
For those without subscriptions. https://outline.com/3CRjpe

>That post has since been taken down, but many comments included criticism for leaving such a large amount of Bitcoin accessible on a phone.

Not to victim blame, but it really is odd to me that someone would leave any amount of BTC on their phone, let alone millions of dollars worth.

>The Hamilton teen faces charges of theft over $5,000 and possession of property or proceeds of property obtained by crime

I've always wondered why the line is drawn at $5,000. It's mildly interesting that stealing $46M and stealing $5,000 result in equivalent charges.

> Not to victim blame, but it really is odd to me that someone would leave any amount of BTC on their phone, let alone millions of dollars worth.

The SIM swap attack was used to access an online service where the BTC was stored.

I know the classic cryptocurrency trope is that Bitcoiners will move money to a paper wallet and then store the passphrase securely somewhere, but in reality that's about as attractive as cashing it out as 46 x (hypothetical) $1 million dollar bills and storing it in a safe.

In other words: Most people who have that kind of money really don't want to do anything like that. Most people who don't have that kind of money really overestimate how easy it is to safely and securely store something like that.

But that's beside the point. We could debate all day about storing paper wallets in bank safety deposit boxes or using Shamir's Secret Sharing or any other number of increasingly complex scenarios, but in practice most with that kind of wealth aren't really interested in locking it away and not touching it. If they want to make an investment, trade, or purchase, do they jump through all of the hoops to unlock and move some of the money and then securely store it all away again? Surely someone might, but in practice most people want it somewhere that they can trade, invest, transfer, and access with reasonable security.

This inevitably turns into one of those internet OpSec debates where people on the sidelines imagine scenarios where they are smarter than the victim (with the benefit of hindsight, of course), but in reality there are many, many people out there storing vast amounts of wealth accessible by 2FA with their phone and it's rarely ever a problem. Cryptocurrency makes this more complicated because the transactions are irreversible, fast, and (somewhat) easy to hide.

So if you happen to be internet famous for bragging about your Bitcoin wealth, definitely take steps to make it impossible for people to access it via phones or anything else. But you also probably want to obscure your physical location and invest in personal security, because in-person attacks are the next step. But in reality, a huge number of people have access to a lot of funds via digital access without such problems on a regular basis. It's fun to fantasize about ultimate OpSec, but in practice most people want the money accessible and tradeable on short notice.

I'll leave alone all of the comments which imply I don't know what I'm talking about and that I'm not very smart; suffice it to say you don't need crazy secret sharing systems or bank deposit boxes or anything of the sort to prevent this attack.

A dead-simple soft-wallet, which requires about 2 steps to set up and 2 more to transfer and hold your millions of dollars in, would have prevented this. Roughly 15 minutes of time, at most.

You don't need to be the NSA to secure your crypto, as you seem to be implying.

> You don't need to be the NSA to secure your crypto, as you seem to be implying.

I said that people keep their funds hot to use them, not that you need to be the NSA to secure them.

Trust me, I know how to set up a crypto wallet and secure it.

The more important part of my comment was the "15 minutes tops to completely prevent this attack", but okay. (The reverse, getting your money back on the exchange, is even shorter! Maybe 2 minutes and a few clicks.)

>Trust me

No thanks.

While you may disagree with what PragmaticPulp had to say, the tone of this last comment is unnecessarily hostile.

They make several comments alluding to the fact that I am dumb and have no idea what I'm talking about, ignore every important bit of my comments, then conclude with "trust me", and I'm hostile for saying "no thanks"?

My apologies, I guess.

Hardware wallets aren't that cumbersome to use; it only takes a few minutes to move coins on/off. Waiting for confirmations takes longer than dealing with the wallet. For daytrading you'd definitely want to keep coins in an exchange though.

I'm speaking neither hypothetically nor in hindsight since I pre-ordered the first hardware wallet back in the day and have never lost coins.

A paper wallet can be password protected. Shamir's Secret Sharing can also be used with paper wallets. Practically everyone who messes around with serious amounts of crypto money has a more sophisticated setup than keeping it on a phone, even many people who only have a few hundred dollars worth have hardware wallets like a Trezor. Just because cases like the above happen doesn't mean they're the norm. Every once in a while you also read stories about someone leaving their suitcase full of cash on a train or such. But that doesn't mean the average cash user is that careless.

