
Would you care explaining why it is that you believe email enumeration to be "insecure"?

The data obtained is an email address and a name (only if the user filled in the "name" field). This may as well be treated as public information.

It also discloses whether someone is a customer or not. Possibly en masse. Problems:

1) Aids phishing attacks against Coinbase and customers

2) Oftentimes harmless tidbits of information can be combined to form non-harmless information. In this case, disclosing email, name, and the fact of being a Coinbase customer, or not, seems minor on its own. However, combine it with some other dataset (let's say emails/passwords taken from an unrelated site), and now it would be easier to break into accounts without setting off warning bells, since you already know who is a user or not.

Dismissing the information disclosure strikes me as akin to the "it's only harmless metadata" argument of the NSA. As we have already seen in many reports, "metadata" can be surprisingly powerful.
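As an added illustration of the points above (example code, not from the thread or from Coinbase), this Python mock contrasts the lookup shape being criticised with a send-to-email flow whose receipt is identical for customers and non-customers, plus a simple detector for bulk probing; the account data, ledger and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample account store (made-up test data, not real users).
ACCOUNTS = {"alice@example.com": {"name": "Alice Example"},
            "bob@example.com": {"name": ""}}
LEDGER = defaultdict(int)      # email -> balance credited (constructed)
PENDING_INVITES = set()        # non-customers who were sent a claim link

def leaky_lookup(email):
    """The pattern the thread criticises: an unauthenticated caller learns
    both whether the address is a customer and the optional name field."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return {"exists": False}
    return {"exists": True, "name": acct["name"]}

def send_to_email(email, amount):
    """Hardened shape: the account-or-invite decision stays server-side and
    the receipt is identical for customers and non-customers, so the public
    endpoint discloses neither existence nor name."""
    if email in ACCOUNTS:
        LEDGER[email] += amount
    else:
        PENDING_INVITES.add(email)   # a claim link goes out by email instead
    return {"status": "accepted", "amount": amount}

class EnumerationDetector:
    """Residual control for the case the thread calls unavoidable: existence
    can still be probed one address at a time, so flag a client that queries
    many distinct addresses in a short window. Thresholds are assumptions."""
    def __init__(self, max_distinct=20, window_s=60):
        self.max_distinct, self.window_s = max_distinct, window_s
        self.events = defaultdict(deque)   # client_id -> deque of (ts, email)

    def record(self, client_id, email, ts):
        """Return True once this client exceeds its distinct-address budget."""
        q = self.events[client_id]
        q.append((ts, email))
        while ts - q[0][0] > self.window_s:  # drop events outside the window
            q.popleft()
        return len({e for _, e in q}) > self.max_distinct
```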

I would argue that using a personal email and filling in your full name on coinbase, who CLEARLY state you have no expectation of privacy in this regard, is effectively the same as publicizing the information.

If one cares about the privacy aspect, then don't use an email that is tied back to you in any way, and certainly don't fill in your personal information.

Or, and this is much easier, use a web site that actually cares about its users' privacy?

If CoinBase is so needlessly sloppy then it's not hard to picture a Mt Goxish scenario in its future.

While I don't find Coinbase's response here reassuring, if you work with a business whose bizmodel is "people can send money to your email address" then it becomes essentially impossible to stop someone from verifying that your address exists.

2 things:

First, the vast majority of attackers are more "smash and grab" than "stealthy jewel theft." They really don't care about leaving tracks, they are going for volume. Want to phish people for coinbase creds? Email a mass of people. Have a list of usernames/password from a data breach? Attackers have automated tools that will automatically try them against thousands of websites. It's more expensive and time consuming for them to try and leverage minor info disclosures to narrow down their attack than to simply brute the crap out of everything. The economies of scale devalue the info disclosure.

Second, you are making an apples-to-oranges comparison. The boolean "Is/Is not a Coinbase user" provides a single data point, and is far less valuable than hundreds if not thousands of datapoints about who is communicating with whom, and for how long. The single piece of meta-datUM of Coinbase pales in comparison to the meta-datA of phone logs.

The second point is a bit of a straw-man. I never meant to imply that this Coinbase disclosure and the NSA metadata are proportional in terms of severity; just that they are structurally similar. The point is that small bits of information can become surprisingly big with the right analysis and effort.

That first point strikes me as irrelevant here. Smash and grab is what you do when your probability of success and/or your take size is small.

But if you know somebody has a lot of money, then the rational amount of effort to apply goes way up. That's why stealthy jewel thieves are stealthy.

Since the whole point of Coinbase is to contain money that, from other BTC sites, appears to be easily stolen and easily laundered, I think a set of known Coinbase accounts could well be worth the effort.

Do you publish that you have a Coinbase account? That's the issue. Now these people are valuable targets for spear phishing and other attacks on their e-mail accounts because it's known that they have hot access to at least some amount of Bitcoin. Without that information, an attacker is shooting blind.

So, this sort of leak or enumeration basically reduces the (though tenuous) degree of security afforded by one's privacy.


Some people certainly do: https://twitter.com/search?q=just%20bought%20coinbase&src=ty...

I agree it's not ideal, but if your security relied on a guessable email address staying private, you're already not in a good place.

Because "well someone else does it" has always been the best reason to behave a certain way...

No, and indeed I don't publish whether or not I have a coinbase account. But it isn't a serious security failure if that somehow got out.

Except for the non-zero possibility it could make the difference between you being murdered during a home invasion, or not.

Last time a politician was worried about non-zero probabilities, the U.S. invaded Iraq. I mean, if changing the probability someone's home gets broken into is our standard of practice nowadays there's a lot of companies which will have to close down today.

I reckon non-anonymous bitcoin holders are at greater risk than the average person with money in the bank, since draining the account of the former is a relative cinch once the keys are divulged. The whole crime could be completed within a few minutes.

That much may be true, but I'd consider that an inherent risk associated with using Bitcoin without using a pseudonym. Maybe I'm naïve but I have to assume people who care about such things are already tracking IP addresses directly from the Bitcoin network swarm itself for later investigation...

Likely Coinbase customers expected Coinbase to keep their real name secure from potential thieves. But they thought wrongly.


Bonus points: That screenshot also tells you I have an account with Patelco Credit Union.

You trust Patelco CU and Coinbase employees a lot... Watch out, it might backfire...

If an employee of either company steals from me, I'd expect them to be easily caught. If Coinbase decides to steal 1k from everyone then shut down, that would be crazy since the people behind Coinbase are very well known and in SF; I accepted that risk when I signed up. If someone inside Patelco decides to steal from me, that's a heavily regulated financial establishment - I don't think that person could get away with it or that Patelco wouldn't reimburse me.

If someone who is not an employee of either company manages to steal funds from me just based on that screenshot then there is some other security issue somewhere else and it was bound to happen sooner or later.

Probably something like this[1], which I don't really see how you'd protect yourself against. Like getting hit by a car running a red light.

1. http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking

I wasn't saying they would steal from you. I was referring to you trusting their competence to do their job right and not be social-engineered by some hacker into giving them access to your accounts. Thank you for the downvote.

The name is an optional field, so no one is being forced here. If you don't fill out your name, this oh-so-clever "hack" doesn't work.

Weev is doing 41 months in Federal prison for the exact same type of "public information".
