Topic: Would anyone want a wallet with geofencing? (Read 278 times)

There are on-off ramps between LN <--> on-chain BTC in which you can send(receive) a LN payment to(from) the service, and the service will make an on-chain(LN network) payment on your behalf. There is generally a cost to this that exceeds on-chain TX fees (the service is aiming to make a profit). This may or may not result in a net savings over sending coin back and forth between your phone and your home computer, and absent these net savings, the cost may be sufficiently low that the value gained from only having a specific amount of coin on your phone is worth the additional cost.

It's actually a nice set up for a different consideration from geofencing/security, in that it means I don't have to manually top up my mobile wallet every time I spend from it. It would be cool to know that every time I leave my house I always have, say, 0.01 BTC on my phone. It doesn't matter if I didn't spend anything last time I was out, or I spent $10 worth, or I spent it all - when I leave my house tomorrow, I know I'll have 0.01 BTC on my phone.

The limiting factor at the moment is that not enough merchants accept Lightning, so I would find myself closing the channel frequently so I could spend coins on chain, and then having to set up a new channel every time I went home, which entirely defeats the purpose of the set up as being automated. But maybe in the future.

Relying on WiFi or Bluetooth of your home computer would reduce the risks I described, although there is the potential any of these could be spoofed.

I would not describe relying on my WiFi as relying on a "third-party" device, as I control my wireless router, and if it stops working, I can trivially create a new WiFi network with the same name.

My setup would automate the keeping an appropriate amount of coin on your phone. Since you are interacting with a direct channel to your home computer, you would not pay any transaction fees sending coin to/from your phone. Once you have the scripts written, there would be no additional setup each time you leave your house, provided your home computer is on and online.

If you are spending coin with your phone, you are presumably planning on spending them at a physical location, and you wont necessarily know the specific amount you are going to spend, or who you are going to send the coin to.

Well then you could change the geofence to instead of being based on GPS it is instead within range of your home WiFi, the bluetooth on your home PC/computer/speaker/whatever, or something similar, although I concede those all still require the correct operation of a third party device.

Agreed, unless you are using the geofence to protect your coins from yourself.

But if you are going to go to all the effort of setting up a wallet on your home computer and setting up a Lightning channel and associated scripts just to send your coins to your phone when you arrive home so you can presumably then spend them online, then why would you not just spend them directly from your home computer in the first place?

I still think the best solution to all this is to simply only hold on your phone coins that you would want to spend when you are out and about anyway. If you are going to geofence off some of your coins so you can only spend them when at home, then better to just remove those coins from your phone and store them at home permanently.

Sure, there are always risks when using third-party services. The difference in my eyes is that Coinbase (for example) is in the specific business of handling coin on behalf of their customers, which includes processing crypto withdrawals. if Coinbase screws up too much, they will eventually go out of business.

Relying on geofencing on the other hand will rely on your phone's GPS. Apple is not in the business of handling their customer's coin. They are not even in the business of providing precise location data to phone owners, or even location data in general. It is also possible that your phone's location is currently wrong, and when this gets fixed by Apple, your phone will think it is not in the correct geolocation when it is in the intended correct location.

Fair enough. Although if your security model is that you need a geolocation in addition to a PIN, you are assuming a PIN is insufficient.
For some reason I was thinking the amount allowed outside of a particular geolocation would be $50 in BTC. Fixing the amount to x amount of BTC, rather than $x worth of BTC would address this issue.

Yes, that would work. Although you would need one additional backup if you were to rely on this.

I do think a LN wallet with a channel open with your home computer that automatically sends/receives a LN tx when you leave a location would be best. If you have the private key to the address where your phone's channel will end up at when the channel is closed, you can simply broadcast an old channel state if you lose your phone.

What about this?

Just restore from seed maybe?

I am not against the idea, but it's not something I would use. If I have a mobile wallet with bitcoin in it, I would want to be able to spend it wherever I am. That's why it's mobile. It does make sense in certain situations, but it also prevents me from making a conscious decision to spend my coins when and where I want to.

You are in a store looking at some new sneakers and there is an announcement over the loudspeakers that happy hour is starting. All gear will be sold at a 40% discount during the next hour. The store takes bitcoin, but unfortunately your geofencing won't allow you to spend it.   

Imagine if you find yourself in a $5 wrench attach scenario and a robber is looking for anything valuable. You have no cash on you, no jewelry or a watch to give him, but you have some bitcoin. Happy that the attacker won't test the quality of the wrench against your head, you take out your phone only to remember that the geofence won't allow you to send it to him. Or you can only send a small amount that will make him furious. Very few robbers would agree to accompany you to your home where you can send the rest of the coins. 

Which is not unlike 2FA with Electrum wallets, or any web wallet or exchange in existence. I don't use these services and I don't want a third party to have any say whatsoever in how I spend my coins, but you can't deny that there are millions of users who do use such services. And you can always recover your wallet from your seed phrase and bypass the geolocation entirely.

I had assumed the geolocation was in addition to the usual security precautions of a password/PIN, not in place of them.

I don't understand where you are coming from here. Just set the geolocation to restrict to x amount of bitcoin. Or as in my proposal above, geolocate restrict a whole wallet while keeping another wallet free.

The geolocation is dependant on a third party agreeing you are in a specific location. So if for whatever reason apple (in the case of iPhones) does not agree you are in the geolocation of your home, you will be unable to access your coin. Or, an adversary could steal your phone and take it it to your front yard in order to steal all of your coin (without even having to break into your house).

There is also the risk of tricking your phone that the price of 1 bitcoin is $0.01, which would allow an unlimited amount of coin to be spent.

Isn't that the whole point of the proposal - to stop the end user from spending all of their coin in a certain situation? It really isn't any different to any other criterion you need to be able to spend your coins. For my mobile wallet, I need my phone, it must be charged, I must have data, and I must remember my password. For my cold storage paper wallets, I cannot spend them unless I physically go to their storage location, which is not unlike a geofence. For my multi-sig cold storage, I must physically go to multiple locations.

It would be very ill-advised to prevent someone from being able to spend all of their coin that is in their wallet unless a criterion is met (being within a geofence) as they could potentially mean the end-user is unable to spend all of their coin. Someone with login access to an iOS device can arbitrarily change the time/date, so it would be trivial to override any $/unit_of_time limitation. It would also be necessary to prevent someone from being able to access their private keys while outside of the geofence, or else an adversary could simply access the private keys and spend the entire unspent UTXO set controlled by a seed.

---

I do have one solution:
The current implementation of iOS allows automation based on certain criteria, including leaving a location and arriving at a location.

If you have a LN wallet on your phone, and a LN node on a home computer, you could create an automation that causes your phone to create a LN invoice that requests x BTC (potentially based on the current price) and sends that invoice to your home computer whenever your phone leaves a particular location. You could also create an automaton that automatically sends the remaining unspent coin whenever your phone arrives at a location.

Separately, you could create a script that approves/pays a LN invoice received from whatever information channel you designate to receive payment requests from your phone, when certain criteria are met. Your script can also automatically receive a transaction from your phone when it arrives to your home geolocation.

If your phone wallet is a LN node with a direct open channel connected to your home computer, moving the coin back and forth will be free. If your phone wallet is bluewallet (a custodial wallet), or does not otherwise have a direct LN channel open with your home computer, you will have to pay tx fees to move the coin back and forth.

I was just thinking about this thread I read a few days ago and had an idea: what about a wallet which you can configure a spending limit via geofencing?

I received a letter from my bank yesterday telling me that, for my safety, my online banking spending limit was lowered to X€. Maybe it could make sense a Bitcoin wallet that allows you to spend below some limit everywhere, for example, but above that limit only in a certain place or places.

It doesn't sound like a concept difficult for newbies to understand and it may be useful for some people.

Since there has been much discussion on the question if it makes sense or not, I will just say: "there's a market for almost anything".
Technically, it is quite easy to implement through the Google and Apple location APIs.
On iOS, bypassing location services / spoofing a location is really not as trivial as some may think as well.
Regarding something like servers breaking, phone GPS sensor malfunctioning etc., keep in mind you could always have either an emergency passphrase or directly use the seed words to restore that wallet in e.g. BlueWallet or Electrum.

Depends on your phone and maybe whether or not you've rooted it. On some versions of various Android OSs you can set an app to have administrator privileges, which will prevent you from uninstalling it the standard way and require a workaround. There are also other apps you can download which will password protect the uninstall feature for all your apps. If you've rooted your phone, you can always push Tasker as a system app and therefore be uninstallable, or even bundle it in to your custom ROM before you flash it.

But this all goes back to what I was saying above - this is a complicated and time consuming process for minimal security benefits, when almost everyone would just be better of moving their coins off of their mobile wallet in the first place.

Can't they just uninstall it?

I'm certainly not against the idea, and I think it would be a nice addition even though I would probably never use it personally, but I'm not sure it's a good solution for these people who already have poor security. If they are already keeping too much money on a mobile wallet because they are simply too lazy/naive (and not as a calculated risk as in your case), then their time would be much better spent setting up a better wallet and moving their funds there, rather than trying to apply a band aid to the poor security of their mobile wallet. There's also no way to implement a geofence that makes it anywhere near as secure as a long and complex password, so again, their time and efforts (and therefore your time and effort spent educating them) would be better directed down these avenues rather than setting up a scheme like this.

As an aside, a more secure way of achieving the same outcome (you can only spend your coins when in a certain location) would be to set up a 2-of-2 multi-sig with the second signature stored on an airgapped computer in a locked safe in your house, or similar.

I didn't originally mean the drunk boat buying / $300 of tequila just more of the security aspect.

As in everything else went wrong bit of security.
If you are being held for the $5 wrench attack, they will eventually get all your BTC $50 at a time or have you turn off the geofence or drive you near your home / secure zone.

It's more of how I and and some people I knows spend BTC / crypto in general. And some of them even after a ton of screaming by me still have really poor security.

I have a hot wallet on my phone with more crypto then I should, that's on me and a recognize that. It's being spent, but slowly. But even with that and a fair amount of places I can spend it I really don't spend much crypto when I am outside my home or office.

A little digression here but; I am cheap to a certain extent, and I also use credit cards to my advantage as much as I can. Grocery stores I have a 4% cashback card, gas stations a different 4% cash back, restaurants a different card with 4+% cash back and so on. As of now BTC / crypto does not really get me that. So when I am spending it outside of my home / office is usually going to a friend for something or at the rare location that does take crypto and I only have a card that gives me 2% back there. Many of the people I know are the same way.

So if for whatever reason I am sending out a large amount of BTC / crypto when not at home or work something either went very wrong OR someone has gotten access to my phone and wallet due to MY sloppiness.  BUT, there are plenty of users both new and somewhat experienced that do not have great security. This is just another layer for users like them and a bit more security for someone like me, who probably does not need it but it would be nice.

There would be a ton of implementation issues to be sure. But, it seemed reasonable when I posted it.

Like the equipment I was programming that brought this on, I was doing it in a secure facility that you have to go though a front door with a guard and you need a RFID pass to get in and then though a biometric door and another RFID secured door and then get into a locked cabinet. Then you can only program it when you are using a console cable plugged into a PC.
I really think that it's overkill to need a BT signal too.
But as several people pointed out on a different forum, that is that location. How many of these units are in a more relaxed office setting and although they should be in a locked server room, some tech actually does the initial setup in their cube. So now if the tech goes to the bathroom / get a cup of coffee and forgets to lock their PC you can't screw with the switch routing. I thought it's pointless, but everyone else thought it was a good idea.

-Dave

I don't see it like that. I've seen a fair share of programs having "basic" or "advanced" interface or settings when you first start it, then somewhere pretty visible you can always switch between the two.
Such a differentiation has a good chance to solve this problem.
Of course, it's still not easy to find the best balance - if it would have been easy, it would be already done, I guess.

The thing is that the advanced settings should be all there and well thought/implemented so the advanced users will go for this wallet, start suggesting it, start helping the newbies and so on. I mean that only the fences on and off are not enough for the success of such a project. Yeah.. maybe I'm hoping too much after all...

I don't know man - we've all got that one friend who wakes up in the morning down $300 with receipts for rounds of top shelf tequila in their back pocket. Any time I was heading out on such a potential occasion, I had a separate card linked to a separate checking account which I would deposit an appropriate amount of money in, so once I hit my limit that was me. If you wanted to do the same with bitcoin, this might be a solution, although I think a better solution would be to keep the bulk of your money on an airgapped wallet or hardware wallet and only transfer what you want to spend to your mobile wallet before you go out. I'm much too old for any such shenanigans now though.

I think that's the bigger issue. Any password or PIN encryption on your wallet is going to be significantly more secure than any geofencing you can set up. If someone is specifically coming after your wallet, then this presents a minor obstacle, and if someone isn't specifically coming after your coins, then your password or PIN would protect them anyway. And in terms of protecting the user from themselves, it only takes a password to unlock Tasker and disable the task, achievable in ~10 seconds, to turn the whole thing off, so is not reliable for someone who already cannot be trusted to manage their money.

For sure... that's why I said not for me and my use cases. I do like the idea of using Tasker and I had indeed had the same thought as o_e_l_e_o about leveraging it's "geofencing" abilities. It takes the onus off the wallet developer and allows a user who wants it to protect themselves... however, I still don't think there is a huge market for "people with low willpower who need a wallet that stops them from spending".

But I do see the "security" side of it... accidentally leave your phone on the table in the cafe? No worries, even if they get it unlocked, they won't be able to spend because the phone isn't in your "geo-fenced" spending area. You'd just have to hope they can't figure out how to crack the wallet and export your seed/keys... which would render any wallet level protection meaningless.


It's a fine line for wallet developers though... If you put too many fences up, even optional ones, users will simply throw their hands up and cry "arrrgh, too difficult" and move on... and if you don't enable those options by default, users generally won't enable them themselves... and then complain "why didn't your wallet stop me from being stupid?"

Honestly, it's a lose/lose proposition