Monthly Archives: October 2014

Secure transfer of coins

As many of you know I have always tried to work with safety and security in mind when developing for you all. One of the things that got me started with SuchList was being scammed myself and seeing others being scammed online.

You see, one of the inherent problems with online-based commerce is that anybody can claim to be anybody and it’s really hard for someone else to make educated decisions on whether to trust the supplied information or not.

For this reason I decided, early on, to build features to let users verify information about themselves. This includes things like Reddit accounts, Twitter accounts etc. It does in no way give you a complete picture, but instead serves to help you make your own educated decision. Someone with a several-year-old public Twitter profile that makes legit posts might be easier to trust.

But this relies on two things. Users willing to verify their information and other users actually making use of the available information in their decision making. Unfortunately it still happens that people spend large amounts of coins on some item offered by some user who has verified no additional information or only a brand new Reddit account without any history. Of course a user like this could be 100% legit, but it can be really hard to know or feel comfortable putting trust in a user like that.

How to add extra security?

The most crucial part of any online transaction is the transfer of funds from one party to the next. Here the ideal situation is to use some kind of extra layer in order to guarantee that the funds are not just blindly sent from one user to the next but instead have a platform that adds security and removes incentive for any party to try to be deceitful.

This is normally the domain of an escrow service. An escrow service works like this: the seller requests a payment of x coins from the buyer. The buyer then transfers the coins. But instead of transferring them to the seller directly they are transferred to a third party that will hold on to the coins. The amount of coins received is displayed to the seller so the seller knows once the payment is done in full. The seller is then free to ship his goods to the buyer.

The nice part here is that both parties can verify that the payment is covered, but neither the seller nor the buyer can single-handedly withdraw the coins. Instead the buyer will release the coins once the goods have arrived.

This removes the incentive for a seller to try and scam a buyer, since the seller only gets the coins once the buyer has actually received the goods. A seller not set on actually shipping any goods would thus never receive any coins.

It also removes the incentive for buyers trying to scam sellers into shipping goods and getting paid once it arrives, without actually planning to pay for the goods at all. Since the coins would be held in escrow and not easily reclaimed by the buyer.

Up until recently I recommended the escrow service for this service. It was very easy to use and the times I tried it, it worked flawlessly. The problem as of late has been the small annoying fact has not been online for quite some time. The site was owned and operated by Moolah, and given all the drama around that it’s quite clear that it won’t be coming back (and if it did I could not with a good conscience recommend it).

Solutions to’s absence

During the time was down but all the problems with Moolah still hadn’t been brought to light I opted in to act as a manual escrow for users of SuchList who needed the extra layer of security. This worked fine, but introduced a lot of extra work for me. More importantly it broke one of the main ideas of the site, that no user should have to rely on me for their payments to go through etc.

Ever since the start of SuchList I have had users asking me to include my own escrow service on the site. Several other sites do this in one form or another and I have not been blind to the use case for such a thing. But one thing I have always been against is the site storing coins in any way. A site, full of user accounts, full of coins, is a prime target for hackers. Even though a lot of safeguards are already in place I feel it would be dumb to add the extra risk.

You see, users losing coins to hackers is one of the worst things for the currency. A lot of, often unintentionally, insecure services have been breached and caused bad headlines. I did not want to add to that problem.

For this reason I declined the idea of implementing my own escrow service and stated my opinion and reason for this every time I got the question.

But the downfall of Moolah and the absence of really annoyed me since I felt users were now left without a quick and (at the time) reliable escrow service. Asking people to go back to sending coins directly to each other without any security was not something that was good enough for me. But what could I do?

Introducing the fully integrated SuchList escrow service, with zero coins held by SuchList

I have always tried to think of a way to somehow create a very secure way of transferring the coins. After talking to various people I now think that I have found the solution that I have been looking for. It brings the best of both worlds. A fully integrated escrow service that works within SuchList itself. But at the same time SuchList will hold absolutely zero coins on the site. No, I don’t mean that I will export them to some cold storage and keep it secure like that. This would make users 100% dependent on me and when I had time and energy to transfer requested funds.

Instead, every escrow transaction will be kept secure by the one thing we trust the most (even if we don’t know it), the block chain.

Instead of trying to stash the coins held in escrow away somewhere and hoping no one gets to them we hide them in plain sight. The way this works is through multi-signature transactions. That is, instead of you signing your transactions like you normally do on the Dogecoin network, a transaction that requires more than one user’s signature is created.
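To make the multi-signature idea concrete, here is an added example (not SuchList's code) of a check a buyer or seller could run before funding: it decodes an m-of-n multisig script and confirms that no single key can spend. It assumes the standard Bitcoin-style `OP_m <pubkeys> OP_n OP_CHECKMULTISIG` layout that Dogecoin inherits and a 2-of-3 arrangement with a hypothetical third `ARBITER` key; the page does not state the actual threshold or script used.

```python
# Added example: decode a Bitcoin-style m-of-n multisig script and check its policy.
OP_1, OP_16, OP_CHECKMULTISIG = 0x51, 0x60, 0xAE

def build_multisig_script(m, pubkeys):
    """Serialize OP_m <pubkey>... OP_n OP_CHECKMULTISIG."""
    if not 1 <= m <= len(pubkeys) <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    out = bytes([OP_1 + m - 1])
    for pk in pubkeys:
        if len(pk) != 33 or pk[0] not in (2, 3):
            raise ValueError("expected 33-byte compressed public key")
        out += bytes([len(pk)]) + pk
    return out + bytes([OP_1 + len(pubkeys) - 1, OP_CHECKMULTISIG])

def parse_multisig_script(script):
    """Return (m, [pubkeys]); raise ValueError on anything non-standard."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a multisig script")
    m_op, n_op = script[0], script[-2]
    if not (OP_1 <= m_op <= OP_16 and OP_1 <= n_op <= OP_16):
        raise ValueError("bad threshold opcodes")
    m, n = m_op - OP_1 + 1, n_op - OP_1 + 1
    body, keys, i = script[1:-2], [], 0
    while i < len(body):
        size = body[i]
        if size != 33 or i + 1 + size > len(body):
            raise ValueError("unexpected push; only compressed keys accepted")
        keys.append(body[i + 1:i + 1 + size])
        i += 1 + size
    if len(keys) != n or m > n:
        raise ValueError("key count does not match n, or m > n")
    return m, keys

def check_escrow_policy(script, my_key, counterparty_key):
    """Return a list of problems; an empty list means the policy holds."""
    try:
        m, keys = parse_multisig_script(script)
    except ValueError as e:
        return [str(e)]
    problems = []
    if m < 2:
        problems.append("a single key can spend the funds")
    if len(set(keys)) != len(keys):
        problems.append("duplicate key lets one party sign twice")
    for label, k in (("my", my_key), ("counterparty", counterparty_key)):
        if k not in keys:
            problems.append(f"{label} key is not in the script")
    return problems

# Constructed placeholder keys (not real curve points), for illustration only.
BUYER, SELLER, ARBITER = (bytes([2]) + bytes([b]) * 32 for b in (0x11, 0x22, 0x33))
GOOD = build_multisig_script(2, [BUYER, SELLER, ARBITER])
WEAK = build_multisig_script(1, [BUYER, SELLER, ARBITER])
```

`check_escrow_policy(GOOD, BUYER, SELLER)` returns an empty list, while the 1-of-3 `WEAK` script is flagged because any one key holder could move the coins alone.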

How does it work on SuchList?

First, let me note that this feature is not released yet. But I still wanted you all to know what will soon be here in the light of the recent Moolah drama. Functionality is in testing but not much energy has been put into UI at the moment.

When you register a deal on SuchList everything looks like normal, except you have one additional new choice to make.


Registering a Deal

Besides all the normal information you can now select to create a Multi signature escrow payment connected to your deal. Note that this is not forced and you have the option to select External Transaction. This means that the transaction is handled outside of SuchList.

Why did I do this? Since I have always said that if I ever include any way to handle payments on the site I will make it optional to use. Perhaps you know the person you are doing the deal with or you are meeting in person. You should not be forced into using a specific payment method then.

If you select to use the escrow system you will have to enter some more information.


New escrow option

I have tried to keep everything 100% free, but users have told me that I must make sure the site survives and is financed. So in order to help with that a small fee was introduced. Do note though that you are not forced into using the escrow service.

The seller and buyer can agree on how to cover this fee. They can split it, the seller can pay it or the buyer can pay it. How much the buyer will have to deposit and the seller will get when he withdraws the payment is clearly visible for every given option.

Next you select how to secure your transaction. You can select one of two ways.

  • Protect it using your SuchList password (actually a lot of random characters encrypted by your password)
  • Protect it using a passphrase you set that is unique to this specific transaction

Exactly how this is used will not be discussed here, but it’s basically used to generate the keys used to sign your transactions. A user confirming a deal will choose how to secure his/her part of the transaction in the same way. In order for the seller to request a release or the buyer to release the coins they must know their respective secrets.

One thing I have always wanted to guard against as much as possible in the event of the site having any kind of service like this is how to avoid a complete breach from losing a lot of user coins. Sure, it’s a bit paranoid and probably not the most common scenario to try and stay secure against. But with this solution we get quite close.

Since your password is encrypted on the site and a unique pass phrase you might choose is not saved at all on the site it would be very hard for anyone to gain access to this required information and release a payment in your place.

Since coins are not actually stored on the site a breach would not give a hacker access to all the users’ coins. Furthermore, coins released from escrow are sent to a wallet of the seller’s choice. Not kept in some temporary wallet controlled by the site. This further reduces the likelihood of any hacker gaining access to any coins.

Also, one last thing here is that since these transactions require multiple signatures a hacker who obtained your password or somehow got access to the site and managed to brute force your unique pass phrase would still not be able to withdraw any coins. Since it would require at least a secondary signature as well.


I hope to have this ready for release very soon so you can all go back to making secure online commerce with escrow service if needed.

If all goes well the plan is to also add support for escrow transactions for people who are not active users of SuchList. But that will follow at a later date.

Some development screens

Here are some additional screen shots. They are a work in progress and things have already changed a bit, but just to give you a quick glimpse.

Deals to confirm now show if they use the escrow system or not

Confirming a deal using the escrow system shows some additional information to the buyer


A quick overview of all your active escrow payments


Payment details for a non fully funded payment


Payment details for a fully funded payment.

How to stay safe when buying something on

The problem

In the pursuit to make Dogecoin based commerce a reality we will all face a few problems. One of the largest ones will be the same thing that it is for commerce using “regular” currencies too. Scammers.

Scammers are people who basically want to rip you off. They present you with some good deal and try to figure out a way to get your cash and make a run for it.

The solution

This is nothing that digital currencies are immune to. So when I built I wanted to help people know who to trust. It must always be a user decision to trust someone or not. Having a system that somehow decides if a user is trustworthy or not would be susceptible to manipulation and could cause false positives that could get a lot of users duped.

Instead I opted for the approach of supplying mechanisms for users to prove more about their online persona and thus help potential buyers know more about them. This information, along with feedback left by previous buyers etc., would help users make educated decisions about who they should put their trust in. So how do you use this information on the site?


If you browse the site you will see a bunch of items offered by other users. In the listings you will see the type of offer it is, where the item is located etc. You will also see small icons representing what kind of information the user has verified about himself.


Here we see that the user has verified a reddit account. If we click on the item to look at it in more detail we can get even more information that’s connected to your safety.


Here we are presented with the publisher’s name and a number within parentheses. This number indicates the user’s feedback score. The feedback score is based on feedback gained both as a seller and a buyer. A high feedback score makes me a bit more confident in the user. But you should still examine the user more. You can also see if a user has any validated information here.

Clicking on the user’s name you will be taken to his profile where you will be able to see this information in more detail. But in order to protect users’ data, no information about which reddit account was verified etc. is public. Instead you have to have your own account and log in to be able to view this information, along with the user feedback details. This also keeps Google from indexing this type of information.

So, if you haven’t already, sign in and go to the user’s profile page. In order not to make this user’s information public here I will now switch to using my own profile in these examples.


Here we can see some personal information about me. Where I’m located, an overview of my feedback and my verified information. I have verified quite a bit of information. But just because of that you should not automatically trust a user. Instead you should examine it further in your quest for confidence.

One thing to check here is if the user has verified a phone number through SMS. If the phone number were to have a country code of Sweden and the user claims to be in USA I would become a bit suspicious. This in itself does not have to mean the user is a scammer. He could be in the states for work or any other reason. But it would catch my attention.

Also, if the user claims to represent some website or online store and has not had that website verified I would also take this into consideration. Perhaps ask the user to verify the site he claims to represent in order to add trust.

After this I would start going through the verified accounts. Check their history. In this case I have an eBay account verified. Great right? I must be a terrific seller! Well, let’s click on it and take a look at it.


As you can see, I have a totally empty account. So only looking at the fact that an account is verified is not enough. In fact, I created this eBay account just to be able to implement the validation code for the eBay accounts. So I have never actually used it. In Sweden we use a subsidiary of eBay called Tradera where I do have an account with a bit more activity on it though… hehe

If the user has a lot of activity on eBay, check their feedback on eBay. Don’t forget to check how old the account is and how old the feedback is.

Then do the same for the other verified accounts. Check the user’s reddit account and its history.


Try to find relevant questions to ask yourself about the user.

  • How old is it?
  • What reddits does the user post in?
  • How often does he post?
  • Is he the moderator of any sub reddits?
  • Has he had complaints before?
  • Is he mentioned in /r/dogecoinscamwatch?

Continue to check the other accounts and their history. Twitter and LinkedIn. Someone with a verified LinkedIn account that isn’t an obvious fake is probably not keen to destroy his professional life by scamming people for instance.

After this you can look at the user’s feedback details.


Here you will see a lot more details about the user and the feedback he has received. Both as a seller and as a buyer. You will see the user’s “score” in different subcategories, information about what was bought or sold, when, and with what other user the deal was made.

You can then start examining each individual feedback even more.


Looking at a specific feedback entry you will be able to see detailed information about it. Use this to try to spot any attempts at manipulation. Does a user have a lot of deals but only with one other user? Perhaps he registered two accounts and tried to build himself fake rep. Check the date and time of when the feedback of different deals was given and received. Also, if the system notices that the two users that were part of a deal ever shared an IP address this will be noted in the Status field. This does not have to mean that this is fake feedback, it could be two friends making a deal on the same computer etc. But it would be another thing that would make me think twice.

Make your decision

All this information, when combined, should help you make an educated decision about trusting this user or not. If the user would have had no feedback, one verified piece of information that was a reddit account that was brand new, sold expensive but desirable goods and perhaps even insisted on payment up front I would be very skeptical.

But if everything checks out or the user in some other fashion gains my trust I would go ahead with the deal.

Adding a bit of extra comfort

If you decide to trust the user but he still doesn’t have a ton of feedback and you want to add some extra security I highly recommend that you use an escrow service.

The one I have been recommending that has been super easy to use has been Unfortunately it seems to be down at the moment and despite several requests I have been unable to get a clear answer from the people over at Moolah about when/if it will be back online.

Since I want you all to be able to stay safe, I want you all to know that you are welcome to contact me to function as a manual escrow until is back or until we have a good substitute. This will add a bit of a delay since I will have to manually handle this and if a lot of requests come in I will have to put a small fee on it so I don’t drown in the work load. But for now there’s no such fee. I can be contacted through the contact form on or you can contact me on reddit /u/inquam.

Also, do note that the same level of caution and scrutiny of users should be applied if you are a seller and are contacted by a potential buyer. Look at his account, verified information and the history of those accounts in the same way.