
Wire transfer fraud.

I am an insider in the Bitcoin industry, and within 1 day of opening a new bank account we started seeing fraudulent wires flooding in. When we dug deeper, it was shocking to see how many Americans' bank credentials have been hacked. It takes almost no effort for an EEU/RUS hacker to send a wire from a hacked bank account.

Once the fraudulent wire is sent, the rest of the wire transfer system is tediously manual. So wire network participants simply choose to block bank accounts that receive repeated bad wires. This is why Wells Fargo cut out Bitfinex and Visa has decided to stop working with Bitcoin companies.

ACH fraud is even more rampant because you can pull money from someone's account without their consent (as long as they don't notice/contest within a certain number of days). Coinbase's profit margin is 0.5% per trade, so they need to keep their ACH fraud rate below that number to not lose money. The ACH fraud rate is well over 1% industry-wide. This is why I strongly believe that Coinbase has to be losing massive amounts to ACH chargebacks.

As far as I understand it, Coinbase does not allow a user to fund using ACH unless they first prove control of the bank account by:

1) Providing the username and password for online access to the bank account; or

2) Allowing Coinbase to make two micro-deposits to the bank account, and then providing the correct amounts of the deposits when they are received.

If some nefarious actor has the user's credentials (e.g. username / password), won't they then be able to circumvent both of those checks?

Maybe it's possible that so many people are signing up for Coinbase right now that it's flooding out the fraud?

> "If some nefarious actor has the user's credentials (e.g. username / password), won't they then be able to circumvent both of those checks?"

They would. However, typical ACH fraud entails pulling money using only the routing and account numbers, which can be found on all paper checks; this mechanism prevents that.

Regarding CB ACH, they had/have a huge exploitable hole in their ACH system that a friend discovered by accident. Long story short, they credited them for a large sum that they never took from his/her account. I won't put the exact detail of how to trigger the error but suffice it to say it was shocking to learn how a system that deals with large sums of real money could fail in such a way (and likely in a repeatable manner, although my friend didn't try, as repeating it would likely be seen as stealing).

It's really quite shocking how an ecosystem that touts decentralization has a glaringly centralized failure point - the fiat exit exchanges. When one or two of them go, it will bring down the whole house of cards. And given how shitty CB's software was (or maybe still is) I just hope I can get my gains out before the whole thing comes crumbling down.

So your friend is benevolent enough to not trigger the bug again because it would be wrong, but not benevolent enough to report the bug to Coinbase? Right...

Coinbase code is still horrible. I have found a couple of bugs/failure points in their code, but Fred Ehrsam was a jerk to me so I don't feel like reporting these issues to CB.

You should tell Coinbase and get a bug bounty.

Man, gender-neutral pronouns are confusing.

No, they're not.

The Discorientating Use of the Word "They": https://www.youtube.com/watch?v=i_xVAqJ-NY0
