A few thoughts. I agree with you, which is why we are currently going through a third party security audit in addition to the impromptu peer review by Andreas the day MtGox went down and our normal reviews by accountants. We also hired a director of security from FB. Also, there were rate limits, just not well tuned enough. So it's definitely in focus for us.
What precautions have you taken against meatspace robbery? What's to stop 3 thugs with guns walking into your office(s) and cleaning out all the coins? Can you get insurance against this?
Do you also have measures to prevent evil janitor attacks like hardware keyloggers being planted at 4:00am? Do you have screens facing an open window to watch from across the street? Can I rent beside your offices, drill holes through the walls and set up spycams or gain entry? Not to sound alarmist, but it seems no exchange has given a thought to physical security, meanwhile bank execs are dropped off at work by private guards specializing in counter-kidnapping operations, even though their money is fully insured and extremely difficult to steal. Bitcoins are easy to steal.
> meanwhile bank execs are dropped off at work by private guards specializing in counter-kidnapping operations
Perhaps there are some bank executives for which this is true, but it is absolutely NOT the case for all banking executives. I work with some bank executives and they drive themselves to work in their own cars. The buildings DO have alarm systems and it is quite possible for the FBI to respond to physical threat incidents (because it is treated as a bank robbery) but otherwise there is little that is special in the way of physical security.
And for Coinbase, I believe the lack of special physical guards is appropriate. A high percentage ("up to 97%" according to https://coinbase.com/security ) of their coins are in cold storage and while I am not privy to the details of Coinbase's arrangements, keysharing and multiple physical storage locations that are off-premises are a reasonable precaution. They are vulnerable to hostage-taking or "3 thugs with guns" to the exact same extent (no greater) as any other company with a similar amount of protection.
I can't comment on protection against hardware keyloggers: it's a threat that they need to be prepared for. Cold storage is one major way of protecting against this threat, business insurance is another.
Any other company doesn't need to worry, since robbing their head office and demanding online bank transfers is a waste of time. A cryptocoin fixed-rate exchange with millions in storage you can instantly transfer is a different story. It's like Ft. Knox being located in a regular office building with gold piled on the desks. Bank vaults have physical security, so why don't Bitcoin-based businesses?
I did read through their security about the backups being spread around different locations, but those are backups. They would need access to the cold wallet on a regular basis if 97% of funds are truly in there. Unlikely to happen but then again police here didn't expect criminals would remove huge concrete barriers with a stolen tractor, ram a shopping mall entrance, drive through the mall and ram a gated jewelry store but they did.
> They would need access to the cold wallet on a regular basis if 97% of funds are truly in there.
Not true. First of all, that would only be true if their net daily turnover were more than 3% of their total amount stored -- which it may not be. Even then, I would expect graduated levels of cold wallets: imagine one with another 2% that is down the street in a bank safe deposit box, 5 wallets with 50% of the deposits stored in a way that can only be accessed with cooperation of 4 people in different parts of the country ... that sort of thing.
I am, of course, just speculating: I don't know how Coinbase runs their system, I just know that they seem competent and that this is how I would run such a thing.
Why wasn't any of that information in the earlier statements? When given a list that contains demonstrable flaws "we see your list and don't think it's a problem (thus by implication are not doing anything about it)" does not induce confidence, it sounds like hubris.
Simply writing that the rate limiting wasn't working correctly and you were fixing would have made all the difference in the world to me.
BofA and Wells Fargo suffer from account number enumeration.
Wells Fargo has 10-11 digit (depending on if it's WF or previously Wachovia) account numbers. One portion defines the bank branch where the account was opened, another portion defines the account type, and the last digit is a check digit. You can guess at an account number by attempting a deposit (in person or online).
There's also the fact that BofA and Wells Fargo have account numbers displayed in cleartext on pieces of paper that are handed to strangers.
I'm not arguing the merits of Coinbase's security, but traditional banks don't fare well either. Coinbase can improve. Traditional banks are limited by standards that they can't change.
Two months ago I was able to enumerate all accounts from a local bank (Paraguay): they used document number and numeric passwords for login. They were showing different error messages when you tried to log in with a nonexistent ID.
So I started generating random numbers between common document number ranges (1000000-4000000).
Our public health system has a web app that lets you check your enrollment status by entering a document #, and there are no CAPTCHAs! So the attack was like this: generate a random document number, send a request to the public health app and get the target's info (name, date of enrollment and other info).
The most interesting thing was that I tried to log in to all accounts by using the birth date of the target as a password (the bank's password policy: just numbers, a min. of 6 numbers...). Around 40% of the clients were vulnerable.
I have communicated the public health app problem (actually they just need to put a CAPTCHA) many times, but it seems that nobody cares. About the bank, I was working as a data science consultant at that time, so it was easy for me to knock on the door of the security department and tell them about my attack.
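The two weaknesses described in this post, a login that answers differently for nonexistent IDs and an endpoint with no throttling, are the same ones the first comment in the thread admits to ("rate limits, just not well tuned"). As an added example, not code from any bank or from Coinbase, here is a login handler in the leaky form beside a hardened one: the hardened version returns one generic message whether or not the document number exists, hashes a dummy record for unknown IDs so response time does not leak existence either, and applies a sliding-window rate limit per client address and per submitted identifier. The store, limiter, error strings, PBKDF2 parameters and sample accounts are all assumptions for the demo.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

GENERIC_ERROR = "Invalid document number or password."
THROTTLED = "Too many attempts; try again later."
PBKDF2_ITERATIONS = 50_000  # demo value; tune upward in production


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class UserStore:
    """In-memory account store keyed by document number (constructed for the demo)."""

    def __init__(self):
        self._users = {}
        # A dummy record lets check() do the same work for unknown IDs.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash_password("placeholder", self._dummy_salt)

    def add(self, doc_number, password):
        salt = os.urandom(16)
        self._users[doc_number] = (salt, _hash_password(password, salt))

    def exists(self, doc_number):
        return doc_number in self._users

    def check(self, doc_number, password):
        """True only for a known ID with the right password; constant work either way."""
        salt, stored = self._users.get(doc_number, (self._dummy_salt, self._dummy_hash))
        ok = hmac.compare_digest(_hash_password(password, salt), stored)
        return ok and self.exists(doc_number)


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any trailing `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def login_vulnerable(store, doc_number, password):
    """The pattern the post describes: the error text reveals whether the ID exists."""
    if not store.exists(doc_number):
        return (False, "Unknown document number")
    if not store.check(doc_number, password):
        return (False, "Wrong password")
    return (True, "ok")


def login_hardened(store, limiter, doc_number, password, client_ip, now=None):
    """Uniform failure message plus throttling by client address and by submitted ID."""
    if not limiter.allow(("ip", client_ip), now):
        return (False, THROTTLED)
    if not limiter.allow(("id", doc_number), now):
        return (False, THROTTLED)
    if store.check(doc_number, password):
        return (True, "ok")
    return (False, GENERIC_ERROR)


if __name__ == "__main__":
    store = UserStore()
    store.add("1234567", "19900101")  # constructed account; birth-date password as in the post
    limiter = SlidingWindowLimiter(limit=5, window=60)
    print(login_vulnerable(store, "9999999", "x"), login_vulnerable(store, "1234567", "x"))
    print(login_hardened(store, limiter, "9999999", "x", "10.0.0.1", now=0.0),
          login_hardened(store, limiter, "1234567", "x", "10.0.0.1", now=1.0))
```

The per-identifier limit is counted for unknown document numbers too, so throttling behaviour itself does not become a second oracle; a CAPTCHA, as the post suggests for the health-system endpoint, would sit in front of the same handler once the limit trips.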
I remember a story here a few months ago about a person who had deposited tens of thousands of dollars with Coinbase, and they refused to give the customer his coins. That was a clear sign that the systems and processes at Coinbase were broken.
The fact that they didn't help the customer until they took their grievances public indicated to me that either Coinbase don't care about their customers, or they were too busy trying to balance their books because of some proprietary trading gone wrong.
Thus I think it was foolish of Coinbase to release the letter condemning MtGox. Now anything that happens to Coinbase makes them look like total hypocrites. People, glass houses, stones etc.
It's one thing for a magic card trading company to morph into a Bitcoin exchange and have problems... but for a hot-shot start-up in San Francisco with self-proclaimed tech superstars at the helm and millions in the bank to screw up royally, well, it's just embarrassing.
UPDATE: For anybody following Bitcoin news, this is obviously satire, replacing MtGox with CoinBase. Surprised people downvoted this.
There are rumors that a joint statement will be released at 5PM Pacific Time...
Joint Statement Regarding CoinBase
Apr 1st, 2014
The purpose of this document is to summarize a joint statement to the Bitcoin community regarding CoinBase.
This tragic violation of the trust of users of CoinBase was the result of one company’s actions and does not reflect the resilience or value of bitcoin and the digital currency industry. There are hundreds of trustworthy and responsible companies involved in bitcoin. These companies will continue to build the future of money by making bitcoin more secure and easy to use for consumers and merchants. As with any new industry, there are certain bad actors that need to be weeded out, and that is what we are seeing today. CoinBase has confirmed its issues in private discussions with other members of the bitcoin community.
We are confident, however, that strong Bitcoin companies, led by highly competent teams and backed by credible investors, will continue to thrive, and to fulfill the promise that bitcoin offers as the future of payment in the Internet age.
In order to re-establish the trust squandered by the failings of CoinBase, responsible bitcoin exchanges are working together and are committed to the future of bitcoin and the security of all customer funds. As part of the effort to re-assure customers, the following services will be coordinating efforts over the coming days to publicly reassure customers and the general public that all funds continue to be held in a safe and secure manner: Kraken, BitStamp, Circle, and BTC China.
We strongly believe in transparent, thoughtful, and comprehensive consumer protection measures. We pledge to lead the way.
Bitcoin operators, whether they be exchanges, wallet services or payment providers, play a critical custodial role over the bitcoin they hold as assets for their customers. Acting as a custodian should require a high-bar, including appropriate security safeguards that are independently audited and tested on a regular basis, adequate balance sheets and reserves as commercial entities, transparent and accountable customer disclosures, and clear policies to not use customer assets for proprietary trading or for margin loans in leveraged trading.
The following industry leaders stand by this statement:
Jesse Powell — CEO of Kraken
Nejc Kodrič — CEO of Bitstamp.net
Bobby Lee — CEO of BTC China
Nicolas Cary — CEO of Blockchain.info
Jeremy Allaire — CEO of Circle
p.s. Yes, this is the MtGox letter... who will be the last man standing? :-)
The possibility of this being misinterpreted as valid is rather high. I think your point could have been made well with a single explaining sentence up front and without the name substitution in the actual content.
These guys stuck the knife into MtGox... when they themselves are no better.
Check the forums over at BitcoinTalk, for months now, people using Kraken have been unable to withdraw their money, and deposits have been going 'missing'. The fact that support is conducted over a public forum, out of sheer desperation on the customers part, tells you something.
If CoinBase did go down, would you bet against the other providers crafting a public relations message to drum up business for themselves? It's dog eat dog out there - the idea that there is a community of Bitcoin businesses looking out for each other is a joke.
What does that have to do with what I said? I think the manner in which you made your point has too high a chance of being misinterpreted to be acceptable here, which is probably why it was being downvoted.
Oh, I could care less about the company, but I do care about the integrity of HN as a whole. That doesn't mean I don't like the occasional joke on here either, but since that story seemed a bit light on details and people were looking for information, posting satire that looks very much like valid information can be unintentionally misleading.
Hi, Ryan here - We've moved over to hackerone.com/coinbase, and emailed everyone at the whitehat@ address about the transition. We'll be getting in touch for the details and will get an autoresponder up on whitehat@. We don't view missed reports as a good thing, we'll do better and have already made improvements.
Apropos nothing else and without judging the actual report you're referring to: if you set up a "whitehat@yourdomain" or "security@yourdomain" alias, you need to be responsive. You can't ignore good-faith messages because you don't think they're valid. You have to act like all good-faith messages are urgent.
Those aliases are cheap insurance, but they aren't free: they'll cost you some tech support cycles.
They're actually downright expensive addresses to maintain, and they don't cost tech support cycles, they cost security engineer time.
A basic tech support person might be able to fend off the dozens of word salad "security notifications" sent by ESL students, but as they get more complicated and no less often irrelevant, you need people who actually know how your infrastructure works.
On top of the technical hassle comes the customer experience hassle of keeping a bunch of wannabe hackers happy as they demand rewards and their name on your site for their idea of a CSRF vulnerability that happens to have no basis in reality.
The backlash against these aliases is perceptible, but remember that the worst-case scenarios we're talking about today, when those addresses aren't properly staffed, was the default case before they became a common feature of startups.
Seriously, this. They are being nonchalant about this whole thing, but it may be damaging their most valuable asset - the community's trust in them. Just don't ignore repeated attempts to contact your whitehat address.
According to the original researcher, he mailed them and got no response, and got no response at all from several other attempts at contact.
I wouldn't be surprised one bit to find that the inbox for that address is full of spam and crackpots, but, like 'tptacek said, if you're going to have the list you had better dedicate resources to reading it.
Then how am I on the list with an email I only use at Coinbase? With my full email and name, and I'm getting spammed non-stop by this "non-important" security flaw in your system.. multiple times today and counting.
There are still a few lingering issues, which we've been working hard to fix and will be looking at again today. To those affected, I'm very sorry for the wait. Funds are safe, it's just a question of opening the pipes properly to let them flow normally.
I think you guys will pull through in the end, but your communication is honestly bewildering.
You guys are still:
* Waiting until the last minute (after they've been waiting a week!) to tell people their accounts have been flagged as 'high risk'
* Not updating your blog with problems as they arise
* Being completely non-transparent about the obviously-a-lie "24 hour rolling limit".
* Letting emails about people's already confirmed bitcoins being locked into your "wallet" go unanswered.
* Generally being completely opaque about both what is going on, and why people are getting flagged at the last minute.
My recommendation: charge more for your services and fucking hire some people to do some damage control--AND BE TRANSPARENT. It's great that you are in the reddit threads, and now on here.. but for the love of god, you are pissing EVERYONE off. There are people falling over each other to be your "customer support specialist" or whatever you were hiring for the other day; have them do some friggin' support.
Several pieces of the site scaled up about 10x in the past month or two, and this exposed some lingering performance problems. Somebody told us an analogy one time of rebuilding a car while trying to drive it down the freeway at 60MPH. That is a good approximation of what we're doing right now - in short, we are doing so carefully and with the help of great test coverage to make sure nothing breaks along the way.
Thank you for bearing with us. I wish I could say this is the last time we'll experience scaling problems in the next year, but it seems unlikely with the growth of bitcoin right now. If this seems like something interesting to work on, we are also hiring: https://coinbase.com/jobs
We'll post updates to Twitter as we come closer to a resolution. Thank you!
I'm a Coinbase customer. I'm waiting for my pending transaction to go through, and for USD to hit my bank account. And I'd rather have Fred and the rest of Coinbase working on solving that problem than explaining what, exactly, the glitch is, and while they're at it, what their entire infrastructure looks like. There will be time for explanations later.
I second eof's reply, especially the high risk issue. I "bought" 14 coins at 34.50, emailed support as soon as it flagged and you basically responded with "whoops, I'm sorry".... Meanwhile I had left the funds in escrow for a week waiting for the order to clear when I could have bought them through another source at a slightly higher rate and still profited in a large way. Then I emailed support again when I found that another customer had posted they had actually had the order forced through by support due to the issue being on Coinbase's end. That was two weeks ago and I still have not received a response as to why the order was covered for another customer but not for me.