DashDirect Virtual Visa/MC Proposal Updates

craymarshallg

Member
Masternode Owner/Operator
Sep 5, 2021
72
154
73
www.dashdirect.org
I'm honored to present the new, improved Ionia card programs. We will be building all 3 programs to be available at your choice as a user of DashDirect. Use one, two, all three, or none of the programs as you see fit. Program overview: https://ionia.docsend.com/view/kvuftnzfatn8jtdb

Here are some important details to note:

- Rewards Local is available with no-KYC in 30+ countries and gives 2% discount on the face value at the time of purchase; non-reloadable; funds expire in 4 months
- Rewards Plus is available with no-KYC in the US and has up to 5% Dash back on purchases at over 50,000 merchants; non-reloadable
- Rewards Premium requires KYC and has up to 5% Dash back on purchases at over 50,000 merchants; enables international purchases, ATM withdrawals, P2P transactions, and more; reloadable with no limits

Notably, we are now partnered with issuing banks and we have a relationship directly with Visa as well (more details to follow upon finalizing one more agreement). These relationships promise to help shore up our resilience against potential attack from other parties. We have a full review from outside counsel at a top global fintech law firm, which provides us guidance, assurance, and back-up in the case of inquiry or adverse action.

We appreciate the Dash community; your strong, free spirit and desire to promote the human rights of privacy and freedom. We appreciate your patience and understanding as we paused our program to re-evaluate and rebuild a better, more resistant, more rewarding program. We look forward to launching these new card programs in the coming months. We will have some special offers and incentives for the Dash community specifically and I am excited to be able to bring you an increased level of financial access, freedom, and rewards.

If you have any questions about the new card programs, please direct them here publicly, so everyone can benefit from the questions and answers. Thank you.

On a side note, I've been particularly inspired of late. Here are a few pictures from my trip to NYC last week. May we all continue to fight for human rights and freedoms in the "continuing and expanding conversation in the ever-unfinished story of liberty."
 


GrandMasterDash

Grizzled Member
Masternode Owner/Operator
Jul 12, 2015
3,320
1,400
1,183
I'm not sure about this.

  • The "local" version is actually international and the "plus" is US only.
  • No KYC for the US Plus but mobile / email required for everyone else. Isn't email / phone a form of soft KYC?
  • No ATM at all unless you KYC.
  • Non-US will lose all unspent funds after just 4 months.
  • Not clear, needs example, $1K max per card, yet $10K max per day. This is to say $1K per day from pre-loaded and $10K per day if you spend directly from crypto? Just want some clarification.
  • What are the 30+ countries?
 

craymarshallg

  • Local was intended to convey that it can be used in your local area, but we debated the name and I'm still debating whether it should be called something else to avoid confusion.
  • The Rewards Local program does not perform any KYC. The bank sends an SMS or Text to allow access to their website. No, asking for information is not KYC. Not in any way shape or form. This is one of the biggest challenges to explain to people. If I tell you my email is [email protected], there is no way in the world you can identify me using that, but more importantly, we are not even attempting to identify the user based on an email or phone number. The Rewards Plus does not perform KYC and does not ask for any information to create a card or use it.
  • The ATM and other restrictions are per the legal requirements.
  • Only the first program has an expiration on the value. This is not something we want, but we cannot get the bank to change their program. We will continue adding programs and features to support non-US persons and merchants without the expiration of funds.
  • If you buy 10 cards for $1,000 each, that's $10,000. You can do that per day.
  • There are more than 30 countries where we have access to the Rewards Local program, but we have to confirm which ones will be feasible to launch. There are about 130+ countries where the program is supported.
 

GrandMasterDash

Thank you for making this clearer.

I understand only email / telephone number are collected and it is a requirement imposed on you by others. It is, in fact, somewhat traceable using warrants. It is also the very same reason why I can't convince financial institutions to switch from SMS 2FA for a more secure TOTP or U2F. Frankly, I find SMS 2FA a PITA for losing / switching SIMs, or expired SIMs. They all know how vulnerable SMS is to SIM swap attacks.

I understand you're attempting to integrate with this crazy antiquated system that is holding us back. But as I previously said, hats off to you for your perseverance, I know I couldn't do it.
 

craymarshallg

Actually, for the Rewards Local program, either email or phone can be used. While law enforcement could obtain the information (email or phone), the email and phone have not been kyc'd, which means you can use whatever. Just set up a private email for transactions and use that. Since no other information is being captured, you're golden. The email address is not tied to your identity. I made test transactions using this program this week. It works perfectly with an email address. You have 10 minutes to confirm an OTP sent to the email address in order to log in to the bank's portal. That's what it is used for. The process for activating the card isn't great and we are working to see if we can automate it to make it a cleaner UX.
 

