Hacker News new | past | comments | ask | show | jobs | submit login
100s of El Salvadorans Report Bitcoins Disappearing from Their Chivo Wallets (thecryptobasic.com)
137 points by dustintrex 4 months ago | hide | past | favorite | 145 comments



This is a question for any El Salvadorans browsing HN: are the funds stored in Chivo subject to the same financial rules and regulations as the rest of the El Salvadoran banking/financial sector?

I'm asking regardless of practical enforcement of those regulations, because I want to understand the risk model here as people actually using the app perceive it. Are the people regularly using it under the impression that the government will help claw back or recover lost or stolen funds, or is there widespread understanding that it's irreversible?


> This is a question for any El Salvadorans browsing HN: are the funds stored in Chivo subject to the same financial rules and regulations as the rest of the El Salvadoran banking/financial sector?

No.

> I'm asking regardless of practical enforcement of those regulations.

From public information and press releases it doesn't seem like they do.

- For starters the password is just a six digit number. So it doesn't follow the same account security recommendations required by the regulator for every other financial institution in El Salvador.

- Every financial institution in El Salvador is required to publish their corporate information on their website, including their financial statements and board of directors. But their website doesn't even publish their address.

- The app is not a member of the local deposit insurance scheme (IGD). But the app is the financial institution with the most clients in El Salvador. 3 million, compared to 1.5 from the rest of the financial sector

> I want to understand the risk model here as people actually using the app perceive it

> Are the people regularly using it under the impression that the government will help claw back or recover lost or stolen fund.

I don't know. I mean, all other banks are required to publish customer service statistics, including how many credit card chargebacks they do and how many fraud complaints they receive. But the app doesn't do this as far as I know.


Thanks for the response, I appreciate it.


Incentivising users to associate real world identities with their crypto identities by paying them $30 isn't a terrible idea. That's more than you get when some advertising giant builds a profile for you based on your browser characteristics. But preloading wallets and saying "use this wallet with you government ID to claim the money" fails to scratch the itch in so many ways:

- Users need to understand public/private keys so that the can rotate keys whenever necessary. They should have had users generate the wallets empty and then have them authenticate as a second step to get the payout.

- Maybe you need government-authored software to carry out the business of government, but since the chain is public and the keys can be used for signing things other than transactions there's no need for that software to ever see your private key. You ought to be able to handle everything you need by sending signed messages to the government app or having the government app examine the chain.

- Pairing an ID number with a photo of a face is not a valid authentication step. Neither of these things are secrets. You're going to need a government employee to look at the ID and the face before they accept the key, that way when skulduggery ensues, that employee can be found and questioned. Relying on non-secrets to do the job of secrets is a bad idea--as everybody who has a ssn knows.


> Incentivising users to associate real world identities with their crypto identities by paying them $30 isn't a terrible idea.

There's this project called Worldcoin which gives you "crypto of the future" for registering your retina and more "crypto of the future" for setting up "orb" devices to scan other's retinas.


I've heard if it. I just don't think biometrics are ever going to be good enough to securely drive a key from.

And even if they were, I'm not sure one-key-per-human is what you'd want. I think we ought to be able to generate pseudonyms which provably belong on to a taxpaying citizen, but which can't be traced to the specific one. For protecting whistleblowers and such.


An inverted funnel of world coin, it seems.


Their only soure documents "over 50" cases, not hundreds.


Is the "Chivo Wallet" an actual lightning wallet?

I have not found any confirmations so far, that People in El Salvador are actually using Bitcoin. For all I know it could be Government fiat that is denominated in Bitcoin.

Does anybody here know more about it?


There’s been a few articles on it.

Chivo -> Chivo transfers are not done with Lightning, or ok the blockchain itself. Govt is not obliged to back the amount of “Bitcoin” in all the wallets by any specific amount.

There are, I believe, gateways to both LN and the BTC blockchain itself. So you can transfer funds to/from Chivo with a real Bitcoin transaction. But sending to another Chivo user is just handled by Chivo centrally.


Yes, you can send funds from Chivo wallet to any bitcoin wallet (or the other way around)


Ok, but the same would hold true for any exchange app. But that does not make it a lightning app. The coins would be held by the exchange and the app only displays your balance.


It’s precisely like that.


If you're going to centralize the keys, why bother with Bitcoin? Isn't the whole point that you're insulated against untrustworthy governments? It's kind of sounding like decaf coffee ..


So the Chiva Wallet is not a lightning app?


What does state owned mean? Is it run like a centralized bank or is it just the official "lightning wallet"?

The article is confusing because it mentions missing funds but not whether there are any transactions by hackers or scammers.


Chivo Wallet is non custodial. It is managed by the government somehow. It’s pure evil what they did there. Afaik a government official could take it all.


It’s very much “custodial”.

Non-custodial would mean you held your own keys etc.


Oh sorry yes you’re right it’s the other way around.


I'm curious - if someone was able to develop a new type of computing (or phishing) to get the private keys and simply took them, would that be stealing? Do people who own Bitcoin have any legal right to the coins? What if the person who "stole" them claimed they mined it themselves. How could you disprove this?


Solo-mined coins are recognizable as outputs of special coinbase transactions. Pool-mined coins tend to have a very short history as pool payout from recent coinbases. So any mining claim to coins with a longer history are obviously false.


IANAL but I would be surprised if any jurisdiction didn’t find that was the case.

Difficulty in proving something happened doesn’t suddenly make it legal.

As the thief, you could only plausibly claim you mined it if you stole it from someone who did (as otherwise there would be a history of UTXOs). Depending on the history of the coins in question, it could be used as evidence.

Ie if one of the last prior UTXO was associated the gov airdropping it to Alice, 65yo non-techie, still having those keys on her iPhone, and then maybe sending some to her nephew and spending it on a webshop order shipped to her home address, and then Bob, 35yo CS Phd with addiction problems... I’d say that’s more evidence than what’s needed to put someone in jail in many places. But I think as with many things legal it’d depend a lot on the circumstances in the individual case.

People have been found guilty of defrauding people of cryptocurrency. It’s not that exotic.

This made me thinking, if you want to “insure” yourself for such a potential future situation, construct a hash of an arbitrary secret, sign it with your private key, and publish it on-chain. If you’d end up as the victim in that scenario, you could present the preimage, thereby presenting proof you had control of the keys at that point in time, as opposed to gaining access to them recently.

I wonder if the Lightning wallet they’re using has enough information for its internal database to already have that, considering how Lightning channels and payments work.


What if the person 'stealing' the bitcoin didn't 'hack' or 'phish' the private key, but instead guessed it?

There's been documented cases of coins being sent to wallets generated with empty-string seed phrases, or people using seed phrases that are easily guessable.

If I guess your private key/seed phrase, I've not accessed any network or equipment I don't have authorisation to access, I've not tricked or defrauded anyone, what crime have I actually committed?

Certainly stealing bitcoin this way would be morally wrong, but I don't see what crime you could charge me with.


IANAL but in the United States that would still be wire fraud because you interact with a network to move the bitcoin into a wallet you would control. You can disprove the other actions by looking at Bitcoin's distributed ledger but for certain transactions if they liquidate the coins it can be a great deal of work to figure out where the money went.


How would you distinguish this "bad" behavior from the good? It seems inherently intractable without centralization.


How is it any different than determining if a credit card charge was fraudulent? Either way, someone "figured out a way" to extract funds.


Credit cards are centralized and it's trivial because of that.


I went to a presentation where Capital one has an anomaly detection system for credit card fraud that could process a transaction below 1ms or even lower than that. They had a system with around a Terabyte of memory using a streaming data system (I think it was spark).

This is a nontrivial system that has false positives and negatives.


False positives or negatives don't really matter with credit card systems because you have recourse from the perspective of the end-user. Obviously Capital One incurs costs around such things and so they have complicated infrastructure developed, sure.

However from the end user perspective:

If you have a credit card and a fraudulent charge appears you call the credit card, they freeze the transaction, contact the vendor who may or may not be able to corroborate the legitimacy of the charge, and it's done.

The alternative would be using cash, where it is not possible at all. So in comparison to the alternative, I do believe it's "trivial." That being said I regret using that word, I should've used "straightforward", instead.


The merchant is also an end user, and they lose the money.


How is it trivial to determine if a charge was fraudulent? Fraudulent charges are made in the exact same way as genuine ones.


Depends on the nature of it - if the locale is different for example you can immediately reverse it and ask the vendor the fraudulent charge came from for details regarding the transaction and cross reference with the details about the owner of the card.

However if you were using stolen cash it wouldn't really be possible. In this scenario the stolen private key and corresponding bitcoin is like stealing the cash. There's not really anyway to determine anything.


Maybe fraudulent wire transfers would be a better analogy, but I don't think this is fundamentally different than traditional banking. You determine if a charge was fraudulent by whether or not you authorized it.


If you stole the private key how would you be able to determine who the original authorized user is?

More simply: how can you distinguish someone who ceded their Bitcoin voluntarily to someone else vs someone who had it stolen from them with no centralized entities involved?


My point is that you distinguish it in the exact same way as you distinguish a charge from a cloned credit card, or a bank transfer with a stolen password, or cash swiped out of a wallet.

In all cases, the fraudulent money is used in exactly the same way as genuine use.

If you figure out a bitcoin private key, that doesn't give you any more right to the money than figuring out a way to guess someone's bank password. And remediation would be the same.


