410 points gpi | 23 comments
neilv ◴[] No.43996445[source]
The article keeps saying overseas employees or contractors, but isn't more specific on who Coinbase entrusted with this sensitive customer PII.

The bottom line is Coinbase didn't adequately secure sensitive customer information, and it was leaked.

Not, "Gosh, 'overseas' people, what can ya do?"

replies(12): >>43996466 #>>43996524 #>>43996557 #>>43996649 #>>43996661 #>>43996746 #>>43997312 #>>43997316 #>>43997530 #>>43997817 #>>43997825 #>>43998830 #
1. voidspark ◴[] No.43996649[source]
How can customer support operate without knowing anything about the customer?
replies(4): >>43996708 #>>43996714 #>>43996892 #>>43996992 #
2. ty6853 ◴[] No.43996708[source]
A shared or hashed secret would do it.

Plenty of exchanges don't know their customers, and in fact that is how they get their customers.

replies(1): >>43996822 #
3. kgwxd ◴[] No.43996714[source]
Isn't the whole point of crypto to keep PII out of it completely? If not, what is all this nonsense for exactly, other than the typical goals of pyramid schemes?
replies(7): >>43996727 #>>43996754 #>>43996761 #>>43996776 #>>43996781 #>>43997318 #>>43997471 #
4. charcircuit ◴[] No.43996727[source]
Unfortunately government regulation does not make that possible for exchanges. It also is not the point of crypto.
5. sowbug ◴[] No.43996754[source]
Coinbase is a bridge between digital currencies and the traditional world.
6. ◴[] No.43996761[source]
7. ty6853 ◴[] No.43996776[source]
The main point of crypto IMO is to have a large-denomination bearer asset.

This is overlooked most places but if you examine around the time the FATF finally pretty much eliminated bearer bonds, bearer stocks, and large bank notes was exactly the time crypto really took off.

replies(1): >>43996870 #
8. voidspark ◴[] No.43996781[source]
Not if you are dealing with a regulated exchange that facilitates fiat money transactions.

You can receive crypto privately to your own wallet without sharing PII, without any exchange.

9. voidspark ◴[] No.43996822[source]
No. Coinbase deals with fiat money, therefore subject to AML and KYC regulations.
replies(2): >>43996862 #>>43996872 #
10. kragen ◴[] No.43996862{3}[source]
That's not related to customer support, though. It's more like customer surveillance.
replies(1): >>43996916 #
11. Tokumei-no-hito ◴[] No.43996870{3}[source]
This? https://www.investopedia.com/terms/b/bearer-instrument.asp
replies(1): >>43996958 #
12. ty6853 ◴[] No.43996872{3}[source]
The question was about customer support. AML and KYC regulations do not require that customer support persons know your PII. That can be kept firewalled from them.
13. browningstreet ◴[] No.43996892[source]
You know how your bank asks you to verify details when you call?

Without the right details the customer support people don’t get entry into the customer's account details.

Banks have been doing this for 30+ years.

replies(2): >>43997387 #>>44000593 #
14. ◴[] No.43996916{4}[source]
15. ty6853 ◴[] No.43996958{4}[source]
Yes. IIRC ~2015 was when the last of bearer bonds/shares were pretty much all completely immobilized. I can't recall when the last ~1000 USD equivalent banknotes were printed but it was also close to that time.
16. dowager_dan99 ◴[] No.43996992[source]
CS can validate without knowing the details, the same way you don't enter a password and then check to see if that matches the password in the system.

The fact that they keep blaming overseas customer support is pure blame shifting - you still hired someone and gave them access to all this data, Coinbase!

replies(2): >>43997259 #>>44003838 #
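The "validate without knowing the details" idea raised in this comment, and the "shared or hashed secret" suggested earlier in the thread, as an added example that is not part of any commenter's post: a verification service keeps only a salted, peppered hash of a support PIN and tells the agent yes or no. `VerificationService`, `PEPPER`, the customer IDs and the PIN values are hypothetical names and constructed sample data.

```python
import hashlib
import hmac
import os

# Assumption: the pepper lives only inside the verification service (e.g. a KMS),
# never in the support console or in any table the agents can query.
PEPPER = os.urandom(32)
MAX_ATTEMPTS = 3


class VerificationService:
    """Stores only salted, peppered hashes; answers the agent with True/False."""

    def __init__(self):
        self._records = {}   # customer_id -> (salt, digest)
        self._failures = {}  # customer_id -> consecutive failed attempts

    @staticmethod
    def _derive(secret: str, salt: bytes) -> bytes:
        # Support PINs are low entropy, so a bare hash would fall to offline
        # guessing if the table leaked: stretch it, then key it with the pepper.
        stretched = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)
        return hmac.new(PEPPER, stretched, hashlib.sha256).digest()

    def enroll(self, customer_id: str, secret: str) -> None:
        salt = os.urandom(16)
        self._records[customer_id] = (salt, self._derive(secret, salt))
        self._failures[customer_id] = 0

    def verify(self, customer_id: str, claimed: str) -> bool:
        """Called by the agent's console; the only output is a yes/no."""
        if customer_id not in self._records:
            return False
        if self._failures[customer_id] >= MAX_ATTEMPTS:
            return False  # locked: escalate out of band instead of guessing on
        salt, digest = self._records[customer_id]
        ok = hmac.compare_digest(digest, self._derive(claimed, salt))
        self._failures[customer_id] = 0 if ok else self._failures[customer_id] + 1
        return ok

    def agent_view(self, customer_id: str) -> dict:
        # Everything the agent can read about the secret: whether one exists.
        return {"customer_id": customer_id, "enrolled": customer_id in self._records}
```

The attempt limit matters as much as the hash: without it, an agent or anyone holding an agent's session could enumerate a four-digit PIN through `verify` itself.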
17. voidspark ◴[] No.43997259[source]
We don’t know if they had access to everything. They got data for “less than 1% of monthly transacting customers”.
18. dboreham ◴[] No.43997318[source]
The PII is required by governments, to convert crypto money into real money.
19. udev4096 ◴[] No.43997387[source]
Which is such a lame and flawed mechanism to avoid letting them access anyone's data. I mean, what are you even trying to prove here? That banks care about customers' security when they can't even implement a secure 2FA which is not just an unencrypted text message?

“Give a man a gun and he can rob a bank, but give a man a bank, and he can rob the world.”

replies(1): >>44000040 #
20. udev4096 ◴[] No.43997471[source]
It's simple. They want to centralize crypto and dickheads like Armstrong are happy to be in line to make that happen. Just look at Tether, what's the point of it? It's nothing but a front for inflating the price of bitcoin. It has NEVER been audited and has been found to NOT have any USD backing at all.
21. lavezzi ◴[] No.44000040{3}[source]
> I mean what are you even trying to prove here?

That there are more options than holding your hands up and arguing the company couldn't have done anything further in terms of implementing effective controls.

22. bcrosby95 ◴[] No.44000593[source]
This also wouldn't be particularly difficult to implement.
23. mlrtime ◴[] No.44003838[source]
Where do you see blame? This is a fact and it's relevant.

If they didn't say this, there would be pitchforks out about not giving enough information.