As Meni mentioned, PayPal unfroze my account about 6 months after freezing it.  I was able to withdraw my cash at that time.

However, until last month (about 4 years after the freeze) that PayPal account was still restricted.  That is, I was unable to add or withdraw any new funds or make any transactions with that account.  Before those restrictions were lifted, I had to provide a verbal promise that I would not use the account to trade virtual currencies.  So PayPal's baby steps towards Bitcoin haven't reached the ToS department yet, apparently.

I didn't read the full post, but I wanted to comment on trustless P2P exchanges.  Most payment methods people want to exchange for Bitcoin (PayPal, credit cards, bank transfers, etc) inherently require trust.  Until that demand changes, all P2P exchanges seem destined to require trust as a central component.

It will be exciting indeed when cryptocoins are adopted widely enough that a design such as you suggest can be popular.

Diffie-Hellman key agreement is really easy using elliptic curves.  Maybe because of that, I was unable to find a good, working example with which to experiment, so I wrote one: 32 lines of Go.  It should be equally short for any other language that has a decent EC math library.

Here's a sample run:

$ go run ecc.go
Alice: c84fd9a9c8538375d86d4fb03f6651ed62431d236584d07d45048432
       18424947940967940791172868542123538214411876209787668504243298468721
Bob: a2101edbea799523a0ab0cf0281e32cc39fdca05a7b6cb8c9e534f6c
     25522202360313088829965757364820961191890334919586259842035197968775

Alice: 21477883440431114094502151543289380813227450324823096547884771069269
Bob:   21477883440431114094502151543289380813227450324823096547884771069269

The first 4 lines show Alice and Bob's private and public keys, respectively.  The final 2 lines show that they each calculate the same shared secret.  The example uses curve P-224 instead of secp256k1 since the former is part of Go's library.

The Wyoming Secretary of State notified me that I'm officially on the ballot for this fall.  My website is now available with details about me and my positions on various issues.

My reading of Wyoming campaign rules suggests that I can accept small Bitcoin contributions (less than $100) anonymously under the "pass around a donation jar" rule.  You can send those donations to 1K31DHAgY2beZ53PaaU9YpqfGVZPNDJVFv  If you want to contribute more than that via Bitcoin, email me and I'll give you a special donation address.

Contributions will help defray the cost of yard signs and campaign flyers.

CoinCard is now permanently closed.  As other demands have come up, I've had to trim back on some activities.  There are far more Bitcoin exchanges operating today than when I started CoinCard 18 months ago.  CoinCard just isn't as important as it once was.

I'm still convinced that Bitcoin is the future and will continue working on Bitcoin projects as opportunity permits.  Thanks for all your business.

A MtGox withdrawal was delayed for 11 days, so that put me behind schedule on funding.  I expect to have Amazon funds available by Friday of next week (August 24th), at the latest.

I'm the first Libertarian to run in this district in a long time (ever?).  State and National LP candidates likewise haven't done well in this district in the past.  As you mentioned, having R by your name pretty much guarantees you'll win.

As best I can tell, I'm the only candidate besides the Republican.  He's an unpopular county commissioner and there's no Democrat running, so those could both help my chances.

I live in Hanna.  My district includes all of Carbon County outside of Rawlins and some rural areas of Sweetwater and Albany counties.


It's great to hear of more Bitcoiners in Wyoming.  I'm currently waiting for the Wyoming Secretary of State to certify my position on the ballot.  Once that's done, I'll have more details about collecting contributions and the associated reporting requirements.

I'll post to this thread again once I know more.

Keep me posted on your progress via email.  If Amazon doesn't give you the funds after 30 days, they bounce back to my account and then I can refund your Bitcoins.

The service is still operating.  We've done stiff business the last couple weeks as Bitcoin exchange rates have been high.  I recommend that new customers do just what they'd do with any Bitcoin service they haven't used before: try a small transaction first to make sure everything works to their satisfaction.

I've had a couple customers do a $500 transfer for their first try and then find out that Amazon doesn't like their account for some reason.  They spend a few days working through Amazon's machine before they can get their funds.

