Posted on

How Dell, Expedia and Others Accept Bitcoin Payments

image

Screenshot of Coinbase merchant landing page.

—-

Dell recently announced that they are accepting Bitcoin as a means of payment. Expedia announced last month they’ll start rolling out Bitcoin payment for their services. How are these companies implementing Bitcoin payments online?

Dell and Expedia use Coinbase.com. Coinbase is a popular US service for buying, selling and storing Bitcoins (they’re an exchange and offer a wallet). Unfortunately Coinbase is not available for Canadian customers.

NewEgg and TigerDirect (online electronics stores) use BitPay.com. BitPay is targetted at developers rather than business people. BitPay is like Stripe for Bitcoin. BitPay can be used by Canadian businesses.

The three main Canadian exchanges have their own merchant integration services (with varying ease of use):

  1. CaVirtEx (the largest exchange in Canada)
  2. QuadrigaCX (here’s a video aimed at merchants that they published today: https://www.youtube.com/watch?v=rjkltZ_C6rU)
  3. Vault of Satoshi (the most complicated API)

Stripe, a popular credit card payment integration service, has announced that they will soon offer a Bitcoin payment method but it’s currently in beta.

Posted on

How to buy Bitcoins at Decentral

At Decentral we have a convenient bitcoin teller machine that makes purchasing bitcoin easy. To use the machine at our location, simply follow these steps: 

  1. Click  "Start" on the main screen when you are ready to begin. The price per bitcoin displayed at this point will be your purchase price. Note, of course, that you can always buy fractions of a bitcoin, but the minimum amount per transaction is $5 Canadian. 
  2. Enter your phone number and then the verification code that you receive by SMS message. 
  3. Choose “Buy Bitcoin”
  4. Next, choose “Yes” if you already have a bitcoin wallet. Choose “No” if you would like the machine to print a paper wallet
  5. Place the QR code for your wallet’s public receive address in the scanner; it’s the top-right horizontal slot. 
  6. Start inserting your Canadian cash into the bill acceptor, which will have a green light activated to indicate that it is ready.
  7. After you’ve inserted your individual bills, click “I’m Done” to complete the transaction. 
  8. Congratulations, you now have bitcoin! A confirmation of the transaction will be sent via SMS to your phone. You can also print a paper receipt for your records.

Note that the machine will read only the QR code for your public bitcoin address; you cannot type the address in manually. Fortunately, all bitcoin wallet systems on your phone or computer are able to display a QR code for the wallet’s public receive address. 

If you have any questions about the process, please come by Decentral and we’ll help you get started. 64 Spadina Ave. Toronto, ON. Canada. 

image

Posted on

What You Need to Know About the New Canadian “Bitcoin Law”

This post was written by Addison Cameron-Huff, a tech lawyer who works for Decentral. Addison is a lawyer but he is not your lawyer. You should seek legal advice before acting on any of the legal information presented in this article.

 

What’s Happened?

A Canadian federal law affecting Bitcoin passed last Thursday. Bill C-31, an omnibus budget act, contains provisions that will eventually bring certain Bitcoin businesses into Canada’s anti-money laundering regime. The new rules are not in effect yet.

 

Who Will Be Affected?

In short: anyone engaged in the business of buying or selling of virtual currencies and who has Canadian customers.

 

Any person or business who “ha[s] a place of business in Canada and that [is] engaged in the business of providing … the following [service]: … dealing in virtual currencies”.

 

Also affected: any person or business who “do[es] not have a place of business in Canada, that [is] engaged in the business of providing at least one of the following services that is directed at persons or entities in Canada, and that provide those services to their customers in Canada: … dealing in virtual currencies.”

 

Citations for above: Bill C-31, s. 256(2): http://www.parl.gc.ca/content/hoc/Bills/412/Government/C-31/C-313/C-313.PDF (pgs. 164-165).

 

What is “Dealing”?

Dealing isn’t defined in the act but generally means buying or selling. Coupled with the requirement that someone be “in the business of”, it’s likely that this law won’t affect people buying or selling for personal use or merchants using Bitcoin.

 

The law can be expected to be similar to how car dealing works: selling your own car doesn’t require a license but running a car dealership does.

What is “Virtual Currency”?

The new law doesn’t define “virtual currency”. The definition will be in the regulations that will eventually be passed (see below).

 

What Will the Rules Be?

Anyone covered by the new rules will have to register as a “Money Services Business” (MSB) and comply with the anti-money laundering regime (please see previous Decentral blog posts).

 

Probably the most significant MSB rule is that companies may only do business in amounts up to a certain threshold before requiring that customers provide identification. The threshold will likely be either $1000 (current MSB rules for the money transmission/remittance category) or $3000 (foreign exchange category).

 

The exact rules won’t be known until the corresponding regulations are published (here). The final rules will probably be preceded by a notice of proposed regulation posted in Part I of the Canada Gazette.

 

When Will the New Rules Take Effect?

The new rules won’t take effect until the government declares them in effect.

 

Section 298(3) of the law states that s. 256(2) (the key Bitcoin-regulating part of the law) will “come into force” (become a law people are required to follow) “on a date to be fixed by Order of the Governor in Council”.

 

What is an Order in Council? An Order in Council is one of the pathways by which laws can come into force. They are published on the Orders in Council site (hard to navigate/monitor) and in the Canada Gazette Part II (easier to monitor, it’ll be published as a “Statutory Instrument” [e.g. “SI/2014-XXX”]). The only way to know that an order has been published is to check every day and see if something’s been published.

 

What Should Bitcoin Businesses Do?

Find a lawyer and attempt to understand how money laundering rules apply to your business and what the registration/compliance steps are.

 

FINTRAC (the regulatory agency for anti-money laundering) offers some guidance for money services businesses on its website: http://www.fintrac-canafe.gc.ca/msb-esm/intro-eng.asp.

 

Registering as an MSB is free and quite straightforward. Compliance is complicated and will likely affect involve hiring a lawyer.

 

What’s Going to Happen?

  1. Canadians may be banned from some online virtual currency services. Although Canada is a base for many Bitcoin businesses, Canadians are a small market. The money laundering rules have such severe penalties that probably services will just not allow registration by Canadians rather than attempt to comply.
  2. Some Bitcoin businesses may have business models that aren’t compatible with the new regulatory regime. They’ll have to adapt their model to the new environment.
  3. Small businesses may not be able to afford the compliance costs. This may lead to consolidation in the industry.
  4. The new regulatory regime may provide a big boost to the Canadian Bitcoin industry. Canada will soon have the world’s first nationally regulated virtual currency industry.

 

Photo by @spettacolopuro.

Posted on

Dealing with Cryptowall and Ransomware

by Michael Perklin

As a digital investigator who spent years tracking cyber criminals online, and as someone who has launched a Bitcoin security consulting company, I’ve been contacted a number of times by victims of digital ransom, looking for ways out. The story is always the same: they see a warning on their computer screen telling them that their files are encrypted, and unless they pay a hefty ransom (with Bitcoin) before the clock runs out, they will never gain access to their files again.

I’ve decided to write this blog post to answer some questions about this type of ransomware and help the thousands of Canadians who must be affected by it.

Jump to the bottom to read the four suggestions on how to deal with this ransomware, or continue reading for more details about it.

In late 2013, a new form of ransomware titled CryptoLocker hit the Internet, indiscriminately encrypting portions of every file it could get its hands on. Files stored in “My Documents” folders, external drives and even shared folders hosted on other computers in the local network had portions of the contents encrypted using an RSA encryption key. The decryption key was made available to victims of this attack for the price of $300, paid in Bitcoin.
Although the CryptoLocker’s command and control servers were taken down in May 2014 thanks to a joint US Department of Justice raid on servers hosted in Kiev and Donetsk, this hasn’t stopped ransomware from spreading.

A new piece of ransomware has made its rounds lately: CryptoWall. My research into CryptoWall shows it is essentially the same code as CryptoLocker, but is designed to use a different command-and-control methodology to hopefully outlive its CryptoLocker predecessor. It also asks for $500 in ransom instead of CryptoLocker’s $300. Thankfully, this newest variant seems to use much of the same code as the old one, including all of its flaws.

The older CryptoLocker software had a few flaws in how it a) chose encryption keys to encrypt the victim’s files, and b) how it used these keys to encrypt the files in the first place.
Performing cryptographic operations with software in a secure manner is not easy. Care must be taken when using the encryption key in software to ensure it is only used to encrypt, and is removed from the system immediately afterwards. If this care isn’t taken, the encryption key can linger in a few places including RAM, pagefiles on the hard drive, and even cached locations on disk. These can be written inadvertently by the application, the application’s framework (.NET, JavaVM, Rails and other frameworks) or by the Operating System itself (in this case, Windows).
This is one of the services that my company, Bitcoinsultants, provides our clients: advice on using cryptography properly to ensure their applications don’t succumb to any of the 7 classes of attacks on information systems (Information Leakage being one).

In a true case of irony, this difficulty of securely using encryption keys has left CryptoLocker insecure, leaving copies of the key on victims’ computers. Where this would normally be an example of an Information Leakage vulnerability, in this case it is a bastion of hope for all of CryptoLocker’s (and CryptoWall’s) victims.