GrandMasterDash

Two months since the last update, anything new?

Btw, can't install DashDirect from the Philippines, Play store says "country not supported", even though companies like Amazon are doing free delivery here. I'm an apk person but just nudging you about this.

Btw btw, I get similar problems when using the bitrefill website. Even if I set my country as "United States" they deny purchases, so I always have to switch the VPN to the US.
 

craymarshallg

Thanks for the nudge. We have been building the products and have made a ton of progress. Here are a few relevant updates for the community:

  • We signed an agreement with Visa, to officially become a Visa Fintech partner! We are getting their approval on the press release. This was one of the most important accomplishments to finalize for the long-term viability of the program. We will post the press release once it is approved.
  • Outside counsel has given us a memorandum, which gives us confirmation that the program design is compliant with FinCEN rules and guidance. Two of the programs will have no Customer Information Program, meaning no KYC will be performed for the Visa Rewards Local (soon to be renamed) and Visa Rewards Plus programs. Having outside counsel provide this memorandum is a major milestone and helps bolster the banks' understanding and give us a measure of protection, should it be needed. The memorandum is internal and no other party may rely upon it, but it gives us confidence in the direction and design of the programs.
  • We have decided to ask the community for feedback/voting on the card designs for this program. We have several ready to submit to the community, but we want to include one more. Once these are done, we will post an informal poll for community voting.
  • We have approval from the first issuing bank as to the program design and requirements and have begun integration to their platform.
  • We have signed approximately 50k locations from 7,000 merchant brands to join our card-linked rewards program. This means you can use your Visa at their locations or on their websites and earn Dash as a reward for your purchase!
  • We built, tested, and launched our Dash Rewards platform, which will send Dash to users as a reward for activities like referring another user, making a purchase at a participating merchant, etc.
  • Our UX/UI is almost complete, and we believe it represents a simple, intuitive interface and experience for users, whether they are new to Dash or seasoned veterans of our community.
  • We have also made huge improvements to the Visa Rewards Local (soon to be renamed) program, making the user experience much better.
There is still work to be done, but we have our team focused on the Visa program launch and we look forward to sharing more details.

With regard to international support, we are working to add many, many merchants outside the US (about 30 other countries) and we will allow the app to be downloaded from non-US app stores in conjunction with the international launch. We do have to add support for each local currency and language, which will be the heaviest lift for this effort.

If you have any questions or feedback, please feel free to share with me here or directly through PM. Thank you for the ongoing support!
 

rion

Member
Aug 26, 2016
87
121
73
I'm not familiar enough with what you're calling the "Visa Rewards Local" program (and others) to know what exactly this all means. I like the Dash Back (not the real name) feature, and that much is new to me, but could you please give us the "diff" (to use a coding term) between what is planned to land and the old Dash Direct MasterCard feature?

Will I be able to buy things at (all?, most?) Visa-accepting merchants using Dash and without giving up any personal data?
 

craymarshallg

The details of each of our 3 programs are posted here:

We will only be launching Visa Rewards Local and Visa Rewards Plus within DashDirect. There is no KYC in these programs and the cards will work at any Visa merchant in the US (Plus) or globally (Local; exceptions for sanctioned regions).
 

craymarshallg

That sounds like what's now called "Local" is the *global* version. Not confusing at all :) - glad they will be renaming that.
The name was originally due to supporting local currency. It was not global, as it worked in the region where you live. The new program is easier and has a better UX, but is only in USD. It can be used globally, so we will rename it Visa Rewards Global.
 

GrandMasterDash

Can't say any of them inspire me, sorry. Any other designs that didn't make it to this shortlist?

At this point, I would prefer a simple plain card with no pattern. I understand you are following brand style guidelines for the words "DashDirect", but maybe you could experiment with a plain black card with "DashDirect" in a bright green, a kind of reverse of the Wise card. Am just saying, you don't have to strictly follow brand style guidelines, there's plenty of room for artistic discretion.

Is there a special edition for those proving they are an MNO? I don't care for exotic materials such as metal, just a distinguishing design.
 

craymarshallg

It's my pleasure to share a prototype for the new DashDirect, with the Visa Rewards Plus program integrated. A few very important notes about prototypes and how to use them and a few notes on this specific prototype:

1. A prototype is not a working application; it is a mock-up to show the user experience at a high level
2. A prototype does not include all features of the application, just specific features you desire to showcase
3. You can see which features/areas are clickable in the prototype, by clicking outside of the prototype (desktop viewing) or clicking in a non-interactive area of the prototype (for mobile viewing).