You're not really answering the question. It's fundamentally easier to do it with cloned credit cards, or banks because they are centralized entities dealing with individuals with verified identities.

Even if you had someone's bank password, what will you do with the money? Transfer it to another bank? If so the wire will be reversed. Why? Because you can call someone and tell them to do so and an investigation will be done, but you will be presumed to be innocent first.

So again, with Bitcoin, with no centralized entities involved, how can you distinguish between someone ceding their bitcoin to someone else vs. it being stolen from them?


If you wire money to a fraudulent account, it's gone forever. Unless you can track down the fraudsters for criminal charges.


This isn't true though. Look up SWIFT Recall. Again, we're talking about Bitcoin here, not wire fraud.


I don't think this discussion is going anywhere, but you most certainly can irrevocably lose money with wire fraud. Even many debit cards are not covered from fraud.

And we are comparing Bitcoin and wire fraud.


OK so you basically don't have any response on how to distinguish Bitcoin being given to someone vs being stolen without centralized entities being involved, got it. I won't be responding to you anymore since you have nothing to add.


Yes, exactly like you can't distinguish wiring money to someone intentionally vs wire fraud.


How do you think they traced Ross Ulbricht? You do actual detective work to figure out who did the transactions and then you can work backwards to who the coins belong to.

Same with MT.Gox the stolen bitcoin is being given to the people who had the original accounts.

Bitcoin is largely anonymous not because of its encryption but basically security to obscurity because that since every transaction is on one central ledger.


With Ross, he didn't steal private keys, did he? And with Mt.Gox it was only possible due to it involving a centralized entity, which is my point to begin with.


Yes but Ross had really poor operational security. He reused identities across stack overflow. If you want to prove that someone had a private key stolen and had poor operational security what this hypothetical person could do is as follows.

1. Takes the private key of the person in question.

2. Immediately sends an email to a fence or just sends the BTC to an exchange.

3. Takes the money.

In a court case you could claim the following:

The user that got their private keys stolen has record of a file containing a private key that they own which is older than the other user and has done at least one purchase with it.

If the person who stole your private key has transactions that aren't older than the original owner that's how you could argue the case.


They elected a crypto-bro as president.


And you're not even exaggerating, here's his Twitter profile:

https://twitter.com/nayibbukele?s=20


“CEO of El Salvador”

This would be hilarious satire if the man wasn’t in charge of peoples lives.


Yeah thats corny as shit, but the guy is actually trying to improve the country and leave their external debt behind, and remember, he’s in Latin America


Not just a crypto-bro, but a failed sovereign[1].

[1]: https://www.latimes.com/world-nation/story/2021-12-09/el-sal...


But he's so young and wears a baseball cap! Surely he cannot be like all the others.


So basically someone just centralised a coin based the bitcoin lightning network and censored it. LoL. Waiting for crypto pedlers and Buteriks to shut the heck up about their ponzi schemes. They would defined come up now saying, bUT bUT uSeRS muSt knOw abOut prRiVate and PubLiC keYs. Dude in real world most of the people including software engineers don’t even understand basic password practices 2FA etc. Its time people start accepting bitcoin/ethereum is just a new problem for a solved problem, with a new database.


Since this is lightning network, isnt this also possible that the users are subscribed to some payment? perhaps the subscription is malicious, or maybe its not


Care to elaborate? Lightning doesn’t have a concept of pull-payments, it’s still all push. Or does their wallet software additionally contain functionality for automated subscriptions?


I don’t know

I heard subscriptions could be done but i havent checked in years


Presumably it would show as such in the app?


That’s the great thing about Bitcoin. You can defraud people at scale and completely get away with it. Hardly seems newsworthy at this point.


> You can defraud people at scale and completely get away with it

Ever heard of fiat currency inflation?


You're not wrong, but the USD has had ~6% inflation over the last year while Bitcoin has experienced ~15% inflation since the end of last motnh.


> You're not wrong, but the USD has had ~6% inflation over the last year while Bitcoin has experienced ~15% inflation since the end of last motnh.

I was merely making a point that if you think defrauding currencies is limited to crypto, you are missing the big picture that every currency out there has been smashed by inflation over the past 50 years. Look at how the dollar went downhill since it went off the gold standard. And that's within one's lifetime.


Kind of cherry picking when over the same year as the 6%, Bitcoin has experienced ~45% deflation, isn't it?


You’re just providing additional evidence that Bitcoin is widely more volatile than USD. A +45% swing this year could easily mean a -45% swing next year…


Goalposts wherever you like.

> A +45% swing this year could easily mean a -45% swing next year...

Volatility is a function of speculation. When most of the currency supply is held by speculators, high volatility. Less of that the more people actually use it as a currency.


Stability is a feature. 6% is pretty rough, ~45% is atrocious world ending stuff.


The deflationary aspect of Bitcoin was a design flaw, but it's not inherent to cryptocurrencies generally. Nothing says there has to be a finite supply of coins as opposed to the supply scaling in proportion to how much the value of the currency exceeds the cost of hardware or electricity.

And even with Bitcoin itself, think about what Wall Street and governments would do with securities derivatives and Bitcoin-denominated debt instruments. The supply of Bitcoin isn't actually limited by the supply of Bitcoin.


> Stability is a feature

so the USD going to the ground at 6% per year is a feature? Aren't currencies supposed to be store of value over the long term, you know, over dozens of years since you need hard cash to retire?


Inflation has historically been targeted around 2%, though we've seen period of higher inflation and sometimes very rarely a little bit of deflation (though not recently).

Some inflation is normal and fine. 6% is rough but tolerable, but getting it back to 2% is obviously desirable.


> Inflation has historically been targeted around 2%,

thats' been much higher than that because the basket they use to measure inflation is not at all representative and does not account for the cost of energy, anywhere.

Believing the propaganda from governments does not help much.


Right we don't include fuel or groceries in that normalized figure because across the US it will pull the average in very funny places. The figure with those included is available on the same page, but it's not the standard inflation figure.

It's far too boring to be some conspiracy or propaganda.


> It's far too boring to be some conspiracy or propaganda.

You don't even need to bring lizard men in the mix to understand that the government has a clear conflict of interest when it comes to reporting inflation.


Barring specific examples of governments inflating their currencies to escape sovereign (not individual!) debts, can you explain how inflation "defrauds" anyone?

You might as well say that deflation does too, since it amplifies illiquid market behaviors and is a net detriment to the economy[1].

[1]: https://en.wikipedia.org/wiki/Deflation#Effects


I will take deflation over inflation any day of the week. Inflation punishes good behavior of people who save money and create cushions for the pissible bad days. It robs people of their savings.

I've been storing my life savings in crypto, and so far it's been phenomenal compared to my USD ones.

Deflation actually forces you to think of how to spend money more rationally, not to buy junk that will pollute the planet. (yes, I know BTC mining isn't great for the emissions, and I wouldn't recommend BTC anyway)


> I will take deflation over inflation any day of the week. Inflation punishes good behavior of people who save money and create cushions for the pissible[sic] bad days. It robs people of their savings.

As an individual, deflation benefits me too. But that's because you and I are individual actors, not a government in charge of maintaining a diverse economy of actors.

To cut the entire thing short: the general undesirability of deflation is considered a settled matter in economics. Just about any resource will help explain why that is, and why we (agents in the economy) benefit from small amounts of inflation.


Deflation forces the economy to grind to a halt. I hope that's not the only way to fight climate change and pollution.


No, it doesn't. Electronics is pretty much a deflationary market, and it's hot. Think about it, if you wait a year, you can buy the same PC or a smartphone for much less. Yet people buy them like mad.

Deflationary grinds stupid chachki markets to a grind maybe. The stuff that pollutes the planet.


These two points are in conflict: the mass electronics market is the stupid tchotchke market, which you’ve correctly observed is hot despite decreasing unit costs.

Edit: This can be explained by the disconnect between unit price (which is indeed decreasing for consumer electronics) from unit value (which is relatively stable for consumer electronics, especially post-Moore). Consumers don't care if their laptop is "worth" 40% less YoY if the laptop they hold off for is only 0.5% faster. So it's not clear where the deflation is.


> the mass electronics market is the stupid tchotchke market

No, it's not. Very few people can afford to buy new smartphones/laptops/TVs for fun. Most consider their purchase for a while, choose the right model, and then use it for a few years. Most people use these tools daily, hourly even. These are not random tchotchkes.

But pretty much everyone can buy some dumb dollar store toy for their kid, only for the kid to play with it once or twice and lose all interest.


Has your life really changed that much since computers? I guess I have a different career, but in most respects it's about the same. These things are addictive little tchotchkes I can't seem to put down. My wife was just complaining about the Nest products I buy and then never take out of the box.


Yes, didn't everyone's life change since computers?

They are everywhere, they govern pretty much all aspects of our lives. It's hard for me to name a niche that they haven't permeated.


In many ways, life today is the same as it was 2000 years ago. It's hard to decide what axes to use to measure similarity/distance in the space of human experience.


> Deflation forces the economy to grind to a halt.

extraordinary claim that requires extraordinary proof.


> Inflation punishes good behavior of people who save money and create cushions for the pissible bad days

If everyone did that, then there wouldn't be enough currency in circulation to actually do work. This is known as the paradox of thrift. There is a nice version of it with baby sitting coupons:

http://www.pkarchive.org/theory/baby.html

TL;DR people can panic buy money the same way they can panic buy toilet paper, except money is absolutely essential for commercial employment and thereby cripples the economy through a depression.

>It robs people of their savings.