Dealing with Ransomware

There are a few suggestions that I regularly give to people looking for help. I’ve listed them here:

  1. Keep a backup of your data before you get hit. This may seem like a cop-out suggestion, but the fact is if you have a safe copy of your encrypted data you don’t need to pay a ransom to recover the files; you already have them. External hard drives and large USB keys make this easy; simply drag and drop your files to your external drive, and unplug it when the copy is finished. This hard drive can be used to recover your files in the event your system becomes infected;
  2. Try to decrypt the files on your own. If you have experience with programming and are an advanced technical user of computers, you may want to visit these technical resources which can help you understand and decrypt the files on your machine. Keep in mind this will take a significant amount of time and experience with the more technical aspects of computers in order to execute.
  3. As much as I hate to suggest this, consider paying the ransom. Every case I’ve helped with has had their files decrypted after paying the ransom. As dishonourable as the attackers may be in writing this ransomware, they at least keep their word when it comes to decryption. I’ve had people offer to pay for my services to decrypt their files for them out of principle – they’d rather pay a whitehat hacker than a ransom – but the fact is the amount of time and effort required costs more than the ransom. I believe the authors of this ransomware priced the ransom purposely to ensure that it will always be cheaper to pay than to hire professionals to decrypt it on their own.
  4. Canadians can report the incident to the Canadian Anti-Fraud Centre. They keep tabs on scams affecting Canadians and coordinate resources where necessary to combat them. Residents of other countries can find the counterparts to the CAFC in their country, such as the Fraud.org website in the United States;

One of the victims that I’ve helped made a comment regarding this virus and its use of Bitcoin:

“This just proves that Bitcoin is illegal, and it’s only a matter of time until governments ban it for taking advantage of people like me.”

I sympathize with all of the victims of this ransom, but personally I feel that blame should be placed squarely on the attacker and not on the medium of payment demanded. After all, people have held others hostage in demand of $1000s of dollars in unmarked bills; should the Canadian or US dollars be banned for taking advantage of people? Making these counter-arguments helped this victim see that the payment processor was not at fault, however I imagine many others who are less familiar with Bitcoin have jumped to the same erroneous conclusions, making the job of the Bitcoin Alliance of Canada that much more difficult.

The fact is, the easiest way to deal with these types of attacks is to be prepared in advance. If you don’t have a backup of your data, now is the best time to make one.

Until next time,

Michael Perklin

Posted on

What You Need to Know About the New Canadian “Bitcoin Law”

This post was written by Addison Cameron-Huff, a tech lawyer who works for Decentral. Addison is a lawyer but he is not your lawyer. You should seek legal advice before acting on any of the legal information presented in this article.

image

Photo by @spettacolopuro.

What’s Happened?

A Canadian federal law affecting Bitcoin passed last Thursday. Bill C-31, an omnibus budget act, contains provisions that will eventually bring certain Bitcoin businesses into Canada’s anti-money laundering regime. The new rules are not in effect yet.

Who Will Be Affected?

In short: anyone engaged in the business of buying or selling of virtual currencies and who has Canadian customers. 

Any person or business who “ha[s] a place of business in Canada and that [is] engaged in the business of providing … the following [service]: … dealing in virtual currencies”. 

Also affected: any person or business who “do[es] not have a place of business in Canada, that [is] engaged in the business of providing at least one of the following services that is directed at persons or entities in Canada, and that provide those services to their customers in Canada: … dealing in virtual currencies.”

Citations for above: Bill C-31, s. 256(2): http://www.parl.gc.ca/content/hoc/Bills/412/Government/C-31/C-31_3/C-31_3.PDF (pgs. 164-165).

What is “Dealing”?

Dealing isn’t defined in the act but generally means buying or selling. Coupled with the requirement that someone be “in the business of”, it’s likely that this law won’t affect people buying or selling for personal use or merchants using Bitcoin.

The law can be expected to be similar to how car dealing works: selling your own car doesn’t require a license but running a car dealership does. 

What is “Virtual Currency”?

The new law doesn’t define “virtual currency”. The definition will be in the regulations that will eventually be passed (see below). 

What Will the Rules Be?

Anyone covered by the new rules will have to register as a “Money Services Business” (MSB) and comply with the anti-money laundering regime (please see previous Decentral blog posts).

Probably the most significant MSB rule is that companies may only do business in amounts up to a certain threshold before requiring that customers provide identification. The threshold will likely be either $1000 (current MSB rules for the money transmission/remittance category) or $3000 (foreign exchange category).

The exact rules won’t be known until the corresponding regulations are published (here). The final rules will probably be preceded by a notice of proposed regulation posted in Part I of the Canada Gazette.

When Will the New Rules Take Effect?

The new rules won’t take effect until the government declares them in effect.

Section 298(3) of the law states that s. 256(2) (the key Bitcoin-regulating part of the law) will “come into force” (become a law people are required to follow) “on a date to be fixed by Order of the Governor in Council”. 

