I got my coin out of Inputs.io just a few days before they got hacked, and I've got a low balance in Coinbase. I'm going to make that a zero balance, because I've completely lost faith in any company's ability to manage Bitcoin.
Please ensure you're using random passwords on every site you use, select the best available security questions, use a password manager, and enable two factor authentication everywhere that allows it.
Also move all your coins into offline wallets. No online web wallets have a bank grade reputation.
Were you born yesterday?
The steal-all-your-money rate of bitcoin businesses is running right around 100%, and you're going to lecture people that "they can only ever lose a small portion of all stored user funds"? Really?
And there won't be even when they do.
And when they close due to massive theft / loss of coin, and take all of their users' funds with them, that will be the first suggestion that any user hears of.
It happened to me. It's not fearmongering, it's fact.
To use a metaphor, a failed proof of reserve is like detecting that someone who's riding a motorcycle without a helmet has been launched into the air due to a car crash, and is about to hit the ground. That doesn't change the fact that they're not wearing a helmet in the first place. And in bitcoin's case, no such "helmet" exists. There is no protection for consumers against losing their funds by the exchange.
There's always going to be this massive risk of the coins disappearing due to any number of reasons: that they get hacked, that the founder steals them, that they lose them to some massive technical problem, that they experience another undocumented bitcoin protocol issue like malleability, that they lose access to their cold storage wallets, etc.
This has happened at, what, a dozen exchanges so far? They've all died due to one of the above reasons. Who's next? It's completely possible that Coinbase is next, and that you're recommending users throw their money away by trusting them. There's no reason to trust Coinbase. Keep your funds in your own secure cold storage wallet, and you'll have them forever. Keep them in Coinbase and you'll have them exactly as long as Coinbase lasts.
In regards to Coinbase, if only because their terms make it clear they aren't liable for a customer loss of any cause whatsoever.
Their actions make clear that they are enormously untrustworthy.
Honestly, the best thing for the bitcoin ecosystem is to learn from Paypal and Visa, and to emulate their good qualities. I know it's popular to hate on the existing ways of doing things, but the existing ways have a lot of hidden wisdom embedded in them.
This could lower the transactional-risk cost between doing business with certified exchanges, and still allow users to do business outside but with the increased transactional costs.
But then again you're just building another financial exchange system controlled by the certificate issuer - except it would need to be backed by some form of international enforcement (e.g. WTO?).
Where is the benefit to bitcoins then?
You won't need insurance when the coins simply can't be stolen.
It'd be a good idea for Coinbase to implement, though.
But there are also some online wallets that already implemented it:
https://www.bitalo.com/ (this one is also at the same time something like localbitcoins.com)
From the top comment in that thread, it looks like the company with insurance underwritten by Lloyd's is Elliptic.
Please read my post carefully next time.
Perhaps you're arguing so vehemently in support of Coinbase because you're keeping all of your coins there? If so, I would suggest you move them to a secure cold storage wallet immediately.
Besides, I trust my mattress. It's a nice mattress made by a great VC backed mattress company. It's not like I'm putting my money under some mattress that I bought on craigslist.
Regarding user names, they are optional and meant to be public.
I think the biggest problem here has been that Coinbase hasn't been responsive to messages sent to their whitehat@ address. That and the fact that users are being spammed by "researchers," which is a problem that falls back on them to mitigate.
They haven't been "hacked" though, and the only thing that has been "leaked" is public account names and account existence. The latter is almost impossible to avoid if you require unique emails for accounts (if I'm wrong about that please correct me).
That's just my naive two cents, so let me know where I'm missing the picture if that's the case! :)
Their official response confirms this: http://blog.coinbase.com/post/81407694500/update-on-coinbase...
I suspect that the person who made this Pastebin just ran a huge list of known leaked emails, or dictionary based emails through the minor information leakage vulnerability discussed yesterday (https://hackerone.com/reports/5200). I would be willing to bet that this brief list is actually all he got back, and he is just lying when he says "Full list much bigger."
Since the vulnerability was reliant on knowing the email first, and since my email used on Coinbase is not a known email that I publicize I doubt he would have been able to discover my Coinbase account, nor the Coinbase accounts of anyone else who uses a sufficiently random and unknown email address when signing up.
There is no full list, and there is no leak. We're drafting a more formal response now.
A lot of people are getting nervous that you're not taking security seriously at Coinbase. Ignoring whitehat reports would seem to be a serious issue.
Those aliases are cheap insurance, but they aren't free: they'll cost you some tech support cycles.
A basic tech support person might be able to fend off the dozens of word salad "security notifications" sent by ESL students, but as they get more complicated and no less often irrelevant, you need people who actually know how your infrastructure works.
On top of the technical hassle comes the customer experience hassle of keeping a bunch of wannabe hackers happy as they demand rewards and their name on your site for their idea of a CSRF vulnerability that happens to have no basis in reality.
Not just emails, either. See also event logging: https://www.schneier.com/blog/archives/2014/03/details_of_th...
According to the original researcher, he mailed them and got no response, and got no response at all from several other attempts at contact.
I wouldn't be surprised one bit to find that the inbox for that address is full of spam and crackpots, but, like 'tptacek said, if you're going to have the list you had better dedicate resources to reading it.
I love this. Look, these silly free social sites do it, so it must be ok. Anyone know if BofA or Wells Fargo allow user enumeration?
You're correct. They don't. Not even to authorities without a warrant. Which is the point I was trying to make in my earlier comment.
Wells Fargo has 10-11 digit (depending on if it's WF or previously Wachovia) account numbers. One portion defines the bank branch where the account was opened, another portion defines the account type, and the last digit is a check digit. You can guess at an account number by attempting a deposit (in person or online).
There's also the fact that BofA and Wells Fargo have account numbers displayed in cleartext on pieces of paper that are handed to strangers.
I'm not arguing the merits of Coinbase's security, but traditional banks don't fare well either. Coinbase can improve. Traditional banks are limited by standards that they can't change.
So I started generating random numbers between common document number ranges (1000000-4000000).
Our public health system has a web app that lets you check your enrollment status by entering a document number, and there are no CAPTCHAs! So the attack was like this: generate a random document number, send a request to the public health app and get the target's info (name, date of enrollment and other info).
The most interesting thing was that I tried to log in to all accounts by using the birth date of the target as a password (the bank's password policy: just numbers, a min. of 6 numbers...). Around 40% of the clients were vulnerable.
The fact that they didn't help the customer until they took their grievances public indicated to me that either Coinbase don't care about their customers, or they were too busy trying to balance their books because of some proprietary trading gone wrong.
Thus I think it was foolish of Coinbase to release the letter condemning MtGox. Now anything that happens to Coinbase makes them look like total hypocrites. People, glass houses, stones etc.
It's one thing for a magic card trading company to morph into a Bitcoin exchange and have problems... but for a hot-shot start-up in San Francisco with self-proclaimed tech superstars at the helm and millions in the bank to screw up royally, well, it's just embarrassing.
There are rumors that a joint statement will be released at 5PM Pacific Time...
Joint Statement Regarding CoinBase
Apr 1st, 2014
The purpose of this document is to summarize a joint statement to the Bitcoin community regarding CoinBase.
This tragic violation of the trust of users of CoinBase was the result of one company’s actions and does not reflect the resilience or value of bitcoin and the digital currency industry. There are hundreds of trustworthy and responsible companies involved in bitcoin. These companies will continue to build the future of money by making bitcoin more secure and easy to use for consumers and merchants. As with any new industry, there are certain bad actors that need to be weeded out, and that is what we are seeing today. CoinBase has confirmed its issues in private discussions with other members of the bitcoin community.
We are confident, however, that strong Bitcoin companies, led by highly competent teams and backed by credible investors, will continue to thrive, and to fulfill the promise that bitcoin offers as the future of payment in the Internet age.
In order to re-establish the trust squandered by the failings of CoinBase, responsible bitcoin exchanges are working together and are committed to the future of bitcoin and the security of all customer funds. As part of the effort to re-assure customers, the following services will be coordinating efforts over the coming days to publicly reassure customers and the general public that all funds continue to be held in a safe and secure manner: Kraken, BitStamp, Circle, and BTC China.
We strongly believe in transparent, thoughtful, and comprehensive consumer protection measures. We pledge to lead the way.
Bitcoin operators, whether they be exchanges, wallet services or payment providers, play a critical custodial role over the bitcoin they hold as assets for their customers. Acting as a custodian should require a high-bar, including appropriate security safeguards that are independently audited and tested on a regular basis, adequate balance sheets and reserves as commercial entities, transparent and accountable customer disclosures, and clear policies to not use customer assets for proprietary trading or for margin loans in leveraged trading.
The following industry leaders stand by this statement:
Jesse Powell — CEO of Kraken
Nejc Kodrič — CEO of Bitstamp.net
Bobby Lee — CEO of BTC China
Nicolas Cary — CEO of Blockchain.info
Jeremy Allaire — CEO of Circle
p.s. Yes, this is the MtGox letter... who will be the last man standing? :-)
Check the forums over at BitcoinTalk, for months now, people using Kraken have been unable to withdraw their money, and deposits have been going 'missing'. The fact that support is conducted over a public forum, out of sheer desperation on the customers part, tells you something.
If CoinBase did go down, would you bet against the other providers crafting a public relations message to drum up business for themselves? It's dog eat dog out there - the idea that there is a community of Bitcoin businesses looking out for each other is a joke.
Unless the company actually had inadequate reserves to meet customer withdrawals, thus leaving the solvency of the company at risk of a good old-fashioned fractional reserve style bank-run...
I know CB is not a financial company and they are not obligated to provide the same protections to consumers/customers.
Phishing is not the only reason why a customer would not like their bank to confirm that they have an account.
As a matter of fact in this situation, when someone sends a fund request, CB should never let the requesting party know the name of the account holder, unless the account holder explicitly gives them permission, maybe not even then.
With any other organization law enforcement would require a warrant to get basic confirmation if a customer has an account and the name on the account.
On the password reset form, there's a big difference between saying "That email does not exist in our system"/"Emailed password reset instructions" vs "If that account is registered, we will email you instructions".
If you say, "we don't allow two accounts with the same email address", you have the same issue as coinbase.
I can't see how you can avoid making the experience for the duplicate user exactly the same as a new user.
> I can't see how you can avoid making the experience for the duplicate user exactly the same as a new user.
The workflow diverges at the email verification step, before you grant any access to the site. Existing users get an email informing them that someone has tried to sign up a second time using their email address while new users get the standard email verification email.
I highly recommend not allowing account creation before email address verification. I have a difficult to spell last name, so I have one email address that contains my initials and a common word instead of my last name. You'd be surprised the number of people who don't know their own email address and the number of sites that allow people to sign up (and apparently transact significantly) without verifying email addresses. Off the top of my head, if I wanted to, I could steal one person's tax accounting account (I got confirmation that they filed their state taxes this year, and later confirmation their state accepted their filing), another person's car rental account, and a third person's business's trash service account. From time to time the one person tries to reset their car rental account password. I imagine I could reset the passwords for all of these accounts (and others) and get the last 4 digits of their credit card numbers and other personal information and use that as a starting point for gaining access to other accounts they own. In the case of the tax account, I could probably re-download the tax paperwork and get their SSN. Neither the tax accounting company nor the car rental agency replied when I informed them that accounts were set up with the wrong email addresses. (I also get business quotes from time to time. Hopefully some day I'll get email from a business or person who knows the person who keeps trying to reset their car rental account.)
If you have enough users who forget they already have an account and your signup process makes them get too far before verifying their email address, consider moving email verification earlier in your workflow.
I assume that was the original point - that on risque dating sites, the recover password system tries to hide membership.
Just because email address is known does not imply that other personal information should be given away.
Doesn't seem innocuous. Maybe coinbase ought to be making pseudonymity more easily accessible.
Stopping email address validation is, I think, impossible for a company like Coinbase, but revealing the name doesn't have to happen.
On the other hand, providing the first and last name could be very valuable to the users, though. If I send coins to email@example.com, I'd like to see the real name behind that address.
On the other other hand, if anyone can make any first and last name they wish, then the safety of that goes away. Maybe I make firstname.lastname@example.org with the same real name.
EDIT The users agreed to have their names given to people they transact with. Does that include strangers attempting to transact with them? I'm thinking "no" but can see the other side.
(1) is opt-in on the recipient's side and fails with something like "that recipient email address doesn't have an account, the name doesn't match, or they haven't decided to allow name verification"
(2) is only available on payments above your highest guess at the expected value of matching an account-email-name triple for spearphishing, and the error messages (and timings) are identical if the name doesn't match or the given email address doesn't have an account.
I imagine there are few profitable attacks where an answer "yes, email_address with name has a Coinbase account" costs a minimum of 100 USD to an attacker and getting an answer "Either email_address doesn't have an account, that name doesn't match our records, or they've chosen not to share their name" costs 0 USD. However, I'd have to think a bit more about that 100 USD minimum.
"This is the bullshit excuse they are trying to use to make it SEEM like its not a vulnerability."
Coinbase is deliberately misleading their users regarding privacy if they do not fix this issue!
Not only are they not rate limiting and leaking names, their implementations are simply laughable.
With a proper design, customers should have been allowed to either enable/disable that endpoint when somebody is searching for their email, or there should have been an option to whitelist a set of users that are able to look up that information and make a transaction request.
On top of that, they should have been able to detect a pattern such as this attack and pro-actively block it.
This would pass for a to-do app API but Coinbase? Wow.
Almost any site that has a password reset can be used to verify whether an email account exists in that system - depending if the system tells you "no user with that username exists" or not. Coinbase is in no way unique with the amount of info they expose, which is the point they were trying to make on their "official" response.
I would have liked to see them announce that the API does have some sort of throttle and maybe they are going to think of ways to enable an option for this behavior or something - basically anything except to just dismiss it. Because even though I personally agree with them as far as the level of vulnerability - a lot of people don't and Coinbase doesn't seem to understand this perception problem.
1. User enters email in password reset form.
2. Website shows the same message whether the password was reset or not.
3. Email is what differs. If the account exists, send a password reset link. If it does not, send an email asking them if they want to create an account (and offer an unsubscribe link so people can't spam signup emails).
1. User enters email in signup form.
2. Website states it is sending an email to verify the account.
3. If it already exists, send a message saying they already have an account. If not, send the normal email verification link and then they can complete filling in their account details.
This prevents someone without access to the email from finding that the account exists, and also keeps the owner of the email filled in if they just forgot which email they used for the account or that they already had an account.
The problem is the convenience tradeoff. Take a site that has an instant green/red indicator that a username is already taken. People love the instant feedback, but it creates an attack vector. If you had to wait around for an email to see if you had already signed up - I bet a "Show HN" would have people here telling you that your site was user hostile! Even though it is unquestionably more secure.
I do think what Coinbase is doing now is not out of line with standard practices. But for a financial site they might be wise to start erring in the direction of security at the expense of a little convenience.
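The two flows sketched above (reset and signup both answering with one fixed message, and the signup workflow diverging only at the email verification step, as the earlier comment put it) can be made concrete. The following is an added example written for this page, not Coinbase's code or anything posted in the thread. It assumes a tiny in-memory user set standing in for the account database, an in-memory outbox standing in for the mail sender, and a hypothetical `example.invalid` host for the links; the public response strings are constants so a client can never see a per-address difference.

```python
"""Enumeration-resistant password reset and signup flows (added example).

The HTTP-facing response is identical whether or not the address is
registered. The only thing that differs is which email lands in the
inbox, which only the inbox owner can read.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def normalize_email(address: str) -> str:
    """Case-fold and trim (hypothetical policy) so 'Alice@Example.com '
    and 'alice@example.com' resolve to the same account."""
    return address.strip().lower()


@dataclass
class AccountService:
    users: Set[str] = field(default_factory=set)            # registered, normalized emails
    outbox: List[Tuple[str, str, str]] = field(default_factory=list)  # (to, subject, body)
    reset_tokens: Dict[str, str] = field(default_factory=dict)        # token -> email

    # Fixed public responses: nothing here can vary with the address.
    RESET_RESPONSE = "If that address is registered, we have emailed reset instructions."
    SIGNUP_RESPONSE = "Check your email to continue signing up."

    def request_password_reset(self, address: str) -> str:
        email = normalize_email(address)
        if email in self.users:
            token = secrets.token_urlsafe(32)
            self.reset_tokens[token] = email
            self.outbox.append((email, "Reset your password",
                                f"Use this link: https://example.invalid/reset/{token}"))
        else:
            # The inbox owner learns there is no account; an attacker who
            # does not control the inbox learns nothing from the response.
            self.outbox.append((email, "No account found",
                                "Someone asked to reset a password for this address, "
                                "but no account exists. You can sign up at "
                                "https://example.invalid/signup"))
        return self.RESET_RESPONSE

    def start_signup(self, address: str) -> str:
        email = normalize_email(address)
        if email in self.users:
            self.outbox.append((email, "You already have an account",
                                "Someone tried to sign up with this address. "
                                "If it was you, log in or reset your password."))
        else:
            token = secrets.token_urlsafe(32)
            self.outbox.append((email, "Verify your email",
                                f"Confirm to finish signing up: https://example.invalid/verify/{token}"))
        return self.SIGNUP_RESPONSE

    def consume_reset_token(self, token: str) -> Optional[str]:
        """Redeem a single-use reset token; returns the email or None.
        Compares in constant time so token lookup does not leak by timing."""
        for stored, email in list(self.reset_tokens.items()):
            if hmac.compare_digest(stored, token):
                del self.reset_tokens[stored]
                return email
        return None
```

The trade-off the comment above describes is visible in the code: the user who forgot which address they used has to wait for an email instead of getting an instant "taken" indicator, and the unregistered-address email needs an unsubscribe path so the form cannot be used to spam arbitrary inboxes.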
I don't think many banks (if any) will let you do a password reset based on your email address, they would use your credit card/account number as identifier of some sort not tied in to their authentication system or system that can be hacked (ie: email).
Them comparing a financial service API that deals with money to Google+ or Facebook should tell you as much.
edit: The recent adobe email list comes to mind.
What you describe is exactly the exploit that was disclosed and exactly what the person exploiting it seems to have done based on the content of the list. Of course, Coinbase argues that this is a feature and not a bug.
That doesn't really mean anything, since it clearly says at the top:
"Here is a partial list of Coinbase user emails and their full names. Full list much bigger."
Which could be bullshit and scaremongering. But it certainly could be true that they have a large number of Coinbase user's emails.
It could also be that you are reading too much into it.
>"Here is a partial list of Coinbase user emails and their full names. Full list much bigger."
Where does it say in that sentence that the OP has access to the "full list"? It doesn't say that. It implies it, which you picked right up on. But he doesn't explicitly say, "Here is a partial list of the full list in my possession".
A website is not a bank. There are no armed guards or vaults and there is no federal insurance for your bitcoin. You're basically all handing your money to some guy who keeps all the coin on the second floor of a corporate office with a single old dude standing guard at the elevator. It's totes hard to get past that guy, because like, he has a badge and a hat and everything.
I'm not buying Bitcoin because it's decentralized. I'm buying it because there is a market bubble, and I can profit from currency speculation.
Coinbase is more like an AC'd storage facility with locks on the doors and people on staff checking IDs than a "dark open lot 2 miles from my house". Yeah, its not Fort Knox, or even a basic bank vault, but if I think I'm much more likely to lose a thumb drive or have my computer stolen than suffer a catastrophic problem with a storage facility owned by reputable people, how does it not make sense?
That said, I'd probably be thinking about this a lot harder if I had any serious money put away in bitcoin. A storage facility is not an appropriate place to store 5 tons of gold.
Decentralization means the freedom to partially centralize.
>There are no armed guards or vaults and there is no federal insurance for your bitcoin.
You can pay for private insurance, which can cover more money than federal insurances (albeit it's not free). Just like it should be.
That is an interesting accusation. Even if this is true, we are unlikely to have evidence. Is there a serious risk to Coinbase users, granted the government has full access?
The allegation of a gag order is a bit odd, however. This should all be fairly obvious, so I'm not sure why anyone would want to keep it secret. Counting on the hubris and naivety of criminals, I guess?
Also, I should note I am no expert on this topic, I just think people would be very foolish to cheat on their taxes or commit financial crimes via Coinbase or any very large exchange. One should assume government prosecutors or tax collectors can and do access it just as easily as with the regular banking infrastructure (to whatever extent that is), even if they don't actually do so yet.
Btw, has anyone actually confirmed any of these emails / names are real? I have a coinbase account and am not mentioned in the leak.
Also, what is the evidence for the assertion that transaction logs are delivered daily? Given recent revelations, it's probably a reasonable assumption, but there's still no actual evidence given.
Um, no. If that is what Coinbase believes, I just lost respect for their claims of security.
You can find people's G+ profile if you guess the email correctly. I wouldn't be surprised if LinkedIn, Facebook, etc. had the same type of thing. I do think that coinbase-API should be rate-limited or unreplayable, but I'm _much more_ interested in where the email-list input data came from. My email wasn't in this alleged partial list, but if it was I'd like to know where they got my email from to begin with because the source of that email-list is the real problem IMHO.
I will say this though: Coinbase, please make sure there is absolutely no api call that returns banking/CC info!
This whole debacle is making a mountain out of a molehill.
They take in all mail - instead of telling the sending MTA that the account doesn't exist the message is accepted and sent to /dev/null. A bounce message may be generated but the automated MTA won't see that as the message will be carrying invalid mail sender information.
The data obtained is an email address and a name (only if the user filled in the "name" field). This may as well be treated as public information.
1) Aids phishing attacks against Coinbase and customers
2) Oftentimes harmless tidbits of information can be combined to form non-harmless information. In this case, disclosing email, name, and the fact of being a Coinbase customer, or not, seems minor on its own. However, combine it with some other dataset (let's say emails/passwords taken from an unrelated site), and now it would be easier to break into accounts without setting off warning bells, since you already know who is a user or not.
Dismissing the information disclosure strikes me as akin to the "it's only harmless metadata" argument of the NSA. As we have already seen in many reports, "metadata" can be surprisingly powerful.
If one cares about the privacy aspect, then don't use an email that is tied back to you in any way, and certainly don't fill in your personal information.
If CoinBase is so needlessly sloppy then it's not hard to picture a Mt Goxish scenario in its future.
First, the vast majority of attackers are more "smash and grab" than "stealthy jewel theft." They really don't care about leaving tracks, they are going for volume. Want to phish people for coinbase creds? Email a mass of people. Have a list of usernames/password from a data breach? Attackers have automated tools that will automatically try them against thousands of websites. It's more expensive and time consuming for them to try and leverage minor info disclosures to narrow down their attack than to simply brute the crap out of everything. The economies of scale devalue the info disclosure.
Second, you are making an apples-to-oranges comparison. The boolean "Is/Is not a Coinbase user" provides a single data point, and is far less valuable than a hundreds if not thousands of datapoints about who is communicating with whom, and for how long. The single piece of meta-datUM of Coinbase pales in comparison to the meta-datA of phone logs.
But if you know somebody has a lot of money, then the rational amount of effort to apply goes way up. That's why stealthy jewel thieves are stealthy.
Since the whole point of Coinbase is to contain money that, from other BTC sites, appears to be easily stolen and easily laundered, I think a set of known Coinbase accounts could well be worth the effort.
So, this sort of leak or enumeration basically reduces the (though tenuous) degree of security afforded by one's privacy.
Some people certainly do: https://twitter.com/search?q=just%20bought%20coinbase&src=ty...
I agree it's not ideal, but if your security relied on a guessable email address staying private, you're already not in a good place.
Bonus points: That screenshot also tells you I have an account with Patelco Credit Union.
If someone who is not an employee of either company manages to steal funds from me just based on that screenshot then there is some other security-issue somewhere else and it was bound to happen sooner or later.
Probably something like this, which I don't really see how you'd protect yourself against. Like getting hit by a car running a red-light.
Think about it. Email enumeration is possible if accounts are associated with an email address. Otherwise forgot password forms would simply say successful even if someone typo'd their address (terrible UI) or the signup forms would allow multiple accounts with the same email address.
EDIT: On the other hand even if the response is always the same, I expect most implementations to be vulnerable to a timing attack ;)
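The timing attack mentioned in that edit is easy to reproduce. What follows is an added example written for this page, not code from the thread or from Coinbase. It assumes a constructed in-memory user table, a PBKDF2 call standing in for whatever password hash the real service uses, and a deliberately modest iteration count so it runs quickly. Both handlers return the identical "Invalid email or password." message, but the naive one only pays the hashing cost when the address is registered, so an attacker with a stopwatch can still separate registered from unregistered addresses. The hardened one hashes against a dummy record on the unknown path so both paths do the same work.

```python
"""Timing side channel behind an 'identical message' login (added example)."""
import hashlib
import hmac
import os
import time
from typing import Dict, Tuple

ITERATIONS = 100_000          # hypothetical KDF cost, kept small for the demo
SALT_BYTES = 16
MESSAGE = "Invalid email or password."
Store = Dict[str, Tuple[bytes, bytes]]   # email -> (salt, password hash)


def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store(*emails: str, password: str = "correct horse battery staple") -> Store:
    """Constructed user table: every listed email gets the same placeholder password."""
    store: Store = {}
    for email in emails:
        salt = os.urandom(SALT_BYTES)
        store[email] = (salt, kdf(password, salt))
    return store


# A fixed dummy credential so the hardened path always has something to hash.
DUMMY_SALT = os.urandom(SALT_BYTES)
DUMMY_HASH = kdf("dummy", DUMMY_SALT)


def login_naive(store: Store, email: str, password: str, stats: Dict[str, int]) -> str:
    """Same message either way, but the KDF only runs when the email exists."""
    rec = store.get(email)
    if rec is None:
        return MESSAGE               # fast path: leaks 'no such account' by timing
    salt, expected = rec
    stats["kdf_calls"] += 1
    if hmac.compare_digest(kdf(password, salt), expected):
        return "ok"
    return MESSAGE


def login_hardened(store: Store, email: str, password: str, stats: Dict[str, int]) -> str:
    """Always run the KDF; unknown emails are checked against the dummy record."""
    salt, expected = store.get(email, (DUMMY_SALT, DUMMY_HASH))
    stats["kdf_calls"] += 1
    matched = hmac.compare_digest(kdf(password, salt), expected)
    # The membership check stops a guess of the dummy password from logging in.
    if matched and email in store:
        return "ok"
    return MESSAGE


def timing_gap(handler, store: Store, known: str, unknown: str, rounds: int = 3) -> float:
    """Attacker's view: median seconds for a known address minus an unknown one."""
    def median_seconds(email: str) -> float:
        samples = []
        for _ in range(rounds):
            t0 = time.perf_counter()
            handler(store, email, "wrong password", {"kdf_calls": 0})
            samples.append(time.perf_counter() - t0)
        samples.sort()
        return samples[len(samples) // 2]
    return median_seconds(known) - median_seconds(unknown)


if __name__ == "__main__":
    users = make_store("alice@example.com")
    for name, handler in (("naive", login_naive), ("hardened", login_hardened)):
        gap = timing_gap(handler, users, "alice@example.com", "bob@example.com")
        print(f"{name:9s} known-minus-unknown gap: {gap * 1000:.1f} ms")
```

Run stand-alone, the naive handler shows a gap on the order of the KDF's cost while the hardened one's gap is down in the noise. Equalizing the work is necessary but not sufficient: the dictionary lookup and the `email in store` check still differ by a few nanoseconds, which is why rate limiting and per-address lockouts belong on the same endpoint.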
A list of emails and names feels a lot like trying to cause a panic to get people to dump Coinbase.
Erik: Our engineers are aware of this development and concluded that the released information was not acquired through a security breach in our systems. Instead, the poster was already in possession of your email address and used our "Request Money" functionality to obtain the name given to our system on the Settings page of your account (https://coinbase.com/settings). Although this is an intended feature, we understand that some users may wish to not disclose information to third-parties that are able to obtain their email addresses. As such, we are working on improvements that will give users an option to hide their name from other users.
I like to be able to track who spams me and in case of leaks I like the ability to disable an email address...
and did you always do this or did you start at one point having to go back through a lot of old accounts to change emails and passwords?
I'll also use it for sites that I know are going to send me spam, and then immediately create a filter that deletes emails sent to email@example.com (note: that's not my real email)
I use firstname.lastname@example.org for this purpose and it makes it handy to see who has somehow lost/disclosed my email to third parties and not informed me (FreshDirect for example)
Or, more importantly, it lets you authenticate the sender in some way. Citibank has to send you email to you.citibankiscool1253stuffonlyIknow@example.net and it is unlikely for a spammer to guess that exact wording (without also trying hundreds of others, which would give it away by filling your inbox).
Otherwise, as a 'true' spammer, why wouldn't you just always strip off everything after the plus when adding the email to your distribution list?
I started doing this four years ago but before that I had an email address that I reserved only for signing up for most websites (to prevent spam leaking into my personal email address).
virtual_alias_maps = hash:/etc/postfix/db/virtual_aliases
That gets forwarded to your actual email address, and you can see how it was tagged. If needed, you can whitelist/blacklist specific senders from specific tags as well.
That functionality is not an RFC requirement, however.
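The per-service tagging described in the comments above (a tag per site to see who leaked the address, and a tag a legitimate sender has to know) can be turned into an inbound check. The following is an added example for this page, not anything the commenters posted and not a Postfix feature. It assumes the common `local+tag@domain` convention (which, as the reply notes, the mail RFCs do not require of every server), a constructed registry of which sender domain each tag was handed to, and a few constructed message headers. Mail to a tag from the expected domain is normal; mail to a tag from anyone else means the address leaked or is a phish; mail to the bare untagged address, the case a spammer stripping everything after the plus would produce, is flagged as untrusted.

```python
"""Classify inbound mail by plus-address tag versus sender domain (added example)."""
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

TAG_SEPARATOR = "+"   # common server convention, not an SMTP RFC requirement


def split_tag(address: str) -> Tuple[str, Optional[str], str]:
    """'Me <me+acme@Example.org>' -> ('me', 'acme', 'example.org');
    tag is None when the address carries no '+' part."""
    _, addr = parseaddr(address)
    local, _, domain = addr.rpartition("@")
    base, sep, tag = local.partition(TAG_SEPARATOR)
    return base.lower(), (tag.lower() if sep else None), domain.lower()


def sender_domain(from_header: str) -> str:
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify(headers: Dict[str, str], registry: Dict[str, str]) -> str:
    """Compare the tag the message was sent to against who that tag was given to."""
    _, tag, _ = split_tag(headers.get("To", ""))
    sender = sender_domain(headers.get("From", ""))
    if tag is None:
        return "untagged"            # bare address: tag stripped, or never known
    expected = registry.get(tag)
    if expected is None:
        return "unknown-tag"         # tag never issued: guessed or forged
    if sender == expected or sender.endswith("." + expected):
        return "expected"            # the service the tag was given to
    return "leaked-or-phish"         # tag issued to X, mail arrived from Y


# Constructed registry: which tag was handed to which service.
REGISTRY = {"citibank": "citibank.com", "freshdirect": "freshdirect.com"}

# Constructed sample headers; none of these senders or addresses are real mail.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"From": "alerts@citibank.com", "To": "me+citibank@example.org"},
    {"From": "deals@bulkmailer.example", "To": "me+freshdirect@example.org"},
    {"From": "security@citibank-login.example", "To": "me@example.org"},
    {"From": "noreply@paypal.example", "To": "me+paypal@example.org"},
]


def classify_all(messages=SAMPLE_MESSAGES, registry=REGISTRY) -> List[str]:
    return [classify(m, registry) for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, classify_all()):
        print(f"{verdict:16s} From={msg['From']} To={msg['To']}")
```

The second sample is the FreshDirect case from the comment above: the tag is genuine but the sender is not, which is the signal that the address was passed on. The check only covers the `From` header, which is forgeable; in a real deployment it should sit behind SPF/DKIM results rather than replace them.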
If Coinbase is going to report earnings to the IRS, it's a good idea to match what they report or you might trigger the algorithm.
So I think the manual and automatic processes are considered to be two forms of the broader term "audit".
"An audit may be conducted by mail or through an in-person interview and review of the taxpayer's records."
"You will be provided with a written request for specific documents needed."
"An IRS audit is a review/examination of an organization's or individual's accounts and financial information to ensure information is being reported correctly, according to the tax laws, to verify the amount of tax reported is accurate."
Consequently by my interpretation (and actual experience over many years) your last sentence is not correct.
Also there are some borderline issues with taxes (and/or self employment or small corp) that can give you problems. (One for example is deducting for a home office, another might be charitable deductions, another might be writing off some auto usage).
Think in terms of what happens when you see the flashing lights of a police officer in back of you. Even if you haven't been speeding you don't automatically think "no problem I didn't do anything wrong" you get anxious thinking there might have been some mistake that you have made.
See the typical business owner isn't Zuck and doesn't have an army of knowledgeable advisers to handle all the details. You are essentially on your own with your accountant.
And sure, 1 in 1,000 is nice odds, but you're still breaking the law. And some people care about not breaking the law on principle.
Also, if you do something the government doesn't like, then they can retroactively investigate you and bring the full force of the law down on you for tax evasion, which carries harsh penalties.
How is that legal/constitutional? It's one thing to monitor one "target's" transactions, but everyone's?
(Then again, r/games faked moderation corruption as their April Fool's joke. That did not go over well.)
Perhaps yesterday's "bug" reporter was unhappy at being dismissed (and he paid for Burp Suite, too!) so perhaps he decided to cause, in his words, "panic".
There's good reasons to dislike Coinbase but this isn't one of them. And of course the "full list" is bigger - the list just contains some previously-known emails and their associated, optional, Coinbase name.
It's easy to block the account if spammers get hold of it, nobody is able to double check if I use other services by comparing login emails, I know which service has leaked my email... bottom line, I am in control. I feel sorry for these Coinbase users.
“Well,” he says looking at me knowingly, “Women don’t usually think in terms of efficiency and effectiveness”.
And right now, an email is part of your security auth since it's email * password.
When email is known as a 'good user' that reduces that multiplication to just password.
While I want to contact support for help, I am hesitant to fully disclose my issue in their contact form.
support.coinbase.com is just an alias for their Desk account.
It is kind of a moot point because I have committed to moving my bitcoin out of coinbase.