Difference between revisions of "Secure Trading"

From Bitcoin Wiki
Jump to: navigation, search
(Introduction)
(Add link to cointastical's github list of no-kyc exchanges)
(59 intermediate revisions by 20 users not shown)
Line 1: Line 1:
''Secure Trading Online''
+
Bitcoin users may want to trade bitcoin directly with each other in what is known as an over-the-counter market. This topic is a guide on how to set up your online identity and includes some best practices for trading with others in the Bitcoin community.
  
This topic is a guide in how to set up your online identity and best practices for trading online in the Bitcoin community.
+
Peer-to-peer exchanges such as [[Bisq]] and [[Hodl Hodl]] can be good alternative platforms for direct KYC-less trading. For a full list of no-KYC exchanges see: https://github.com/cointastical/P2P-Trading-Exchanges/
  
 
==Introduction==
 
==Introduction==
Within the Bitcoin community, many are very careful with their security and identity.  This is because of two main reasons:
+
Within the Bitcoin community, individuals should be careful with their security and identity, primarily for two reasons:
# There is no violent body to cover your back for you.  Or more simply there is no courts to go crying to if you have been fucked over.
+
# At this time, there is little in the way of law enforcement. No court has dealt directly with a significant theft of bitcoins or determined Bitcoin's legal status. Bitcoin users are for the most part, on their own.
# One’s reputation is the most important thing that any user has; traders will take very little risk with new users who have not proven themselves.  (as they could just be last week’s scammer with a new identity)
+
# In lieu of legal action and lack of community trust outside the Bitcoin system itself, one's reputation has become the focus for building trust relationships with others in the community. Traders will take very little risk with new users who have not proven themselves (as one user can easily commit continuous fraud using many different identities.
The bitcoin community uses a few tools to help protect their privacy, and thus identity.   The first and most important is a [[Securing Your Computer|Secure Computer]].
+
   
Before proceeding please make sure you have completed the [[Securing Your Computer]] guide, this guide assumes that your computer is secure both physically and in software.
+
The Bitcoin community uses a few tools to help protect privacy, and thus identity. The first and most important is a [[Securing Your Computer|secure computer]].<br />
 +
 
 +
'''Before proceeding please make sure you have completed the [[Securing Your Computer]] guide; this guide assumes that your computer is secure both physically and in software.'''
 +
 
 +
If you are trading within Canada you are encouraged to use Interac e-transfer and Clearcoin (now closed) as outlined on [[Secure Trading-CAD-interac|this page]].
 +
 
 +
==Creating a secure identity==
 +
The first step is to create a cryptographically secure public-private key-pair.  This will be used as the basis of keeping both your wallet (see [[Securing your wallet]]) and your identity secure.
 +
 
 +
===Creating your first [http://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] key-pair===
 +
A PGP key-pair serves two very important functions:
 +
# To sign information with an unforgeable signature
 +
# To decrypt things that other people encrypt for you
  
==Creating a secure Identity==
 
The first step is to create a cryptographically secure public-private key-pair.  This will be uses as the basis of keeping both your wallet secure (see [[Securing your wallet]]), and your identity secure.
 
===Creating your first PGP key-pair===
 
A PGP key-pair dose two very important functions.
 
# You cans sign information with an unforgeable signature
 
# You can decrypt things that other people encrypt for you
 
 
This allows you to both conduct business privately (encryption), and give out promises that you cannot deny making (signature).
 