What is an Order in Council? An Order in Council is one of the pathways by which laws can come into force. They are published on the Orders in Council site (hard to navigate/monitor) and in the Canada Gazette Part II (easier to monitor, it’ll be published as a “Statutory Instrument” [e.g. “SI/2014-XXX”]). The only way to know that an order has been published is to check every day and see if something’s been published. 

What Should Bitcoin Businesses Do?

Find a lawyer and attempt to understand how money laundering rules apply to your business and what the registration/compliance steps are.

FINTRAC (the regulatory agency for anti-money laundering) offers some guidance for money services businesses on its website: http://www.fintrac-canafe.gc.ca/msb-esm/intro-eng.asp.

Registering as an MSB is free and quite straightforward. Compliance is complicated and will likely affect involve hiring a lawyer.

What’s Going to Happen?

1. Canadians may be banned from some online virtual currency services. Although Canada is a base for many Bitcoin businesses, Canadians are a small market. The money laundering rules have such severe penalties that probably services will just not allow registration by Canadians rather than attempt to comply. 

2. Some Bitcoin businesses may have business models that aren’t compatible with the new regulatory regime. They’ll have to adapt their model to the new environment. 

3. Small businesses may not be able to afford the compliance costs. This may lead to consolidation in the industry.

4. The new regulatory regime may provide a big boost to the Canadian Bitcoin industry. Canada will soon have the world’s first nationally regulated virtual currency industry. 

Posted on

Decentralized Bitcoin Exchanges: A Solution with Three Big Challenges

The author, Addison Cameron-Huff, is a lawyer who serves as part-time in-house counsel for Decentral. Decentral is Canada’s main decentralized application business development centre.

 

Bitcoin Exchanges

Bitcoin exchanges are businesses that connect buyers and sellers of Bitcoin to each other and the banking system. Exchanges pose three problems:

  1. they sometimes go out of business and lose everyone’s money + bitcoins (“counterparty risk”); and,
  2. they are easy targets for regulation that can be easily and suddenly shut down by authorities (they are “centralized”); and,
  3. they have a limited number of options for accepting payment (e.g. a US exchange is unlikely to support M-Pesa transfers).

Decentralized Exchanges: Solution?

Many cryptocurrency enthusiasts think decentralized exchanges are the solution to the problems that Bitcoin exchanges currently pose.

 

A decentralized exchange is an exchange that uses peer-to-peer (P2P) networking technology to enable users to directly trade with each other. Although a regular Bitcoin exchange allows users to trade with each other they can only do so with the exchange as an intermediary.

 

When thinking about the difference between a decentralized exchange and today’s exchanges, it’s helpful to think about the difference between Napster and BitTorrent. Napster worked by having a central server that every user’s computer checked in order to see what files were available to download from other users. Napster was shut down in 2001 by a court order that forced them to turn off the central servers. BitTorrent can’t be shut down because users connect directly to each other and not through an intermediate central server.

 

A decentralized Bitcoin exchange would solve problem #2 (see above) because there wouldn’t be a central server. Problem #1 would be solved with respect to the exchange itself but a decentralized exchange would (depending on how it works) probably introduce a new form of counterparty risk: the risk of dealing with other users. Problem #3 would probably also be solved because users could find the payment methods that work for them in their jurisdiction.

 

At a high level it would appear that decentralized exchanges are the solution to the problems identified at the beginning of this post but the devil is in the details. The devil lies especially in the details of how a decentralized exchange would handle the interface between “fiat” currency (e.g. Canadian dollars) and Bitcoin.

 

Canadian Dollars to Bitcoin

A hypothetical decentralized Bitcoin exchange would probably operate along these lines for a $ to BTC transaction:

  1. Alice and Bob agree on price and quantity (e.g. $3000 for 2 bitcoins) through the decentralized order matching system
  2. Alice sends $3000 to Bob
  3. Alice sends a message indicating payment sent
  4. Bob receives $3000
  5. Bob sends a message indicating payment received
  6. Bob sends 2 bitcoins to Alice
  7. Bob sends a message indicating the bitcoins have been sent
  8. The system marks the transaction as complete

 

The steps above pose at least three big challenges:

  1. What does step #2 mean? How will Alice send the money to Bob? Will the decentralized exchange interface with the thousands of payment systems around the world?
  2. How can Bob be sure that the money he receives in step #4 won’t be taken back by Alice after step #8? If Alice uses a payment method like a credit card then Alice can later reverse the transaction and potentially get back her money and keep the bitcoins. There are very few methods of payment that can’t be reversed.
  3. How will disputes be handled? What if Alice didn’t actually send the money? What if Bob doesn’t send the bitcoins? How can Alice prove she sent the payment? What if Alice backs out of the transaction before sending payment? Who will be responsible for offline enforcement?

 

Flickr photo shown on laptop is by @jalavega