Taxis, Web3, and a $26,000 Fraud
The web3 community is obsessed with decentralization to a fault. They believe every company should be a DAO and every API a protocol. Let me tell you what this trades off, and why it might not be worth it.
In August 2022 I was defrauded of $26,000.
The scheme preys on one of the few major vulnerabilities of the existing payment network, namely that debit and credit cards place too much trust in the merchant. This particular fraudster used a fake taxi and point-of-sale (PoS) device to steal both my debit card and its corresponding 4-digit PIN. I was forced to use my debit card because the fake PoS first declined my credit card. Over the next several days, the fraudster proceeded to withdraw funds and rack up thousands of dollars’ worth of charges. For reasons still unknown to me, the bank’s fraud detection systems did not freeze my card.
Credit cards are more secure than debit cards because payments are reviewed at the end of the month and fraudulent transactions can be flagged before a consumer has their funds withdrawn. This places the onus of compliance on large credit card companies, who possess the resources to investigate and insure themselves against fraud. Debit fraud is a consumer’s worst nightmare because funds are drawn directly from their account and it is the responsibility of the individual to convince their bank that the transactions were in fact fraudulent. Banks can take months to refund fraudulent debit transactions — if refunded at all.
When I realized something was wrong, I immediately canceled my cards, reported the fraud to my bank, and opened a police case. Although the police case remains open, within 4 weeks the bank had returned all of the missing funds. Let me repeat that: within one month of claiming it was stolen, my bank wired me $26,000.
Let’s imagine that this fraud had occurred in the web3 ecosystem.
Pretend $26,000 of Ethereum had been stolen from my wallet by a fraudulent smart contract. I think we can all agree that almost no wallet, exchange or crypto investment platform in the world would fully return those funds. Even Coinbase (the gold standard for security and compliance) has a spotty history of returning hacked customer funds. This insurance against devastating outcomes is a fundamental difference between the web3 and traditional finance (tradfi) ecosystems.
This is important, because when you’re down $26,000 the only thought going through your mind is “I’m so glad my money is with a big, boring traditional bank.”
In order for crypto to be mainstream, it must provide the same level of safety and security as tradfi.
I was recently having a conversation with a well-respected engineer at a top web3 startup. This particular company has tens of millions of users and hundreds of millions in funding from top crypto VCs. When I explained my concern about participating in the crypto economy without proper insurance against devastating loss, he responded with the common refrain that “Consumers need to take responsibility to educate themselves.” This libertarian mantra is ubiquitous among web3 enthusiasts. The idea is that individuals should understand the crypto stack, take custody of their own assets, and fully manage their own risk.
My experience has been that the most highly educated and involved web3 engineers are some of the most likely to fall victim to crypto scams.
Consider NFT airdrops, one of the most ubiquitous attack vectors.
The scam works by sending an NFT to a freshly-funded wallet with the instructions to run the contract and mint the token. In reality, the contract simply transfers funds out of the wallet. Wallets like MetaMask, Slope, Phantom, and Coinbase Wallet have wised up to these scams and now run transaction simulations that can warn users about certain contracts. Unfortunately, these simulations are limited in their effectiveness because it is impossible to know the output of code without fully running the code itself (see the halting problem). So while these warnings are helpful, false negatives leave millions of consumers vulnerable.
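One defensive check a wallet can run before the user signs anything is to decode the calldata of the "mint" transaction and flag calls that hand control of tokens to an address the user has never dealt with. The following is an added example written for this post, not code from the original article or from any wallet named above. It uses the standard 4-byte ERC-20/ERC-721 function selectors (real values) and otherwise assumes everything: the `trusted` allowlist, the addresses, and the sample calldata are constructed for illustration. Because it only decodes arguments rather than executing the contract, it catches the explicit approve/transfer pattern the post describes and cannot reason about a contract's internal logic, which is exactly why it complements simulation instead of replacing it.

```python
# Added example (not from the original post): a wallet-side pre-signing check
# that decodes the calldata behind a "mint this airdrop" prompt and flags
# token approvals or transfers to an untrusted address. Selectors are the
# standard ERC-20/ERC-721 4-byte selectors; addresses are constructed samples.

# First four bytes of keccak256 over the canonical function signature.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}

WORD = 64  # one ABI-encoded argument is 32 bytes = 64 hex characters


def _word(data, index):
    """Return the ABI word at argument position `index` (hex, selector stripped)."""
    start = 8 + WORD * index
    word = data[start:start + WORD]
    if len(word) != WORD:
        raise ValueError("calldata truncated: argument %d is missing" % index)
    return word


def _address(word):
    return "0x" + word[-40:]          # last 20 bytes of the padded word


def _uint(word):
    return int(word, 16)


def check_calldata(calldata, trusted):
    """Classify calldata before signing.

    Returns (verdict, reason); verdict is 'ok', 'warn', 'unknown' or 'reject'.
    `trusted` is a set of lowercase addresses (e.g. a known marketplace)
    that are allowed to receive approvals or tokens.
    """
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) < 8:
        return "reject", "calldata too short to carry a function selector"
    sig = SELECTORS.get(data[:8])
    if sig is None:
        return "unknown", "selector 0x%s is not a token approval or transfer; inspect or simulate" % data[:8]
    try:
        if sig == "approve(address,uint256)":
            spender, amount = _address(_word(data, 0)), _uint(_word(data, 1))
            if amount == 0 or spender in trusted:
                return "ok", "approve to trusted spender or zero amount"
            return "warn", "approve lets %s spend %d token units" % (spender, amount)
        if sig == "setApprovalForAll(address,bool)":
            operator, approved = _address(_word(data, 0)), _uint(_word(data, 1)) != 0
            if not approved:
                return "ok", "revokes operator %s" % operator
            if operator in trusted:
                return "ok", "operator %s is trusted" % operator
            return "warn", "setApprovalForAll lets %s move every token you hold in this collection" % operator
        # transferFrom / safeTransferFrom: argument 1 is the recipient.
        to = _address(_word(data, 1))
        if to in trusted:
            return "ok", "transfer to trusted address %s" % to
        return "warn", "%s sends the token to %s" % (sig.split("(")[0], to)
    except ValueError as exc:
        return "reject", str(exc)


# Helpers to build constructed sample calldata (ABI left-pads each argument).
def _pad_address(addr):
    return addr.lower()[2:].rjust(WORD, "0")


def _pad_uint(n):
    return format(n, "064x")


MARKETPLACE = "0x" + "11" * 20   # constructed: an address the user already trusts
UNKNOWN_OP = "0x" + "ab" * 20    # constructed: operator named by the airdrop contract

SAMPLE_DRAINER = "0xa22cb465" + _pad_address(UNKNOWN_OP) + _pad_uint(1)      # approve-all to stranger
SAMPLE_REVOKE = "0xa22cb465" + _pad_address(UNKNOWN_OP) + _pad_uint(0)       # revocation, harmless
SAMPLE_TRUSTED = "0x095ea7b3" + _pad_address(MARKETPLACE) + _pad_uint(10 ** 18)
SAMPLE_OTHER = "0xdeadbeef" + _pad_uint(7)                                   # constructed unknown selector
SAMPLE_SHORT = "0xa22cb465" + _pad_address(UNKNOWN_OP)                       # second argument cut off

if __name__ == "__main__":
    for name, cd in [("drainer", SAMPLE_DRAINER), ("revoke", SAMPLE_REVOKE),
                     ("trusted", SAMPLE_TRUSTED), ("other", SAMPLE_OTHER), ("short", SAMPLE_SHORT)]:
        print(name, check_calldata(cd, {MARKETPLACE}))
```

The "unknown" verdict is deliberate: a plain mint call is not in the selector table, and the right response is to fall through to simulation or manual inspection rather than to approve silently, which is the false-negative trap the paragraph above describes.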
Later that day, I was airdropped an NFT for an exciting upcoming project. I asked the same engineer whether he thought I should mint it. We looked over the project website (it was beautiful), their Twitter (18k followers), and inspected the smart contract (it passed without warning). Still, I was unsure how I should proceed.
Imagine if instead of making multiple individual withdrawals over several days, my taxi cab fraudster had gained full access to all of my accounts, and in a single transaction, could steal all of my funds. On top of that, imagine that there was no bank or central authority to insure me against fraud and no way to ever recover my funds. This is the current web3 experience. A quote from the same engineer: “Everybody gets rug pulled at least once.”
Web3 doesn’t appreciate long-tail risk.
To be clear, this is not a theoretical condemnation of distributed finance. I hold thousands in crypto myself and am excited about innovations in payments, social media, and gaming. This is a practical problem that must be addressed before web3 can be properly adopted. Millions of consumers have been drawn to crypto in the past 3 years. These consumers primarily identify as economically conservative or libertarian. However, strong societies are not built laissez-faire, but by balancing individual and social needs. In order to onboard the next billion users, we need to offer protection to the most vulnerable. In crypto, this means looking out for newcomers. We need to spend more time worrying about the couple who have their retirement savings stolen by Celsius or the college student who gets rug-pulled buying their first NFT. Code is law, bugs and all, but it shouldn’t be.
Why did my traditional bank return my funds?
I think it’s worthwhile to consider this question deeply. It certainly wasn’t just to keep my business: the $26,000 is probably greater than the lifetime value of my account. It might have been to avoid bad PR, although a Google search for “Taxi Fraud Canada” reveals dozens of stories detailing my exact experience, so going to the press would not have revealed any new salacious details.
No, I believe my bank returned my funds because they have fully internalized insurance (reinsurance or otherwise) as part of the cost of doing business. If something terrible happens to my finances, I trust that they will look out for my interests, up to the point of returning 100% of my stolen funds. They know that consumers expect nothing less, and they’re paranoid about security and minimizing legal exposure. It’s about time we start demanding the same of our web3 institutions.