This allows you to both conduct business privately (encryption), and give out promises that you cannot deny making (signature).
 +
==== Installing GPG ====
 +
Virtually all GNU/Linux distributions include [http://en.wikipedia.org/wiki/GNU_Privacy_Guard GPG] in their default configurations, but Microsoft Windows users will need to install additional software.
 +
 +
===== Microsoft Windows:=====
 +
On Windows, the recommend package that contains GPG is the [http://en.wikipedia.org/wiki/Git_%28software%29 Git] package by the [http://code.google.com/p/msysgit msysgit project].  This package contains a collection of Unix tools that are very useful for any Windows installation.
 +
 +
* Navigate to [[Git|msysgit]] https://code.google.com/p/msysgit/downloads/list
 +
* Select the latest ''Git'' package. (Git-1.7.4-preview20110204.exe)
 +
* When installing Git on the ''Adjusting your PATH environment'' screen, select: ''Run Git and included Unix tools from the Windows Command Prompt''<br />
 +
This option will install both Git and its supporting tools that include [[gpg]] into the Windows file PATH.  This will enable any Windows application to access GPG.<br />
 +
It is possible that some other software on your system has installed GPG before. If you think this may be the case, it is advised to use the search tool or command prompt to find or run GPG respectively.
 +
* After installation, GPG can be used by entering 'gpg' into any Windows Command Prompt (cmd).
 +
 +
==== Setting up OpenPGP email ====
 +
Once you have GPG installed on your system, it is recommended that you use Thunderbird that works on both Windows and Linux systems:
 +
 +
===== All: =====
 +
# Install Thunderbird: https://www.mozillamessaging.com/en-GB/
 +
# Setup your email account with Thunderbird.
 +
# Install the Enigmail plugin for Thunderbird: https://addons.mozilla.org/en-US/thunderbird/addon/enigmail/<br />
  
===Windows:===
+
Upon loading Enigmail, Thunderbird will ask you to make a new ‘identity,’ follow this wizard and you will have created your identity.<br />
Install GPG4Win: http://www.gpg4win.org/
+
You should backup your private key in a secure place.<br />
===All:===
+
Secondary, you should create a revocation certificate and store that in a different secure place (maybe print it out and store it in your fire safe).
Install Thunderbird: https://www.mozillamessaging.com/en-GB/  
 
Setup you email account with Thunderbird.<br />
 
  
Install the Enigmail plugin for Thunderbird: https://addons.mozilla.org/en-US/thunderbird/addon/enigmail/
 
Upon loading Enigmail, thunder bird will ask you to make a new ‘identity,’ follow this wizard and you will have created your identity.
 
You should backup your private key in a secure place.  Secondary, you should create a revocation certificate and store that in a different secure place (maybe print it out and store it in your fire safe).
 
 
 
===Register with [#bitcoin-otc]===
 
===Register with [#bitcoin-otc]===
 
Follow the guide here: http://wiki.bitcoin-otc.com/wiki/Using_bitcoin-otc
 
Follow the guide here: http://wiki.bitcoin-otc.com/wiki/Using_bitcoin-otc
Line 33: Line 53:
 
===Register the same username at the popular places:===
 
===Register the same username at the popular places:===
 
* [[Bitcoin Forum]]
 
* [[Bitcoin Forum]]
* [[Bitcoin Wiki]]
+
* [[Bitcoin.it_Wiki|Bitcoin Wiki]]
* [[Freenode IRC]]
+
* [[Bitcoin Wiki:Community_portal#IRC_Chat|Freenode IRC]]
Use a strong and different password for each of these places, keeping your password in a secure place.  This will allow other people in the community to track you across the different
+
Use a strong and different password for each of these places, keeping your passwords in a secure place.  This will allow other people in the community to track you across the different Bitcoin related sites.  Also making identity theft online more challenging.
  
 
==Best Practices with trading==
 
==Best Practices with trading==
===Use Bitcoin-OTC===
+
 
* Always require the user to become registered with #bitcoin-otc
+
===Use an Escrow Service===
* require a signed message from the fingerprint quoted at: http://bitcoin-otc.com/viewgpg.php
+
Trading can benefit from an [[:Category:Escrow_services|escrow service]] such that bitcoins are help by a third party and disbursed only after contract terms have been met. Individuals willing to act as independent escrow brokers can be found in bitcoin's community.
===Make sure both parties agree to the terms of the trade with singed messages.===
+
 
* Get a PGP singed quote, and check the signature.
+
Use of 2-of-3 [[Multisignature|multisignature]] escrow eliminates the risk of the arbitrator stealing the held coins, or losing them to malware or hackers.
* Send a PGP singed recept.
+
 
