(Individual ACH charges may, with some effort, be reversible like a credit card charge, but invalid reversible credit card charges are pretty much all you have to worry about with a stolen credit card, and not all you have to worry about with a stolen bank account).
Full disclosure: I run http://howdoyoubuybitcoins.com/, and my wife's cupcake bakery, cupsandcakesbakery.com, sells cupcakes for bitcoins in San Francisco (9th/Harrison).
(honestly would like to know)
As far as I can remember, PayPal has never asked me for my bank account login details.
PS: That or that blog's part of a great phishing scam.
That has not been my experience; the 2 random deposits are the first option, not the last resort. Paypal has never asked me for a user/pass.
Since there is clearly a demand for buying bitcoins _quickly_, I believe Brian is providing both a good UX for those who want to just use their account / routing numbers, while also allowing people to get bitcoins in LESS THAN 10 MINUTES (I bought 1BTC today with coinbase / wells fargo).
I should note that Mint did the same thing in order to get access to transaction history, and they had 5 million registered users as of 2011 (source: http://qr.ae/8QB9G).
If the big banks addressed the need for APIs, startups like Mint and Coinbase could do this in a more sane way, but we're talking about big banks, and in the case of Wells Fargo they actually charge users a monthly fee for using Quicken to talk to their backend.
tl;dr- Mint asked users for bank passwords and got 5 million registrations. Likewise, Coinbase is just providing a "quick" ux path for the people who want to act quickly.
I'm not trying to militate against using Coinbase; I'm just saying, Coinbase and Mint aren't directly comparable for more than one reason.
A Hackersafe pen test is not a security audit. A public company SEC-required annual audit is not a security audit either.
There is no audit if there is no public audit statement from the auditor. Without one, whatever security measures were taken cannot be called an audit.
Perhaps some reporters (like the ones that reported on the WMD-based justification for going to war against Iraq) didn't do their jobs properly.
I trust my banks with all my money. That doesn't mean it's safe to trust any company with my money, simply because banks manage to do it. I don't trust arbitrary banks, either.
I do think that a lot of Hacker News contributors have blinders on, wherein they devalue the work a big, established service has done, and compare smaller, less-established companies favorably to the same, because they have this narrative of young, smart developers "disrupting" old and established businesses. It's useful to remember that sometimes those big, old businesses are not actually brittle and incompetent, and may actually know more than you think.
Don't fall into Dunning-Kruger.
In practice, the ACH system relies on fraud detection & prosecution rather than secrecy.
There have been far too many shady Bitcoin related hacks/frauds/incidents for this to be something that you should even be encouraging. What protection do your customers have if you do get hacked?
We debated offering instant account verification for the reasons you mentioned, but we ultimately went with it for the following reasons:
- we don't store any bank credentials on our servers after the verification completes (or fails), and take care to filter them out of any logs, etc.
- it allows someone to verify an account and start buying bitcoin in just a few minutes instead of 2-3 days (lowers the hurdle to getting started)
- it's the default in the U.S. for services like Paypal so people are somewhat familiar with it
- for anyone who is uncomfortable with it, the challenge deposit verification is available to them (we make two small deposits to your account and ask you to verify the amounts, which take 2-3 days to arrive)
I think you're right that users should be wary of any site asking for such information, so it's up to each user to make their own decision. We at least wanted to provide it as an option given the above precautions. Anyway, even if you don't agree hopefully this better explains our thought process behind it. We'll continue to evaluate whether to keep it along with help from our lawyers, and I appreciate the feedback - really.
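The first bullet above (credentials filtered out of logs and not retained after verification) is the part a practitioner would want to see in code. The following is an added example, not Coinbase's code: it scrubs sensitive fields before anything is logged, and attaches a logging filter as a second line of defence for credentials that end up in a hand-assembled message. The field names, the regex, the logger name and the sample form are assumptions.

```python
"""Keeping bank credentials out of logs during a login-based verification.

Added example; the field names, regex and log format are assumptions, not
the Coinbase implementation.
"""
import logging
import re

SENSITIVE_KEYS = {"password", "passcode", "security_answer"}  # assumed field names

# Catches credentials that leak into free-text messages, e.g. "password=hunter2"
# or a dict repr like "'password': 'hunter2'". Assumed: a value ends at
# whitespace, a comma, a closing brace or a quote.
_CRED_RE = re.compile(r"(?i)\b(password|passcode)(['\"]?\s*[=:]\s*['\"]?)([^\s,}'\"]+)")


def scrub(fields):
    """Structured path: replace sensitive values before they reach any logger."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v) for k, v in fields.items()}


def redact_text(text):
    """Free-text path: last line of defence for messages assembled by hand."""
    return _CRED_RE.sub(r"\1\2[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Attach to every handler; rewrites the rendered message before it is emitted."""

    def filter(self, record):
        record.msg = redact_text(record.getMessage())
        record.args = ()  # message is already rendered; stop a second %-format pass
        return True


def demo_log_lines():
    """Emit two constructed log lines through the filter and return what was written."""
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("ach.instant_verify.demo")  # assumed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)

    form = {"username": "alice", "password": "hunter2", "bank": "examplebank"}  # constructed input
    logger.info("verification request %s", scrub(form))       # the right way: scrub first
    logger.info("raw form: username=alice password=hunter2")  # the mistake the filter catches
    return captured


if __name__ == "__main__":
    for line in demo_log_lines():
        print(line)
```

The scrub step is the real control; the filter only limits the damage when someone forgets it. Neither addresses the credential sitting in memory, in a crash dump or in an upstream proxy's access log, which is why the "not stored after verification" claim still has to be checked end to end.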
* Access scoped narrowly to a simple use case
* Backed by the assets of a very significant stakeholder
* Risk outweighed by benefit
I'm not saying Coinbase is unreasonable. I have no idea how they work under the hood at all. I'm just saying, it is not suddenly O.K. to give bank account information to startups simply because there's a way to use Paypal that also takes that information. Paypal also doesn't have my account information.
Feel free to send me a message (contact information in profile), and I can share advice on how the banking and credit card industry deals with cross authentication and verification.
And there have been some bitcoin services that have been pretty stable and solid all the time. They just don't get into the news...
I don't use it in the first place.
"And there have been some bitcoin services that have been pretty stable and solid all the time. They just don't get into the news..."
As far as I am concerned, it's just a matter of time before the trading platforms get hacked. Tens of thousands of dollars, if not hundreds of thousands, have been stolen in Bitcoin hacks. Online banking is not easy for large banks to defend; I have little confidence that an indie team can perform as well as a major bank.
Edit: And you are sure that they will all get hacked? You sure have faith in the big organisations...
I know it took a lot of code to write. And I know you convinced yourself it's an advantage. But it's not.
It's making people run from your site.
Look at the comments here, and these are from FRIENDLY people.
Many many many others will see that in your blog article, and decide not to sign up for an account, and you'll never even know.
They won't write an article, they won't email you, they'll just decide you're skeevy, and abort.
You're already working with one tech that people think is a bit "iffy".
That means you need to do EVERYTHING POSSIBLE to make EVERY other bit of your service seem 10,000% above board.
Asking for bank login credentials, EVEN AS AN OPTION, torpedoes that.
You're probably thinking to yourselves - "Maybe we should make the Credit Card primary, and make this secondary?"
I know you spent a long time writing this, and I really wish it were a good idea, but I'd really suggest you just comment out the feature.
You can always put it back in a year or three if you really really want, once your service has inertia, and is already more trusted. But even if Square or Stripe asked for that, it'd scare people away, and lose customers.
It's just a bad idea right now.
I want you guys to do well. Please kill that feature.
Since we're on the topic of finance:
"Protect your Online ID and Passcode. You should always guard your Online ID and Passcode from unauthorized use. If you share this information with someone, all transactions they initiate with the information are considered as authorized by you, even for transactions you did not intend for them to make."
Sure, why not.
I only know of one other service that asks for bank account usernames and passwords: mint.com. And they frequently have to deal with customer concerns about the security of doing so, even though they very explicitly say they only provide read-only access. Your service doesn't even have that guarantee.
So: drop the username and password thing, and only support the standard verify-two-small-transfers option that every other service uses.
I'm not saying I would trust giving my bank details out in general, especially with these bitcoin businesses, but I have to say that when I wanted to open a business account with paypal and I was faced with either waiting days or instant verification, I took the instant option even while knowing it was probably a bad idea.
If you're looking to get users into the door more quickly, you could borrow a page from LendingClub, who will let you deposit from a credit card, but only when opening a new account, not afterwards.
That said, you should absolutely ensure your security is top-notch. You should also be getting frequent public security audits.
It's a poor argument to try to excuse the Bitcoin community's abhorrent record with security (sans the actual Bitcoin protocol, which is quite secure).
Speaking from personal experience.
I realize this is a common sentiment in the Bitcoin community, but it's not true and it's one of the reasons why security has not improved over there.
Thanks, but no thanks..
I'm not saying this company is a scam, but if I wanted to create an elaborate phishing scam, this is exactly the type of setup I would create.
Hopefully no one is stupid enough to give this key online banking information to this company or anyone else that asks for it.
If they reach a level of legitimacy, then maybe it might fly with some users. But I personally think it's way too premature to ask for usernames and passwords for banks, especially given how much fraud, hacking, security problems, and monetary loss associated with Bitcoin companies.
They are at a huge risk of the ACH equivalent of chargebacks first and foremost.
Their banking connection will undoubtedly cut the cord as well. I'm surprised they even were able to launch this.
Their 1% transaction fee is way too low to deal with the risk.
See this article on why:
On one hand, they're getting pretty good authorization with the credit matching part, not sure of the legal details of the un/pw bit. That's also going to help a bit with the miskeyed account number problem.
On the other hand, return rates on WEBs are bad, and the number of people who will revoke their authorization is pretty high. (Even if they have to make a signed statement under penalty of perjury, it happens.) And they have 60 days to do it. It's going to be hard for them to reverse a return even if they have all their auths in line.
On the gripping hand, there's the low daily limit. That limits their risk to any particular account, but it's possible that someone would wind up contesting a bunch of charges all at once, say after they got their bank statement.
I'd love to see their underwriting documentation and just how they're explaining this to their bank. And I'd love to see their bank's comfort level in 60 days.
Of course, those Bitcoin outfits don't allow you to plunder random people's bank accounts if you hack them...
I can't imagine the banks are thrilled with this either - and if they're not actively blocking this sort of activity, they probably should be. I'd be careful that providing your password doesn't invoke various liability clauses in your banking agreement.
The only way I would ever consider doing this, is if I set up a new bank account, preferably with a different bank from my usual transactions, where I specifically put funds for this purpose. In which case, it's probably not worth the hassle.
This prompts a question for all the security-knowledgeable persons who participate here on Hacker News, a question once asked of the inventor of Pretty Good Privacy (PGP). How expensive do you think it would be for the United States National Security Agency (or a comparable organization from another national government) to crack a Bitcoin store, given that we know that some Bitcoin caches have already been cracked? And if the organization storing Bitcoin data held personal bank account data too, how attractive a target might it be to thieves?
To pull money from your account, they are using ACH (Automated Clearing House), sometimes called e-check. The standard way to confirm an ACH relationship is to make two small deposits, known as microdeposits, into the customer's account, and then the customer needs to come back and confirm the amounts.
This requires waiting for what's usually a daily process to send the ACH micro deposits, then waiting until they show up in the customer's account. Thus, the customer needs to wait several days before they can add funds.
Another option is to use a service like By All Accounts, which logs in on the user's behalf to their bank account and confirms that they actually have access to the bank account they are trying to draw from, and confirms sufficient funds.
Once either of these happens, then the company can pull from your bank account. This is great if you're setting up something like automatic bill pay or hooking up a scheduled deposit into an investment account.
So if you trust this BTC dealer as much as your credit card company or stock broker, this is a reasonable method to get money to them. If you don't trust them, then you probably don't want to give them money anyway.
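The microdeposit flow described in this comment is easy to get subtly wrong on the verifier's side: the two amounts are drawn from a tiny space (99 x 99 cents, or 4950 unordered pairs), so someone who knows only a routing and account number, which is printed on every cheque, could confirm an account they do not control by guessing unless attempts are capped. The following is an added example, not code from Coinbase or from any ACH provider: it issues a challenge, accepts the amounts in either order, compares them in constant time, expires stale challenges, and locks after a few wrong guesses. It also runs a constructed brute force with and without the cap to show the difference. The limits, the time-to-live and the account token format are assumptions.

```python
"""Challenge-deposit (microdeposit) verification with attempt limiting.

Added example; the amounts, limits and data layout are assumptions, not
the Coinbase implementation.
"""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_CENTS = 99                     # each deposit is $0.01 to $0.99
MAX_ATTEMPTS = 3                   # assumed policy: lock after three wrong guesses
CHALLENGE_TTL = timedelta(days=7)  # assumed policy: unconfirmed challenges expire


@dataclass
class Challenge:
    account_ref: str   # opaque token for the routing/account numbers, not the numbers themselves
    amounts: tuple     # the two deposit amounts in cents, e.g. (17, 42)
    created_at: datetime
    attempts: int = 0
    verified: bool = False
    locked: bool = False


def new_challenge(account_ref, now=None, amounts=None):
    """Create a challenge. Amounts come from `secrets`, not `random`, because
    they are the secret the customer proves knowledge of. `amounts` may be
    supplied to replay a known deposit pair (used by demo())."""
    now = now or datetime.now(timezone.utc)
    if amounts is None:
        amounts = (1 + secrets.randbelow(MAX_CENTS), 1 + secrets.randbelow(MAX_CENTS))
    return Challenge(account_ref, tuple(amounts), now)


def _canonical(pair):
    # fixed-width and sorted: the two deposits may post (and be typed) in either order
    return "".join(f"{c:03d}" for c in sorted(pair)).encode()


def verify(ch, guess, now=None, max_attempts=MAX_ATTEMPTS):
    """Return one of: verified, wrong, locked, expired, already_verified."""
    now = now or datetime.now(timezone.utc)
    if ch.verified:
        return "already_verified"
    if ch.locked:
        return "locked"
    if now - ch.created_at > CHALLENGE_TTL:
        ch.locked = True
        return "expired"
    ch.attempts += 1
    if hmac.compare_digest(_canonical(guess), _canonical(ch.amounts)):
        ch.verified = True
        return "verified"
    if ch.attempts >= max_attempts:
        ch.locked = True  # fresh deposits must be sent before the customer can try again
        return "locked"
    return "wrong"


def guess_space():
    """Unordered pairs of 1..99 with repetition: 99*100/2 = 4950."""
    return MAX_CENTS * (MAX_CENTS + 1) // 2


def brute_force(ch, max_attempts=MAX_ATTEMPTS):
    """Someone who knows only the account and routing numbers tries every pair.
    Returns (outcome, guesses_made)."""
    guesses = 0
    for a in range(1, MAX_CENTS + 1):
        for b in range(a, MAX_CENTS + 1):
            guesses += 1
            outcome = verify(ch, (a, b), max_attempts=max_attempts)
            if outcome != "wrong":
                return outcome, guesses
    return "exhausted", guesses


def demo():
    """Constructed scenarios; the deposit pairs are fixed so the results are repeatable."""
    now = datetime.now(timezone.utc)
    results = {}
    results["either_order"] = verify(new_challenge("tok-1", now, (17, 42)), (42, 17))
    results["limited"] = brute_force(new_challenge("tok-2", now, (50, 60)))
    results["unlimited"] = brute_force(new_challenge("tok-3", now, (50, 60)), max_attempts=10**9)
    stale = new_challenge("tok-4", now - timedelta(days=8), (17, 42))
    results["stale"] = verify(stale, (17, 42), now=now)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the cap, the constructed attacker is locked out after three guesses (a 3 in 4950 chance of success per pair of deposits); without it, the same loop confirms the account on guess 3686, well within what a script does in seconds. The lockout should also be keyed to the account reference rather than the session, so that abandoning the challenge and requesting new deposits does not reset the budget.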
When I was last involved (2 years ago), the entire economy seemed to be an amusing dance between get rich quick miners / speculators and a relative handful of early adopters and pool operators siphoning cash off of the former.
My personal favorites:
http://bitmit.net - an auction site that allows you to buy and sell goods with bitcoins.
http://coindl.com - Download digital files, and pay the content creator in bitcoins. Many downloads have "pay as much as you want" pricing. These micro-transactions are only really possible with bitcoin.
Bitcoin Magazine - There is so much drama in the bitcoin world, and they do a great job of summarizing it and making it fun to read about.
There will be a big "Bitcoin Friday" sale on Nov 9th.
Cups and Cakes Bakery in SF will be participating as well.
Anyway, this service looks very cool and I will try it out for future bitcoin purchases.
I wonder if an easier disposal method for US customers is letting miners unload en masse?