Unfortunately, I've spent most of the last year on non-Bitcoin projects.  I've spent only a little time each month on my next Bitcoin project.  It's something others have tried and failed.  I'd rather not announce any specifics in case I meet the same fate.  Better to show than tell, I figure.

For those subscribed to this thread, I posted another thread about anti-fraud lessons learned while operating CoinPal.

Not to use PayPal again   I had planned to accept credit card payments instead.  Over the last year, other ideas have consistently seemed more fruitful so I'm not pursuing credit cards anymore.

PayPal's anti-fraud measures are decent and I relied on them as an initial filter.  However, I caught many fraudulent orders that PayPal missed.  Their system is optimized for physical goods.  They do automatic chargebacks on digital goods disputes, so they have little incentive to improve there.

As most of you know, I operated CoinPal before it was closed in April 2011.  I had planned to reopen it, but plans have changed.  I still own, follow and advocate Bitcoin.  Nothing has changed there.  About once a month, I receive an email asking "How did you avoid scammers on CoinPal?"  I decided to post about it so the entire community can benefit (and give myself a URL to point to).

Background

CoinPal allowed one to purchase Bitcoins with PayPal funds.  PayPal payments can be reversed easily but Bitcoin payments are permanent.  This asymmetry made CoinPal a constant target for PayPal fraud.  After I experienced my first wave of fraud, from which I learned many lessons, CoinPal lost less than 0.9% of revenue to fraud losses.

Fraudulent buyers exhibit certain characteristics that distinguish them from legitimate customers.  Some of these characteristics could be easily abandoned if the scammers recognized them.  They appear not to.  This kind of obscurity makes poor security.  Nevertheless, recognizing these kinds of easily abandoned practices saved CoinPal lots of money.  I won't describe any of these patterns since the scammers will simply abandon them once they're published.  Instead, I'll describe characteristics which scammers are unable to change.  These ought to remain relatively helpful over time.

Stolen accounts as currency

The most important realization is that stolen PayPal accounts or credit card numbers are a digital currency (although a poor one).  If I write a virus or phishing attack, my wages are denominated in the currency of stolen accounts.  Alternatively, I can exchange fiat currency for stolen account currency, by trading on various black market forums.

As a digital currency, stolen PayPal accounts are subject to double spending attacks.  For example, the legitimate owner may change his account password thus spending stolen funds back to himself.  Or a vendor selling PayPal credentials can sell the same credentials to multiple buyers.  Without a blockchain to rescue them, those holding this digital currency must spend it quickly before someone beats them to it.

Scammers are in a nasty hurry and can't do anything about it.  I saw this over and over again at CoinPal.  I see it at other online retailers too.  This is why CoinPal and VirWox have tiered purchase limits based on an account's age. 

Conclusion: scammers have an unusually high discount rate.  With this discount rate, the present value of a payment 7 days in the future is less than his cost of acquiring stolen credentials.

Measure Everything

Collect data on everything you can possibly measure.  Record it in your database associated with each order.  When fraud happens, compare all the data you have against known legitimate orders.  Scammers operate under different conditions than legitimate buyers and it invenitably shines through.  When they try to hide it, it causes other tell tale signs.

In the short time that CoinPal operated, I collected a couple hundred metrics about each order placed on the site.  Perhaps a dozen of those metrics proved useless.  The rest were valuable and I incorporated them into automated fraud screening.  Unfortunately, these patterns are the easily abandoned ones I mentioned above, so I won't give specifics.

Conclusion: If you can measure something about your customers, do it.  Spend plenty of time analyzing what you measured.

Legitimate Customers

You can't stop all fraud.  Some will get through your defenses.  Currency exchange profit margins are too narrow to absorb much of it, so you need a healthy legitimate customer base across whom you can distribute those costs.  As chargebacks come in, it's tempting to focus entirely on eliminating fraud.  Unfortunately, that focus inconveniences legitimate customers so much that they go elsewhere.