This allows either party to go public if the trade has become sour.  This will stop your trading partner from claiming the details of the agreement were somehow different.
+
===Make sure both parties agree to the terms of the trade with signed messages===
Search the Bitcoin Forum for the username of the person that you are trading with, check if the user has provided constructive and usefully advice to other parties.  And importantly check for any claims that the user has scammed.
+
* Get a PGP signed quote, and check the signature.
===Use an escrow===
+
* Send a PGP signed receipt.
such as https://clearcoin.appspot.com/ or any willing respected member of the bitcoin community.
+
This allows either party to go public if the trade has become sour and stops your trading partner from claiming the details of the agreement were somehow different.<br />
 +
 
 +
====Worked Example====
 +
 
 +
# Buyer and seller agree on the terms of contract
 +
# Both choose a arbitrator
 +
# Buyer, seller and arbitrator create public keys and use them to create a 2-of-3 [[Multisignature|multisig]] address. The public keys are added to the contract and PGP-signed.
 +
# Buyer sends bitcoins as payment to the multisig address.
 +
# Seller [[Confirmation#How_Many_Confirmations_Is_Enough|waits for a number of confirmations]] and then hands over or ships the product.
 +
# After receiving the product and verifying its integrity, buyer and seller sign a transaction to transfer bitcoins to the seller.
 +
# If there is a dispute, the arbitrator uses his third key to tie-break after reviewing all the evidence and following the contract.
 +
 
 +
===Decentralised/social exchanges===
 +
Using a service such as [[Bitcoin-otc|Bitcoin OTC]] or [[CoinTouch]], you can find friends of friends that trade crypto currency, and trade with them directly. Remember to verify the counterparty using more than one means of contact (e.g. Facebook message and phone call)
 +
 
 +
====Bitcoin-OTC====
 +
The [[Bitcoin-otc|Bitcoin OTC]] acts as a secure 'Address Book' within the bitcoin community.
 +
* Always require the user to become registered with #bitcoin-otc.
 +
* Require a signed message from the fingerprint quoted at: http://bitcoin-otc.com/viewgpg.php
 +
* Follow additional [http://wiki.bitcoin-otc.com/wiki/Using_bitcoin-otc#Risk_of_fraud recommendations] for avoiding fraud.
 +
 
 +
=====Using the Web-Of-Trust=====
 +
One of the key features of the Bitcoin OTC is the Web of Trust, this allows users to 'rate' each other.  One can have more confidence trading with a user that has many good ratings.
 +
* http://bitcoin-otc.com/viewratings.php
 +
 
 +
Search the Bitcoin Forum for the username of the person that you are trading with. Check if the user has provided constructive and useful advice to other parties.  And, most importantly, check for any claims that the user has scammed.
 +
 
 +
==See Also==
 +
 
 +
* [[Securing online services]]
 +
* [http://bitcointalk.org/index.php?topic=137272.0 Tips for Local Trading]
 +
 
 +
[[de:Sicheres_Handeln]]
 +
[[zh-cn:交易安全]]
 +
 
 +
[[Category:Instructional]]
 +
[[Category:Security]]

Revision as of 14:03, 3 June 2020

Bitcoin users may want to trade bitcoin directly with each other in what is known as an over-the-counter market. This topic is a guide on how to set up your online identity and includes some best practices for trading with others in the Bitcoin community.

Peer-to-peer exchanges such as Bisq and Hodl Hodl can be good alternative platforms for direct KYC-less trading. For a full list of no-KYC exchanges see: https://github.com/cointastical/P2P-Trading-Exchanges/

Introduction

Within the Bitcoin community, individuals should be careful with their security and identity, primarily for two reasons:

  1. At this time, there is little in the way of law enforcement. No court has dealt directly with a significant theft of bitcoins or determined Bitcoin's legal status. Bitcoin users are for the most part, on their own.
  2. In lieu of legal action and lack of community trust outside the Bitcoin system itself, one's reputation has become the focus for building trust relationships with others in the community. Traders will take very little risk with new users who have not proven themselves (as one user can easily commit continuous fraud using many different identities.

The Bitcoin community uses a few tools to help protect privacy, and thus identity. The first and most important is a secure computer.

Before proceeding please make sure you have completed the Securing Your Computer guide; this guide assumes that your computer is secure both physically and in software.

