Coinbase Insured (coinbase.com)
137 points by markmassie on Aug 29, 2014 | 41 comments

Unless I'm misunderstanding, they're really saying they're now insured for ~3% of the BTC they hold. For security, they've always said they only store about that much online, the rest is offline cold storage, but this post says:

"Coinbase is now insured against theft and hacking in an amount that exceeds the average value of bitcoin it holds in online storage at any given time."

So you're still at the mercy of their offline storage security. Not saying there is a better option for most people, but this wouldn't protect you against a Gox-like breach.

> The insurance covers losses due to breaches in physical or cyber security, accidental loss, and employee theft.

I'm not convinced that this even protects the online wallet against Mt Gox style corporate malfeasance, where much of the damage was done as an intentional corporate decision by the leadership. (I'm conjecturing that's what happened at Mt Gox; regardless, this seems not to cover against them trying something intentionally with their coins related to trading, and then losing them all.)

Additionally, as you pointed out, this only covers a very small portion of their holdings - a percentage smaller than the number of Mt Gox coins that were "recovered" (about 25%).

Finally, Coinbase being insured against the value of the bitcoin loss doesn't translate into you being covered, as Coinbase may accrue other debts they have to pay off before your holding in the event of a hack large enough to cause a serious business disturbance, such as paying off creditors with higher standing.

That's key: Coinbase is insured.

With FDIC, the depositor is insured, not the bank. This is the bank being insured, not the depositor.

And in the case of FDIC, evidence of gross malfeasance on the part of the bank would likely result in a seizure of the bank and its assets. The FDIC then becomes the "receiver"[1], entrusted with ensuring as many of the remaining funds as possible can be returned, and any covered and outstanding amount paid by the insurance.

[1] https://www.fdic.gov/about/strategic/strategic/receivership....

"Finally, Coinbase being insured against the value of the bitcoin loss doesn't translate into you being covered"

Additionally I'm very curious why they never disclosed this publicly before. It's a decent marketing and selling point so there must be some reason they decided (or were required) to keep it under wraps for so long.

>>So you're still at the mercy of their offline storage security. Not saying there is a better option for most people, but this wouldn't protect you against a Gox-like breach.

Just FYI, Coinbase's staff is infinitely superior to the embarrassing shenanigans of MtGox. If you want to get an idea of what they're doing, jump to 12min30secs in this video https://www.youtube.com/watch?v=ZwG1roO70co

Assuming that Bitcoins won't be FDIC insured in the foreseeable future, this is as good as it gets imho unless you feel better moving the majority of your coins to your own address and keeping the private-key yourself.


And as always, Disclaimer: Bitcoins are not FDIC insured and it's still wild-west out there. Don't play with money you cannot afford to lose without any recourse.

That was the impression I also got from the post. It would be nice to have someone from coinbase clarify.

For people not experienced with bitcoin: For some types of bitcoin wallets the user retains their own private key, whereas with other wallets they have to trust a 3rd party (like coinbase) with their keys. This second type isn't really a wallet any more, per se... it's more like a bank that you are trusting with your money.

Of course, bitcoin startups really want to use the second model, where THEY control the money, which gives them many more avenues for profit: As any salesman knows, the closer you are to the money in a business, the more money you're likely to make yourself.

This means bitcoin companies are bending over backwards to say "look how safe your money is!" However, be aware if you ever buy bitcoins, it is much better to store your own bitcoins or use a wallet that allows you to manage your own private keys, or use a (now trendy) multisig wallet where the wallet company can't move money without your permission.

If a bitcoin bank says "We insure our bitcoins" your best response is "No thanks, I'd rather not have to trust you with my money in the first place." The whole raison d'être of bitcoin is that such trust isn't necessary.

For the vast, vast majority of people, they will be much better off letting someone else handle their wallet.

Even for those of us who are computer savvy, the lengths you have to go to in order to make sure that your wallet is completely secure and redundant isn't easy. I feel a lot more secure with the bank holding my money.

This is why the whole notion of Bitcoin's success is paradoxical. To really succeed it probably has to be pushed by these third-parties, which is an advantage over our current banking system because the core protocol will still be neutral, but only to an extent: third parties will almost certainly build features that lock people in on top of it. This is a far cry from the vision some proponents have of a completely decentralized system.

This is nothing against Coinbase or other centralized wallet services for that matter, but Coinbase is practically being forced to ask their users for a blood sample during user verification these days.

This level of user verification, necessitated by KYC, AML policies and so on, is extremely burdensome for end users.

In fact, I've heard Coinbase is now requiring their users to declare exactly _where_ bitcoins are to be sent when a withdrawal request is made. Furthermore, Coinbase is having to shut down customer accounts that are known to be associated with online gambling.

Native wallets don't come with these "features". That's the benefit of being in control of your own money.

You are right, but if Bitcoin ever goes mainstream that kind of regulation that impacts both services and users is going to happen. It never was going to overthrow the flank the financial system like some people hoped.

If Bitcoin ends up relegated to native wallets it probably will look like TOR - something that tech savvy people can use for certain activities, but not something that really caught on in widespread use.

Being able to be in control of your own money is great, if you can do it, but I tend to think most people don't want or can't handle that level of responsibility. Kind of at the heart of Bitcoin is a very libertarian philosophy on life and government. Our political system shows us that the vast majority of people aren't looking for that, and by extension, it probably applies to financial matters as well.

>For the vast, vast majority of people, they will be much better off letting someone else handle their wallet.


As I stated, it does take some work to make sure your wallet is secure and redundant (or even just your private key). Most people are just barely computer-literate, and therefore can't realistically do that. For them, third party services are a much better option.

Or I could just skip all of the convenience and regulatory stuff that will have to be built up around bitcoin to make them mainstream usable and just continue to use US Dollars which already have all that infrastructure in place.

Using bitcoin for currency as a whole (IMO) is almost like a misguided application rewrite -- sure, at the beginning it has all these advantages of being light and nimble and having limitless possibility, but by the time you add all the stuff users actually want/need back into the system you wind up pretty much right back where you started with the old heavy app, perhaps with a shift of power behind the scenes (from the old architect to the new architect, if those are different parties), but nebulous real advantages for end users at the end with a lot of transitional pain in between.

The "mainstream users should use hosted wallets" meme is inaccurate.

3rd party wallets do not provide security via black magic. They use tools like passwords, 2FA, and email addresses, all of which could be compromised on a user's computer. Think key loggers, viruses, social engineering, people leaving their computers unattended with the wallet open.

There is no technical reason why the security measures that Coinbase implements cannot be done using a personal wallet. Moreover, when storing coins on Coinbase, you are additionally subject to counter party risk (Coinbase goes under, loses their coins) as well as regulatory risk (Coinbase shuts down withdrawals due to regulations).

I don't consider it a meme.

Yes, they use passwords, 2FA, and email addresses, but those are all things mainstream users are familiar with and have to use for any other major service. They are not familiar with the concept of encrypting a wallet or the fact that deleting a wallet can lose you money.

Of course you are at risk of something bad happening to Coinbase, but steps like getting insurance are hedges against that. I should point out that when I talk about mainstream users, I'm not so much talking about right now, but in potentially a few years when Coinbase is more of a known institution or existing banks or other parties have jumped into the game. At that point a wallet hosted by Google or something will be a much better bet for most consumers.

> For the vast, vast majority of people, they will be much better off letting someone else handle their wallet.

Yes, and they can do that without handing over their private keys (see blockchain.info, etc.)

Unfortunately, blockchain.info and similar implementations are vulnerable to the Lavabit attack; you never know if the JS code your browser just downloaded won't send an unencrypted copy of the private key to their servers.

I would trust lots of professionals with my bitcoins more than I'd trust myself, especially if they had the right insurance policies in place.

The problem is that Coinbase only insured themselves against damage from coins-in-transition being accidentally lost or being stolen. That doesn't actually cover most of the cases that I'm worried about, because while a 3% loss would be annoying, it's nothing compared to the other failure modes and should be a loss that's sustainable by Coinbase independent of this insurance policy.

The problem isn't fundamentally exchanges holding the coins, but rather, exchanges holding coins so irresponsibly currently.

You actually didn't give a single good reason not to trust insured 3rd party storage. You just jumped to conclusion while shitting on companies that are improving bitcoin security.

Mt. Gox provided a very good reason not to trust a 3rd party

Though it was not the first (or second, or third) such example.

Mt. Gox didn't offer insured storage.

This is like saying "You never gave a good reason not to stab yourself in the eye".

The fact is that web wallets are available that are just as user friendly as coinbase that don't require you to do this. (trust a third party and/or stab yourself in the eye)

Regardless of whatever private insurance it has, Coinbase does not have a money transmission license in California or a surety bond as required by federal and state law.

They know they need one; they have applied in other states, such as Florida. See https://archive.org/download/coinbasefloridamtl/20140415.coi....

Interestingly, Coinbase appears to offer false information to the State of Florida in item 6(A)(2) of its application, which has since been withdrawn. Coinbase did receive a subpoena in the NY DFS's investigation of various Bitcoin companies in August, 2013. See http://www.reuters.com/article/2013/08/12/us-digitalcurrency....

I don't know how anyone who reads your experience with facecash could come to any conclusion other than the only way to innovate in payments is to brazenly break the law and never even try to deal with the California DFI.

One difference between my experience with regulators and Coinbase's is about $31.7 million in venture capital funding. Compliance is expensive, but they can afford it.

I'm reminded of the old saying that rich people didn't get rich by being loose with their money.

I would hardly consider negotiating with authorities "being loose with their money"...

Then you just don't have enough "hustle" for this business.

It wouldn't be a BTC or alternative money processing thread without Aaron thread-crapping.

The bitcoin insurance policy I want from an exchange is where they insure me against loss due to actions taken by the exchange and underwritten by a major underwriter, and not the exchange itself. Only then would I really believe that the exchange meant to protect my bitcoins fully, because they've essentially put themselves on the hook for the damages (by having to bear the cost of the insurance policy, recouped by some kind of holding fee or transaction fee).

The exchange having insurance does relatively little to protect me against loss, even if it's a smart business move on their part to limit their losses to creditors in the event of a theft of inventory. That's only sane business, and it's a little crazy how long it took that to become normal in bitcoin.

It seems (naively) reasonable that the exchange could float something like 10k-20k policies of some mixture of 0.1btc, 0.5btc, and 1btc protection, depending on the level of activity in an account, and require that anyone holding more bitcoin than that in their trading account take out a separate policy for that amount or else acknowledge that they're only protected up to 1btc. (An additional corporate policy against theft of inventory seems reasonable, and likely would lower the rate on these separate policies, since the underwriter would know you could cover some degree of loss already, through that policy.)


Thinking about the numbers, it would only be ~$20 million of coverage to cover 50,000 customers (40,000 at 0.5btc and 10,000 at 1btc). This seems reasonable.

How are premiums calculated for this kind of insurance? Are there software insurance tiers based on code & systems inspections?

Off topic, but why does it still take 4 days to buy bitcoins from the site?

Same reason as always: The existing payment system used in the world has a weird system of "chargebacks" which mean that it's hard to know that any transaction is ever "final" and can be considered completed. This flaw in the traditional payment infrastructure makes it hard for coinbase to hand you over your coins even if they received a perfectly valid bank wire or credit card payment.

Whether it's a "flaw" is in the eye of the beholder.

I have confidence buying from questionable online merchants using a credit card because I know I have a recourse if they are deceptive. I would say it's more of an issue of incompatibility between the systems rather than a real "flaw" in either.

Except waiting 4 days really won't help you against chargebacks.

This reply is so bitcoin.txt that I honestly don't even know where to begin.

>> Our users, of course, won’t be charged for this insurance.

So, where did the money come from?

Insurance is a cost of doing business. Coinbase generates their revenue from fees on the purchase and sale of bitcoin, and from fees on merchant services. That's where the money comes from.

"Our users, of course, won’t be charged for this insurance." Of course. For now.