Early in CoinPal's history, I manually contacted every customer that wanted to purchase coins.  I bought a bunch of long distance calling credit and spent hours on the phone asking customers questions about the name of their nearest grocery store or which direction Lake Something was from their house.  I never had a chargeback from these orders, but they hated it and I hated it.  I lost many legitimate customers as soon as I emailed them asking if I could call them on the phone.  I know they were legitimate because many of them bought coins after I eliminated this process and they never charged me back.

Conclusion: a healthy customer base is as important as fraud detection.  Profit from serving them will sustain you through the scammer attacks.

Fees Select Customers

This should be obvious, but it's repeatedly violated by new Bitcoin exchanges.  A legitimate customer is spending his own hard earned money, so he cares about fees.  A scammer is spending someone else's money, so he doesn't.  Increasing fees scares away profitable customers leaving you with only scammers.

A small price elasticity of demand and a high discount rate combine to explain a common fraud symptom in retail.  Fraudulent customers are far more likely to pay extra for overnight shipping.  They don't care about the money and need the goods quickly before their scam is detected.

Conclusion: High fees favor fraud.  Although scammers could avoid this characteristic by frugally spending their stolen funds, frugality demands patience which they can't afford.

Repeat Business

CoinPal averaged 1.6 orders per legitimate customer.  Many of those customers first purchased from me shortly before the site closed and never had a chance to return, so that figure is artificially low.  Many legitimate customers placed the maximum allowed order every single week until the site closed.

Scammers, however, manifest as one time buyers.  After the first purchase, their stolen funds are spent and they must switch identities.   This distinction means you can safely lower your defenses for repeat purchases.  As best I can find/remember, CoinPal never had a chargeback from a repeat customer.

This dichotomy gives vendors another means to distinguish between good and bad buyers.  For a legitimate buyer, one-time fees will be amortized over the life of his business.  A scammer, must recoup the entire fee on his first purchase.  If the fee exceeds his profit, he'll quit.

Late in CoinPal's life, I instituted automated phone verification for first time buyers.  These buyers paid an extra $0.50 to cover the cost of the service.  For legitimate customers that's $0.50 amortized over several future orders.  For scammers, it's $0.50 plus the cost and inconvenience of acquiring a working phone number per order.

Conclusion: One-time fees favor legitimate buyers.

CashStar changed their checkout process breaking my auto-purchase scripts.  I've disabled those two gift card options until I can figure out a way to automate the purchases again.

Amazon payments are still working great and we're handling a steady volume of them each week.

You can now donate Bitcoins to the Darcs project via CoinCard.  There's no fee for this service.  This method of donations will be listed on the Darcs donation page soonish.

Background: Darcs is a version control tool based on a unique cherry-pick workflow.  I'm part of the Darcs core team.  The Software Freedom Conservancy manages Darcs finances but won't accept Bitcoin donations directly (because the EFF stopped accepting Bitcoin).  After processing $100 in donations manually, I figured it was easier to just teach CoinCard to handle them.

Thanks for the suggestions.  I'm a big fan of competing currencies. I plan to have that discussion during the campaign and in the legislature.  I think conditions are right for changes in that area.

Politics in Wyoming has definite advantages.  Since the legislature only meets 60 days every two years, normal citizens can participate without making it a full time job.  Many of our elections have a great, small town feel.  For example, my district has only 9,000 people in it.  They're spread out over 20,000 square miles, but at least I have a chance to meet nearly every one of them during the campaign.

This weekend at the Wyoming Libertarian convention, I was elected as the party's candidate to run for Wyoming House District 47 in the election this fall.  Because of my history with Bitcoin, I thought some might be interested.  One platform of my campaign is to make all state business licenses optional (hair salons, restaurants, etc).  This is similar to how the state handles concealed carry permits.  The proposal also makes optional the licenses required by the Wyoming Money Transmitters Act.

I'm still learning the details of local campaign finance laws.  I'd like to accept Bitcoin donations to my campaign, but need to make sure I can meet all the necessary reporting requirements.