Well, you cannot save in money as money has no inherent value. The best you can do is let people promise value in the future which is exactly how our money system works. Think about it this way, you have money, the other person has 40 hours of free time this week. You save your money and the week is over, the other person was unemployed and couldn't do anything since you didn't spend your money. Ultimately that debt shouldn't exist and therefore the savings shouldn't exist either. The problem is that humans age but money does not. Thus, money allows you to isolate yourself from the "storage costs" of e.g. human labor and in a general sense it allows you to isolate yourself from losses in the economy.

Isn't that strange? Insisting that those losses should never reach you is quite selfish and would give you a lot of power over those who don't own money. I hope you see where this is going. People save, not because it is virtuous or good behavior, it's simply profitable to not be the one in debt and therefore being able to shove the problem onto someone else. E.g. see Germany shifting debt to Greece and pretending to be the good guy.

Now, imagine if we solved the inflation problem. 0% inflation every single year. The storage costs problem wouldn't be gone. The system would have to actively pass on storage costs and losses in the real economy to those holding money e.g. through negative interest rates. When people actively realize that their short term deposits are not profitable, they will either work less as they already have enough and let someone else work, or they save their money as long term deposits which have higher yields or finally they directly invest their money.

All three options are better than pretending that there is something where there is nothing.

The problem with deflation is that holding onto money becomes more profitable, which actively sabotages the medium of exchange function of money and directly competes with commercial employment. People can't trade and actually working by e.g. building cars doesn't bring in as much money. One could argue that deflation is the epitome of an anti work culture.


> If everyone did that, then there wouldn't be enough currency in circulation to actually do work.

That's just not true. Money on its own is useless to people. People want to buy stuff and services. Deflationary currency just makes them think - do I really need this stuff? Inflationary currency makes you think - I better buy at least some useless junk than lose my hard earned money.


> The problem with deflation is that holding onto money becomes more profitable

Nope, it is only profitable if there are no better investments out there. You are forgetting a little thing called the stock market. Nothing happens in a vacuum.


> Barring specific examples of governments inflating their currencies to escape sovereign (not individual!) debts, can you explain how inflation "defrauds" anyone?

Why this would be barred?


Because it's a form of sovereign financial structuring, not the state attempting to defraud individual citizens.

It's another one to file under "words mean specific things, and abusing the language does a disservice to an otherwise reasonable point."


Inflation isn't controlled by any single person, not even the fed can control inflation, they can only "mitigate" it by making it harder to borrow new money.

For example. If the government were to ban car imports, then if inflation were a tax, it would be levied by the car companies, not by the government.

When workers demand higher wages, then they would be the ones taxing the owners of money.

The only universal statement that you can make about inflation is that it hurts creditors and benefits debtors and it often does so in a way that prevents debt slavery which is why I personally am fine with some degree of monetary inflation.

My point is that creditors and debtors can be completely different people at different time periods. After world war 2 consumers had very little debt but the government had a lot of it because of the war. Nowadays young students have a lot of debt. Homeowners have extremely expensive mortgages. Companies borrow to pay out dividends or do stock buybacks. Wealthy people may go into debt for tax reasons.

Blanket statements about who is benefiting aren't really possible so being angry by default about inflation helps no one.


Just like ACH fraud isn’t news so you only get news about bitcoin frauds


And $61T got transferred via ACH in 2020[0] with a 0.08% fraud rate[1]

Completely different scale with an incredibly low fraud rate. Not to mention consumer protections put in place by banks (i.e. recoverability). This analog is disingenuous.

[0] - https://www.nacha.org/content/ach-network-volume-and-value-s...

[1] - https://www.nacha.org/news/ach-payments-have-lowest-fraud-ra...


The disingenuous part is that the weekly news isnt dominated by the large frequent thefts at all, if it was actually about awareness and questioning then an ACH fraud noticed would be on the news and would conventially not mention that its a tiny tiny fraction of a basis point of activity on the network


> that its a tiny tiny fraction of a basis point of activity on the network

Hence why it's not in the news...I still don't understand your point?


Because thats the standard that should apply to bitcoin and crypto

But instead no proportions are mentioned in a crypto fraud, just large dollar values paraded as if its unique

It is intended to distort perception and its silly


How much USD$ or equivalent is moved into cryptocoins and how much of that amount is considered fraudulent? Until you have numbers there, then I simply don't believe your premise.


All I want you to do is acknowledge that the same is true about the opposite premise. They don't have a way to quantify the premise that a higher, or overwhelming, or any specific percentage is fraudulent either.

The earlier information you were exposed to is simply being assigned a higher weight arbitrarily.


The fraud rate is probably fraud against ACH members where SendBank and ReceiveBank both lost the money and ACH members had to collectively bail it out (or a bank had to eat it).

