Editor’s note: Eric M. Jackson and Christopher Grey are the co-founders of CapLinked, a secure collaboration and workflow solution for managing complex business deals and projects. Jackson was PayPal’s first senior director of U.S. marketing and wrote the book The PayPal Wars.
It’s been a bad month for Bitcoin.
On February 7, Mt.Gox — the once-popular exchange that hosted 80 percent of the world’s Bitcoin trades — informed users that it was temporarily halting withdrawals of the popular electronic currency from its service due to a technical problem called transaction malleability. This technical flaw allowed fraudsters to manipulate the unique ID of a Bitcoin transaction. They could make it appear as if the withdrawal never happened even though they would still receive the funds.
The news was followed by reports from Coindesk of a “massive and concerted attack” on Bitcoin exchanges. The DDoS attack exploited the transaction malleability flaw and temporarily caused Bitstamp, a Mt.Gox competitor, to also cut off withdrawals. While Bitstamp and the other exchanges have since started letting customers withdraw funds again, as of this writing Mt.Gox still has not.
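To make the flaw concrete from the exchange's side, here is an added example that is not part of the original article or of any exchange's code. It models a transaction with a toy serialization in which the txid is the double SHA-256 of every field, including the signature script bytes that the signature itself does not cover. A copy with the same inputs and outputs but re-encoded signature bytes (simulated here by simply substituting the bytes; the placeholder transaction ids and scripts are constructed) confirms under a different txid. An exchange that keys its withdrawal ledger by txid alone sees "pending" and is tempted to send the funds again; one that keys on the outpoints spent and outputs paid recognises the withdrawal as settled.

```python
import hashlib
from dataclasses import dataclass
from typing import List


def sha256d(data: bytes) -> str:
    """Double SHA-256 as Bitcoin uses for transaction ids (hex, no byte-order swap)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


@dataclass(frozen=True)
class TxIn:
    prev_txid: str     # outpoint: which earlier transaction is being spent
    prev_index: int    # outpoint: which of its outputs
    script_sig: bytes  # signature script: NOT covered by the signature it carries


@dataclass(frozen=True)
class TxOut:
    value_satoshi: int
    script_pubkey: bytes


@dataclass(frozen=True)
class Tx:
    inputs: tuple
    outputs: tuple


def serialize(tx: Tx) -> bytes:
    """Toy wire format (not Bitcoin's real one): every field, scriptSig included, feeds the txid."""
    parts = [f"{i.prev_txid}:{i.prev_index}:{i.script_sig.hex()}" for i in tx.inputs]
    parts += [f"{o.value_satoshi}:{o.script_pubkey.hex()}" for o in tx.outputs]
    return "|".join(parts).encode()


def txid(tx: Tx) -> str:
    return sha256d(serialize(tx))


def settlement_id(tx: Tx) -> str:
    """Identity over what the signature actually commits to: outpoints spent and outputs paid."""
    parts = [f"{i.prev_txid}:{i.prev_index}" for i in tx.inputs]
    parts += [f"{o.value_satoshi}:{o.script_pubkey.hex()}" for o in tx.outputs]
    return sha256d("|".join(parts).encode())


def naive_status(sent_txid: str, chain: List[Tx]) -> str:
    """Exchange logic that keys withdrawals by txid alone."""
    return "settled" if any(txid(t) == sent_txid for t in chain) else "pending"


def robust_status(sent: Tx, chain: List[Tx]) -> str:
    """Keys withdrawals by outpoints + outputs, which a malleated copy cannot change."""
    want = settlement_id(sent)
    if any(settlement_id(t) == want for t in chain):
        return "settled"
    # The outpoint was spent, but not to the expected outputs: do not re-send, investigate.
    spent = {(i.prev_txid, i.prev_index) for t in chain for i in t.inputs}
    if any((i.prev_txid, i.prev_index) in spent for i in sent.inputs):
        return "conflict"
    return "pending"


# Constructed sample data (placeholders, not real Bitcoin transactions or scripts).
PREV_TXID = "aa" * 32
CUSTOMER_SCRIPT = bytes.fromhex("76a914" + "bb" * 20 + "88ac")  # P2PKH-shaped placeholder
CHANGE_SCRIPT = bytes.fromhex("76a914" + "cc" * 20 + "88ac")

# The withdrawal as the exchange broadcast it.
ORIGINAL = Tx(
    inputs=(TxIn(PREV_TXID, 0, b"signature-as-broadcast"),),
    outputs=(TxOut(100_000_000, CUSTOMER_SCRIPT), TxOut(5_000_000, CHANGE_SCRIPT)),
)

# Same inputs, same outputs, scriptSig bytes changed (simulated): the network can accept
# this copy instead of the original, and it then confirms under a different txid.
MALLEATED = Tx(
    inputs=(TxIn(PREV_TXID, 0, b"signature-re-encoded"),),
    outputs=ORIGINAL.outputs,
)


def demo() -> dict:
    chain = [MALLEATED]  # only the mutated copy made it into a block
    return {
        "txid_changed": txid(ORIGINAL) != txid(MALLEATED),
        "naive": naive_status(txid(ORIGINAL), chain),  # "pending": tempts a second payout
        "robust": robust_status(ORIGINAL, chain),      # "settled": funds already delivered
    }


if __name__ == "__main__":
    print(demo())
```

The defensive point is in `robust_status`: once the spent outpoint appears on chain, the withdrawal is either settled or a conflict to investigate, never something to retry automatically. Identifying a transaction by what the signature commits to, rather than by a hash that includes the signature encoding, is also the direction the protocol itself later took with segregated witness.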
How this eventually plays out for Mt.Gox in particular and Bitcoin exchanges in general remains to be seen. But if the experiences of the Web 1.0 online payments service PayPal have any bearing on the future of Bitcoin, fraud is an issue that won’t go away any time soon.
The early days of PayPal (which Eric witnessed as the company’s first senior director of marketing and later chronicled in his book The PayPal Wars) certainly suggest that fraud is going to remain a significant issue for Bitcoin. We think the PayPal experience may also provide some guidance on the types of fraud that could be in store for the Bitcoin ecosystem.
When PayPal launched in late 1999, the site was branded around “beaming money” to friends and even briefly employed Star Trek’s “Scotty” as a spokesman before pivoting to focus on e-commerce payments. The shift led to rapid growth as eBay users flocked to the service. As the site grew to 1 million users in just six months, the floodgates were also opened to a host of fraudulent activities.
Credit card chargebacks soared as buyers disputed transactions that went bad for a host of reasons, such as failure to ship or items showing up not as described. Even though third-party marketplaces like eBay were ostensibly facilitating the transactions, PayPal was left holding the bag if it couldn’t recover the funds from the seller.
Foreign organized crime rings began to leverage PayPal to cash in on stolen credit card numbers obtained from the black market. They set up automated scripts that used the stolen cards to fund PayPal payments to accounts that they controlled, and then transferred the funds out of PayPal to a bank account.
Account theft surged in the early 2000s as sophisticated “phishing” attacks caught users unaware. In one early case, fraudsters registered the domain “PayPai.com” and sent around links asking PayPal users to submit their confidential information in order to resolve an account problem.
The ramifications for PayPal were severe. As the fraud rate on payment volume soared above 100 basis points, the credit card associations threatened restrictions and loss of access. PayPal’s first business model was built around the recirculation of payments within the system, meaning that initially it wasn’t equipped to deal with this kind of fraud. By the fall of 2000, the company’s monthly burn rate hit $10 million.
Salvation didn’t come overnight, and it didn’t come in the form of a silver bullet. Peter Thiel, Max Levchin, and the rest of the executive team took a multifaceted approach to tackle the problem using a mix of technological, financial and operational initiatives.
For example, Levchin and engineer David Gausebeck built one of the first commercial applications of CAPTCHA technology (dubbed the Gausebeck-Levchin test) to block automated account creation. The engineering and fraud teams built a complex analytics system named IGOR to help dedicated employees identify fraudulent behavior patterns. The product team tied withdrawal limits to account verification levels so only users “known” to us could make large withdrawals.
Cumulatively the efforts worked. Over the following year, PayPal’s fraud rates tumbled into the 20-30 basis-point range. This improved the company’s financial performance, playing a large role in its IPO in February 2002 and acquisition by eBay later that year. As PayPal “hardened the target,” it drove fraud away to other competing payment services. By the end of 2002, Citibank, Bank One, and Yahoo had all either closed their payment services or were on their way to doing so.
We think PayPal’s experience contains several important lessons for Mt.Gox and the other Bitcoin exchanges.
Fraud can emerge on many fronts. Just as there were multiple types of “fraud” targeting PayPal, expect criminals to emerge with a variety of schemes aimed at Bitcoin services and their users.
Bitcoin services should look for multifaceted solutions, not silver bullets. Combating fraud requires a company to leverage its technology, processes, and personnel across multiple fronts rather than just looking for a quick coding fix.
Fraudsters go after the weakest link. Regardless of the fate of Mt.Gox, don’t be surprised if other exchanges and Bitcoin services are targeted in the future. The ones that neglect security will be highly vulnerable.
With all the hype, it’s easy to forget that Bitcoin is still a nascent technology. If the issues it faces over the next few years bear any semblance to the ones PayPal experienced, then the discussion around Bitcoin-related fraud is only just beginning.