Silk Road forums

Discussion => Security => Topic started by: CityLights on May 04, 2013, 06:47 pm

Title: Tutorial: Buying and Selling bitcoins safely
Post by: CityLights on May 04, 2013, 06:47 pm
Cashing out and Buying Bitcoins Safely
A guide by CityLights

When I first began vending I had a lot of trouble figuring out how to cash out my bitcoins and it seemed like the subject was somewhat taboo on the forums. Now that I've been working with bitcoin for a while, I thought I should share my knowledge with the community. Feel free to message me with any changes I should make to the guide. I hope that this will protect people from the regulations being imposed and the inherent risks of online drug trading.

DONATE TO: 1FHGutrLt2snj3x3NMfZzcXWZLdmsNdcW5
-------------------------------------------------------
This guide assumes the user has previous knowledge of GPG

While Mtgox and other online exchanges seem to be popular they are both inconvenient and unsafe. With regulations on bitcoin becoming more and more strict, large exchanges are hardly any better than banks in terms of maintaining privacy and avoiding scrutiny. If you want to avoid having to give your identity and transaction history to a large corporation to do what they please with, read on. Peer to peer trading is the most quick, discreet, and even profitable way to cash out or buy.

Bitcoinfog and the block chain:

Bitcoin is not anonymous in nature. People don't seem to understand this. It can, however, be made anonymous through additional precautions such as a laundering service. Every bitcoin transaction ever made is recorded into the block chain. That's what the bitcoin miners do, they add blocks of information about previous transactions and receive a reward of newly generated bitcoins for doing so. If the authorities get ahold of one of your bitcoin addresses, they can go back and track your bitcoins through the network unless you obscure your trail with a laundering service.

Bitcoinfog explains what they do in simple terms on their website. "Using our service you mix up your bitcoins in our own pool with other users' bitcoins, and get paid back to other addresses from our mixed pool, which, if properly done by you can eliminate any chance of finding your payments and making it impossible to prove any connection between a deposit and a withdraw inside our service." Once you run your dirty bitcoins through bitcoinfog, you can exchange them with another trader without worrying about hiding your identity. Though you can never be COMPLETELY anonymous, it would take massive amounts of work on the part of whoever wants to track you down combined with prior suspicion to prove that the source of the bitcoins was illicit. If you'd still like to conceal your identity when cashing out, there are more precautions you can take but personally I think anything else is superfluous.



Method One- localbitcoins.com

While this method is somewhat hit or miss, I thought I'd include it because if you do find a good local trader, you won't have to bother studying the much more complicated bitcoin-otc, and don't even need to use GPG. Enter your zip code and browse the local ads, if anybody is conveniently located and not charging an obscenely high fee, shoot them a message. You'll notice next to the username on the listing there are statistics and the letters OTC which are usually greyed out. Statistics for local traders are frequently very low, but I wouldn't recommend using online traders on localbitcoins. That's what OTC is for. If the letters OTC by the name are not greyed out, the trader is on both localbitcoins and bitcoin otc. While there are ways to artificially inflate ratings on localbitcoins, bitcoin-OTC is impossible to manipulate if the user checking the ratings understands how the system works. If you live in a large city full of libertarians and don't enjoy the more technical side of bitcoin, finding locals to buy your bitcoins through this site is probably the easiest way to cash out.

Be sure you meet with the other trader in a public place with wifi and receive your cash prior to sending them bitcoins. There is absolutely nothing you can do to get your bitcoins back once they are sent. I don't recommend using the site's built in transaction service, I always just sent the bitcoins directly from my wallet to the receiver's wallet. They can verify that coins are being sent by looking up the transaction on blockchain.info. Using localbitcoins is foolproof assuming you can find a willing buyer.

There is no reason for the buyer to know why you are selling bitcoins, they are viewed more as an investment now than a secret black market currency. Since the recent boom and resulting media attention, bitcoin has become more popular and less closely associated with illegal activities. You don't really need to hide your identity, but if you wanted to you could just access the site through tor and use a tormail address when creating your account. Have the other person communicate with you through the site and don't give them any personal information when you meet them, just take the cash and send them bitcoins from a wallet that is not traceable to you. The only situation I can imagine this being necessary is if you were already under scrutiny and didn't want anyone to know you used bitcoin.





Method Two- #bitcoin-otc on irc.freenode.net

Bitcoin-otc has a steep learning curve but I would argue that it is the best method. There is no need to meet in person with bitcoin-otc, and if you follow my instructions and advice you will not get scammed. Start by downloading an IRC client, I use Colloquy but there are many decent ones that will work just fine, depending on your OS. DO NOT try to route your irc client through tor. I wasted a ton of time trying to figure out how to do that but freenode makes staying anonymous very challenging if not impossible, and I'd recommend not trying to hide your identity at all with bitcoin-otc since other members will be wary of a constantly shifting IP. Start a new connection to irc.freenode.net, choose a nickname, then click join room and enter "#bitcoin-otc".
In the channel there is a built in bot called gribble, enter two semicolons before your text to send it as a command to gribble. Text entered without the semicolons goes straight into the channel. You can also PM gribble like another user by entering "/query gribble" followed by your command. Before you begin trading you need to use gribble to register a username to gribble and authenticate it with a gpg key or bitcoin address. You should also register your nickname with freenode, keep in mind this is not the same as registering a username with gribble in bitcoin-otc. The next three steps are for getting a profile set up.

1) Register a username with gribble in bitcoin-otc:

Enter the command gpg eregister <whateverusernamesuitsyourfancy> <the 16 digit keyID for the gpg key you want to use>.
You can find your keyID by looking up your key in a keyserver. I use http://pgp.mit.edu. Search the name or email address the key you want to use was uploaded with and the key should come up. Only the last 8 digits of the keyID appear in the search, so click on the ID to get the entire public key plus its 16 digit ID to come up.
The end result should look like:
;;gpg eregister JohnDoe 0x8abee0207be50a8f
Gribble will tell you the request was successful and ask you to authenticate your gpg key if everything went well.

2) Authenticate your bitcoin-otc username:

Gribble will return a one time password for you to decrypt. When you submitted your keyID gribble used it to look up your public key and encrypt the password with it. You then are able to prove the public key was really yours (authenticate it) by using the secret key to decrypt the password.
Gribble's response with the password will look like this:
<gribble> Request successful for user <whateverusernamesuitsyourfancy>. Get your encrypted OTP from http://bitcoin-otc.com/otps/665FC11DD53E9583

Follow the link and decrypt the message. It will look something like this:
freenode:#bitcoin-otc:6132ffd1c3c4468e40303d844f3e30661bc34617054f7cc5e3fa03c8b41c376

Send the password back to gribble with the following command:
;;gpg everify <thedecryptedpassword>
Which ends up looking like:
;;gpg everify freenode:#bitcoin-otc:6132ffd1c3c4468e40303d844f3e30661bc34617054f7cc5e3fa03c8b41c376
Gribble will answer:
<gribble> Registration successful. You are now authenticated for user '<whateverusernamesuitsyourfancy>' with key <your16digitgpgkeyID>
You will remain authenticated until you disconnect from the room, this way when people check on your identity they know you are who you say you are. You'll have to prove you're the owner of the key your username is registered with every time you login and want to trade.

3) Register your nickname with freenode
Message nickserv to register your name with freenode
/msg NickServ REGISTER <thinkofapassword> <youremail@example.com>
A confirmation email will be sent to you with instructions and a password to send back to nickserv. The process is similar to registering with the channel #bitcoin-otc, but gpg is not used. Registering your name to freenode prevents people from using it while you are away.


Once your account is set up, ask around the channel for anyone willing to buy however many bitcoins you'd like to sell. Specify that you will ONLY trade with established members. Bitcoin-otc is similar to SR in the sense that people rate each other and build reputations. You will not have any ratings at all so you'll be expected to send the bitcoins before they send the money, so be sure whoever you're sending bitcoins to is trustworthy enough that they won't lie and say they never received the funds. There are several things you should do to protect yourself. However many you choose to do should depend on the size of the trade and your caution to laziness ratio. Just be sure you check up on who you're trading with. ALWAYS. Seriously, if you skip that, you deserve to get scammed.

1) Check if they are identified
;;gpg ident <whoeveryourethinkingoftradingwith>
If gribble responds and says they are not identified, they could be an impostor. Ask them to authenticate, if they authenticate they will show up as identified and you will know that they own the gpg key the name is registered with. Whenever you discuss any important information regarding the trade, be sure they are identified.

2) Check on their ratings
;;getrating <whoeveryourethinkingoftradingwith>
Gribble will tell you what their rating is, but do not rely on the number alone. Gribble will also provide you with a link to their profile in the web of trust. You can look at the comments that go along with each rating they've received as well as the credibility of the person who wrote the rating. It is very important that you make sure that at least some of the people who wrote the ratings are trustworthy and have decent ratings themselves, otherwise the person you're checking up on could have created several accounts and used them to artificially inflate his own rating. With enough work, somebody could create a large group of accounts and have them all inter rate each other, but you can get a feel for how safe the person is by looking at the profiles of a few of the people who rated them.

3) Ask in channel if the other person is trustworthy and if the trade sounds legitimate. Everyone will be glad to help you and doing this can save you from any mistakes you may have made.

4) Only accept cash in the mail unless you're selling a LOT of bitcoins, in which case I'd recommend a wire or certified check. Methods like Dwolla require you to send in an ID to prove your identity and they report large transactions. Never take paypal. There are so many scams and mistakes that can happen when people mix bitcoin and paypal, don't even try. Sometimes neither party actually does anything wrong, paypal just doesn't allow people to buy bitcoins with their money. Cash is the least traceable but there's always a chance of loss. In my experience people overestimate that possibility by a lot, but I may have just been lucky. I've sent tens of thousands of dollars in cash and never had a problem with it, I just packaged everything discreetly. If you receive cash in the mail and don't deposit it to the bank, your tax evasive, extralegal hobbies will be completely undetectable to the government unless the person you traded with went and reported you. Just don't give them a reason to. It is not uncommon for people to trade large quantities of bitcoins in the peer to peer network, you will not draw any attention unless you plan on cashing out enough to buy a house with a ferrari in the garage all at once. Say you're an investor and chose bitcoin instead of stocks. My largest transactions have been with investors.

5) Use an escrow if you plan on trading with a poorly established member. Very well established traders will not be willing to bother with an escrow unless you plan on selling upwards of 50k worth of bitcoins, but then again, the most established members of bitcoin-otc are probably more trustworthy than any escrow service you could go out and find.

6) Get everything in writing. Write out the details of the transaction and have the other person sign them with the key they've used to register their name. Be sure to include bitcoin addresses as everything is recorded in the blockchain. If you are thorough here it will be impossible for the other person to scam you without wrecking their reputation, even if you aren't established enough that leaving a negative rating alone would have much of an impact.

If you really want to hide your identity, you can use bitcoin-otc's web of trust to find a reliable member and then search for the email address linked to their gpg key on the key server or on their page in the web of trust. You can then contact them through tormail and give them a friend's name and address to send the money to. This increases the likelihood of a scam but then you avoid having to give up your IP address with bitcoin-otc.

Refer to the wiki for more detailed information.

And feel free to donate to: 1FHGutrLt2snj3x3NMfZzcXWZLdmsNdcW5
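
The rating check described in step 2 of the post above, as an added example (not part of the original post, and not bitcoin-otc's or gribble's own code). It assumes a ratings list of (rater, ratee, score) tuples and a viewer-chosen set of established members, both constructed here, and compares the raw rating with what remains once only ratings backed by those members are counted.

```python
from collections import defaultdict

# Constructed sample data: (rater, ratee, score). Not real bitcoin-otc ratings.
RATINGS = [
    # Established members who rate each other and are known to the viewer.
    ("alice", "bob", 5), ("bob", "alice", 4), ("alice", "carol", 3),
    ("carol", "bob", 2),
    # "dave" has modest ratings, but they come from established members.
    ("alice", "dave", 2), ("carol", "dave", 1),
    # "mallory" has a high rating, but only from accounts that rate each other.
    ("sock1", "mallory", 10), ("sock2", "mallory", 10), ("sock3", "mallory", 9),
    ("mallory", "sock1", 8), ("sock1", "sock2", 7), ("sock2", "sock3", 7),
    ("sock3", "sock1", 6),
]

def index_inbound(ratings):
    """Map each ratee to {rater: score}."""
    inbound = defaultdict(dict)
    for rater, ratee, score in ratings:
        inbound[ratee][rater] = score
    return inbound

def backing_cluster(inbound, target):
    """Accounts that vouch for target directly or transitively (positive ratings only)."""
    seen, stack = set(), [target]
    while stack:
        user = stack.pop()
        for rater, score in inbound.get(user, {}).items():
            if score > 0 and rater != target and rater not in seen:
                seen.add(rater)
                stack.append(rater)
    return seen

def assess(ratings, target, trusted):
    """Compare the raw rating with the part backed by members the viewer trusts."""
    trusted = set(trusted)
    inbound = index_inbound(ratings)
    direct = inbound.get(target, {})
    cluster = backing_cluster(inbound, target)
    # Count a direct rating only if the rater is trusted, or is positively
    # rated by at least one trusted member (one hop of vouching).
    vouched = sum(
        score for rater, score in direct.items()
        if rater in trusted
        or any(inbound.get(rater, {}).get(t, 0) > 0 for t in trusted)
    )
    return {
        "raw": sum(direct.values()),   # the number on its own
        "vouched": vouched,            # what survives the viewer's check
        # True when nobody in the whole backing cluster is a trusted member:
        # the rating is self-contained and could be manufactured.
        "closed_ring": bool(direct) and not (cluster & trusted),
        "cluster": sorted(cluster),
    }

if __name__ == "__main__":
    established = {"alice", "bob", "carol"}
    for name in ("dave", "mallory"):
        print(name, assess(RATINGS, name, established))
```

A single rating from an established member is enough to clear the `closed_ring` flag, so the `vouched` figure is the stricter of the two signals.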
Title: Re: Tutorial: Buying and Selling bitcoins safely
Post by: Vegeta on May 05, 2013, 02:54 am
Thanks for the detailed write up. I'm going to link this in my wiki-like post of methods for buying/selling bitcoins
Title: Re: Tutorial: Buying and Selling bitcoins safely
Post by: Deutsche Bank on May 05, 2013, 03:58 am
Thanks for your guide, CityLights.
I really appreciate all the effort it took to write it down.
You totally deserve some Karma for it, therefore I gave you a +1.
Title: Re: Tutorial: Buying and Selling bitcoins safely
Post by: Baraka on May 05, 2013, 07:53 am
I posted this yesterday (most taken from an online guide):

Quote
localbitcoins.com works by you registering an account with your e-mail address (you could use a tormail.org address). You can also enter in your cellphone SMS number, if you want. That allows you to see when your funds have been released by the BTC seller.

Once you've done that and have found someone who will trade with you, you set up a meeting. I suggest a Starbucks close to you two. Upon meeting, cancel the transaction you used to arrange your meeting. Then immediately re-open another, so your trade is at the current market price. Allow the seller to inspect your cash, but don't hand it over until the transaction is done.

He sets the transaction in motion by transferring the BTC to the temporary address associated with your localbitcoins.com account. Then you have to wait for 3 verifications to complete, which takes a half hour (10 minutes per verification). At least that's what it is for $100. For $1000+, you may have to wait for 5 or 6 verifications. Alternately, if the seller is familiar with the system, they can transfer the BTC beforehand, meet with you, then release the funds once your cash is in hand. No waiting. But that requires trust in the localbitcoins.com system, which won't be the case if they haven't used it before.

Once the verifications are complete, the funds are available on the localbitcoins.com system, but they must be released before they're actually in your account. The seller must release the funds, at which point you'll receive a text message from the localbitcoins.com system that the transaction has been completed, which includes a verification code. Or, if you opt out of using your cell, you can just check the blockchain that the BTC has been transferred to your localbitcoins.com temporary address, and view your localbitcoins.com account as well to eyeball your balance. That's it.

I strongly recommend going through the system and paying the minuscule system transaction fee of 1%, then leaving feedback for the seller and having him do the same with you. This is a service that, just like Ebay, is only as valuable as the feedback and the actual participation in the system. Plus, you get to meet some very cool people by doing it this way, rather than through a faceless- and trackable- bank transfer.


Remember, anything done through the traditional financial system is trackable and traceable. Cash and carry is the only way to do it right. Establish good relationships with a few local BTC traders in your area and you're golden.
Title: Re: Tutorial: Buying and Selling bitcoins safely
Post by: jorgecassio on May 15, 2013, 12:09 am
I'm planning on using bitcoinfog one of these days. Would like to know if it's still a legit site. Thanks!
Title: Re: Tutorial: Buying and Selling bitcoins safely
Post by: StExo on May 15, 2013, 01:26 am
Quote
I'm planning on using bitcoinfog one of these days. Would like to know if it's still a legit site. Thanks!

It's legit alright - I put over $1000 worth of bitcoins through it every few days so I'd be the first to be complaining if it were a scam.
Title: Re: Tutorial: Buying and Selling bitcoins safely
Post by: StExo on May 15, 2013, 01:37 am
@CityLights - On localbitcoins, you can usually ask a seller of bitcoins if you can deposit the cash directly into their account in-branch. Now yes there is CCTV footage in banks, but unless you're already being watched then this shouldn't be an issue since most places for amounts under £5,000 will not ask for your name or any ID. Just let the seller know in advance you're depositing and get a receipt for the transaction and all should be good.
Title: Re: Tutorial: Buying and Selling bitcoins safely
Post by: enderseven on May 15, 2013, 02:26 am
How long does Bitcoinfog usually take? Does it depend on the amount of BTC?
Title: Re: Tutorial: Buying and Selling bitcoins safely
Post by: StExo on May 15, 2013, 02:36 am
Quote
How long does Bitcoinfog usually take? Does it depend on the amount of BTC?

There are some settings on BitcoinFog but it does depend on a few factors, here are the main 3:

Delay: In BitcoinFog, you can delay how long it takes until it starts to pay out your bitcoins. On BitcoinFog the delay option says "Number of hours to wait before starting the withdrawal. Using this value will make your withdrawal be created in pending mode. You will be able to abort it at any time up until the time it starts. (Max 48 hours.)"

Time Span: You can also specify across what time periods your transactions occur, so if you set 12 hours, there will be multiple payments into the wallets you have specified in small amount increments and after 12 hours, the sum of those payments will be equal to the amount of bitcoins you have withdrawn. BitcoinFog information on it says "Specify how many hours should transactions be spread across. (Minimum 6 hours, max 96 hours.)".

Blockchain Confirmations: As with any bitcoin transfer, there will be a slight delay between when the transaction is sent up until the transaction receives 6 confirmations which is the amount required by SilkRoad in order to be properly credited to your account (which may take an additional 10 minutes or so but is usually negligible).

So no, the size of the exchange doesn't really have any influence on how fast the transactions are processed.