
Coinbase Vault - superchink
http://blog.coinbase.com/post/92842072992/sleep-well-knowing-your-bitcoin-is-safe
======
patio11
Interestingly, unless you're large enough that your particular account moves
the needle, the only thing this changes for you is introducing a delay to cash
out (which is in general a plus security-wise). If you have some nominal
number of Bitcoins, say 100, then vaulting them still gives you an unsecured
receivable against Coinbase and a row in their database. That that row is
tagged "vault" vs. "demand deposit" doesn't particularly obligate them to
segregate 100 BTC and cold store them. You still get aggregated with 10k other
accounts and have your withdraws covered by a hot wallet.

Also, in case a particular bankruptcy proceeding taking place in Tokyo hasn't
demonstrated it enough, "cold storage" is attributed with vastly more security
by Bitcoiners than is warranted. If implemented correctly it minimizes
Bitcoins lost by one genre of attack, but have no doubt, there are many, many
more ways to lose your Bitcoins.

My guess is this is primarily marketing designed to convince people that
keeping Bitcoins is safe and secondarily a product decision to reduce loss
caused by poor user password management rather than by sophisticated attacks.

------
schmidp
I once nearly lost access to my Coinbase account when I got a new iPhone and
lost my 2-factor-authentication codes I had stored with the Google
Authenticator app. I then stupidly managed to delete my fallback phone number
from Coinbase. Luckily I had clicked "Remember this computer for 30 days" and
managed to transfer all of my bitcoins away from Coinbase before losing
access to the account.

I tried their support, but they never really tried to help. While their vault
seems like a good idea, I would not trust them with my bitcoins anymore :-/

~~~
c0n5pir4cy
That kind of thing just makes me trust them more, I don't want people to be
able to talk around the support staff to get to my Bitcoins and I actually
wish my bank did the same.

That being said I don't trust any third party with any of my wallets full stop
at the moment.

~~~
schmidp
If they would have denied helping me because of some security policy, I would
agree with you, but their support didn't understand the problem and just
stopped responding.

What if you run into a bug? From my experience I would not expect to get any
qualified help.

~~~
javert
I wonder if you can sue them, or if there is other legal recourse. Probably.

~~~
jonknee
Probably not. These days as a consumer you can't really sue companies you do
business with because they make you agree to arbitrate any disputes. It's
nutty.

Briefly checking the Coinbase TOS reveals this:

> 8.2. Arbitration; Waiver of Class Action. EXCEPT FOR CLAIMS FOR INJUNCTIVE
> OR EQUITABLE RELIEF OR CLAIMS REGARDING INTELLECTUAL PROPERTY RIGHTS (WHICH
> MAY BE BROUGHT IN ANY COMPETENT COURT WITHOUT THE POSTING OF A BOND), ANY
> DISPUTE ARISING UNDER THIS AGREEMENT SHALL BE FINALLY SETTLED ON AN
> INDIVIDUAL BASIS IN ACCORDANCE WITH THE AMERICAN ARBITRATION ASSOCIATION'S
> RULES FOR ARBITRATION OF CONSUMER-RELATED DISPUTES AND YOU AND COINBASE
> HEREBY EXPRESSLY WAIVE TRIAL BY JURY.

[https://coinbase.com/legal/user_agreement](https://coinbase.com/legal/user_agreement)

~~~
javert
I wonder if that really applies in this case / would hold up. I mean, if I do
not enter into a contract with Coinbase and they come to have property that
belongs to me and refuse to release it to me, I can surely sue them.

I'm not sure that you can get someone to sign away basic property rights in a
contract.

Analogously, if I lose my password to my bank's website, I bet I can legally
force them to return my funds.

~~~
jonknee
You do enter into a contract with Coinbase though, by signing up you have to
agree to that. Banks are different (highly regulated, but also house real hard
currency!) and simply losing a password isn't going to have the same effect.

There was an interesting article about this in the NYT recently. Apparently
arbitration clauses do have a decent chance of standing up to challenge. It's
discomforting because when all the vendors in a space have the clause there is
no way to have your right to trial.

[http://www.nytimes.com/2014/07/19/your-money/a-closer-look-a...](http://www.nytimes.com/2014/07/19/your-money/a-closer-look-at-the-arbitration-process-for-investors.html?_r=0)

It's even more dubious in finance because you not only agree to arbitration,
but you agree to arbitration by the private financial regulatory organization
Finra. Think about that--to get a brokerage account you must agree to
arbitration through Wall Street's self-funded watchdog. Unsurprisingly Wall
Street has a great track record in winning.

