal before it was closed in April 2011.  I had planned to reopen it, but plans have changed.  I still own, follow and advocate Bitcoin.  Nothing has changed there.  About once a month, I receive an email asking "How did you avoid scammers on CoinPal?"  I decided to post about it so the entire community can benefit (and give myself a URL to point to).

Background

CoinPal allowed one to purchase Bitcoins with PayPal funds.  PayPal payments can be reversed easily but Bitcoin payments are permanent.  This asymmetry made CoinPal a constant target for PayPal fraud.  After I experienced my first wave of fraud, from which I learned many lessons, CoinPal lost less than 0.9% of revenue to fraud losses.

Fraudulent buyers exhibit certain characteristics that distinguish them from legitimate customers.  Some of these characteristics could be easily abandoned if the scammers recognized them.  They appear not to.  This kind of obscurity makes poor security.  Nevertheless, recognizing these kinds of easily abandoned practices saved CoinPal lots of money.  I won't describe any of these patterns since the scammers will simply abandon them once they're published.  Instead, I'll describe characteristics which scammers are unable to change.  These ought to remain relatively helpful over time.

Stolen accounts as currency

The most important realization is that stolen PayPal accounts or credit card numbers are a digital currency (although a poor one).  If I write a virus or phishing attack, my wages are denominated in the currency of stolen accounts.  Alternatively, I can exchange fiat currency for stolen account currency, by trading on various black market forums.

As a digital currency, stolen PayPal accounts are subject to double spending attacks.  For example, the legitimate owner may change his account password thus spending stolen funds back to himself.  Or a vendor selling PayPal credentials can sell the same credentials to multiple buyers.  Without a blockchain to rescue them, those holding this digital currency must spend it quickly before someone beats them to it.

Scammers are in a nasty hurry and can't do anything about it.  I saw this over and over again at CoinPal.  I see it at other online retailers too.  This is why CoinPal and VirWox have tiered purchase limits based on an account's age. 

Conclusion: scammers have an unusually high discount rate.  With this discount rate, the present value of a payment 7 days in the future is less than his cost of acquiring stolen credentials.

Measure Everything

Collect data on everything you can possibly measure.  Record it in your database associated with each order.  When fraud happens, compare all the data you have against known legitimate orders.  Scammers operate under different conditions than legitimate buyers and it invenitably shines through.  When they try to hide it, it causes other tell tale signs.

In the short time that CoinPal operated, I collected a couple hundred metrics about each order placed on the site.  Perhaps a dozen of those metrics proved useless.  The rest were valuable and I incorporated them into automated fraud screening.  Unfortunately, these patterns are the easily abandoned ones I mentioned above, so I won't give specifics.

Conclusion: If you can measure something about your customers, do it.  Spend plenty of time analyzing what you measured.

Legitimate Customers

You can't stop all fraud.  Some will get through your defenses.  Currency exchange profit margins are too narrow to absorb much of it, so you need a healthy legitimate customer base across whom you can distribute those costs.  As chargebacks come in, it's tempting to focus entirely on eliminating fraud.  Unfortunately, that focus inconveniences legitimate customers so much that they go elsewhere.

Early in CoinPal's history, I manually contacted every customer that wanted to purchase coins.  I bought a bunch of long distance calling credit and spent hours on the phone asking customers questions about the name of their nearest grocery store or which direction Lake Something was from their house.  I never had a chargeback from these orders, but they hated it and I hated it.  I lost many legitimate customers as soon as I emailed them asking if I could call them on the phone.  I know they were legitimate because many of them bought coins after I eliminated this process and they never charged me back.

Conclusion: a healthy customer base is as important as fraud detection.  Profit from serving them will sustain you through the scammer attacks.

Fees Select Customers

This should be obvious, but it's repeatedly violated by new Bitcoin exchanges.  A legitimate customer is spending his own hard earned money, so he cares about fees.  A scammer is spending someone else's money, so he doesn't.  Increasing fees scares away profitable customers leaving you with only scammers.

A small price elasticity of demand and a high discount rate combine to explain a common fraud symptom in retail.  Fraudulent customers are far more likely to pay extra for overnight shipping.  They don't care about the money and need the goods quickly before their scam is detected.

Conclusion: High fees favor fraud.  Although scammers could avoid this characteristic by frugally spending their stolen funds, frugality demands patience which they can't afford.

Repeat Business

CoinPal averaged 1.6 orders per legitimate customer.  Many of those customers first purchased from me shortly before the site closed and never had a chance to return, so that figure is artificially low.  Many legitimate customers placed the maximum allowed order every single week until the site closed.

Scammers, however, manifest as one time buyers.  After the first purchase, their stolen funds are spent and they must switch identities.   This distinction means you can safely lower your defenses for repeat purchases.  As best I can find/remember, CoinPal never had a chargeback from a repeat customer.

This dichotomy gives vendors another means to distinguish between good and bad buyers.  For a legitimate buyer, one-time fees will be amortized over the life of his business.  A scammer, must recoup the entire fee on his first purchase.  If the fee exceeds his profit, he'll quit.

Late in CoinPal's life, I instituted automated phone verification for first time buyers.  These buyers paid an extra $0.50 to cover the cost of the service.  For legitimate customers that's $0.50 amortized over several future orders.  For scammers, it's $0.50 plus the cost and inconvenience of acquiring a working phone number per order.

Conclusion: One-time fees favor legitimate buyers.
Jump to: