The problem is that it seems like the data that leaked is also the data that would be used to do account recovery.
And what that means is that
1) If you lose access to your account (through either your own fault, or Coinbase's fault) that the process of recovering it may not be so straightforward anymore.
2) Hackers can try to “recover” accounts now using this leaked info.
This is a huge problem. What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and makes a huge barrier for the overseas thieves who are usually doing this)
The only solution here is: hardware 2 factor like yubikeys.
The Crypto industry continues their speedrun of rediscovering all of the reasons for why the global financial system exists.
What you've described is the same thing that many Crypto enthusiasts call a "Bank"
Many banks don't have physical branches.
One that I'm using does, but I find it extremely annoying when they have me go to a branch to unblock my account that they locked due to a poorly calibrated risk system (that they need due to not supporting actually secure 2FA methods).
Except bank staff can easily be bribed too. There is plenty of bank fraud happening.
If my bank money gets stolen from me via fraud (unless I literally just Zelle the scammer), I get it back. That's the big difference.
I know it's the massive exception but I was reimbursed when the exchange that tried to rugpull its users felt legal pressure. Things have changed slightly over the years - don't get me wrong, scams are still rampant.
It's been ages since I was in college and had an overdraft or some other bs bank related fee, but the bank manages to 'scam' you legally too. I'm just playing devil's advocate and sharing an anecdote, I'm minimally involved in crypto anymore.
Zelle is ultimately a bank transfer. Yes they say to consider them like sending cash, but a bank transaction is at least traceable to a real account owner, who could then be pursued in the case of fraud, and it well might be reversible if push came to shove or if there is documented fraud.
I can walk into a bank branch and show documents.
I guess I can walk downtown to CB HQ, but something tells me I won't get past the front desk.
Can you show us that? Where the consumer is left with no money at all and bank does not take the loss.
Go Zelle someone and try to get the money back.
When I was "hacked" two years ago, their final hurrah before I finally got everything offline for a time, they sent zelles as much as they could and was able to recover it without any loss on my end.
I guess things have changed since it has not always been the case that the bank would reimburse you.
https://www.nytimes.com/2022/03/06/business/payments-fraud-z...
Yeah, I think it truly depends on whether you hit the send button or not. Since I was hacked, it wasn't me hitting the send button.
Coinbase is identical to a bank because it holds customer funds. Your comment isn't quite the dunk you think it is. Blockchains allow money to be held anonymously without any banks involved. Centralized exchanges are just profiting on speculation and probably should be banned.
My money in the bank in case of fraud is protected unless I voluntarily gave the fraudster my money. If a bank goes bankrupt, my money is protected by the government
First one might be kind of true in the US. Second one is only true up to $250k and how much Yellen likes you. But they are not true around the world and probably for most of it.
By law yes it’s only $250K. But when the banks collapsed last year, the government made sure that no one lost money. In fact, no one has ever lost money because of an FDIC insured bank failure.
No they don’t. “Cryptocurrency” isn’t money at all. Just because you can trade it in for money, doesn’t make it so. I can also trade in my hat to the Buffalo Exchange for money. But my hat is not money.
There is no bright line separating "money" from any other type of fungible asset
Except for, you know, being able to spend it where you buy things? And deposit it into an actual bank? Those seem sort of intrinsic to how we use money today.
> > There is no bright line [...]
> Except for, you know, being able to spend it where you buy things? [...]
The extent to which you can use it to buy things is a good metric, but I think that comes in varying degrees rather than being a sharp line or binary true/false. There are at least some things you can buy with cryptocurrency, and arguably there are some forms of "regular" (fiat, national, government-issued) money that aren't very widely accepted.
I am paid my salary in crypto. I pay my rent in crypto. I pay for flights and car rentals in crypto. That's surely enough to be considered money.
Yeah, it would be more accurate to say that Coinbase is de facto a brokerage but does not have the same level of regulation as traditional brokerages. The result is the same though.
what's more important to me is how quickly can you trade your hat, how quickly can you determine the marketable value of your hat for selling, how close in value can you buy that hat for the same price you sold it, how many hats can you buy or sell at that price?
and that's where hats fail in all metrics to cryptocurrency and how cryptocurrency satisfies my criteria for money
If you ever sent money to or from a wallet you control, I'd think a reliable recovery factor would be to use that key to sign a message that Coinbase can verify with the address in their records. Cryptocurrency after all is just another PKI.
And dumb-dumb me just realized how trivial that would be to break. Social engineer someone into sending/receiving money to/from your wallet then pretend to be them requesting an account recovery.
Coinbase would have to make you sign a challenge ahead of time that would mark the wallet as the authorized public key for your account.
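The enroll-ahead-of-time recovery flow discussed in the three comments above, as an added example that is not part of the thread and not Coinbase's actual process. The `Account` type, its methods and the challenge format are hypothetical, and Ed25519 from the Go standard library stands in for whatever signature scheme the wallet's chain uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Account is a constructed exchange-side record; every name here is hypothetical.
type Account struct {
	RecoveryKey ed25519.PublicKey // bound ahead of time, while the user is logged in
	pending     []byte            // the one outstanding challenge
}

// NewChallenge issues "purpose|" followed by a fresh 32-byte nonce.
func (a *Account) NewChallenge(purpose string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	a.pending = append([]byte(purpose+"|"), nonce...)
	return a.pending
}

// check verifies sig over the outstanding challenge, which is burned either way.
func (a *Account) check(purpose string, pub ed25519.PublicKey, c, sig []byte) bool {
	defer func() { a.pending = nil }()
	return bytes.Equal(c, a.pending) && bytes.HasPrefix(c, []byte(purpose+"|")) &&
		len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, c, sig)
}

// Enroll binds pub as the recovery key; the caller must already be authenticated.
func (a *Account) Enroll(pub ed25519.PublicKey, c, sig []byte) (ok bool) {
	if ok = a.check("enroll", pub, c, sig); ok {
		a.RecoveryKey = pub
	}
	return
}

// Recover accepts only the enrolled key, never a key seen in transaction history.
func (a *Account) Recover(c, sig []byte) bool {
	return a.check("recover", a.RecoveryKey, c, sig)
}

func main() {
	pub, owner, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	_, other, _ := ed25519.GenerateKey(nil)   // a wallet that only traded with the account
	a := &Account{}
	c := a.NewChallenge("enroll")
	fmt.Println("enroll:", a.Enroll(pub, c, ed25519.Sign(owner, c)))
	c = a.NewChallenge("recover")
	fmt.Println("other wallet:", a.Recover(c, ed25519.Sign(other, c)))
	c = a.NewChallenge("recover")
	fmt.Println("enrolled key:", a.Recover(c, ed25519.Sign(owner, c)))
}
```

A valid signature from a wallet that merely appears in the account's transaction history is rejected because `Recover` never consults that history, and a captured signature cannot be replayed because each challenge is single use.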
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted
People getting locked out of their account (which can happen due to no fault of the user, e.g. by an overly nervous risk system) will be really happy to have to potentially travel to a different city to regain account access...
I would be very happy to do this.
Fine, make it optional. I actually would love a version of cold storage that is: never release this money unless I personally travel to an office in NYC and authorize it.
Just buy some gold bars, and bury them in your yard.
The data that would be used to do account recovery is 99% either public record or already part of dozens of prior major data breaches.
I'd imagine that anyone who's sophisticated enough to use a yubikey would just buy a hardware wallet and self custody.
> The only solution here is: hardware 2 factor like yubikeys.
And when that’s lost, what do you do? Aren’t you back to account recovery step?
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and makes a huge barrier for the overseas thieves who are usually doing this)
That's just a bank.
Beyond the regulatory-dodge and crypto marketing explain to me how Coinbase is NOT a bank
Well, right now they’re applying for a charter which suggests they don’t think they’re a bank, but I can think of some other reasons, too.
I mean this isn't the criteria you're looking for but I can trade assets within coinbase's website. It looks like a stock trading platform. I don't for the record.
I don't think commodity, forex or stock trading is built into any bank interface but I don't have enough money to know for sure.
So it's different in that way I guess.
lol they even do fractional reserve things like banks, except they're more shady and don't acknowledge it, now I'm either connecting dots that shouldn't be connected or some withdrawal locks that happened through some big arbitrage opportunities were very suspicious.
Correct. Coinbase is a bank that holds cryptocurrency.
Watching crypto enthusiasts run into every problem that society already tackled with in the past when developing currency and its controls, and then coming up with solutions that look exactly the same as what dirty fiat currency uses, has been a source of much entertainment the past few years
> every problem that society already tackled with in the past
More KYC creates more problems while solving some others. Why didn't the same society despite KYC/AML tackle the problem pointed at in a previous comment? "Florida teens kidnap Las Vegas man, drive him to Arizona desert, steal $4M in cryptocurrency"[1] Why is there this crime?
Without mandatory KYC laws, this particular attack would be near pointless. No name tied to account, bookkeeping doesn't archive wire transaction details for the past 10 years.
Let businesses easily accept cryptocurrency (like... regular cash?), without a blade to their throat held by the government, and the need for such centralization points will greatly diminish. People get in trouble by p2p-exchanging money with unknown peers; in some instances this "trouble" has the unit of "years".
It's in nobody's interest to protect cryptocurrency payments as the alternative, other than the activists, and the big groups jumping in on it for the speculation purposes - something they had refined decades ago. There's CBDC on the horizon.
> Without mandatory KYC laws, this particular attack would be near pointless. No name tied to account, bookkeeping doesn't archive wire transaction details for the past 10 years.
But this attack is already fully pointless with traditional finance. You can't steal someone's bank account at gun point.
Conversely, even without KYC, blockchain based currencies paint a huge target on anyone who uses a small number of wallets to store a large amount of money. Dedicated criminals and even state actors can figure out who owns the wallets by tracking transaction patterns, getting information from vendors, etc. As long as you're actually using your crypto wallets (unlike, say, Satoshi), you can quite easily be tracked. Anyone who you order a pizza from in BTC knows the address of whoever has that wallet. Sure, you can take a lot of steps to protect yourself from it, but it's hard, and one slip-up is all it takes. Opsec is not for the careless.
Also, crypto's reliance on secrets instead of legal personhood to ascertain ownership fundamentally makes it prone to stealing money in this way. Since the money doesn't belong to a legal person, but to whoever knows some secret key, that key can be stolen from whoever has it through simple violence. Even if you're extremely careful not to leak details of your accounts, use XMR for untraceable payments, etc - someone who is physically close to you could see that you're rich and decide to attack just on the chance that you may have crypto, without knowing anything specific.
Yea see the problem is that you are arguing under some implicit idea that you’ll just accept the results of the system.
Every single crypto property I’ve talked to has ended up at a point where they believe that someone cheated them outside the bounds of the system and then look to authority figures to rectify the situation, like the government.
If you are someone who actually believes that crypto transactions should be unmodifiable by any third party then what you said makes sense. I just don’t think that anyone telling me they believe that isn’t lying to themselves at best, and lying to everyone else at worst
As others have said, it has nothing to do with crypto, it is an exchange problem, and a government intervention problem.
As I understand, the root of the problem is that Coinbase kept a lot of sensitive information, including photos of IDs. If Coinbase was fully anonymous, and didn't require any KYC, the impact of the leak would be insignificant because it would be difficult to link user number 12345 with some real-world person.
So if we want to constrain impact of such attacks, we must make companies keep less data and delete them faster. For example, instead of storing a photo of ID, store just a checkbox that the person showed their ID and it was valid.
This applies not only to cryptocurrency, but to any company like Google, Uber, Amazon etc - if they didn't keep extra data, there would be little value in the leaks.
So the blame is not at cryptocurrency, but on companies not wishing to delete the data and governments demanding them to collect the data not necessary for operation. It's the government and capitalists who create problems out of nowhere.
> store just a checkbox that the person showed their ID and it was valid.
Doesn't work at scale. You get bribes, rogue employees, socially engineered employees. In the US, look up the articles about phone/SIM unlocks and SIM card copies. Russia has a problem with e-signatures, that most people have no idea about. It's possible to sell somebody's real estate with one of these. Loans granted just based on passport data. Neither politics nor media highlight these issues. Overall in this case your suggestion tries to handle the symptoms of the KYC requirement.
Here's a more extreme treatment: let people change their full legal name at will. Gender's already kinda possible.
In Russia one can change their name, although it is a lot of pain as you need to change it in all agreements (like bank agreement) and documents. So a better idea is simply not store customer names.
This is an exchange problem, not a crypto problem. You don’t need an exchange to hold crypto.
But they need exchanges to get real money to flow in and out of cryptocurrency easily. Without it, cryptocurrency by itself would likely be worth far less than it is today.
Yes that's true, but no need to hold your crypto there as a permanent storage. Once your fiat is exchanged to crypto, immediately transfer the crypto to your private wallet.
This just trades the unsolved exchange hacking problem for the unsolved lost/stolen keys problem.
That problem is trivially solved by backups.
Backups don't solve seed phrase phishing for example.
As opposed to the bank's ...? Or your other account's ..., what exactly, passwords? Phishing is everywhere. How many times have you heard the elderly have their money stolen, both online and in real life? It happened to my grandma. The mailman is bringing her own pension as cash, and guess what, he has scammed my grandma for years! The food delivery guy who has been delivering lunch for my grandma, guess what he did? He scammed my grandma out of her money! We are talking about cash, right now, and no phishing involved, just good old "lying".
Hence why cryptocurrency would never replace regular banks for regular people. The situation with scams and thefts has only gotten worse. Not your keys, not your coin.
I definitely cannot imagine my grandma making use of crypto, or PayPal, or her bank's online site. :)
Theft or loss has always been a problem since life evolved on Earth.
I don't think anyone claimed that crypto was un-losable or un-stealable. It's not magic.
You need an exchange to do some core things that people want to use cryptocurrencies for.
It may not be a crypto-as-a-theoretically/ideologically-pure-construct problem, but it absolutely is a crypto-as-a-real-world-asset problem.
Yes, I think I’m familiar with the crypto enthusiasts defenses that all boil down to looking at a single aspect of their system in a vacuum and not realizing that if anyone wants to functionally use crypto as a currency and not as a speculative asset or tool in crime, then all these aspects actually have to work and work together
I don't really care about crypto personally (volatile shitcoins) but I think that's a straw man argument. They all know it gets troublesome when it comes to dealing with fiat transactions. The hardcore crypto enthusiasts want to avoid fiat entirely.
If only hardcore crypto enthusiasts who didn't want any fiat had cryptocurrency bitcoin would be worth a couple dollars a piece and 99% of other cryptocurrencies wouldn't exist. The vast vast majority of people who have crypto are doing it because they think they can get rich from it and that's why anytime it's talked about it's talked about in terms of fiat values
Is there anything crypto does that paper currency doesn’t?
Paper currency can be devalued by the government by printing a lot of paper (this has happened many times in our history). Cryptocurrency cannot.
Is there anything crypto does that paper currency doesn’t?
Gets you the equivalent of mugged by people on the other side of the planet?
At least with cash, it's a one-on-one involuntary transaction.
Yes, electronic transfer.
Come on, if you’re going to copy someone else’s snark, pick a good one.
"Cryptocurrency" is a misnomer, because none of them are actual currencies.
Cryptocurrencies are classified, for now, as securities.
Currency is currency and cryptocurrency is not. So please do not attempt to compare apples to oranges here.
https://en.wikipedia.org/wiki/Security_(finance)
If you wish to compare cryptosecurities to other securities, then do that, but don't try to act like it is some sort of future utopian currency.
Cryptocurrencies are not classified as securities. Bitcoin and Ethereum, the largest cryptocurrencies, were both declared as non securities by the SEC.
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted
Is this satire?