
Buy Or Sell Bitcoin By Connecting Any U.S. Bank Account - barmstrong
http://blog.coinbase.com/post/34357253898/you-can-now-buy-and-sell-bitcoin-by-connecting-any-u-s
======
tptacek
Be very, very, very careful about giving any service, _ever_, information
about your actual bank account. This is a much bigger deal than giving a
service your credit card information.

(Individual ACH charges may, with some effort, be reversible like a credit
card charge, but invalid reversible credit card charges are pretty much all
you have to worry about with a stolen credit card, and _not_ all you have to
worry about with a stolen bank account).

~~~
nym
I trust Brian Armstrong / Coinbase more than Paypal, and Paypal also requires
your routing / account number.

Full disclosure: I run <http://howdoyoubuybitcoins.com/> and my wife's cupcake
bakery, cupsandcakesbakery.com sells cupcakes for bitcoins in San Francisco
(9th/harrison)

~~~
shrughes
Why do you think Coinbase is less likely than Paypal to lose your routing /
account number?

~~~
anu_gupta
There's a _huge_ difference between supplying an account number and giving a
service the login credentials for your bank account.

As far as I can remember, PayPal has never asked me for my bank account login
details.

~~~
Retric
Looks like Paypal will also ask for your bank username and password for
instant verification and has the same fallback option of 2 Random deposits.

[http://www.ecommercebytes.com/C/abblog/blog.pl?/pl/2009/2/12...](http://www.ecommercebytes.com/C/abblog/blog.pl?/pl/2009/2/1235839118.html)

PS: That or that blog's part of a great phishing scam.

~~~
drivebyacct2
What the hell? Seriously, what. Why? Why not use a token? Oh if only there
were already protocols written to handle identity and access auth.

~~~
seandougall
On the financial system's technological timeline, those protocols won't happen
for another 20-30 years yet.

------
anu_gupta
I don't mean to be harsh, but the fact that you're even asking for banking
credentials means I want nothing to do with your service, and I feel like
actually shouting loudly to everyone I know not to use it either.

There have been far too many shady Bitcoin related hacks/frauds/incidents for
this to be something that you should even be encouraging. What protection do
your customers have if you do get hacked?

~~~
barmstrong
It's a fair point, and I think you're right to be wary of new services.

We debated offering instant account verification for the reasons you
mentioned, but we ultimately went with it for the following reasons:

- we don't store any bank credentials on our servers after the verification
completes (or fails), and take care to filter it out of any logs etc

- it allows someone to verify an account and start buying bitcoin in just a
few minutes instead of 2-3 days (lowers the hurdle to getting started)

- it's the default in the U.S. for services like Paypal so people are
somewhat familiar with it

- for anyone who is uncomfortable with it, the challenge deposit verification
is available to them (we make two small deposits to your account and ask you
to verify the amounts, which take 2-3 days to arrive)

I think you're right that users should be wary of any site asking for such
information, so it's up to each user to make their own decision. We at least
wanted to provide it as an option given the above precautions. Anyway, even if
you don't agree hopefully this better explains our thought process behind it.
We'll continue to evaluate whether to keep it along with help from our
lawyers, and I appreciate the feedback - really.

~~~
tptacek
I think it's clear why it's convenient to be able to instantly verify a bank
account, and that instant verification is the reason you want account
information. What's not clear is why that makes giving bank account
information to a startup a reasonable risk.

~~~
blake8086
What does "reasonable" mean?

~~~
tptacek
* Effectively mitigated by countermeasures

* Access scoped narrowly to a simple use case

* Backed by the assets of a very significant stakeholder

* Risk outweighed by benefit

I'm not saying Coinbase is unreasonable. I have no idea how they work under
the hood at all. I'm just saying, it is not suddenly O.K. to give bank account
information to startups simply because there's a way to use Paypal that also
takes that information. Paypal also doesn't have my account information.

------
fruchtose
Given the horrible security record of Bitcoin trading platforms, there is no
way in hell I will give my bank account details to one. There are so many
amateurs in the field that I cannot take any of them seriously.

~~~
jerguismi
Well, don't use bitcoin then? The reason why there are so many services is
because there is demand. Certain people will continue using bitcoin, no matter
what (unless a better alternative comes along). In the long run the more stable
and secure services will survive.

And there have been some bitcoin services which have been pretty stable and
solid all the time. They just don't get into the news...

~~~
fruchtose
"Well, don't use bitcoin then?"

I don't use it in the first place.

"And there have been some bitcoin services which have been pretty stable and
solid all the time. They just don't get into the news..."

As far as I am concerned, it's just a matter of time before the trading
platforms get hacked. Tens of thousands of dollars, if not hundreds of
thousands, have been stolen in Bitcoin hacks. Online banking is not easy for
large banks to defend; I have little confidence that an indie team can perform
as well as a major bank.

~~~
jerguismi
Btw, mtgox for example employs something like 15 people nowadays, and they
mostly focus on the security I guess. (At least they are not focusing on new
features, since the service has been the same for the last year or so...)

Edit: And you are sure that they will all get hacked? You sure have faith in
the big organisations...

~~~
fruchtose
Banks have money. Money goes a long way in hiring engineers and experts with
experience who are able to develop secure portals.

------
wmf
Give us the password to your bank account? Really?

~~~
barmstrong
A valid concern - we have a fallback option of verifying two small credit
amounts to your account if you are uncomfortable with the first option. It
just takes a bit longer (2-3 business days) so we wanted to provide both
options. Hope it helps.

~~~
e1ven
Your company seems really interesting, and I'm considering setting up a
merchant-account, but I'd STRONGLY advise you to drop the bank login feature.

I know it took a lot of code to write. And I know you convinced yourself it's
an advantage. But it's not.

It's making people run from your site.

Look at the comments here, and these are from FRIENDLY people. Many many many
others will see that in your blog article, and decide not to sign up for an
account, and you'll never even know.

They won't write an article, they won't email you, they'll just decide you're
skeevy, and abort.

You're already working with one tech that people think is a bit "iffy". That
means you need to do EVERYTHING POSSIBLE to make EVERY other bit of your
service seem 10,000% above board.

Asking for bank login credentials, _EVEN AS AN OPTION_, torpedoes that.

You're probably thinking to yourselves - "Maybe we should make the Credit Card
primary, and make this secondary?" Just don't.

I know you spent a long time writing this, and I really wish it were a good
idea, but I'd really suggest you just comment out the feature.

You can always put it back in a year or three if you really really want, once
your service has inertia, and is already more trusted. But even if Square or
Stripe asked for that, it'd scare people away, and lose customers. It's just a
bad idea right now.

I want you guys to do well. Please kill that feature.

~~~
drumdance
It's not like he's blazing new ground here. People have already done this with
Mint. When it launched TechCrunch was full of comments exactly like yours.

------
xntrk
What could possibly go wrong. It's not like bitcoin exchanges get hacked every
6 months.

~~~
wmf
No, _this_ is the one that's not going to get hacked. Because YC. Or
something.

~~~
duiker101
Yeah....no. Because they are in YC doesn't mean nothing. Really it could be
the NASA or the FBI or whatever. If there is money in it (especially
untraceable money like bitcoin) someone will hack it.

~~~
srdev
I'm not sure I like this handwavey security argument. There are lots of
services handling money that don't get hacked, at least not in ways that cause
a loss of said money. Treating being hacked as a foregone conclusion is rather
bad practice.

It's a poor argument to try to excuse the Bitcoin community's abhorrent record
with security (sans the actual Bitcoin protocol, which is quite secure).

------
hnwh
So if your site gets hacked, the hackers can order a bunch of untraceable
bitcoins with my banking funds right?

Thanks, but no thanks..

------
steve8918
I find it absolutely incredible that they are asking for online banking
username, password and PIN number to "instantly verify" an account.

I'm not saying this company is a scam, but if I wanted to create an elaborate
phishing scam, this is __exactly__ the type of setup I would create.

Hopefully no one is stupid enough to give this key online banking information
to this company or anyone else that asks for it.

~~~
nym
Mint asked for bank passwords, and had 5m registered users as of 2011. They
sold for $170 million. I believe Coinbase is copying common UX patterns which
have been proven to be palatable with users.

~~~
steve8918
Coinbase is neither Mint nor Paypal. We have no idea if they will survive 6
months, and we can't trust they don't store credentials on their servers, even
though they say they do. Have they been security audited? Or do we just take a
one-line comment on Hacker News as the truth?

If they reach a level of legitimacy, then maybe it might fly with some users.
But I personally think it's way too premature to ask for usernames and
passwords for banks, especially given how much fraud, hacking, security
problems, and monetary loss is associated with Bitcoin companies.

------
salsakran
Maybe I'm just being harsh but I'm not quite ready to give my banking
credentials to a barely styled bootstrap site.

------
miles
Anyone working with bitcoin would do well to read this advice from jellicle
and forensic daily:

<http://news.ycombinator.com/item?id=2973803>

------
pelle
While CoinBase needs to do this to make it easy for mainstream US customers,
it is a dangerous move for them.

They are at a huge risk of the ACH equivalent of chargebacks first and
foremost.

Their banking connection will undoubtedly cut the cord as well. I'm surprised
they even were able to launch this.

Their 1% transaction fee is way too low to deal with the risk.

See this article on why:

[http://stakeventures.com/articles/2012/03/07/the-may-scale-o...](http://stakeventures.com/articles/2012/03/07/the-may-scale-of-money-hardness-and-bitcoin)

~~~
wiredfool
Right. They're running WEBs.

On one hand, they're getting pretty good authorization with the credit
matching part, not sure of the legal details of the un/pw bit. That's also
going to help a bit with the miskeyed account number problem.

On the other hand, return rates on WEBs are bad, and the number of people who
will revoke their authorization is pretty high. (Even if they have to make a
signed statement under penalty of perjury, it happens.) And they have 60 days
to do it. It's going to be hard for them to reverse a return even if they have
all their auths in line.

On the gripping hand, there's the low daily limit. That limits their risk to
any particular account, but it's possible that someone would wind up
contesting a bunch of charges all at once, say after they got their bank
statement.

edit: I'd love to see their underwriting documentation and just how they're
explaining this to their bank. And I'd love to see their bank's comfort level
in 60 days.

------
codewright
Wasn't this the company with the extremely questionable not-on-the-advice-of-
a-security-firm security practices?

~~~
kiba
Maybe you're thinking of a different company in a bitcoin ecosystem.

~~~
codewright
Nope, this is the one with the usb key scheme that wasn't designed with the
consultation of a security firm.

------
polemic
From some of the other comments, it sounds like (asking for bank passwords) is
a semi-common practise [in the US]. Is that accurate? I'm absolutely stunned
that anyone could think that (a) it's a good idea, and that (b) anyone would
be so unbelievably stupid to actually provide them!

I can't imagine the banks are thrilled with this either - and if they're not
actively blocking this sort of activity, they probably should be. I'd be
careful that providing your password doesn't invoke various liability clauses
in your banking agreement.

The only way I would _ever_ consider doing this, is if I set up a new bank
account, preferably with a different bank from my usual transactions, where I
specifically put funds for this purpose. In which case, it's probably not
worth the hassle.

------
tokenadult
A while ago I wrote that perhaps the greatest contribution the Bitcoin
experiment will make to humankind is to teach you and me and our neighbors
more about the realities of economics. And later I added that the Bitcoin
experiment will also contribute to greater understanding of attack surfaces
and online crime. Many of the ideas about how to mine Bitcoins, store
Bitcoins, and trade with Bitcoins as a medium of exchange illustrate both the
strengths and weaknesses of any other medium of exchange in a world full of
human beings. Seeing the discussion of Bitcoins here on Hacker News reminds me
of early online discussions in the 1990s of online payment systems such as
PayPal, and the arguments beforehand that PayPal wouldn't have to invest a lot
of time and effort (as it eventually did) building defenses against theft and
fraud. If a weakness in a system is attached to a lot of money, the way to bet
is to bet that someone will go looking for that weakness, even if you haven't
thought of it.

This prompts a question for all the security-knowledgeable persons who
participate here on Hacker News, a question once asked of the inventor of
Pretty Good Privacy (PGP). How expensive do you think it would be for the
United States National Security Agency (or a comparable organization from
another national government) to crack a Bitcoin store, given that we know that
some Bitcoin caches have already been cracked? And if the organization storing
Bitcoin data held personal bank account data too, how attractive a target
might it be to thieves?

------
kevinpet
Lots of people here are right to question the security given the track record
of ... well, pretty much everyone involved in BitCoin trading, but I work at a
company that has looked into using this type of instant bank account
verification and it's not quite as ridiculous as some people are assuming.

To pull money from your account, they are using ACH (Automated Clearing House)
sometimes called e-check. The standard way to confirm an ACH relationship is
to make two small deposits known as microdeposits into the customer's account,
and then the customer needs to come back and confirm the amounts.

This requires waiting for what's usually a daily process to send the ACH micro
deposits, then waiting until they show up in the customer's account. Thus, the
customer needs to wait several days before they can add funds.

Another option is to use a service like By All Accounts which logs in on the
user's behalf to their bank account and confirms that they actually have
access to the bank account they are trying to draw from and confirms
sufficient funds.

Once either of these happens, then the company can pull from your bank
account. This is great if you're setting up something like automatic bill pay
or hooking up a scheduled deposit into an investment account.

So if you trust this BTC dealer as much as your credit card company or stock
broker, this is a reasonable method to get money to them. If you don't trust
them, then you probably don't want to give them money anyway.
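
[Added example, not part of kevinpet's comment or the original thread.] A sketch of the server side of the microdeposit check described above and in barmstrong's earlier reply, showing why the confirmation step needs an attempt limit. The three-attempt limit, the $0.01 to $0.99 range and all names are assumptions, not Coinbase's or any bank's implementation.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumed policy; the thread does not state a limit


@dataclass
class MicroDepositChallenge:
    """Server-side record for one pending bank-account verification."""
    amounts_cents: tuple          # the two deposits sent over ACH, sorted
    attempts_left: int = MAX_ATTEMPTS
    verified: bool = False


def issue_challenge(rng=secrets.SystemRandom()):
    """Pick two deposit amounts from $0.01 to $0.99 (assumed range) with a CSPRNG."""
    a, b = rng.randint(1, 99), rng.randint(1, 99)
    return MicroDepositChallenge(amounts_cents=tuple(sorted((a, b))))


def guess_space():
    """Distinct unordered pairs of amounts someone guessing would face."""
    return 99 * 100 // 2  # small enough that a lockout is mandatory


def confirm(challenge, first_cents, second_cents):
    """Check the amounts the customer reports; lock after repeated misses."""
    if challenge.verified:
        return "verified"
    if challenge.attempts_left <= 0:
        return "locked"
    challenge.attempts_left -= 1
    # Order does not matter to the customer, so compare sorted pairs.
    claimed = "%02d:%02d" % tuple(sorted((first_cents, second_cents)))
    actual = "%02d:%02d" % challenge.amounts_cents
    # Constant-time comparison so response timing does not leak a partial match.
    if hmac.compare_digest(claimed.encode(), actual.encode()):
        challenge.verified = True
        return "verified"
    return "locked" if challenge.attempts_left == 0 else "retry"
```

The check proves only that the person can read the account's transaction history; it never handles the online-banking password that the instant option requires.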

------
incision
Can you actually buy anything legitimate with BTC yet?

When I was last involved (2 years ago), the entire economy seemed to be an
amusing dance between get rich quick miners / speculators and a relative
handful of early adopters and pool operators siphoning cash off of the former.

~~~
jamoes
Check out <https://en.bitcoin.it/wiki/Trade> to see a long list of pretty much
all the services that allow you to trade in bitcoins.

My personal favorites:

<http://bitmit.net> - an auction site that allows you to buy and sell goods
with bitcoins.

<http://coindl.com> - Download digital files, and pay the content creator in
bitcoins. Many downloads have "pay as much as you want" pricing. These micro-
transactions are only really possible with bitcoin.

__Bitcoin Magazine__ - There is so much drama in the bitcoin world, and they
do a great job of summarizing it and making it fun to read about.

------
benmanns
Why is the spread so high on the buy/sell orders? Mt.Gox currently has Ask:
$9.99 Bid: $9.92 while Coinbase has Ask: $11.27 Bid: $10.05. This is an
effective 12% fee on purchases in addition to the 1% fee you already charge.

------
joejohnson
Why is this whole thread about the instant-verification feature? If it looks
scary, use the 2-3 day method!

Anyway, this service looks very cool and I will try it out for future bitcoin
purchases.

------
ojiikun
Interestingly, the exchange rate is slumping the last two days:

[http://bitcoincharts.com/charts/mtgoxUSD#rg60zczsg2012-09-01...](http://bitcoincharts.com/charts/mtgoxUSD#rg60zczsg2012-09-01zeg2012-10-27ztgSzm1g10zm2g25)

I wonder if an easier disposal method for US customers is letting miners
unload en masse?

~~~
hnwh
liquidity is a factor in pricing

------
pixelcort
Glad to see USD/BTC exchange getting easier again. With mining GPU
requirements continuing to rise, it is becoming less feasible for most people
to mine for bitcoins, and purchasing them will be the only feasible way of
acquiring them, especially if difficulty levels continue to rise.

------
sbochins
I just went to the comments section to see how many people would be warning
about giving away your banking credentials to another shady bitcoin site. Glad
to see I wasn't disappointed.

------
zoom
Still, you have to wait 1-2 business days for the bitcoin. That's too long
with 1/hr bitinstant around.

------
srehnborg
Seems legit. /sarcasm