This prototype has the following features available to showcase at a high level:
1. Instant Creation of a Visa with no KYC with less than $1,000
2. Viewing the card
3. Adding the card to your Apple Pay wallet
4. Locking and unlocking the card
5. Instant Creation of multiple Visa cards with no KYC with an aggregate amount over $1,000
6. Scrolling through and viewing each card
7. Locking and Unlocking the cards

You can start your prototype journey here:

https://www.figma.com/proto/m5QfFRf...ng-point-node-id=50:7448&show-proto-sidebar=1
 

vazaki3

Active Member
Jul 1, 2019
628
299
133
34
apogee.dynu.net
Dash Address
XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX
Do you mean for the DashDirect app, or for the prototype? The prototype works on desktop. DashDirect uses the Dash Core mobile wallet, and is only for mobile devices.
This is a deficiency, because in many parts of the world, revealing your phone number equals KYC.
At least, we can use a wifi tablet, can't we?
 

craymarshallg

I believe you are conflating mobile app, phone number collection for 2FA, and KYC. We do support WIFI only devices. We just don't yet have a version for desktop use. For now, we do ask for a phone number to secure your account with 2FA, but we may be able to change that in the future. That is unrelated to the above and also unrelated to KYC. It doesn't matter where you are in the world, sending an OTP via SMS is NOT KYC. DashDirect does not perform any KYC for any users in any way.
 

GrandMasterDash

I don't want to be so picky but for someone like me - which I accept is possibly the minority - when a financial service demands SMS OTP and refuses point blank to implement TOTP or U2F as an alternative, then yes, I definitely see this as soft KYC. It is compatible with "follow the money", knowing various logs will be created, even if it's not by the financial service themselves.

A working example of how negative SMS OTP is for foreign travel. The act of logging into a bank or the processing of transactions may at some point trigger an SMS OTP verification. For the customer this means:
  1. Use your home country SIM, which probably works but...
    1. it reveals and links who and where you are to the telcos and to all the people they share your data with.

    2. your home country SIM will expire if your stay is extended (definitely someone like me).

    3. you only have one SIM slot / phone and it's a PITA to switch SIM / drop the SIM / misplace it.

    4. Roaming may still be active even though you have disabled it in settings! This is 100% true, and the only way to be sure is to physically remove the SIM.
  2. I travel abroad and I don't know what my foreign phone number will be ahead of time, which is probably everyone.
    1. place a long distance call and sit in a queue for an hour before you can inform them of your new number and thereby reveal your current location, which should be none of their business. Assuming access to banking services but no foreign ATM / in-store payments (which is also me).

    2. go online and upload new photos holding ID and so on. Not to mention the PITA it is to deal with time zones and weekends.
I realize I am the edge case here and many people are just super compliant, and the banks take advantage of this. And I'm definitely not saying Dash Direct is in the same league as these banks! But I think if you have a technically savvy customer that is familiar with TOTP / U2F, then I think, why not offer it as an option? It doesn't strike me as particularly high maintenance code.

Regarding app usage vs the web. A lot of services have a nasty habit of building a captive audience and then adding all sorts of required permissions later. Again, I am not saying this is Dash Direct!!! But this behavior grows general caution and distrust among certain users.
 

vazaki3


And something similar applies to Crowdnode and @ndrezza . For some strange reason, all these services rely on OTP (or even on TOTP) which could be considered as a soft KYC.

And for another strange reason, I cannot find an opensource command line interface (CLI) software for OTP or TOTP. Me and @xkcd were trying hard to compile an (T)OTP cli software, but it requires a lot of irrelevant (and suspicious?) libraries that I wonder whether they reveal information about the hardware used to perform the (T)OTP procedure.

If someone knows an opensource cli (T)OTP software that does not reveal hardware information, let me know. I want to use it to subscribe both in Crowdnode and in DashDirect, while ensuring that my anonymity is safely preserved.


TOTP
TOTP credentials are also based on a shared secret known to both the client and the server, creating multiple locations from which a secret can be stolen.[4] An attacker with access to this shared secret could generate new, valid TOTP codes at will. This can be a particular problem if the attacker breaches a large authentication database.[5]
For the above reason, many TOTP implementations are also tied to the hardware. And because they are tied to the hardware, they can be considered a soft KYC.
 

GrandMasterDash

I'm pretty sure I've seen TOTP as a script before, possibly php. IIRC the algo is quite straight forward. I'll take a look sometime.

I'm not sure I would describe TOTP as soft KYC, though it depends on how it's offered. For example, some services, such as tax services, will direct people to their own app for the OTP when in fact you can switch it out for an open source alternative. Of course, your average person would blindly install the app which might be sending home all sorts of sensitive data.
 

GrandMasterDash


and


and


and probably others.
 