Hacker News new | comments | show | ask | jobs | submit login

I'm pissed. My email address is among those leaked. I got two transaction requests, the first for 732342.34425 BTC and the second for 999999.99999999 BTC. The second had registered a username of "⚠ URGENT: Сoinbase hacked. We" so that the email subject line read "⚠ URGENT: Сoinbase hacked. We sent you a payment request."

I got my coin out of Inputs.io just a few days before they got hacked, and I've got a low balance in Coinbase. I'm going to make that a zero balance, because I've completely lost faith in any company's ability to manage Bitcoin.

You've just become a target. Everyone now knows everyone on that list has Bitcoin and use web wallets, so it's effectively a list of potentially profitable targets for email account compromise.

Please ensure you're using random passwords on every site you use, select the best available security questions, use a password manager, and enable two factor authentication everywhere that allows it.

Also move all your coins in to offline wallets. No online web wallets have a bank grade reputation.

Hot/cold storage as coinbase is using is probably better than any encryption. Even an end of world bug means that they can only ever lose a small portion of all stored user funds. Manual processing of this means there is some sanity checking on large withdrawals too. Encryption affords you none of that, I would be happier with coinbase than storing on any other online wallet for this very reason.

> Even an end of world bug means that they can only ever lose a small portion of all stored user funds.

Were you born yesterday?

The steal-all-your-money rate of bitcoin businesses is running right around 100%, and you're going to lecture people that "they can only ever lose a small portion of all stored user funds"? Really?

Please don't make personally aggressive remarks like "Were you born yesterday?" on Hacker News. It only adds negativity, not information. That breaks our two most important principles: optimizing for signal/noise ratio, and being civil.

Coinbase isn't some random website made in a basement. It's a well funded, YC backed, known-founder company that complies with relevant banking law. There's absolutely nothing to suggest that they hold a partial reserve or have any ill intention whatsoever.

You're right, there isn't anything suggesting that they hold a partial reserve.

And there won't be even when they do.

And when they close due to massive theft / loss of coin, and take all of their users' funds with them, that will be the first suggestion that any user hears of.

It happened to me. It's not fearmongering, it's fact.

So ask them to prove their reserves if it bothers you so. Other large services have in the past.

Proving reserves doesn't help at all. They can die at any time from massive loss. Proof of reserve reveals whether there's a problem; it doesn't prevent any problem from happening.

To use a metaphor, a failed proof of reserve is like detecting that someone who's riding a motorcycle without a helmet has been launched into the air due to a car crash, and is about to hit the ground. That doesn't change the fact that they're not wearing a helmet in the first place. And in bitcoin's case, no such "helmet" exists. There is no protection for consumers against losing their funds by the exchange.

There's always going to be this massive risk of the coins disappearing due to any number of reasons: that they get hacked, that the founder steals them, that they lose them to some massive technical problem, that they experience another undocumented bitcoin protocol issue like malleability, that they lose access to their cold storage wallets, etc.

This has happened at, what, a dozen exchanges so far? They've all died due to one of the above reasons. Who's next? It's completely possible that Coinbase is next, and that you're recommending users throw their money away by trusting them. There's no reason to trust Coinbase. Keep your funds in your own secure cold storage wallet, and you'll have them forever. Keep them in Coinbase and you'll have them exactly as long as Coinbase lasts.

> Keep your funds in your own secure cold storage wallet, and you'll have them forever.

In regards to Coinbase, if only because their terms make it clear they aren't liable for a customer loss of any cause whatsoever.

YC-backed startup means a culture of 'move fast and break things' - works for facebook, but definately not something I would want to store my bitcoin on, since 'break things' means 'losing all my money with no recourse'

There's one reason to believe they have ill intention: their habit of ignoring serious user problems (lost deposits, security problems) until they're widely public.

Their actions make clear that they are enormously untrustworthy.

That doesn't really suggest malice so much as ill attention. From their posts it sounds like they are stretched a little thin under the load, if they wanted to steal they would just be gone not occasionally unresponsive.

It doesn't matter one bit if it's malice or inattention once your coins are gone.

MtGox was the biggest Bitcoin exchange with the largest trade volume. I still lost all my BTC when it went under.

Same. It seems like it can't happen until it happens, and then you face the reality that it happened. It sucks, and there's absolutely no protection for consumers from it. There's not even any insurance policy that exchanges can purchase yet, which is pretty much the only hope at this point.

Wouldn't that add a transactional cost to bitcoin, not unlike PayPal or Visa?

I've spent a couple months trying to come up with ways to protect bitcoin consumers, and the only thing I can think of is for exchanges to purchase some kind of high-risk insurance which will cover losses by the exchange. Nothing else will protect users, as far as I can tell, precisely because of bitcoin's irreversible transactions.

Honestly, the best thing for the bitcoin ecosystem is to learn from Paypal and Visa, and to emulate their good qualities. I know it's popular to hate on the existing ways of doing things, but the existing ways have a lot of hidden wisdom embedded in them.

Well, you could create a certification program in which member exchanges agree to a set of financial standards between each other - e.g. they would automatically do charge backs on disputes within the system.

This could lower the transactional-risk cost between doing business with certified exchanges, and still allow users to do business outside but with the increased transactional costs.

But then again you're just building another financial exchange system controlled by the certificate issuer - except it would need to be backed by some form of international enforcement (e.g. WTO?).

Where is the benefit to bitcoins then?

All of you guys seem not to be aware of the things you can do with Bitcoin. Eg: multi-signature wallets.

You won't need insurance when the coins simply can't be stolen.

I am aware of multisig, but multisig precludes realtime trading, which is usually the main point of an exchange.

It'd be a good idea for Coinbase to implement, though.

Some Googling only brings up names of exchanges that are working on multi signature wallets. Do you have a link to how to set it up on your own machine?

Sure: https://www.youtube.com/watch?v=zIbUSaZBJgU

But there are also some online wallets that already implemented it:



https://www.bitalo.com/ (this one is also at the same time something like localbitcoins.com)

Yes, of course. And since transactions are completely irreversible on Bitcoin the insurance rate would have to be higher than otherwise, as there's no collateral for the insurance company to claim when they do payout.

xapo.com is insured by Meridian group. There's also one in the UK that's insured Lloyd's that I'm drawing a blank on. Have you looked into either of them?

But how can outsiders confirm that they are really insured and not just bluffing?

This is the first I've heard that any insurance company is willing to fully insure any bitcoin exchange, and it's wonderful news. Thank you so much for pointing it out! I'll look into it and see whether it's as good as it sounds.

Thank you so much for pointing that out. It did seem too good to be true.

I'm not sure how much truth there is to that post since I haven't done any due diligence myself, I just remembered seeing it a while back.

From the top comment in that thread, it looks like the company with insurance underwritten by Lloyd's is Elliptic.

Which relevant banking law? AFAIK Coinbase is not a bank.

Just invest in a raspberry pi as an offline cold storage bitcoin machine. They're not expensive, and armory (or electrum) work fine on it. Make a paper backup and keep it in a safety deposit box if you have a large amount of bitcoins.

That's not convenient. Coinbase is convenient. You're suggesting a ride on lawnmower as a substitute to a car. As a spending wallet Coinbase is fairly close to ideal.

Please read my post carefully next time.

There's no reason to argue against an inexpensive solution like a Pi + Armory in comparison to the massively risky "trust a third party to hold all my coins" approach.

Perhaps you're arguing so vehemently in support of Coinbase because you're keeping all of your coins there? If so, I would suggest you move them to a secure cold storage wallet immediately.

Ah yes convenience, clearly the most important factor when choosing where to store your currency.

I keep my savings in cash under my mattress. Sure, banks are more secure, but they have annoying hours and having the money easily accessible is much more convenient.

Besides, I trust my mattress. It's a nice mattress made by a great VC backed mattress company. It's not like I'm putting my money under some mattress that I bought on craigslist.

If crypto ever wants to win over fiat among the "masses", then yes, it clearly is. Because most people don't care about scary-sounding fluff pieces about the "Fed's fractional reserve ponzi" etc.

Why would you assume any of that? Do you put blind faith in companies as a rule, or has something about coinbase particularly enchanted you?

To be clear, the attacker got your email from somewhere else and confirmed that it was on Coinbase. That's the "bug." It's like if you went to go make an account with a certain email on Facebook and found that it was taken. You would then know that the person with that email has an account on Facebook.

Regarding user names, they are optional and meant to be public.

I think the biggest problem here has been that Coinbase hasn't been responsive to messages sent to their whitehat@ address. That and the fact that users are being spammed by "researchers," which is a problem that falls back on them to mitigate.

They haven't been "hacked" though, and the only thing that has been "leaked" is public account names and account existence. The latter is almost impossible to avoid if you require unique emails for accounts (if I'm wrong about that please correct me).

That's just my naive two cents, so let me know where I'm missing the picture if that's the case! :)

Im sceptical of this. My email was not published anywhere with regards to bitcoin or coinbase, I receive relatively little spam, yet I received 4 of these messages.

The original disclosure never claimed that emails were leaked. They were found somewhere else: http://blog.shubh.am/full-disclosure-coinbase-security/#poc

Their official response confirms this: http://blog.coinbase.com/post/81407694500/update-on-coinbase...

You can only get so much for FREE, that's not Coinkite.com's model. We charge, but we answer email and fix issues.

But a quick read over your ToS defines bitcoins as having no value and not subject to law ("Bitcoins and Litecoins ("Coins") do not constitute a currency, an asset or a form of property at law or otherwise") and that you're not responsible if they mysteriously vanish ("Any purchase or sale of Coins, for money, virtual currency or other consideration, involves inherent risks and may lead to the complete loss of any value, virtual currency or other consideration, and you agree to wholly accept any and all such risk.")

Yes, but they'll answer e-mails when you ask why all of your bitcoins disappeared.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact