My friend and colleague Eric Jackson co-authored a great piece today about the relevance of our experience at PayPal for Bitcoin. Well worth a read.
What PayPal’s Past Means for Bitcoin’s Future
by Eric M. Jackson and Christopher Grey
February 28, 2014
Fraud just claimed a major Bitcoin casualty. This week, Mt. Gox—the virtual exchange that once hosted 80% of the world’s Bitcoin trades—went offline, posting a statement that “a decision was taken to close all transactions for the time being in order to protect the site and our users.” A document that appears to be a leaked internal memo asserts that 744,408 Bitcoins are missing. If true, it means that a staggering 6% of all Bitcoins in circulation have been lost.
Mt. Gox’s downfall stemmed from a technical weakness in the electronic currency’s architecture called transaction malleability. Discovered in 2011, this flaw allowed a third party to alter the encoding of a signed transaction, and with it the transaction’s unique ID, without invalidating it. If the altered copy confirmed instead of the original, a service that tracked withdrawals by transaction ID would conclude the withdrawal had never happened and might pay out again, even though the recipient had already received the funds. News that Gox had never hardened its systems against the flaw was soon followed by reports of a “massive and concerted attack” on other Bitcoin exchanges, which temporarily caused some to cut off withdrawals.
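To make the mechanism concrete, here is an added illustration (it is not code from the article, from Mt. Gox, or from Bitcoin Core). It serializes a minimal pre-SegWit-style transaction, re-encodes the signature push in the scriptSig using OP_PUSHDATA1 instead of the canonical single length byte (one of the encoding freedoms catalogued in BIP 62; the other well-known one was the ECDSA high-S/low-S signature pair), and shows that the txid changes while the script still pushes the identical items. It then contrasts an exchange ledger keyed by txid with one keyed by a signature-free “normalized” id, the hash of the transaction with every scriptSig blanked, which is the kind of input/output-based matching exchanges adopted and that SegWit later built into the txid itself. All keys, signatures, previous outputs and amounts are constructed sample bytes; the `normalized_id`, `malleate` and `reconcile` names are this example’s own.

```python
"""Transaction malleability vs. txid-keyed withdrawal tracking (added example)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

OP_PUSHDATA1 = 0x4C


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n: int) -> bytes:
    # Bitcoin CompactSize; this example only needs the one-byte case.
    assert n < 0xFD
    return bytes([n])


def push(item: bytes, noncanonical: bool = False) -> bytes:
    """Encode a data push. For 1..75 bytes the canonical form is a single
    length byte; OP_PUSHDATA1 + length pushes the same item but yields
    different transaction bytes, which is all a malleator needs."""
    assert 1 <= len(item) <= 75
    if noncanonical:
        return bytes([OP_PUSHDATA1, len(item)]) + item
    return bytes([len(item)]) + item


def parse_pushes(script: bytes) -> List[bytes]:
    """Decode a push-only script into the items the script engine stacks."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        if 1 <= op <= 75:
            items.append(script[i + 1:i + 1 + op]); i += 1 + op
        elif op == OP_PUSHDATA1:
            n = script[i + 1]
            items.append(script[i + 2:i + 2 + n]); i += 2 + n
        else:
            raise ValueError(f"unsupported opcode {op:#x}")
    return items


@dataclass
class TxIn:
    prev_txid: bytes   # 32 bytes, internal byte order
    index: int
    script_sig: bytes


@dataclass
class TxOut:
    value: int         # satoshis
    script_pubkey: bytes


@dataclass
class Tx:
    ins: List[TxIn]
    outs: List[TxOut]
    version: int = 1
    locktime: int = 0

    def serialize(self, strip_script_sigs: bool = False) -> bytes:
        out = struct.pack("<I", self.version) + varint(len(self.ins))
        for txin in self.ins:
            script = b"" if strip_script_sigs else txin.script_sig
            out += txin.prev_txid + struct.pack("<I", txin.index)
            out += varint(len(script)) + script + b"\xff\xff\xff\xff"
        out += varint(len(self.outs))
        for txout in self.outs:
            out += struct.pack("<q", txout.value)
            out += varint(len(txout.script_pubkey)) + txout.script_pubkey
        return out + struct.pack("<I", self.locktime)

    def txid(self) -> str:
        return dsha256(self.serialize())[::-1].hex()

    def normalized_id(self) -> str:
        # Inputs spent and outputs paid are fixed by the signer; the
        # scriptSig encoding is not, so it is excluded from this id.
        return dsha256(self.serialize(strip_script_sigs=True))[::-1].hex()


# Constructed sample values: not real keys, signatures, coins or addresses.
SIG = bytes.fromhex("3044" + "0220" + "11" * 32 + "0220" + "22" * 32) + b"\x01"
PUBKEY = bytes.fromhex("02" + "33" * 32)
PREV = bytes.fromhex("ab" * 32)
PAY_TO = bytes.fromhex("76a914" + "44" * 20 + "88ac")  # P2PKH template


def withdrawal() -> Tx:
    """The exchange's own signed payout, with canonical pushes."""
    return Tx([TxIn(PREV, 0, push(SIG) + push(PUBKEY))],
              [TxOut(50_000_000, PAY_TO)])


def malleate(tx: Tx) -> Tx:
    """Third-party malleation: re-encode each push without the private key."""
    new_ins = [TxIn(i.prev_txid, i.index,
                    b"".join(push(it, True) for it in parse_pushes(i.script_sig)))
               for i in tx.ins]
    return Tx(new_ins, tx.outs, tx.version, tx.locktime)


def reconcile(pending: dict, confirmed: Tx, key_by_txid: bool) -> Optional[str]:
    """Ledger lookup for a confirmed transaction. Keying by txid misses a
    malleated confirmation, so the payout looks failed and may be reissued."""
    key = confirmed.txid() if key_by_txid else confirmed.normalized_id()
    return pending.get(key)


if __name__ == "__main__":
    original, seen = withdrawal(), malleate(withdrawal())
    print("txid changed:       ", original.txid() != seen.txid())
    print("same stack items:   ", parse_pushes(original.ins[0].script_sig)
          == parse_pushes(seen.ins[0].script_sig))
    print("normalized id same: ", original.normalized_id() == seen.normalized_id())
```

The practitioner's check is the last function: a ledger that stores `{tx.txid(): withdrawal}` returns nothing for the malleated copy, while one keyed on the signature-free id still finds it. Real exchange fixes matched confirmations on the outpoints spent and outputs paid rather than on any single hash, which is the same idea with more bookkeeping.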
The Bitcoin market seemingly withstood Mt. Gox’s collapse. While the exchange rate of a Bitcoin fell from $580 to $440 right after the company’s shutdown, it shook off those losses within 24 hours. And, within hours of Mt. Gox’s closure, SecondMarket announced it would be launching a New York-based Bitcoin exchange, modeled after “the early days of The Intercontinental Exchange” with Wall Street banks participating as members. (Disclosure: Our company, CapLinked, has investors in common with SecondMarket.)
So what comes next for Bitcoin now that this fraud wave is past? Unfortunately, the likely answer is: more fraud.
We believe that the early days of PayPal provide the best analogy for what likely lies ahead for Bitcoin, and much of it won’t be pretty.
PayPal launched in late 1999 and quickly rocketed into a dot-com sensation—a roller coaster ride that Eric witnessed firsthand as the company’s first senior director of marketing. Within six months of its debut, PayPal topped 1 million users and became a popular payment option for online auctioneers on eBay. But as the online payment service grew in popularity, its ubiquity, liquidity, and accessibility made it a prime target for fraud. And that fraud wave came in several distinct forms:
1) Transaction Fraud: PayPal’s popularity led to soaring credit card chargebacks as buyers disputed transactions that went bad for reasons such as failure to ship or items not as described. It didn’t matter that the buyers and sellers were conducting business through third-party marketplaces like eBay (which had yet to acquire PayPal); PayPal had the liability for chargebacks if it couldn’t recover the funds from the seller.
2) Identity Theft: While PayPal’s website was nearly impenetrable to hackers, account theft surged as sneaky “phishing” emails tricked users into handing over their personal financial information. In one notable early case, fraudsters registered the lookalike domain “PayPai.com” and sent around emails claiming to be from PayPal telling users to log in to resolve an account problem.
3) Organized Crime: Foreign crime rings turned PayPal into a virtual cash register. While PayPal’s strong encryption made user information un-hackable, there was nothing to stop mafia types from powering PayPal accounts with stolen credit card numbers obtained from the black market. They had automated scripts use those stolen cards to make payments to accounts that they controlled, before transferring the money to a bank account.
If Bitcoin is to continue growing as an alternative currency, it is likely to face all of the same types of fraud that hit PayPal. While Bitcoin does not have the same credit card chargeback risk, a hypothetical evolution into a widely accepted payment option would expose the payment system to increased risk of transaction fraud, given the inevitability of buyer/seller disputes. Theft of private keys will certainly grow as Bitcoin users become increasingly targeted by phishers; encryption security is no guarantee against users being tricked. And as for organized crime getting involved, Mt. Gox’s demise suggests that this is already happening.
PayPal’s early fraud problems forced the company’s management team to launch a multi-faceted response that combined technology, financial, and operational measures. The company deployed an anti-fraud team of online sleuths to track criminals and collaborate with authorities. The engineers built the Gausebeck-Levchin test—one of the first commercial applications of CAPTCHA technology—to block automated account creation by crime rings. And the company built a complex analytics system called IGOR to identify suspicious usage patterns.
In short, there were no silver bullets. But by hardening the target, PayPal drove fraud away to other competing payment services. By late-2002, Citigroup, Bank One (a predecessor to JPMorgan Chase & Co.), and Wells Fargo had all closed their online payment services or were in the midst of doing so.
The remaining players in the Bitcoin ecosystem will need to learn from PayPal’s lessons if they’re to survive the challenges from fraud that they will surely face over the months to come. As Wired magazine once put it, “PayPal came to regard fraud as something akin to an R&D expense.” Bitcoin players would be wise to do the same.
Eric M. Jackson and Christopher Grey are the co-founders of CapLinked, which offers a collaborative workflow system for complex transactions. Jackson was PayPal’s first head of marketing and author of The PayPal Wars, a memoir.