Hacker News | barmstrong's comments

Coinbase CEO here, I can sympathize that this was probably frustrating but I think it stems from a misunderstanding about the service that Coinbase provides. In a purely bitcoin to bitcoin world, this sort of transaction would not be an issue and you wouldn't have a risk of an account being closed. But you're not trying to do a purely bitcoin transaction here - you are trying to exchange bitcoin into your local currency and put the funds in your bank account (this is what we offer with our merchant tools).

To offer this service, we (Coinbase) work with those bank rules and that is why you are seeing our service act much like the traditional financial world. You might not like this, but we didn't make those rules, and it is the only way I know of that works if you want to exchange bitcoin in the traditional financial world. (John's answer from the support thread you linked also explains this).

Accepting purely bitcoin-to-bitcoin payments would be one solution that might work for this if that is what you want (there are plenty of other solutions other than Coinbase for this). I should mention that we are probably at fault for marketing it more as a bitcoin wallet vs an exchange which has different implications to people (I think this is part of the reason for the confusion).

Finally, I believe you may be mistaken that you can't access the $5k in funds. Are you sure? This page describes our policy on that topic: https://support.coinbase.com/customer/portal/articles/190568...

It's worth pointing out that we never converted our Bitcoin to any other currency (other than Bitcoin), it just sat in our account accumulating. We never actually tried to exchange into our local currency. Nowhere in your documentation or user agreements does Coinbase mention denying companies like ours (adult comic publisher). https://www.coinbase.com/legal/user_agreement (see APPENDIX 1)

I appreciate the response, but honestly I’m still disappointed. You have an opportunity here to create a new breed of payment processor and you are squandering it. I’m sure Coinbase is successful, but is that all you want? Are you okay being just another payment processor that happens to accept Bitcoin?

I am quite familiar with banks having varying levels of comfort with different industries (ours being adult comics), but that didn’t stop us from finding banks that were okay with what we publish and working with them. You should have relationships with multiple banks for situations like this. The fact that your company is locked into a bank that can arbitrarily deny merchant accounts, based on how comfortable they are with each business, is concerning.

More concerning is the fact that the first support email we received tried to pass our account closure off as a FinCEN issue, which only showed how little research was put into our case before the account was closed. How much effort is put into defending your merchants in situations like this?

Instead of closing accounts of small publishers or artists you should be defending them. You’d no doubt have a lot more adamant supporters. If you really do care, and you’re not just commenting to save face, I encourage you to reach out to the Comic Book Legal Defense Fund (http://cbldf.org/). They provide legal support and counsel for censorship issues like this. They have legally defended countless adult publishers, artists, and readers over the years.

As the CEO of Coinbase you have the resources to make a difference and fix situations like this for the future. Don’t be afraid to stand up and defend merchants, publishers, artists, or whoever else decides to use your service. If you want to be another payment processor that’s fine, but you could be so much more.

Response: https://www.reddit.com/r/btc/comments/3u68oo/coinbase_ceo_re...

You still didn't answer the original question though. Why can't he do business with you?

Perhaps you are not legally obliged to give a reason, but it would definitely make you look a lot better than simply saying "uhuh, not here buddy".

I think you can't have it both ways, ignoring support questions and not having to deal with backlash like this.

I think I did answer the question. He can't do business with us because our bank partners don't want to support certain types of businesses. If you are wondering why the banks don't want to support certain types of businesses, I could only speculate but I'd guess it is reputation risk and they may have seen that category as a front for other illegal activity in the past. But that is their decision to make, not ours.

For example, Stripe also prohibits adult content which is largely (I would guess) a result of input from Wells Fargo https://stripe.com/us/prohibited-businesses

That's the first time you've stated clearly why his account was closed.

It's still unclear to me why, if you have multiple banking partners, you don't have even one that would support an adult business. There is a lot of adult video and website business - they must have banks.

Furthermore, it's really the lack of transparency that rubs people the wrong way. When your customers are told that their accounts are frozen or closed all of a sudden and with almost no explanation, they are left flailing to try to understand what the heck is going on. It's like being kicked out of a restaurant half way through dinner and when you ask why, they just say "sorry, we can't continue to serve you..." I consider that method of dealing with your honest customers disrespectful.

Coinbase lets you control your own private keys: https://www.coinbase.com/multisig


Thanks, this was my biggest question. I was wondering why it doesn't just stay tethered to the ground in one single position (or as close as possible) flying into the wind.

I guess it makes sense if it rotates perpendicular to the wind - like the tip of a rotor blade, to achieve these higher speeds.

Would be curious to understand more of the math/physics behind that. But at least intuitively it makes some sense now.


Yes, see https://www.coinbase.com/docs/api/multisig

Good question!


This is another cloud service that allows free public API access, but it's the first one I'm aware of that is also open source. Much better to build a service or business on something you are in control of.


- https://helloblock.io/

- https://github.com/helloblock/helloblock-app



Don't forget https://github.com/bitpay/insight


Very sorry for the trouble on this, the blame goes squarely on me for this - those emails should never have gone out. YC had nothing to do with this, and it was completely our fault in using this private list for marketing purposes.

There is really no excuse other than poor judgement and rushed decisions. I apologize and we will make an effort to be much more careful about this in the future.


To give an opposing view, as an applicant, I personally didn't feel there was any privacy breach. Everyone that applied knew they were applying to the entire conglomerate of YC companies, so when one sends a nice email, thanking all the applicants, there really should be no privacy issue. If anything, sending a more official looking email, explaining what it was for instead of just a transaction could have preempted any concerns.


As mentioned in the blog post, payment services also commonly allow user enumeration, including Paypal, Venmo, Square Cash, and others.

The reason you don't see it with banks is that they don't allow you to send money to an email address.


Those systems are insured, and a lot more effort to steal and clean funds. Bitcoin is one stop fraud: get the coins and you're good to go. Don't need a drop to ship electronics, don't need proxies or remote desktop IPs to fool paypal/stripe fraud filters.

If I were a criminal blackhat, it would be nice to have user enumeration to confirm names on Coinbase so I could send personalized wallet stealing emails pretending to be from Coinbase.


Maybe in the US they don't, but in Canada you can. I'm quite sure in most of Europe & Australia you can as well.


Interac e-Transfers (the only widely used method for doing this I'm aware of) do let you send money to someone via an email address, but it's a notification channel, nothing more. An account enumeration isn't possible with it, the actual email is sent some time after the money for the transfer has left the source account, and the sender doesn't get any information about the delivery of the email.

I suppose you could send e-Transfers to random email addresses and then see if any are accepted, but that would cost you an absolute minimum of $0.01 per attempt and would probably have a terrible response rate.

Source: this is my day job.

Edit: sorry, forgot to mention this is Canada-specific.


You can't in Australia

Source: I live in Australia


Respectfully, could you list a couple of benefits of enumerating a user's name if someone is requesting funds that outweigh the risk even in the slightest?

The question is not for sending money but receiving or requesting money. I personally can't think of a single benefit to getting this information at time of requesting funds.

As a matter of fact, if the name was enumerated when sending money that would to some (very small) degree be acceptable as the sender stood to have a financial loss.

edit: grammar


I don't know about the other large US banks, but Chase definitely does and has been for years.


Coinbase CEO here. You can see an updated response on this issue here for more information: https://hackerone.com/reports/5200


I apologize in advance for the following unsolicited advice, but if there's anything that should have been learned from the press after the Gox implosion, it's that you absolutely must stay ahead on security and the perception of security. If you don't, the entire cryptocurrency ecosystem ultimately suffers. You have a responsibility far beyond your active userbase to be responsive and professional, rather than dismissive, especially when a whitehat is just offering up auditing. There's no obvious downside to rate limiting some types of API requests, so why not simply be responsive and do it?


Any info on why emails to whitehat@coinbase.com are being ignored?

EDIT: For what it's worth, judging by the upvotes, a lot of people are hoping for any answer.


Because Coinbase has moved the program out of email and into here: https://hackerone.com/coinbase


What they could do is turn it into an autoresponder at least with a link to that inside.


Yep, that's on the way!


You can read some more information on our response here https://hackerone.com/reports/5200


Thanks for this! Perhaps an internal flag (to review) can be set when too many bounced emails come from a single api key?
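
(Added example, not part of any comment in this thread and not Coinbase's code: one way the review flag suggested above could work, counting bounced notification emails per API key in a sliding window. The function name, the event tuple layout and the thresholds are assumptions, and the sample events are constructed.)

```python
from collections import defaultdict, deque


def flag_api_keys(events, window=3600, min_bounces=5, min_ratio=0.5):
    """Replay (ts, api_key, bounced) tuples in time order and return the
    API keys whose bounces inside a sliding window cross both thresholds.
    Thresholds are hypothetical defaults, to be tuned on real traffic."""
    recent = defaultdict(deque)   # api_key -> deque of (ts, bounced)
    flagged = set()               # keys queued for human review
    for ts, api_key, bounced in sorted(events):
        q = recent[api_key]
        q.append((ts, bounced))
        # Drop outcomes that have aged out of the window.
        while q[0][0] <= ts - window:
            q.popleft()
        bounces = sum(1 for _, b in q if b)
        # Require volume and ratio, so one mistyped address never flags a key.
        if bounces >= min_bounces and bounces / len(q) >= min_ratio:
            flagged.add(api_key)
    return sorted(flagged)


# Constructed sample events (not real traffic):
#   key_a: 20 sends in 20 minutes, a single bounce
#   key_b: 12 sends in 6 minutes, three out of every four bounce
#   key_c: 9 bounces, but two hours apart, so never together in one window
SAMPLE = (
    [(60 * i, "key_a", i == 3) for i in range(20)]
    + [(30 * i, "key_b", i % 4 != 0) for i in range(12)]
    + [(7200 * i, "key_c", True) for i in range(9)]
)

if __name__ == "__main__":
    print(flag_api_keys(SAMPLE))
```

The flag only queues a key for review; it complements, rather than replaces, the rate limiting discussed earlier in the thread.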


Coinbase CEO here - can confirm it was not us.

Checked with the team and we couldn't find any interaction matching that description. http://www.reddit.com/r/Bitcoin/comments/1wtbiu/how_i_stole_...

We work with a community of security researchers who help us test these sorts of things https://coinbase.com/whitehat including quite a lot on race conditions. We use a variety of datastores for different parts of the app where they are best suited.


