685 points jclarkcom | 24 comments
chaps ◴[] No.45948347[source]
Once did some programming/networking work for a company that did the networking of an office sharing building that Coinbase was running out of. Early in my work there I noticed that the company had its admin passwords written on a whiteboard -- visible from the hallway because they had glass for walls. So I sent them an email to ask that they remove it (I billed them for it).

Their fix was to put a piece of paper over the passwords.

What a time.

replies(4): >>45948409 #>>45948413 #>>45950978 #>>45970370 #
650REDHAIR ◴[] No.45948413[source]
This doesn’t surprise me at all.

Bitcoin, and really fintech as a whole, are beyond reckless.

replies(5): >>45948422 #>>45948453 #>>45948644 #>>45952637 #>>45953031 #
1. danielhlockard ◴[] No.45948644[source]
You say that but I work in fintech (granted, one of the larger more corporate ones, after an acquisition) and we are heavily regulated, and audited.
replies(6): >>45949539 #>>45950218 #>>45950272 #>>45950314 #>>45950489 #>>45952371 #
2. mmooss ◴[] No.45949539[source]
Wall Street is heavily regulated and audited, and still is 'beyond reckless', causing global financial calamities multiple times.
3. protocolture ◴[] No.45950218[source]
>You say that but I work in fintech (granted, one of the larger more corporate ones, after an acquisition) and we are heavily regulated, and audited.

I have seen some toe curling shit in fintech.

replies(1): >>45952322 #
4. 650REDHAIR ◴[] No.45950272[source]
How big was it when you joined?
5. bdangubic ◴[] No.45950314[source]
funniest thing I read this year on HN - well played mate, well played!!!
replies(1): >>45953440 #
6. devin ◴[] No.45950489[source]
You're almost there. Think to yourself now: what was it that happened in the past that necessitated the need for a large regulatory apparatus, auditors, etc.?
7. klaushougesen1 ◴[] No.45952322[source]
timetravelling the ledger anyone ? :)
replies(1): >>45952546 #
8. ItsBob ◴[] No.45952371[source]
FWIW, I work for a major financial organization in the UK as a software architect and I've brought it up more than once over the years in various roles: not a single bank in the UK supports Yubikeys or custom Authenticator apps.

Not one (I last checked about a month ago!)

Security, while pretty good, is still lacking imo!

replies(1): >>45952865 #
9. withinboredom ◴[] No.45952546{3}[source]
I once had a banking app that reported the wrong transaction amounts (downloading the statements resulted in a different balance than what was shown in my account -- this isn't the US, so it should show the correct amount). When I reported the bug, they changed the values on my statements instead of fixing the app -- so now, it didn't reflect my receipts.

It was a fun time. They eventually fixed it in the app to show my true balance and fixed my statements back to what it was. But holy shit, the fact that an engineer would think that would be the proper fix is wild... this is pre-llms, otherwise, I'd think they'd been vibe-coding.

replies(1): >>45952790 #
10. johnisgood ◴[] No.45952790{4}[source]
Pre-LLM or vibe-coding, it is the same shit ultimately I'd say: shitty developers doing software development. :D
replies(1): >>45953359 #
11. cjrp ◴[] No.45952865[source]
Ironically until fairly recently Nationwide required the little keypad authenticator thing, and everyone hated it!
replies(2): >>45952927 #>>45953557 #
12. ItsBob ◴[] No.45952927{3}[source]
I had one of those umpteen years ago with RBS. I hated it at the time too :)

However, I use a Yubikey as often as I can nowadays and authenticator apps too where possible.

I'd like the option to use one but I can't :(

replies(1): >>45953104 #
13. cjrp ◴[] No.45953104{4}[source]
I wonder if the higher-end banks, e.g. Coutts, let you use one.
14. ChrisMarshallNY ◴[] No.45953359{5}[source]
I tend to avoid auto-cashiers. It's mostly because I find they don't save any time, and just exist to fire cashiers.

One place that they basically force you to use it, is my local drug store (big chain, that I won't call out by name).