Arguably, for bitcoin, the fraud rate could be said to be 0%. Every transaction was requested in accordance with the terms of request and was sent where it was expected to be sent.

PayPal used to boast of a fraud rate of something like 0.6%, but that was fraud against PayPal, and excluded payors or recipients being defrauded when PayPal just sent the money back to other.


> SendBank and ReceiveBank both lost the money and ACH members had to collectively bail it out (or a bank had to eat it).

SendBank sends $X dollars, ReceiveBank receives $X dollars. Imposter then cashes $X out of ReceiveBank (usually giving fake info). What's a scenario of fraud where this isn't the case? AFAIK there is no instance where the money simple disappears during transmission. FYI - This is why there is so much KYC done when you setup a bank account at a bank, so if you do cash out they can trace you.

> Arguably, for bitcoin, the fraud rate could be said to be 0%.

Agreed. This is exactly the problem (1) with crypto in general and (2) how difficult it would be to even calculate fraud for any cryptocoin.


> SendBank sends $X dollars, ReceiveBank receives $X dollars. Imposter then cashes $X out of ReceiveBank (usually giving fake info).

Would this be fraud against ACH or just fraud against ReceiveBank?


There's four actors here. Victim, Criminal, SendBank and ReceiveBank.

Criminal initiates $X on behalf of Victim (or tricks them into doing so) using SendBank. Criminal then gets the money at ReceiveBank and usually withdrawals it before it can go noticed. Criminal therefore commits fraud against victim.

Since both banks are in the interest of keeping Criminals out and Victims (well just normal person/biz), they usually offer the ability to safeguard the Victim against financial harm, usually by paying the Victim money their money back and eating the cost. Hence why KYC is so important on both sides.

This is all conducted through a trust system that crypto fans love to hate because it's "centralized". AFAIK no crypto coin offers this ability because the trust system is inherently built on the idea that no person would ever be tricked into sending money to someone they didn't intend to, which is, ummm a downright terrible assumption about real world behaviors.


ACH fraud isn't news because the ACH network allows clawbacks.


Basically the defrauded doesnt notice it is occurring, at some interval, and the fraudster isnt keeping the money in the account and also using mules, and third they dont get caught most of the time

banks provide a user experience that makes them pretend to get the money back, a crypto bank can pretend to do the same thing, hardly a one to one comparison


As of 2019 (the last year before just about every financial statistic goes sideways due to COVID), the ACH payment system has the lowest fraud rate by value of any settlement system in the US[1]. I'm not aware of similar statistics for any popular cryptocurrency, but I'm not optimistic about how any of them would compare.

It's difficult to find statistics for the percentage of money recovered from fraudulent ACH transactions, but this industry survey[2] says that 92% of fraudulent transactions are discovered within two months (and 79% within one month). Given that NACHA allows clawbacks within 60 days, that offers a relatively bright prospect for funds recovery compared to an irreversible transaction.

[1]: https://www.nacha.org/news/ach-payments-have-lowest-fraud-ra...

[2]: https://www.synovus.com/-/media/files/business/webinars/2021...


Thats a nice improvement for them

Bitcoin would be calculated by value deemed as being defeauded from users onchain as payments and on exchanges, that year, and compared to a portion of its.. marketcap? or by quantity of non-fraudulent transactions?

Since bitcoin is all one kind of payment method (well lightning would be different), it would have to be compared to the other kinds mentioned in the nacha article too, ACH + ATM + Card fraud

For bitcoin I would say the data doesnt exist, but even with the headlines trying to break down just bitcoin for that year, it would be fairly low I’m thinking, even $1bn in fraudulent irrecoverable transactions would be a single digit. Percent or maybe down to a couple basis points as well just like NACHA brags about


> Bitcoin would be calculated by value deemed as being defeauded from users onchain as payments and on exchanges, that year, and compared to a portion of its.. marketcap? or by quantity of non-fraudulent transactions?

Yep, this is a serious problem when quantifying fraud in Bitcoin and other cryptocurrencies. It's concerning in its own right that we don't really have a reliable, standard way to quantify fraudulent behavior in cryptocurrencies.

> Since bitcoin is all one kind of payment method (well lightning would be different), it would have to be compared to the other kinds mentioned in the nacha article too, ACH + ATM + Card fraud

This doesn't make sense on two fronts. First, ATM fraud is ACH fraud, since ATM transactions are settled by ACH. In other words, you'd be double-counting there. Second, payment card fraud is diversified: it's either debit card fraud (which is also ACH-settled, and thus would be double-counted) or credit card fraud, which is fraud against the lending party and has its own (even simpler!) dispute resolution process.

All told: we need actual numbers to make a coherent comparison here. In the absence of that comparison, ACH's performance on an absolute scale is admirable.