If you are trading within Canada you are encouraged to use Interac e-transfer and Clearcoin (now closed) as outlined on this page.

Creating a secure identity

The first step is to create a cryptographically secure public-private key-pair. This will be used as the basis of keeping both your wallet (see Securing your wallet) and your identity secure.

Creating your first PGP key-pair

A PGP key-pair serves two very important functions:

  1. To sign information with an unforgeable signature
  2. To decrypt things that other people encrypt for you

This allows you to both conduct business privately (encryption), and give out promises that you cannot deny making (signature).

Installing GPG

Virtually all GNU/Linux distributions include GPG in their default configurations, but Microsoft Windows users will need to install additional software.

Microsoft Windows:

On Windows, the recommend package that contains GPG is the Git package by the msysgit project. This package contains a collection of Unix tools that are very useful for any Windows installation.

This option will install both Git and its supporting tools that include gpg into the Windows file PATH. This will enable any Windows application to access GPG.
It is possible that some other software on your system has installed GPG before. If you think this may be the case, it is advised to use the search tool or command prompt to find or run GPG respectively.

  • After installation, GPG can be used by entering 'gpg' into any Windows Command Prompt (cmd).

Setting up OpenPGP email

Once you have GPG installed on your system, it is recommended that you use Thunderbird that works on both Windows and Linux systems:

All:
  1. Install Thunderbird: https://www.mozillamessaging.com/en-GB/
  2. Setup your email account with Thunderbird.
  3. Install the Enigmail plugin for Thunderbird: https://addons.mozilla.org/en-US/thunderbird/addon/enigmail/

Upon loading Enigmail, Thunderbird will ask you to make a new ‘identity,’ follow this wizard and you will have created your identity.
You should backup your private key in a secure place.
Secondary, you should create a revocation certificate and store that in a different secure place (maybe print it out and store it in your fire safe).

Register with [#bitcoin-otc]

Follow the guide here: http://wiki.bitcoin-otc.com/wiki/Using_bitcoin-otc

Register the same username at the popular places:

Use a strong and different password for each of these places, keeping your passwords in a secure place. This will allow other people in the community to track you across the different Bitcoin related sites. Also making identity theft online more challenging.

Best Practices with trading

Use an Escrow Service

Trading can benefit from an escrow service such that bitcoins are help by a third party and disbursed only after contract terms have been met. Individuals willing to act as independent escrow brokers can be found in bitcoin's community.

Use of 2-of-3 multisignature escrow eliminates the risk of the arbitrator stealing the held coins, or losing them to malware or hackers.

Make sure both parties agree to the terms of the trade with signed messages

  • Get a PGP signed quote, and check the signature.
  • Send a PGP signed receipt.

This allows either party to go public if the trade has become sour and stops your trading partner from claiming the details of the agreement were somehow different.

Worked Example

  1. Buyer and seller agree on the terms of contract
  2. Both choose a arbitrator
  3. Buyer, seller and arbitrator create public keys and use them to create a 2-of-3 multisig address. The public keys are added to the contract and PGP-signed.
  4. Buyer sends bitcoins as payment to the multisig address.
  5. Seller waits for a number of confirmations and then hands over or ships the product.
  6. After receiving the product and verifying its integrity, buyer and seller sign a transaction to transfer bitcoins to the seller.
  7. If there is a dispute, the arbitrator uses his third key to tie-break after reviewing all the evidence and following the contract.

Decentralised/social exchanges

Using a service such as Bitcoin OTC or CoinTouch, you can find friends of friends that trade crypto currency, and trade with them directly. Remember to verify the counterparty using more than one means of contact (e.g. Facebook message and phone call)

Bitcoin-OTC

The Bitcoin OTC acts as a secure 'Address Book' within the bitcoin community.

Using the Web-Of-Trust

One of the key features of the Bitcoin OTC is the Web of Trust, this allows users to 'rate' each other. One can have more confidence trading with a user that has many good ratings.

Search the Bitcoin Forum for the username of the person that you are trading with. Check if the user has provided constructive and useful advice to other parties. And, most importantly, check for any claims that the user has scammed.

See Also