Their auto-cashier absolutely sucks. It's almost impossible to avoid having an issue that requires you waiting around for the poor schlub to come over and fix.

They recently set up touchscreens, at the prescription counter.

I have not once had success with the touchscreen. It can never find me, or my wife. They always have to just take my information manually.

I suspect that the backend (the algorithm and main engine) is good. I think almost all the problems are with shoddy frontend stuff. For example, I think the touchscreen issue is capitalization, and the old system cut off our surnames, so I actually have to type in about half my name, in all caps, to have it find my prescription.

I feel personally offended, when I encounter stuff like that.

replies(2): >>45953963 #>>45960279 #
15. aiisjustanif ◴[] No.45953440[source]
They could work for Plaid or Stripe, which are pretty known for taking proactive security very seriously.

https://security.plaid.com/

https://docs.stripe.com/security

replies(1): >>45953529 #
16. bdangubic ◴[] No.45953529{3}[source]
I am 1,000,000% sure that many fintech companies are taking security very, very seriously (I am a Stripe customer myself). But I don't think that has anything to do with the statement "we are heavily regulated, and audited" - that is too funny.
replies(1): >>45955243 #
17. Ntrails ◴[] No.45953557{3}[source]
I thought they still did for website flow at least. Bizarrely we seem to think that phone apps are infinitely secure and don't need the extra step because biometrics?
replies(1): >>45953812 #
18. victorbjorklund ◴[] No.45953812{4}[source]
Isn’t it because the assumption is that a mobile device is personal in 99,99999% of cases while it’s common (less now than 15 years ago) with shared computers in libraries, schools, etc.
19. johnisgood ◴[] No.45953963{6}[source]
I have never used these auto-cashiers or whatever they are called. It might be due to anxiety, which is weird because social encounters should be more anxiety-inducing. I just feel like I would mess something up.

Oh, and here real cashiers usually scam you by scanning the items twice and so forth (not sure if intentionally or not), it happened a couple of times to my parents (not considered elderly yet) in the past few months I would say.

In any case, I feel your pain.

20. fragmede ◴[] No.45955243{4}[source]
In the wake of every scandal in finance is a wave of regulations. Finance is one of the most heavily regulated industries there is. That smart people keep finding new areas that haven't yet been regulated doesn't mean that the existing areas aren't heavily regulated and audited.

If you give me $5, and then I pass it on to Bob for you, how many licenses and how much paper work do you think I should need to do that if I did that as a business? If you give me some money and I am a business, how much paperwork should that incur?

replies(2): >>45955849 #>>45957347 #
21. chaps ◴[] No.45955849{5}[source]
The big problem is that the exchanges are largely self-regulated. Or at least when I was in the field. A company I worked at sued a counterparty to our trade because we had proof of market manipulation. I won't say any of the details of who, etc, but the trades of the counterparty were so... plainly obvious of market manipulation in violation of the exchange's rules. At one point in that lawsuit the exchange's lawyers accidentally CC'd my bosses, showing that the exchange was colluding with the counterparty.

From what I was told, the issue for the exchange was that if they were found out to not enforce their self regulation then it'd be the precipitous event to the hammer coming down on them from regulatory bodies.

So yeah. Regulation's kinda shite here.

22. bdangubic ◴[] No.45957347{5}[source]
give me some examples of this “regulation” actually doing serious “regulating”? on paper, there may be 1,000’s of statutes and whatnots doing all sorts of regulations - in practice though… not to mention this industry is probably the most “self-regulated” when you actually dig in than most others…
replies(1): >>45977773 #
23. protocolture ◴[] No.45960279{6}[source]
We have 2 near identical supermarket chains in aus.

I use the one with the better self service checkout, that doesn't reliably make me wait for the schlub.

24. fragmede ◴[] No.45977773{6}[source]
Here's the DEA with a specific money laundering case: https://www.dea.gov/press-releases/2025/05/29/two-money-cour... but there are many more if you search for money laundering.