40 comments

[ 13.6 ms ] story [ 1290 ms ] thread
Context:

> Ferguson argues that under state and federal laws, Coinbase, the largest US cryptocurrency exchange, bears responsibility for unauthorized withdrawals. But the company has refused to reimburse him, saying in an email that security of passwords and two-factor authentication codes are his responsibility, according to the lawsuit. Two-factor authentication offers extra security by sending a code, usually to a user’s phone or email.

> “Please note you are solely responsible for the security of your e-mail, your passwords, your 2FA codes, and your devices,” Coinbase wrote Ferguson, according to the complaint, filed Monday in San Francisco federal court. “Coinbase’s email disclaimed any responsibility for the hacking of its customers’ accounts,” Ferguson said.

If coinbase was a bank. It would be their problem because the user didn't authorized the transfers. Another reason why you should keep your money at a bank.
Some banks dont pay out when money has been taken from your account fraudulently, so no, not another reason to keep money at your bank.
Some countries (like South Korea) are in the "customer are never in fault", other countries are "users have sole responsibility for their security", but US is in an ambiguous position where you need a court to determine responsibility. If someone said that a US bank didn't pay out for a hack it means that either they're poor to ligitate (understandable, the US legal system is rigged) or they're hiding something that would persuade the judge to side with the bank. This is still the case despite the "we're not responsible for hacked accounts" ToS especially if the bank is the one who fell for social engineering attacks to falsely convince to do something that was unauthorized.
Banks have little to no control over this. Banking regulation E controls this aspect.

So yes, a reason to keep it at your bank (which is regulated heavily).

Your bank conducts the investigation. They have a lot of control. Good luck recovering $96,000.
If it wasn't you. Reg E says you're not liable. Literally in the regulations. You will recover that $96,000. Anyone who has worked in bank industry will tell you this.
Yes, because we can take law at face value. So many court cases end up with result that comes from technicalities, like specific interpretation of who "you" are in the context of "transaction"
Reg e ties to your fdic insurance. Banks risk their fdic insurance if they are caught not following reg e. I don't know of anyone who lost money due to their account being hacked with the caveat they didn't share their login details to their spouse or kids and they reported the unauthorized transactions within 60 days.
Unauthorized withdrawals happen all the time at banks. They don't just reverse money because you claim it was unauthorized. You have to prove it. Within a limited time period. Under certain transaction types. Good luck doing that.
They have to prove its authorized and they have 30 days to do it per Reg E. For fraud like this, they have to get you to say "i shared my password with someone". This is literally in the reg e law. You have a duty to notify you bank in a certain period of time(60 days). Bank is under very different rules than paypal or crypto exchange.

https://www.consumerfinance.gov/rules-policy/regulations/100...

Keep your money in a bank and basicly they owe you a debt. If the bank goes belly-up, you stuck hoping FDIC insurance covers you.

Not your keys, not your coins. If one has significant savings in bitcoin, one needs to hold the private keys oneself, not trusting any third-party like Coinbase or a bank. Ideally in a geographically distributed multisignature setup to mitigate against loss, user-error, or theft.

Do we know if the OP's 96k was coins sitting on Coinbase, or if he had a linked bank account and the attacker used the SIM card swap attack via Coinbase to drain his bank account?

if he had a linked bank account and the attacker used the SIM card swap attack via Coinbase to drain his bank account

In a case like that you can reverse the ACH. It's more likely that assets on Coinbase were stolen.

> Keep your money in a bank and basicly they owe you a debt. If the bank goes belly-up, you stuck hoping FDIC insurance covers you.

If you don't trust the full faith and credit of the US government, than who do you trust?

Has FDIC ever failed to cover anyone? As for storing youre own keys, thats the equivalent of keeping your money in your mattress. House burns down with your wallet. Bye bye money. As you mentioned storing you key in parts at multi locations if you have money and knowledge. Would these locations be at a vault at a bank?
Couple months back I had to send someone $5000 and I couldn't. I get denied the use of my money because of this clown shit. Should be able to select a big boy bank account where I'm allowed to use my money but am held responsible for my own security failures
Whose security was breached?
The customer.
Unfortunate way to learn that SMS 2FA/MFA isn't adequate, especially when TOTP is available. Unfortunate way to learn, Not Your Keys, Not Your Coins. That being said, Valve has a higher level of security on my Stream account than Coinbase has. With Steam, a password reset triggers a 5 day marketplace/trading suspension.

I presume from the article an email account was hacked (password available?), which gave means for a Coinbase password reset, and then a SIM swap occurred on his account leading to a withdrawal.

One might argue Coinbase has a duty to do more here -- nothing on their site (at least the security/mfa section) suggests SMS isn't good enough. PcMagazine[1] suggests 95% of users rely on SMS 2FA/MFA, and Coinbase seems aware that these phishing campaigns are happening against SMS 2FA/MFA [2].

[1]: https://www.pcmag.com/news/95-of-coinbase-users-rely-on-sms-...

[2]: https://www.bankinfosecurity.com/crypto-exchange-coinbase-de...

Usually they do the SIM swap first, use SMS to recover email, then use email+SMS to recover Coinbase. I agree that Coinbase could do more.
Sibling comment says "the cuatomer", yet I'm not seeing how either the customer's SMS provider is not at fault if they did not sufficiently authenticate the customer when sending an SMS to a scammrr's device instead, else Coinbase for allowing SMS as an authentication mechanism.
I am not fan of Coinbase but the issue here seems to be with the phone carrier just going along with a SIM scam instead of getting confirmation.
(comment deleted)
People have been SIM-swapping Coinbase for years. They know that phones aren't secure and won't be secure.
Which is why they recommend a security key or a TOTP auth instead of SMS.

https://help.coinbase.com/en/coinbase/getting-started/verify...

And yet they still support SMS. Coinbase CHOOSE to use that security mechanism because it is quick and easy for them to onboard new business. They could, quite easily, restrict access to other mechanisms.

Instead Coinbase have decided that it is a sufficiently secure form of identification by which they will assume authorization for payment initiation.

If this users SMS was hacked, then the user didnt authorise payment, and coinbase incorrectly assumed that it was based on their own lax security requirements.

If this was regulated in the same way as a Bank, an EMI or a PISP then Coinbase would definitely be at fault here. I hope the legal system sees it in the same way and this guys assets are returned.

My bank still forces me to rely on 2FA via SMS. I would live to find a US bank that would let me use a OTP 2FA app. Any suggestions?
Same question, with a caveat that I would prefer a larger bank specifically.

The only 2 large banking institutions I have been working with (Chase and Wells Fargo) do not support OTP 2FA afaik (last time I checked was about a year ago). I think WF might support dedicated hardware 2FA tokens, but you gotta order it from them, and I would rather prefer to use only one device (my phone + printed our backup recovery keys in physical storage + Google/Microsoft Authenticator backup in the cloud). Otherwise, it is all just good old SMS 2FA, and I am not ok with it.

Chase, largest bank in the US, doesn't support TOTP yet there ar no articles how someone lost almost $100k by a sim card attack. Coinbase inability to detect and mitigate a sim card attack is on them and their lack of security.
The amazing thing is Wells Fargo Bank will allow you to 2FA with either a hardware token OR an SMS OR your email.

It's freaking mind boggling.

Why anyone uses Wells Fargo after all the shit they've been in is itself mind boggling.
And it's fine, because the regulator forces them to take the risk. As soon as the risk for having to own unauthorized transaction becomes to much for their current auth schema, you'd find it replaced faster than you can say CFPB.
Which is why my bank requires further authorisation beyond a simple password when withdrawing or transferring large amounts.
"Skill Issue"