> I know the classic cryptocurrency trope is that Bitcoiners will move money to a paper wallet and then store the passphrase securely somewhere, but in reality that's about as attractive as cashing it out as 46 x (hypothetical) $1 million dollar bills and storing it in a safe.

That's very hypothetical, though. There are a few key differences:

1. Moving money to a paper wallet is not difficult in practice. Ideally, yes, you would generate the private key in an air-gapped computer running a secure operating system and print out the private key and the Bitcoin address, then incinerate the computer, storing away a second identical computer that doesn't have the wallet on it yet, and that would have a similar level of difficulty to buying and installing a safe. In practice, you can probably get better security than a physical safe just by generating a new wallet in Electrum, writing down the seed phrase, and deleting the wallet from Electrum. When you need to spend some of the coin you can reanimate the wallet, sign a transaction, and delete it from Electrum again. If your cellphone is backdoored then the thieves can loot your wallet at reanimation time, but that's probably harder than drilling a safe, most of the time.

2. As you point out, million-dollar bills are hypothetical. The largest US dollar denomination ever printed was US$10k, and the largest in circulation since 01969 is US$100. So, in practice, you're talking about a safe containing 460,000 US$100 bills, which will be very difficult to either acquire or dispose of without getting robbed.

3. The dollar inflates, by design, so it's a terrible investment. It's lost 96% of its value since the end of the gold standard in 01971, and an additional 6.2% over the last year. That's the reason why a safe full of dollar bills is a total failure for wealth preservation. Bitcoin suffers from a lot of volatility but it's structurally designed to not suffer from secular inflation, and in fact one of the principal criticisms of Bitcoin is that it's inherently deflationary. It seems to have returned an average of about 150% per year over the last 10 years: https://bitcoincharts.com/charts/bitstampUSD#tgSzm1g10zm2g25..., and while that trend surely must be nearly over (it can't continue for more than another 5 years and might already be over), it also clearly hasn't been suffering from inflation. In this sense, the most important difference, the dollar and Bitcoin are opposites.

Yes, it's true that there are people who like to gamble by day-trading cryptocurrencies, but most people who do that end up losing all their money. Investing wealth doesn't require your assets to be "accessible and tradeable on short notice"; it requires rebalancing asset classes every three months. Berkshire Hathaway makes a few dozen transactions per year. You don't need to make more transactions than Berkshire Hathaway.

You say, "there are many, many people out there storing vast amounts of wealth accessible by 2FA with their phone and it's rarely ever a problem," and in a sense that's true; it's relatively unusual to have a meltdown like the Argentine collapse of 02001 (where all bank depositors lost all the dollars they had in the banks), Mt. Gox in 02014 (where all Bitcoin depositors lost all their Bitcoin, about 850,000 BTC or US$450M), Bitfinex in 02015 (where their depositors lost about 1500 BTC), the Greek banking system in 02015 (where Greeks were prohibited from carrying more than 3000 euros out of the country and could only withdraw a limited amount of cash from their bank accounts for three years), and Bitfinex in 02016 (where their depositors lost 119,756 BTC).

But it would be a terrible mistake to conclude that, just because an event like this happens only about once every four years, it is unlikely to happen to you. It's true that it's "rarely ever a problem", but when it is a problem, it's a problem for millions of people, sometimes hundreds of millions. Hosted wallets do not and cannot offer "reasonable security".

Today I see a lot of people who are "trading Bitcoin" but actually holding Tether in Binance accounts (which has replaced LocalBitcoins as the retail hosted wallet of choice here in Argentina).

Tether has historically been backed by fraud, and it's operated by Bitfinex, which (as noted above) has a history of its customers' money mysteriously disappearing, and which is locked out of the world banking system.

Binance is banned in the US and UK, is being criminally investigated by both governments, and has had to move its headquarters from China, to Japan, to Malta, which also says they're investigating it. It's also being prosecuted in Thailand.

Without casting any aspersions on the integrity of Binance's people, it's clear they're at significant risk of having their assets confiscated, at which point all of their depositors would lose their deposits. And Tether is at significant risk of collapsing, either due to fraud or to mismanagement. So these people are dancing on a tightrope, and most of them don't even know it.

So, run a wallet on your own hardware. At least a thin wallet like Electrum. Or get a Trezor.

Is there a story behind the consistent use of five digit years?

It is a weird thing done in some futurist communities to call attention to the long amount of future ahead of us. It doesn't surprise me that there is overlap between these groups and bitcoin maximalists.

They’re really into octal.

Could it have been on an exchange or something that used his number for 2FA? I’m not sure how else a SIM swap could lead to access.

Yes, I should have been more accurate and said "accessible by phone", not necessarily stored on the phone.

One would think with any significant amount of crypto that you store it somewhere non-network accessible (at the very least, not holding it all in a single online exchange).

Yes. Likely Coinbase. SIM swap is such a well known attack vector, so it is pure stupidity to leave such a high amount behind an SMS.

Seems kind of crazy to leave that amount on an exchange at all.

Yeah like, this happened years after the mtgox debacle...

It was a major exchange that did not understand what the 2 in "2FA" meant, yes.

Most exchanges did not have proper 2FA until the sim-swath-swoop of 2018-2020.

All major exchanges have supported TOTP (time codes) based 2FA since 2014. However it is a different matter if they force users to use TOTP, as it hinders adoption. Need to get that IPO done first.

I hate when companies ask for my phone number on sign up. At no point do I ever want that used for auth!

The first thing I usually do is enable OTP but I know some companies will still fallback to SMS.

>I've always wondered why the line is drawn at $5,000. It's mildly interesting that stealing $46M and stealing $5,000 result in equivalent charges.

A lot of those lines are drawn completely arbitrarily, and might be very old and haven't been updated to reflect inflation/rising prices.

A classmate of mine copped a felony property damage charge as the threshold was set at a mere $500 at the time, for a typical senior year high school rivalry prank and it really fucked up his life.

Tacking on the conversation about arbitrary and static dollar amounts in law.

There's an interesting effect where law makers can pass a law with static dollar amounts that seems reasonable at the time, but the force of inflation covertly expands the scope of the state's authority deeper and deeper into the society without any further action or political risk by present lawmakers.

A great example of this is the Bank Secrecy Act, which requires reporting of transactions greater than $10,000 to the federal government. At the time it was passed in 1970, $10k was the equivalent of ~$70k in 2021 dollars. $70k actually seems like a pretty reasonable amount as that's a very large transfer that the average person does very rarely for mostly legitimate reasons, like buying a house. It's easy to justify why the feds could use this data to investigate large scale criminals and money laundering. But as inflation has stripped away the value of the dollar, more and more people and activities are falling into that $10k limit.

Basically, the surveillance state gets to sneakily expand when laws are pegged to a currency that's constantly inflating by design.

And of course, governments rarely want to change these laws of antiquity, because it is perceived as being "soft on crime". The optics of it to a lot of the voting population is poor, even if the change is just to be in line with the original intention of the law.

> more and more people and activities are falling into that $10k limit.

Like what?

What do you mean?

$10k in 1970 was the equivalent of $70k today. So all the transactions between 10k-70k in today's dollars would not have been included in the original intent of the law, but are now included today. I won't pretend to know all the kinds of transactions that fall under that scope.

> It's mildly interesting that stealing $46M and stealing $5,000 result in equivalent charges.

The reason for the differentiation is not to make a $5k theft and a $46m theft equivalent. There is a threshold because, for instance: stealing some pocket change is not a serious crime, and stealing large amounts of money is serious.

>stealing some pocket change is not a serious crime, and stealing large amounts of money is serious.

I'm curious if you actually think that I wasn't aware of this? I don't think many people need that pointed out to them.

My comment was on the arbitrariness of the line, or why there is a single line at all (opposed to a gradient, or multiple "theft over x" categories, etc.).

To be more specific, the reason for that single line is because some legal systems (like in the US) have different "classes" of offense. That line is the differentiation for which class the crime is. The lesser could be a "summary offense" or "misdemeanor" and the higher a "felony".

I, of course, was not suggesting that you didn't know the difference in seriousness. I am stating that the difference in seriousness is the reason for the line, because the underlying legal system generally differentiates crimes this way.

Fair enough. I suppose if a single line must be drawn, it must be drawn somewhere. And that line is apparently $5,000.

It could be a function of amount stolen, victim's wealth, perpetrator's wealth.

