←back to thread

Coinbase says hackers bribed staff to steal customer data, demanding $20M ransom

(www.cnbc.com)
410 points gpi | 5 comments | 15 May 25 15:52 UTC | HN request time: 0.733s | source
Show context
kragen ◴[15 May 25 16:48 UTC] No.43996848[source]
It's really unfortunate that KYC regulations required Coinbase to have this information in the first place. We should be establishing strong social norms against sharing PII without a legitimate reason; this is not just an individual theft risk but a national security risk. Coinbase doesn't pay into your Social Security account, so they shouldn't have your Social Security number. They don't visit your house, so they shouldn't have your address. Etc.

Historically, although KYC regulations were widespread in Communist countries, they were unthinkable in most democratic countries until 9/11, which provided spy agencies with their golden chance to write their wishlist into law. But unfortunately that helps foreign spy agencies just as much as, maybe more than, it helps domestic ones.

In https://en.wikipedia.org/wiki/Know_your_customer#Laws_by_cou... you can see when they were introduced in different countries.

replies(1): >>43997021 #
dowager_dan99 ◴[15 May 25 17:03 UTC] No.43997021[source]
Let's hear you repeat this position after your Coinbase account is compromised and you're looking for recourse.
replies(1): >>43997082 #
1. kragen ◴[15 May 25 17:09 UTC] No.43997082[source]
You seem to believe that AML/KYC regulation exists to benefit customers or to prevent or recover from account compromises. It does not, and I have no idea why you would think it does. Something like a Yubikey or iris-scanning stations could help to prevent Coinbase account compromises, but AML/KYC regulations do not require or even encourage them, though perhaps someday they will.
replies(1): >>43997885 #
2. ceejayoz ◴[15 May 25 18:31 UTC] No.43997885[source]
You... want to replace KYC with iris scanning stations?
replies(3): >>43999066 #>>43999378 #>>43999988 #
3. wmf ◴[15 May 25 20:36 UTC] No.43999066[source]
We're not allowed to say this but hashed biometrics with proof of liveness is probably the strongest authentication.
4. coolcase ◴[15 May 25 21:09 UTC] No.43999378[source]
That is know your eye, not know your customer.

Yeah I know eventually these will be linked by some data broker and will meld into the same thing.

But I compare it to using a fingerprint to unlock a password manager on your phone. That ain't KYC.

5. kragen ◴[15 May 25 22:25 UTC] No.43999988[source]
It has real drawbacks, but I wasn't talking about what would be a good idea; I was talking about what would be a useful measure for preventing or recovering from account compromises. Iris scanning would be; KYC isn't.