------
kovrik
I've just tried to sign up at Coinbase - they require my Full name. Really?

What's the point of cryptocurrency if you enter your email + full name?

~~~
dmix
They also openly do JavaScript font probing to fingerprint your browser,
circumventing privacy tools like VPNs.

Coinbase is not at all known for caring about privacy or pseudonymity. They've
become somewhat of a counterpoint to how BTC started out ideologically. They
are building a mainstream, government regulation friendly business.

------
starnix17
Another terrible Coinbase story. A bug in their backend caused a transaction
to go through to my bank account, withdraw funds, but not credit me coins.

Contacting support yielded no results at all. I had to go through my bank,
close my account (which is a nightmare in itself), and get the money refunded
via the bank's fraudulent ACH reversal process.

I would not trust this company.

~~~
javert
So we should instead trust a different payment processor that undoubtedly also
has bugs, but has not yet detected and fixed them? (This is supposed to be a
playful comment, not a bitter or sarcastic comment, it kind of came out the
wrong way.)

------
jeremyrwelch
Multi-signature security via Coinbase accounts is a great first step, but true
multi-signature via Bitcoin private keys is the feature that will make
transactions and storage much more secure -- regardless of whether you store
them personally or with a company like Coinbase.

~~~
FatalLogic
If they're only doing multi-sig internally, that's a bit disappointing.

I think the Copay wallet from Coinbase's competitor, Bitpay, does true multi-
signature.

Coinbase's current solution is a significant improvement for people who must
use Coinbase for some other reason, I suppose. Anyone else should think about
the advantages of true multi-sig on the blockchain.

------
korzun
> Withdrawals are time delayed with notifications delivered to your phones and
> emails.

I see what they are trying to do here but why not just simply approve/deny
transactions? Time delay seems a bit weird.

I don't know much about it, but if it's delayed by 1-2 hours an attacker can
simply make a request at 4 AM in the morning.

> Up to 97% of bitcoin is stored entirely offline in geographically
> distributed safe deposit boxes and private safes.

Again, I know what they are trying to do here but this does not make me feel
safe. Drop the hardware and you have potential data loss.

How are the logistics? Are they going out on the same truck to multiple
locations? Etc.

Just seems a bit too high level and does not contain any context.

~~~
modeless
The time delay is 48 hours. During that time they attempt to contact you at
multiple previously specified email addresses and phone numbers (which can
belong to multiple people if you want). This ensures that even if your account
is hijacked without your knowledge and a withdrawal is started, you will be
able to stop it before it happens.

The offline storage is likely done in such a way that no one storage location
is critical. This is easy to achieve with cryptography.

------
tinco
I generally like Coinbase, and I'd trust them with some spending money, but
this blog post does not come across as trustworthy at all.

They very well know the risks involved with sending your bitcoin savings to an
address you don't control and they make no effort at all of alleviating any of
the concerns.

There's no mention at all of how you can verify they actually control the
bitcoin you gave to them, even though there have been schemes for doing this for
years.

You might as well send your money into a black hole.

------
brianwawok
Q: how do they do this with no fee?

If some guy on the street corner offered to watch all my cash in a secure
facility for free, I would worry a little bit.

For as much fun as banks can be, they do provide some pretty good oversight
and legal protection. The dude on the street corner, not so much.

~~~
JoshTriplett
They charge a fee when you purchase or sell coins through them. That also
means they get a cut of all payments made through them. That gives them a
significant interest in making sure the large volume of coins they hold and
transmit remains secure.

~~~
Jach
You mean like Mt. Gox? Such incentives alone are not very reassuring. (I
really don't know why an average Joe would trust any third party with his
bitcoins. At least banks give a tiny bit of interest and a piece of plastic to
use the money whenever.)

------
LeoPanthera
Previously on HN:
[https://news.ycombinator.com/item?id=7976841](https://news.ycombinator.com/item?id=7976841)

------
callesgg
Yep, I will sleep well knowing they are safe on my OWN computer.

------
ForHackernews
I wonder how long it will take for this to get Goxed?

------
jasonlingx
Beware - keeping your bitcoin in a wallet you do not absolutely control (like
Coinbase), you can and almost certainly will lose them at a moment's notice,
sooner or later.

~~~
gfodor
"Can" is true, "almost certainly will" is pure speculation.

~~~
jasonlingx
Nothing is more certain actually, like how the sun will one day surely die.

~~~
gfodor
It's not nearly certain that your bitcoins will be stolen, particularly if you
don't consider what happens to them after your death.

