
When a random teen can easily steal $46M from a "Bitcoin pioneer", what hope is there that regular folks could make safe use of said value store?

The bitcoins were stored on a centralized exchange using a phone number as 2FA. Banks and brokerage accounts can be hacked the same way, though at least they'll make you whole if you catch it soon enough.

To really secure bitcoins, a hardware wallet or a passphrase in a safe deposit box are both pretty simple options that nontechnical people use all the time. Neither is expensive and both are widely known.

Holding the coins is one thing, transferring is another. I just transferred my bitcoin out of my paper wallets. I can promise you there is absolutely no way for a non-technical person to do this safely. What are they going to do? Visit some random website to sweep their wallets and hope their private keys are not stolen (which they will be)?

I haven't used a hardware wallet - I suspect they solve the transferring problem. But what's the risk my hardware wallet still works a year from now? 10 years from now?

I decided trusting Coinbase in 2021 is the most reasonable option for the amount I have. (Different calculus back in 2016). I admit I don't know what I'd do with 8-figure balances though.

Hardware wallets do solve that problem. Keep your 24-word passphrase somewhere safe, and you can use that to restore your keys into any hardware wallet, without plugging it in to a computer. The passphrase algorithm is a public standard, so if your hardware breaks, you can restore onto another one.

After that, plug the hardware wallet into a computer and you can transfer without the computer ever seeing your private key. The hardware wallet displays the destination address, which you should check.

I do agree that Coinbase is reasonably safe, as long as you use a strong password and 2FA, and don't give them your phone number.
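Added example (not part of the thread or any commenter's post) of why the written-down words restore the same wallet on any device: it assumes the "public standard" meant above is BIP39 seed derivation followed by the BIP32 master-key step, and the function names are illustrative. Wordlist and checksum validation, which real devices also perform, is left out.

```python
import hashlib
import hmac
import unicodedata

# Public all-zero-entropy BIP39 test phrase (23 x "abandon" + "art").
# Sample input only: it is published everywhere and must never hold funds.
TEST_PHRASE = " ".join(["abandon"] * 23 + ["art"])


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512 over the words, 2048 rounds, 64-byte seed."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with the fixed string 'Bitcoin seed'."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]  # (private key, chain code)


def restore(mnemonic: str, passphrase: str = "") -> str:
    """What any compliant device computes from the written-down words."""
    private_key, _chain_code = master_key(mnemonic_to_seed(mnemonic, passphrase))
    # Return a short fingerprint so the key itself is never printed.
    return hashlib.sha256(private_key).hexdigest()[:16]


if __name__ == "__main__":
    original = restore(TEST_PHRASE)
    # A replacement device fed the same words (even with sloppy spacing).
    replacement = restore("  " + TEST_PHRASE.replace(" ", "   "))
    print("same wallet on replacement device:", original == replacement)
    # One mis-copied word: no checksum check here, so it silently
    # derives a different, empty wallet instead of raising an error.
    typo = TEST_PHRASE.rsplit(" ", 1)[0] + " arm"
    print("one wrong word restores same wallet:", restore(typo) == original)
    # The optional extra passphrase is part of the salt, so it changes the wallet.
    print("extra passphrase gives same wallet:", restore(TEST_PHRASE, "x") == original)
```

Nothing device-specific enters the derivation, which is why the backup words are the asset to protect and the hardware is replaceable.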

> a passphrase in a safe deposit box are both pretty simple options

_If_ you can get a safe deposit box in your bank, that is. My local bank (Chase) is always sold out of boxes. Sure, you'll next say: change your bank. But the other one (BoA) is also out.

My point is, it's not such an easy option as you're making it out to be.

Funnily enough my bank very recently made me sign an agreement which precluded me from subleasing my safe deposit box. Maybe this is the next arbitrage opportunity.

When I shopped for a local bank branch that had safe deposit boxes (maybe a decade ago), one of the bankers told me a lot of banks and branches were trying to get rid of their boxes, and not wanting to include boxes in new branches.

I managed to get a box in the basement of the BofA in Harvard Square back then, and kinda wish I'd kept it, since I doubt I could get one today.

Maybe stop going to big corporate banks?

I got one last week without any issue.

Yeah, I remember trying to open one in the Bay Area a while back. My local bank had a wait time of more than three years for a box.

So back to shoving cash under the bed, essentially.

> Neither is expensive and both are widely known.

I'd say that ~97%-99% of the people in the US and Europe have no idea how to use a hardware wallet. The vast majority have no idea what a hardware wallet is. You're very far off the mark in your estimate.

Bitcoin is at the adoption stage where the general public is only beginning to use services like Coinbase. They do not know how to use a hardware wallet, most of them do not know that such a thing exists.

> Bitcoin is at the adoption stage where the general public is only beginning to use services like Coinbase. They do not know how to use a hardware wallet, most of them do not know that such a thing exists.

You are creating a persona tailored to back up your argument. It is not that strange that a good chunk of "common people" buying bitcoins right now know what a hardware wallet is, at least as a concept (not the tech implementation obviously).

I think you should increase that by an order of magnitude. I'd be very surprised if more than 1/1000 could describe how to safely use a hardware wallet properly.

The vast majority of people in crypto know what a hardware wallet is

Not really sure how this is relevant, seeing how the original comment said

> what hope is there that regular folks could make safe use of said value store

I just googled "how to safely store bitcoin" and a bunch of articles with good, simple advice came up.

But is it foolproof?

"Why Johnny Can't Encrypt" was published decades ago. With this stuff you cannot make any mistake. PGP advice appeared to be good and simple, yet people made errors all the time. I wouldn't expect this to be different.

Hardware wallets are considerably simpler than PGP. I can only think of two ways to screw up:

1) Lose the passphrase. The device does quiz the user on words of the passphrase upon setup, to be sure the user at least wrote it down. Hopefully this reinforces its importance. Ledger provides a card to write the words, with prominent instructions to save it somewhere safe.

2) When sending, don't verify on the device's display that you're sending the money where you think. But the display is right there on the device, and displays the destination address while waiting for you to push a button right next to it.

For smart contracts it helps to get a larger device that shows all the contract parameters, but for simple sends that's all there is to it.

This shows a fundamental misunderstanding of how cryptocurrency works. Bitcoins aren't stored anywhere. You don't need to get hacked to have your bitcoins stolen.

If you want to be pedantic about it, you have to store your private key securely.

The difference is that the institutions (i.e. banks and brokerage firms) often repay lost funds or can reverse the transactions, whereas here it is a lot harder.

This explanation doesn't make total sense to me. So 2FA, by definition, is two-factor. This explains how one factor was compromised. How was the other factor compromised?

You may be right. A lot of orgs will happily let you use SMS for 2FA at login, but let you recover your account with that same SMS, making it 1FA x 2 (or 0FA, to line up with RAID 0)

Probably password reuse, then leaked. Like you'd see on https://haveibeenpwned.com/

The issue is that most communication is centralized between two companies, Verizon and ATT, and those companies have employees that are very, very fallible.

We need to decentralize our communication infrastructure.

No real reason to point the finger at people at Verizon and ATT as more fallible than others. Almost anyone can fall for social engineering if done right/often enough. I know you probably think you're too smart to be fooled like that, but that's exactly how you'll fall to a scam.

The people at Verizon/ATT are more fallible, because of the implicit risk/threat model that is imposed on us by duopolistic infrastructure.

They have vastly more power without the required training.

This asymmetry makes them larger targets, and therefore, more fallible.

ATT/Verizon employees are the weakest link in almost all threat models, including our national one.

I don't think I am personally infallible; and I am/used to be the reason you have to take cyber, social engineering, and spear attack trainings every year.

It is because I know the true weakest links (humans with unrelegated access) that I am compelled to remind others:

do not use SMS for 2FA.

There are other ways of getting the nonce/temporal secret to the end-user without pitting the security to an overworked 27-year-old druggy CSR in upstate New York.

Eh to be honest your whole argument fell apart as I read the last few words. Hope you change your outlook on the world, for your own good.

That's a problem for sure, but it's not the problem here. The problem here is cryptocurrency trustees implementing snake oil "2FA" using the PSTN, which was never intended to provide the needed security properties.

> When a random teen can easily steal $46M from a "Bitcoin pioneer", what hope is there that regular folks could make safe use of said value store?

That's easy. Regular folks don't have $46M to store. Also, being rich doesn't mean you always make the best decisions.

The stolen sum was taken from a centralized, bank-like account. Not your keys, not your coins.

Given how incredibly likely people are to trust these untrustworthy organizations, not much hope regular folks can be safe.

People steal USD from companies and people all the time.

"What hope is there that regular folks could make safe use of said USD?"

It will take some time for the infrastructure to mature.

It's been 10 years, meanwhile everyone is hyping up how awesome and fast-moving the "web3" space is and how all the best developers have left their day jobs and are building for it. What's taking so long?

Nothing in this incident is to do with "web3" tech, the coins were on an exchange which is centralized "web2" tech.

They're literally building all the foundational infrastructure from scratch. It took the web a long time to mature as well.

"How can I safely authenticate myself" is not being built from scratch. People were working on that problem for many decades before Satoshi came along.

web3.js has been around for at least 5 years. Think how much the WWW evolved in that amount of time.

Think about how far we came from bitcoin to ethereum and defi.

I might be wrong, but my concern is that attackers will mature as well. At the end of the day, putting your security entirely in your own hands is a level of liability that most people aren't willing to take on. I like some of the ideas in the cryptocurrency space, but I really wish they would openly contend with the fact that centralization has its benefits.

And until then? We just say "oh, fraud, oh well"?

This is what banks and credit card companies do already. It's the cost of doing the business. If someone steals your credit card and uses it then you're not responsible, the bank is. And you get your money back. But there's no such recourse or security for individuals in this new system.

Straw man argument.