I would agree but the only reason I separate atm withdrawals was because your nacha article did

> The Fed also reported that card fraud went from accounting for less than two-thirds of the value of fraud in 2012 to more than three-quarters in 2015. “The fraud rate, by value, of card payments and ATM withdrawals combined increased from 7.99 basis points to 10.80 basis points,” the survey found.

Peculiarly about a different set of years


Sorry, I missed that. Yes, in that case, we should use the combined statistic.


I thought ACH was negative-confirmation-only, and a "clawback" is really just a delayed "nope" message instead of revoking or undoing a previously issued "ok" message, simply because there is no "ok" message.

How on earth was ACH's design approved in the first place? It violates practically every principle of good transactional system design.


> a "clawback" is really just a delayed "nope" message instead of revoking or undoing a previously issued "ok" message, simply because there is no "ok" message.

That's actually not a clawback in ACH parlance: that's just a transaction rejection, which causes the original transaction to "bounce" and enter a remediation process.

Clawbacks are done via "return records", which can be issued separately of any transaction records. Clawbacks, in turn, can be dishonored and countermanded by the RDFI. I wrote a short summary of the different rules here[1].

> How on earth was ACH's design approved in the first place? It violates practically every principle of good transactional system design.

ACH's design comes from the 1960s. It was designed for a time when the average American used their physical checkbook to pay for everyday items, and there was no reliable (non-military) nationwide computer network. Its design looks bad because it's optimized for forces that are currently mostly irrelevant, but used to be common: tens of thousands of tellers filing physical paper, smudged checks, typos by secretaries, delays in the mail network, the cost of long-distance calls, &c. They probably didn't even have a sound notion of a "transaction" in the ACID sense, given that Jim Gray didn't develop that particular paradigm until the 1970s.

ACH's flexibility and complexity make it look staid and antiquated compared to modern settlement systems, but it's all there for a good (historical) reason.

[1]: https://blog.yossarian.net/2019/12/25/A-shallow-dive-into-th...


But why didn't they improve it at all during the past 50 years?


They've tried! ACH has been somewhat modernized over the decades, in the form of compliance and in-protocol changes (faster turnarounds, additional transaction codes for online transactions and different cardholder verification methods). The Fed has also been working on a modern replacement to ACH for at least a decade, and is planning on performing an initial release in 2023[1].

But as for why it's taken so long: banking in the US is, for various reasons, significantly more complicated than banking in most other countries. The US has thousands of FDIC-insured banks and credit unions, each of which operates under a patchwork of municipal, state, and federal regulations. Banks are (mostly) required to honor each other's checks and transactions which means that, in the worst case, there's a total graph of all ~10,000 banks and credit unions serving as both ODFIs and RDFIs[2]. Transaction failures between any two nodes in that graph are a possible compliance failure, so any common mechanism is both a lowest common denominator and resists any modernization or other changes than can cause disruption.

[1]: https://www.federalreserve.gov/paymentsystems/fednow_about.h...

[2]: It's actually simpler than this, since the ACH clearinghouses serve as a central resolution and dispatch service for all ODFIs and RDFIs. But each O/RDFI still has to interpret the ACH record(s) they receive, so there's still extraordinary inertia against any changes.


It's decades old.


ACH fraud is more trackable than Bitcoin fraud and in many cases you can get the money back. For example, the most recent time I ran into an ACH scam I was able to identify the bank + individual that owned the target account.


who was likely a money mule, who likely got their account overdrafted by your bank because the actual fraudster already got away with the actual money, while you just got a user experience that has nothing to do with the recoverability of money just an illusion of it

a financial institution custodying bitcoin can do that too


OTOH, ACH lets you actually pay for goods or services received, right?

I never hear of people paying invoices with Bitcoin.


I recently agreed with a client that they’d pay in Bitcoin for an invoice that I sent them :)

I received half of it in Bitcoin and the other half via old fashioned bank transfer. It was a neat experiment, and I plan on accepting payment in crypto for some invoices that I send in the future as well.


This doesn't directly concern you but how do people who transact in Bitcoin keep track of their tax obligations? When you buy Bitcoin for X and then the value goes up to Y you have to record the exchange rate that was used to pay the invoice and then include that in your tax return. It sounds really bureaucratic compared to paying off a credit card with Bitcoin.


How did you handle the fluctuation in value?


We agreed to use the average price from the most recent day in the past from the CoinMarketCap website price history page for Bitcoin, and I attached a note to the invoice stating the USD/BTC exchange rate that we would use when calculating how much they were to send me.


Why? Couldn't you just take the whole payment via bank transfer and then go buy Bitcoin afterwards if you wanted to? This sounds like extra steps that I don't understand the point of.


Its only an extra step from a dollar centric assumption.

Many of us have more bitcoin or other crypto than dollars at any point in time, directly onchain (as opposed to on an exchange, which can have extra steps or even the same limitations as any other financial institution). Even if we have a whole portfolio of other assets, its still not dollars available for trade.

