Coinbase says hackers bribed staff to steal customer data, demanding $20M ransom

(www.cnbc.com)

410 points gpi | 3 comments | 15 May 25 15:52 UTC | HN request time: 0.556s | source

Show context

thepasswordis ◴[15 May 25 16:40 UTC] No.43996769[source]▶

The problem is that it seems like the data that leaked is also the data that would be used to do account recovery.

And what that means is that

1) If you lose access to your account (through either your own fault, or coinbases fault) that the process of recovering it may not be so straightforward anymore.

2) Hackers can try to “recover” accounts now using this leaked info.

This is a huge problem. What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and makes a huge barrier for the overseas thieves who are usually doing this)

The only solution here is: hardware 2 factor like yubikeys.

replies(9): >>43996798 #>>43998374 #>>43998426 #>>43999299 #>>43999324 #>>43999430 #>>43999499 #>>43999782 #>>44001348 #

piva00 ◴[15 May 25 16:43 UTC] No.43996798[source]▶

>>43996769 #

> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and makes a huge barrier for the overseas thieves who are usually doing this)

That's just a bank.

replies(3): >>43996827 #>>43997006 #>>43997941 #

lovich ◴[15 May 25 18:37 UTC] No.43997941[source]▶

>>43996798 #

Watching crypto enthusiasts run into every problem that society already tackled with in the past when developing currency and its controls, and then coming up with solutions that look exactly the same as what dirty fiat currency uses, has been a source of much entertainment the past few years

replies(5): >>43998063 #>>43998367 #>>43998832 #>>43998852 #>>43999920 #

1. PinkSheep ◴[15 May 25 22:18 UTC] No.43999920[source]▶

>>43997941 #

> every problem that society already tackled with in the past

More KYC creates more problems while solving some others. Why didn't the same society despite KYC/AML tackle the problem pointed at in a previous comment? "Florida teens kidnap Las Vegas man, drive him to Arizona desert, steal $4M in cryptocurrency"[1] Why is there this crime?

Without mandatory KYC laws, this particular attack would be near pointless. No name tied to account, bookkeeping doesn't archive wire transaction details for the past 10 years.

Let businesses easily accept cryptocurrency (like... regular cash?), without a blade to their throat held by the government, and the need for such centralization points will greatly diminish. People get in trouble by p2p-exchanging money with unknown peers; in some instances this "trouble" has the unit of "years".

It's in nobodies' interest to protect cryptocurrency payments as the alternative, other than the activists, and the big groups jumping in on it for the speculation purposes - something they had refined decades ago. There's CBDC is on the horizon.

[1]: https://news.ycombinator.com/item?id=43999011

replies(2): >>44001627 #>>44002592 #

2. lovich ◴[16 May 25 03:37 UTC] No.44001627[source]▶

>>43999920 (TP) #

Yea see the problem is that you are arguing under some implicit idea that you’ll just accept the results of the system.

Every single crypto property I’ve talked to has ended up at a point where they believes that someone cheated them outside the bounds of the system and then look to authority figures to rectify the situation, like the government.

If you are someone who actually believes that crypto transactions should be unmodifiable by any third party then what you said makes sense. I just don’t think that anyone telling me they believe that isn’t lying to themselves at best, and lying to everyone else at worst

3. tsimionescu ◴[16 May 25 07:16 UTC] No.44002592[source]▶

>>43999920 (TP) #

> Without mandatory KYC laws, this particular attack would be near pointless. No name tied to account, bookkeeping doesn't archive wire transaction details for the past 10 years.

But this attack is already fully pointless with traditional finance. You can't steal someone's bank account at gun point.

Conversely, even without KYC, blockchain based currencies paint a huge target on anyone who uses a small number of wallets to store a large amount of money. Dedicated criminals and even state actors can figure out who owns the wallets by tracking transaction patterns, getting information from vendors, etc. As long as you're actually using your crypto wallets (unlike, say, Satoshi), you can quite easily be tracked. Anyone who you order a pizza from in BTC knows the address of whoever has that wallet. Sure, you can take a lot of steps to protect yourself from it, but it's hard, and one slip-up is all it takes. Opsec is not for the careless.

Also, crypto's reliance on secrets instead of legal personhood to ascertain ownership fundamentally makes it prone to stealing money in this way. Since the money doesn't belong to a legal person, but to whoever knows some secret key, that key can be stolen from whoever has it through simple violence. Even if you're extremely careful not to leak details of your accounts, use XMR for untraceable payments, etc - someone who is physically close to you could see that you're rich and decide to attack just on the chance that you may have crypto, without knowing anything specific.

↑