685 points jclarkcom | 5 comments
chaps ◴[] No.45948347[source]
Once did some programming/networking work for a company that did the networking of an office-sharing building that Coinbase was running out of. Early in my work there I noticed that the company had its admin passwords written on a whiteboard -- visible from the hallway because they had glass for walls. So I sent them an email to ask that they remove it (I billed them for it).

Their fix was to put a piece of paper over the passwords.

What a time.

replies(4): >>45948409 #>>45948413 #>>45950978 #>>45970370 #
650REDHAIR ◴[] No.45948413[source]
This doesn’t surprise me at all.

Bitcoin, and really fintech as a whole, are beyond reckless.

replies(5): >>45948422 #>>45948453 #>>45948644 #>>45952637 #>>45953031 #
danielhlockard ◴[] No.45948644[source]
You say that but I work in fintech (granted, one of the larger more corporate ones, after an acquisition) and we are heavily regulated, and audited.
replies(6): >>45949539 #>>45950218 #>>45950272 #>>45950314 #>>45950489 #>>45952371 #
ItsBob ◴[] No.45952371[source]
FWIW, I work for a major financial organization in the UK as a software architect and I've brought it up more than once over the years in various roles: not a single bank in the UK supports Yubikeys or custom Authenticator apps.

Not one (I last checked about a month ago!)

Security, while pretty good, is still lacking imo!

replies(1): >>45952865 #
1. cjrp ◴[] No.45952865[source]
Ironically until fairly recently Nationwide required the little keypad authenticator thing, and everyone hated it!
replies(2): >>45952927 #>>45953557 #
2. ItsBob ◴[] No.45952927[source]
I had one of those umpteen years ago with RBS. I hated it at the time too :)

However, I use a Yubikey as often as I can nowadays and authenticator apps too where possible.

I'd like the option to use one but I can't :(

replies(1): >>45953104 #
3. cjrp ◴[] No.45953104[source]
I wonder if the higher-end banks, e.g. Coutts, let you use one.
4. Ntrails ◴[] No.45953557[source]
I thought they still did for website flow at least. Bizarrely we seem to think that phone apps are infinitely secure and don't need the extra step because biometrics?
replies(1): >>45953812 #
5. victorbjorklund ◴[] No.45953812[source]
Isn’t it because the assumption is that a mobile device is personal in 99,99999% of cases while it’s common (less now than 15 years ago) with shared computers in libraries, schools, etc.