That could very well be a sentencing guideline even if the crime is still called "theft over $5000"

Just because a crime has a title [x] doesn't mean that the sentence is always [y]. Often the laws will provide for a range of sentencing depending on other factors.

I'm not sure the general population knows any better.

It's bad and all and he is f'd, but "stole $46m" does sound like a pretty bad ass line item on a teen's rap sheet.

I could be mistaken but it looks like the $5,000 is from the CA Computer Crimes statute. For larceny (theft of personal property) in CA the bar is even lower: $950.

Yep, in Canada there are two "thefts" generally: over $5,000 and under $5,000.

I was charged with theft under 5 when I was 14 after stealing two candy bars and a drink from Walmart. Same charge as I would have had if I stole a 70" flatscreen TV, or a top of the line computer.

It's not just in Canada. Have you ever heard the term "grand theft auto"? There have been two levels in almost every jurisdiction for a very long time: petty (small) theft and grand (large) theft. The dividing line in England used to be a shilling, for which you could be hanged or transported. Sixpence would get you a short-ish time in gaol/jail.

The story is about a crime in Canada, so it's relevant.

True, but the separation between grand theft and petty theft exists in pretty much every common-law country, and has for centuries - it's not a peculiarity of Canadian law.

Theft over is liable to a term up to 10 years. Theft under is up to two years. Two years or more is time in a federal institution. Anything less (eg. "two years less a day") and you're working for the province.

It basically comes down to if you steal more than $5000 you might go to a very bad place and if it's less, you only go to a slightly less bad place. The line has to be drawn somewhere, and no prison is a particularly good place so it really hardly matters.

Seems they need a new category, "theft under $5" haha

I feel like everyone knows why the line is drawn at such a value. So people like us can't afford to commit crimes, but the rich can.

In many cases the amounts were written into the law so long ago that money was worth maybe 20x as much, or more.

My favorite example of such is https://constitution.congress.gov/constitution/amendment-7/.

$20 doesn't buy as much today as it did in 1800. :-)

$20 doesn't buy as much as it did in 2020, either...

Compared to the purchasing power difference between 1800 and 2021, a dollar buys (almost) exactly as much in 2021 as it did in 2020. ("Almost" in parentheses, because at any reasonable precision, the 20/21 difference will probably round to zero.)

When they're big enough, differences of quantity become differences of quality.

And that's why we really need to start assigning equations rather than static amounts in bills

It's not exactly that, but in Belgium penalties written in law are an amount that is multiplied by a factor that is regularly updated.

It went from 5.5 to 6 in 2011, then to 8 in 2017 and is still there AFAIK. It seems a bit haphazardly managed to me, but it's something.

Alternatively we could maintain a stable currency people can rely on as a store of value.

Inflation was known to legislators back then, so it's a way for legislators to lower the bar and catch more people in the future, without anyone picking up on it at the time.

Anyway, fabricating evidence has been around for as long as evidence has been needed to settle disputes.

I think that's a bit melodramatic. Lots of people can afford 5k without being part of waves hands "the rich."

What do you mean by that? $5000 isn't a fine, it's the amount stolen that moves the offense into a higher category. How does that translate into making the rich able to commit crimes?

Because a rich person can steal 50m and get penalized the same way someone like us would when stealing a paltry sum. Though my comment also implies the rich can easily drag out their court case and afford an army of representation so they don't have to deal with whatever sentence they are getting. Even though the sentence itself is a sham because stealing 50m dollars being punished the same as stealing 5k is obviously a sham.

No, it's literally the opposite. People who steal small sums -- i.e. in street crimes -- get a smaller punishment.

??? The law has the same penalty for any crime over 5k, it's literally the parent comment I am replying to.

Those that get a smaller penalty, i.e. those who steal under $5k, are overwhelmingly not wealthy. Wealthy people are not snatching people's purses on the street.

Of course. But the point is that 5k is FAR too low. The difference between stealing 5k and 50m is far greater than the difference between stealing $200 and $5001. Now read all my comments with this in mind and maybe you'll get what we've been saying.

The line at $5000 does not ascribe an equal punishment to crimes below or above that point. It changes the class of offense. The penalty will vary based on circumstances within what those classes allow.


The only difference is in sentencing, and the difference is a lower upper limit on the length of incarceration for the lesser value stolen. There is no difference in the crime itself.