If we want something instantly, internationally or outside of business hours or at a large amount, the bitcoin can accomplish that pretty instantly (few seconds with lightning, 1-20 minutes with 1 confirmation onchain transaction). Almost every other crypto asset can do it even faster.


They had Bitcoins, I wanted Bitcoins. It would have been more extra steps for me to first wait for bank transfer and then transfer money to an exchange, buy Bitcoins, and then transfer the Bitcoins to my wallet.


Or immediately buy something else with those bitcoins, or immediately invest in something else, do both while keeping some for savings etc

Some people will never get it


Guess one of my companies or the recipients should have made news articles about it throughout the last decade

There are discussions to be had about the state of bitcoin/crypto invoicing software

Bitpay’s used to be good and then they made it almost useless


Past employers have both been paying and sending invoices settled in BTC and stablecoins with other businesses.

I can’t recall hearing about anyone paying an invoice in Brazilian real. That doesn’t make me assume it never happens.


When someone is mugged and has $100 cash stolen, you don't disparage the idea of holding cash.


Bitcoin isn’t the $100 bill in your wallet, it’s your bank account.

If my bank account can be completely drained in a way that the money can’t ever be recovered, that’s not a feature, it’s a bug.


Bitcoin is neither your wallet nor your bank account. Some people want to treat it like a wallet, others like a bank account, others like their account on a stock exchange, others as an investment vehicle, others as a hedge against the dollar, and I'm sure there are other comparisons that make sense to people. Ultimately, Bitcoin is a cryptocurrency, which has both it's own unique benefits and it's own unique foibles.

... and I hope you realize that your bank account CAN be completely drained without the money being recoverable. If you're trying to say it can't, then might I suggest to watch some scam-baiting videos to see how those scammers operate, and how they try to do exactly that to the elderly and the unaware. You can call it a bug all you want, but it's quite possible to have your bank account drained; and, despite what others in this thread have said, an attacker can do that from thousands of miles away.


Thank goodness for FDIC and anti-fraud measures.


It can be both, or neither. Having your crypto savings loaded in MetaMask in your daily browser local storage is the equivalent of bringing your life savings in physical cash with you in your purse when going out clubbing.

Just like with any other currency, split between cold- and hot-wallets appropriately.


Your wrong. BTC is the 100$ in your wallet because it's literally in your digital wallet, your solely responsible for it. On the other hand a digital custody provider (which now has legal banking status in several countries) is much more like an insured bank.


It's hard to mug someone of their cash from the other side of the planet. That physical proximity limitation seems to provide a relative amount of safety.


> When someone is mugged and has $100 cash stolen, you don't disparage the idea of holding cash.

Yes, you do, if you are using “cash” in the same sense in both places (physical currency).

If you use cash to mean “fiat denominated depository accounts and investment instruments” in the second case, sure, you don't hear that, but that's equivocation as that's not something that gets stolen in a mugging.


Actually I do. I only carry around less than $50 dollars of cash around with me. So I can pay someone who can't accept credit cards.


I don't carry cash partly for this reason so yes I do?


I mean, I do.


>"You can defraud people at scale and completely get away with it."

That's possible with any fiat currency too.


No it’s not. If my savings account gets drained by someone hacking my account, the bank gives me back my money up to 250k and they have mechanisms to claw back that money from other institutions.

With crypto you can commit fraud at scale with little risk of long prison sentences due to the non violent nature of the crimes and victims are SOL.


If you're talking about the FDIC, that protects you only in the case that the bank fails. It doesn't have anything to do with fraud against you in particular.


Yes actually it is, because the analogy is your storing your fiat in your house or in your pocket, which can of course be robbed, have you even insured cash stored in your house or pocket, I highly doubt it.

Just like fiat you can store your crypto with an insured custody provider (and still own your own keys), which is the norm with smart people who have a decent amount of crypto assets.


Your savings account is getting drained every year. The mechanism is called quantitative easing.


Quantitative easing doesn't drain anything except treasuries. It just swaps treasuries for liquid reserves. Banks may lend more but that is a different question.


With flat currency it is possible to have a well-designed banking system with mechanisms for boring human pen-and-paper recourse in case of fraud. El Salvador probably doesn't have one, but they can create one. With Bitcoin, they cannot, by design.


way way way harder than that.


> way way way harder than that.

Is it?

https://www.forbes.com/sites/instituteforjustice/2021/10/25/...

https://fortune.com/2016/06/09/civil-forfeiture-erad/

At least with Bitcoin they need your passphrase.


Way way harder unless you're in an authoritarian regime with control over the banking sector.


So is this that decentralization? With Bitcoin authoritarian regime has no borders.


It’s not a big it’s a feature :/




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: