410 points gpi | 2 comments
thepasswordis ◴[] No.43996769[source]
The problem is that it seems like the data that leaked is also the data that would be used to do account recovery.

And what that means is that

1) If you lose access to your account (through either your own fault, or Coinbase's fault) that the process of recovering it may not be so straightforward anymore.

2) Hackers can try to “recover” accounts now using this leaked info.

This is a huge problem. What Coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and makes a huge barrier for the overseas thieves who are usually doing this).

The only solution here is: hardware 2 factor like yubikeys.

replies(9): >>43996798 #>>43998374 #>>43998426 #>>43999299 #>>43999324 #>>43999430 #>>43999499 #>>43999782 #>>44001348 #
piva00 ◴[] No.43996798[source]
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and makes a huge barrier for the overseas thieves who are usually doing this)

That's just a bank.

replies(3): >>43996827 #>>43997006 #>>43997941 #
lovich ◴[] No.43997941[source]
Watching crypto enthusiasts run into every problem that society already tackled in the past when developing currency and its controls, and then coming up with solutions that look exactly the same as what dirty fiat currency uses, has been a source of much entertainment the past few years.
replies(5): >>43998063 #>>43998367 #>>43998832 #>>43998852 #>>43999920 #
codedokode ◴[] No.43998832[source]
As I understand, the root of the problem is that Coinbase kept a lot of sensitive information, including photos of IDs. If Coinbase was fully anonymous, and didn't require any KYC, the impact of the leak would be insignificant because it would be difficult to link user number 12345 with some real-world person.

So if we want to constrain the impact of such attacks, we must make companies keep less data and delete it faster. For example, instead of storing a photo of ID, store just a checkbox that the person showed their ID and it was valid.

This applies not only to cryptocurrency, but to any company like Google, Uber, Amazon etc - if they didn't keep extra data, there would be little value in the leaks.

So the blame is not on cryptocurrency, but on companies not wishing to delete the data and governments demanding them to collect data not necessary for operation. It's the government and capitalists who create problems out of nowhere.

replies(1): >>43999960 #
1. PinkSheep ◴[] No.43999960[source]
> store just a checkbox that the person showed their ID and it was valid.

Doesn't work at scale. You get bribes, rogue employees, socially engineered employees. In the US, look up the articles about phone/SIM unlocks and SIM card copies. Russia has a problem with e-signatures that most people have no idea about. It's possible to sell somebody's real estate with one of these. Loans granted just based on passport data. Neither politics nor media highlight these issues. Overall in this case your suggestion tries to handle the symptoms of the KYC requirement.

Here's a more extreme treatment: let people change their full legal name at will. Gender's already kinda possible.

replies(1): >>44007566 #
2. codedokode ◴[] No.44007566[source]
In Russia one can change their name, although it is a lot of pain as you need to change it in all agreements (like bank agreement) and documents. So a better idea is to simply not store customer names.