Coinbase Breach Notification (oag.ca.gov)
https://therecord.media/hackers-bypass-coinbase-2fa-to-steal...
We will be depositing funds into your account equal to the value of the currency improperly removed from your account at the time of the incident. Some customers have already been reimbursed -- we will ensure all customers affected receive the full value of what you lost
At least they will be reimbursed, and everyone should walk happy.
The reimbursement comes from somewhere. Investors may not be happy. "everything is securities fraud"
https://www.google.com/search?q=%22everything+is+securities+...
It's funny how everything old is new again. We are just reinventing FDIC insurance for crypto.
I don't think you'd get FDIC money back if an attacker got into your account. The bank might cover you if they agree it was their fault, similar to Coinbase.
I mean, they'll more likely just move the goalposts than be won over, but at least they're running out of things to complain about. Between this and the Coinbase card, Coinbase has already tackled the two biggest (valid) critiques of crypto that I hear.
It's like people saying, "I don't like the bank with their ridiculous paperwork so I will use a loan shark instead, he doesn't need paperwork"
Then the loan shark disappears/beats you up/asks for loads of interest etc. and you still want to complain to the police.
Most people hate regulators but they are there for a reason. What certifications does Coinbase have to hold your millions of dollars of virtual currency?
They were actually created as a much lighter weight framework to avoid the onerous regulation of an actual depository institution.
https://help.coinbase.com/en/coinbase/other-topics/legal-pol...
I don't see the connection with your link to securities fraud though.
Edit: California, not Canada. My bad.
Minor nitpick: I find your framing problematic as it transfers "burden of security" to the end-users over a process that did not involve them: this was not an attack on the users - it was an attack on the telecoms infrastructure.
I have a similar gripe against "identity theft", which really ought to be "fraud against corporation X, using a false identity" - however, that framing is necessary to make consumers accept, by default, the burden of clearing debts they were never party to simply because the defrauded party did not adequately verify the perpetrator's identity.
From the telco's perspective, they have a responsibility to stop SMS and SIM fraud, and our regulations have failed to properly hold them accountable in this domain.
I would add that the users have some responsibility for losing their emails/passwords, but my initial framing insufficiently demands responsibility for the service providers in this instance. The service providers should be expected to take all reasonable steps to prevent fraud on their platforms, and that should include extra scrutiny of SMS-based authentication mechanisms (e.g., identity verification). This is why Coinbase paid them back, accepting some responsibility for the fraud.
... bank robbery by unknowing proxy. If we reframed the narrative, I bet banks and financial institutions would bust their asses to make things better.
"However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account"
The key part being: "a flaw in Coinbase’s SMS Account Recovery"
[1] https://oag.ca.gov/system/files/09-24-2021%20Customer%20Noti...
What makes you believe a specific exploit like that existed against Coinbase's 2FA? And if it existed, then why wasn't that caught in a routine pentest?
[0]: https://krebsonsecurity.com/2021/03/can-we-stop-pretending-s...
[1]: https://lucky225.medium.com/its-time-to-stop-using-sms-for-a...
No, I don't think they have. The document says they will, not that they have. I personally know someone who had 2FA and tends to be security knowledgeable and was struck by this on 6/7, which is well past their claimed date, so either they are lying or the hacking continues undetected. He has had no ability to get anyone on the phone who will help with the issue. He lost less than $2,000, but it is ridiculous how cryptocurrency combines the worst of the wild west with the worst of banking with the worst of crappy customer service.
Long story short, I was never refunded despite raising two support tickets. :(
Crypto's value is because it is the wild west. Otherwise, it'd be gold: custodians holding the commodity for owners, most of it locked in cold storage, fully regulated, and governments pursuing theft whenever reported.
Eventually, the end state desired will be reached (regulation, customer service, insurance, pursuit of value theft, etc), it's just taking time for governments and Big Finance to catch up.
EDIT: https://www.cnbc.com/2021/10/01/defi-protocol-compound-mista... (DeFi bug accidentally gives $90 million to users, founder begs them to return it)
Coinbase should continue doing what they are doing, which is to support SMS, and educate and encourage users where possible to use something else instead.
(It’s also the only option offered by many US banks, which is a sad commentary on the level of tech innovation in finance in the USA.)
source? I kind of doubt that's something coinbase would call a flaw in their system?
> Even with the information described above, additional authentication is required in order to access your Coinbase account. However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.
My guess is, because funds were stolen from users' accounts, the CA breach notification laws apply and this needed to be disclosed as such. However, that doesn't necessarily mean that Coinbase was technically "breached," only that customer accounts were compromised.
If the attacker controls your personal email associated with Coinbase, accompanying passwords, and phone number, and you use SMS 2FA, then your funds were stolen. Otherwise, they were safe. That's my reading of the article.
[0]: https://krebsonsecurity.com/2019/08/who-owns-your-wireless-s...
1) They had a reasonable account recovery process after I lost my phone and therefore Google Authenticator. Binance's process was needlessly annoying and pointless, KuCoin straight up decided this was a good opportunity to just block my account completely and steal my money, even after email verification, as well as me supplying all emails they sent me about account activity.
2) They were more transparent about new requirements for identity verification than others, and still allow withdrawals without verification.
3) Best UI in the game.
From the Coinbase statement
>the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process
Your speculation and conjecture dismisses you from any and all future discussions on this matter. You have demonstrated that your are unfit to comment.
How is this not? 2FA is not 2FA if you can recover your account with just a text. It does seem a bad engineering decision on their side.
6000 customers affected. If it wasn't a YC company you'd never say that.
I sympathize with the "Not your keys, not your coins" crowd, but you have to admit that you are far more likely to be compensated in the event of an attack if you are using a large exchange. Not guaranteed, of course, but Coinbase has an image to maintain.
I also believe, personally, that a large exchange has much better security than anything I could muster with a hot wallet. Yes, I know I can airgap a cold wallet but I like the ability to quickly sell some amount of crypto at market rates without having to transfer from a paper wallet. I also worry about physical security since my home has been burglarized before. Therefore, I keep my coins on exchanges and follow good practices with 2FA across my accounts (no SMS for any) and have withdrawal delays / whitelisting active.
I'll guess the users had the same usernames and passwords that they've used for a hundred other sites, and one of those got breached at some point. Don't do that!
If they were certain this was PURELY a phishing campaign against their users, then they had no need to disclose to the government.
Their wording in their disclosure is very very carefully crafted to not deny a breach of their data - pending "conclusive" evidence.
They made a choice to disclose so that the gov't could never claim that they failed to disclose should Coinbase data appear on a darknet website.
And while they make an allusion to social media data collection - I was a target in June, and I absolutely had ZERO social media talking about using Coinbase. There is NO WAY hackers could have deduced from social media that I was a Coinbase user, nor gotten my cell phone number.
I am 90% confident that Coinbase WAS breached directly, allowing hackers to gain access to email and phone number for my account.
This disclosure is 100% CYA.
Did you ever use any other cryptocurrency website? If so, one of those could have been hacked in order for the hackers to get a list of users to target.
Coinbase
Coinbase <https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
Verify your email address
In order to continue using your Coinbase account, you need to reconfirm
your email address. To avoid service interruptions verify your email.
Verify Email Address
<https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
If you did not sign up for this account you can ignore this email and the
account will be deleted.
Get the latest Coinbase App for your phone
Coinbase iOS mobile bitcoin wallet
<https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
Coinbase Android mobile bitcoin wallet
<https://verify-customers.elastic-galileo.185-150-117-78.plesk.page/>
Whois info:
> whois plesk.page
Domain Name: plesk.page
Registry Domain ID: 41B85291E-PAGE
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: https://www.namecheap.com/
Updated Date: 2021-07-10T14:00:29Z
Creation Date: 2020-03-18T03:06:27Z
Registry Expiry Date: 2022-03-18T03:06:27Z
Registrar: Namecheap Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Street: REDACTED FOR PRIVACY
...
Traceroute shows that site is hosted by Hurricane Electric. Anyone who lost money in this should sue Namecheap and Hurricane Electric. They will be stumbling all over themselves to tell your lawyers who their customer was, to avoid liability.
I don't even have a Coinbase account.
I am 90% certain Coinbase has suffered a broad breach of customer data that they have not disclosed yet.
https://haveibeenpwned.com/ says my data has been leaked ~25 times.
Hardware:
*manage: generate, transmit/sync, authenticate, back up
Discussion: https://youtu.be/9k4GP3Evh9c
I actually operate a business that exists solely as a result of this fact.
If you give a user a key, they will lose it. If they’re a customer, you need to have a back up plan for what happens when they lose their keys.
True. And this is also true for passwords. Sure, generation is different and the way of authorizing a transaction is different, but otherwise from a usage perspective a password can be viewed as a primitive case of a private key. And the industry has made huge progress in password authentication: password managers, OTP, biometric authentication, WebAuthn, etc. Specifically, password managers and biometric authentication mechanisms can be re-used for private keys as well.
Having multiple wallets, multisig authentication and smart contracts allows for recovery paths, while making sure that various custodians can only perform certain transactions, and in a transparent way.
To me, that reads as "if you had 1 BTC stolen on May 20, we will deposit 40k USD into your account, because that was the value of 1 BTC as of May 20", not "if you had 1 BTC stolen, there is now 1 BTC back in your account".
The timeframe listed in the letter covers exactly the time of a massive price spike, so a USD payout would put most people in a better situation than a BTC payout in this specific case, but I'm still curious how this is handled, and whether there is a universally agreed standard for it.
Because next time "we'll reimburse you the USD value of your crypto as of the date of the attack 6 months ago" could mean that someone "made whole" like this has only 10% of what they would have if the attack didn't happen.
Although it sounds like these are email accounts that have been hacked in other ways too.
Falling back to SMS to reset 2FA, or Skype calls where you hold up your ID with a CSR or whatever is just asking for shit like this. In bulk the hardware is probably <$5/token, so well under $10/user (probably closer to $5/user even for a pair of tokens). If your CLTV for your high security financial service can’t afford that, go do something else.
This is a solved problem; the fact that financial institutions have not got on board with 10+ year old stable, cheap, widely available technology is a market failure caused by massive overregulation.
Nothing about this is hard, nothing about this is expensive, there’s just a pervasive attitude in financial technology circles of “this is the way we’ve always done it” or “this is the way everyone else does it”, even if those ways encapsulate a ton of waste and risk.
Even without the whole “n+1 tokens, used only as primary 2fa recovery” scheme, I don’t think there’s a single US retail bank that supports U2F even for normal 2FA login. It’s shameful.
This industry is so ridiculously ripe for disruption but it’s so heavily overregulated that nobody that doesn’t suck is allowed to enter the market. Simple was the first to try (and even they had to use a partner bank) and they got erased via acquisition (and I think subsequently shut down).
The other issue is that you ultimately need some sort of fallback mechanism if someone loses their keys. And it will happen. So you still end up with a process that can be socially engineered, which is generally the weak link in any authentication system.
Doing 2FA via app is fine for most users. The failures happen when users lose their phone and need to reset 2FA. That's where the pain in the ass (but secure pain in the ass) of U2F would come in handy, to re-enroll primary 2FA.
Nobody presently has good ways of doing 2FA resets. U2F hardware is a near-perfect solution.
I am probably not understanding this correctly, but if the attacker had to have knowledge of your password then why did they reimburse affected users. They could've called it a day and claimed it was the user's fault.
Archived version: http://web.archive.org/web/20211001155216/https://oag.ca.gov... (consider https://archive.org/donate to support the cost of operating the archive).
There was a spate of Coinbase SMS phishing texts in July 2021. So the window could be much longer, and the campaign ongoing.
I'll take my chances with the banks and Nigerian Princes.
I don't know if this is right. Traditional money transfer is not some absolute, irreversible thing. It is the product of software yes; but more importantly, it is the product of trust between institutions and individuals, backed by government and the legal system.
In traditional finance, there is _far more_ than just the correctness software ensuring the safekeeping and transfer of your assets.
It won't stop; not just crypto but almost everything that involves software will have potential attacks. Crypto is just another area where attacks happen. IMO, the more attacks there are, the more robust the crypto industry will become over time.
It is so commonplace and high volume that it is not news
If incidents were listed alongside unexpected crypto seizures, crypto would look like the better option whether it was onchain, smart contracts or custodial institutions (like Coinbase) involved. And that has nothing to do with the size of the respective markets
It's not a contest, but anti-crypto people or skeptics are just falling for clickbait at this point and it’s pretty goofy to see.
One thing I've become painfully aware of recently is how all MFA is rendered pretty insecure by various "fallback" processes. I recently switched jobs and realized I had a few accounts using my old work phone as SMS 2FA number. In every case it was ridiculously easy to call a CSR and get 2FA disabled from their end.
Use yubikeys. Use coinbase vaults.
When OTP is available I always remove my phone and use that. Sim swap is such a common attack these days.
https://help.coinbase.com/en/coinbase/getting-started/verify...
Most of the knee-jerk reactions in here really don't seem to know very much about how this actually works and how it's actually the user's responsibility at the end of the day.
Service providers should know better than their users and make the best choices for them.
It is not like when you buy a car you get to choose whether you want airbags or not. They decided for you, and you must have airbags, period.
Users, on average, do not possess the knowledge to make the best decision when it comes to security.
They go with the least-friction solution. SMS works great; everybody knows how it works.
So, yeah, the burden and responsibility should not be on the end user. This is clearly companies' fault.
I see 2 conflicting claims here:
> While we are not able to determine conclusively how these third parties gained access to this information
"these" being username, pw, phone number etc. And then:
> We have not found any evidence that these third parties obtained this information from Coinbase itself.
You're technically correct but the first claim undermines the second one to me.
Your car was stolen. I haven't been able to determine conclusively who did steal it or how, but I know it wasn't me.
It's difficult to prove a negative here until you find where the stolen credentials originated from. They're just saying that they have no evidence that it came from themselves thus far.
So it doesn’t necessarily mean they got it from Coinbase.
If people reused passwords, they also could potentially have cobbled together 6000 valid username/password/phone combinations from previous hacks of other services.
Despite all the criticisms that come with "the banking system", banks do provide a lot of value to individuals. It is completely understandable that people would want to wrap their decentralized currency inside of a centralized system (exchanges, custodianship, IRAs, etc.) for the benefits that having a bank-like organization can provide.
Apart from the fact that you can save value over time? Because the dollar is only going down.
This is only a recent phenomenon, and I don’t think it holds for all “large exchange[s]”.
If people make a run on the BTC Bank, and your value drops by 40%, CoinBase isn't going to refund you the losses.
Password is 1FA.
SMS is 2FA (not a great one, but still). Coinbase failed at 2FA. 2FA is critically important; that's why it exists.
Not sure why you discount username and phone either. Each of these is an additional layer of security simply by being more information an attacker needs to collect and associate. Coinbase doesn't publish a list of usernames. And how would someone associate phone numbers back to them?
Hardware wallets seem to have so many downsides, as far as I can understand.
You can keep multiple copies of your password manager's database (something like a kbdx file), but you won't have multiple copies of the hardware wallet. Therefore a single point of failure. If the wallet is stolen, damaged in a house fire, crushed by some accident etc. you're done. Also, can't the firmware of the hardware wallet possibly have some unknown bugs that might cause some failure in the future? Is the hardware failure-proof? No possibility of manufacturing defect etc.?
Secondly you've to buy a hardware wallet and whatever the cost, it's not free. Whereas an open source password manager like keepass is completely free (as in freedom as well as beer).
You could use a multi-purpose computer, e.g. a phone or PC and software to do the same, but they are more complex devices with more avenues to exploit them, e.g. a keylogger plus something that can upload your keepass file means you're robbed.
This is incorrect. Hardware wallets typically come with a recovery seed. Even if the original device gets destroyed, the seed helps you to get access to your addresses/crypto. This covers against all of the scenarios you mentioned.
For example, I just updated the firmware on my device this afternoon. Before I did it, I'm double-prompted to make sure I have my recovery seed in case the update fails.
As for storing in a password manager, you certainly could. I used to print my wallets out back in the day. The hardware just makes the process a bit easier and makes mistakes on my part less likely.
As for SPoF -- hardware wallets are initialized with a seed phrase. You can make as many copies of the seed phrase as you like. You don't even need to load them onto a new device if yours is lost or stolen; the phrase alone is sufficient to re-derive the keys on any computer (although you will sacrifice some security if you decide to recover that way).
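The comment above says the seed phrase alone is enough to re-derive a hardware wallet's keys on any computer. As an added illustration (not code from the original thread or from any wallet vendor), the block below performs that derivation with the two steps wallets actually use: BIP39 turns the phrase into a 64-byte seed with PBKDF2-HMAC-SHA512, and BIP32 turns the seed into the master private key and chain code from which every child key is derived. The mnemonic used is the public BIP39 test phrase (constructed input, never to be funded); the validity check against the secp256k1 group order is the edge case BIP32 requires a recovering wallet to handle.

```python
import hashlib
import hmac
import unicodedata

# Constructed demo input: the public BIP39 test-vector phrase (11 x "abandon" + "about").
# Anyone can derive this wallet, so it must never hold real funds.
DEMO_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

# Order of the secp256k1 group; a BIP32 master key must be in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds).

    Both strings are NFKD-normalised first, so the same phrase typed on any
    device yields the same seed. The optional passphrase is a genuine extra
    secret: a different passphrase gives a completely different wallet.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32: HMAC-SHA512 keyed with the literal "Bitcoin seed".

    Left 32 bytes become the master private key, right 32 bytes the chain
    code. Per BIP32 the key is invalid (astronomically unlikely, but a
    recovery routine must check) if it is zero or not below the group order.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    master_key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(master_key, "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key for this seed; BIP32 says reject it")
    return master_key, chain_code


def recover_wallet_root(mnemonic: str, passphrase: str = "") -> dict:
    """Everything a software wallet needs to rebuild a lost hardware wallet's keys."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    master_key, chain_code = seed_to_master_key(seed)
    return {"seed": seed.hex(), "master_key": master_key.hex(), "chain_code": chain_code.hex()}


if __name__ == "__main__":
    root = recover_wallet_root(DEMO_MNEMONIC, "TREZOR")
    for name, value in root.items():
        print(f"{name}: {value}")
```

Because the whole derivation is deterministic, two devices given the same phrase and passphrase produce identical roots, which is exactly why a paper copy of the phrase is a full backup and why it must be guarded like the device itself.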
In hindsight, I should've known better than to use PII in my account.
It scared me into exiting the space entirely.
Gold owners also use responsible custodians when they don't store the gold themselves. I think bitcoin owners do not do the same because they want to have easy access to trading and there aren’t companies that both operate trading and are either responsible custodians or make it easy to use a different custodian for storage.
If so, I agree. I'm just surprised to see it stated so baldly.
Here’s an old story of a friend who had a weird talk with someone who had redirected their phone:
However, around the time of the breach date (March - May 2021), there were a number of "B2B" services that offered a "type in any SMS number and you will get all text messages to that number," type feature intended for customer support teams to use for shared SMS access. Those systems often had privileged access to telcos and were regularly exploited by attackers to break 2FA without even a SIM swap [1]. With those tools, stealing all SMS to a number required only intent, not conversations with telco support personnel.
[0]: https://news.ycombinator.com/item?id=28720280
[1]: https://krebsonsecurity.com/2021/03/can-we-stop-pretending-s...
Is that not what we just watched a HN reader do with that analogy?
It would be equally accurate to say "We have no evidence that it wasn't our fault," either statement is equally meaningless when they have no significant evidence.
They chose to phrase their ignorance the only way that it could be misinterpreted as mitigating their liability, and we just watched that misinterpretation play out here.
"We haven't found any evidence of who was at fault" would be more forthright than answering only the half of that question that sounds better for them.
The thing that might have been hacked could have easily been a CRM or email marketing system - possibly even via some 3rd party supplier.
Obviously there was no hack of the Coinbase accounting system - for the reasons you mentioned.
Also, their mobile app recently was updated to support NFC Yubikeys...
They also had a security bug in their SMS-based recovery system, according to other commenters in the thread.
All that is to say that Coinbase and Mt Gox were operating in completely different leagues of sophistication.
EDIT: on reading some of their docs, recovery is supposed to be followed by the user submitting ID documents etc before they get full access back - maybe that's the part they didn't do before or that could somehow be circumvented? (which is a flaw, but still requires intercepting the SMS to use?)
The "flaw," in my reading of it, was to support SMS-based account recovery at all. But I'm not necessarily right here, and open to alternatives.
It’s unfortunate how much is out there.
You can however bet 100% that your dollar is going to be worth WAY less in 20 years than now.
I don't think they would have used that phrasing if it were individually simjacked phones.
[1] https://oag.ca.gov/system/files/09-24-2021%20Customer%20Noti...
The technical barrier to entry for accruing and using breach databases is near-zero [2], same with the barrier to SMS fraud. Both are routine and easy methods for criminal groups with no special technical abilities, and therefore they are likely. Since the onus is on Coinbase to do identity verification in account recovery, a large number of successful takeovers would be a "flaw" in their process, even if it's not a technical flaw (which I would expect to be expressed in language like "vulnerability").
Accepting untrusted, unauthenticated user input as a SMS verification number would be a serious login-related flaw, and certainly Coinbase pentests their login pages. Any competent pentester would discover such a flaw. So between "Coinbase shipped a critical and obvious login flaw to prod" and "a routine and common criminal tactic was employed successfully against them," I find the latter more likely.
[0]: https://news.ycombinator.com/item?id=28720101
Coinbase is very clear in the breach notification that attackers had already acquired users' (a) emails, (b) passwords, and importantly (c) already have access to the users' primary email accounts. At that point, the only thing left preventing account takeover would be the 2FA challenge, and since Coinbase said there was "a flaw in Coinbase’s SMS Account Recovery process" I find it a bizarre conclusion to think that flaw was just a standard SIM-swap.
Edit: Actually, pretty positive it was not just a standard SIM-swap given that, if it were, Coinbase would not have specifically called out "a flaw in Coinbase’s SMS Account Recovery process". If it were just normal SIM-swapping bad guys would have just used that to defeat 2FA during the login process - there would have been no need for them to mess with the account recovery process. That's actually not that uncommon a bug, where 2FA works great to protect login, but there is an oversight that makes it not required during the account recovery process (by definition you're letting people into an account during the recovery process even if they're missing one of their authentication methods) that makes the whole 2FA moot.
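The bug class the comment above describes, a second factor enforced at login but skipped in account recovery, is easiest to see as two policy functions side by side. The block below is an added illustration written for this thread; it is not Coinbase's code and it assumes a hypothetical recovery flow in which the requester can prove control of the registered email, the registered phone (SMS), an existing non-SMS second factor, or an identity document. The flawed version accepts an SMS code alone, so anyone who can receive the victim's texts never has to beat the real 2FA; the hardened version never lets SMS stand in for a second factor and applies a withdrawal hold to any account recovered without the original factor.

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class RecoveryEvidence:
    """What the person asking for recovery has actually proven (hypothetical model)."""
    email_link_clicked: bool      # control of the registered email address
    sms_code_entered: bool        # control of the registered phone number
    existing_2fa_passed: bool     # still holds the enrolled TOTP/U2F factor
    identity_verified: bool       # document check completed by a human/KYC step


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    withdrawal_hold: timedelta = timedelta(0)


def flawed_recovery(ev: RecoveryEvidence) -> Decision:
    """Recovery path with the oversight described in the thread: one SMS code
    resets the second factor, so SMS interception alone defeats 2FA."""
    if ev.sms_code_entered:
        return Decision(True, "SMS code accepted; second factor reset")
    return Decision(False, "SMS code required")


def hardened_recovery(ev: RecoveryEvidence) -> Decision:
    """Assumed hardened policy: recovery demands at least the evidence a normal
    login would, or an out-of-band identity check, and never SMS by itself."""
    if not ev.email_link_clicked:
        return Decision(False, "registered email must be proven before anything else")
    if ev.existing_2fa_passed:
        # The enrolled factor still works: this is a re-enrolment, not a bypass.
        return Decision(True, "existing second factor verified; new factor may be enrolled")
    if ev.sms_code_entered and ev.identity_verified:
        # SMS plus a document check can replace a lost factor, but funds are
        # frozen long enough for the legitimate owner to notice and intervene.
        return Decision(True, "SMS and identity check passed; withdrawal hold applied",
                        withdrawal_hold=timedelta(hours=48))
    return Decision(False, "SMS alone cannot replace a second factor")


# Constructed scenario from the thread: attacker already holds the email,
# the password and the victim's SMS, but not the TOTP/U2F device or the victim's ID.
SIM_SWAP_ATTACKER = RecoveryEvidence(
    email_link_clicked=True, sms_code_entered=True,
    existing_2fa_passed=False, identity_verified=False,
)

# Constructed scenario: the real owner who lost their phone and completes the ID check.
GENUINE_OWNER_LOST_PHONE = RecoveryEvidence(
    email_link_clicked=True, sms_code_entered=True,
    existing_2fa_passed=False, identity_verified=True,
)


def compare(ev: RecoveryEvidence) -> dict:
    """Run both policies on the same evidence so the difference is explicit."""
    return {"flawed": flawed_recovery(ev), "hardened": hardened_recovery(ev)}


if __name__ == "__main__":
    for label, ev in (("sim-swap attacker", SIM_SWAP_ATTACKER),
                      ("owner with lost phone", GENUINE_OWNER_LOST_PHONE)):
        for policy, d in compare(ev).items():
            print(f"{label:22s} {policy:9s} allowed={d.allowed!s:5s} hold={d.withdrawal_hold} ({d.reason})")
```

The useful test for any real recovery flow is the one the block encodes: enumerate every path that ends in "factor reset" and confirm none of them is satisfiable with strictly less evidence than the login path it is meant to replace.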
How is it possible to update the SMS recovery protocol to prevent SIM swapping?
When I saw this happen, Google was not aware the number was gone, so calls and texts from other Google Voice users still worked.
https://arstechnica.com/information-technology/2021/03/16-at...
That's not snark, those are great use cases, both have thousands of years of popularity behind them and tons of demand.
Hence my parent comment, which points out that when you use the more heavily regulated centralized exchanges like coinbase the one remaining use case is gambling.
Classic answers like "banking the unbanked in third world countries" don't seem to be shaking out yet.
https://www.theguardian.com/technology/2016/apr/19/ss7-hack-...
International tourists will also be less likely to get a local SIM card and then pay exorbitant roaming charges.
(Here in South Africa, clients must provide proof of their residential address. Some telcos even insist on verifying the thumbprints of their clients)
And your mobile phone number is invaluable here.
why sms? because everyone has it. we're not in a otp/u2f only world yet. sms 2fa is better than no 2fa
The cost benefit analysis probably does not make sense for a gazillion low balance users. It may make sense to enforce strong factors for high balance users. You have to balance that against them taking their business elsewhere.
SMS is handy but it should be a last resort rather than the main second factor.
RSA enrollment is probably the single most challenging end user issue our IT folks deal with. After password reset it’s the #2 call, and lots of time, training and engineering effort has been expended to improve the experience. (And those efforts were very effective!)
[0]: https://help.coinbase.com/en/pro/managing-my-account/account...
Physical possession of wealth is a bad long term strategy. Eventually people WILL find out, and you WILL become a target.
One of the main functions of government is private wealth protection. Banks are a feature, not a bug.
Transferring 500k between most developed countries should be easy enough, I'd probably talk to both banks first for such a large amount.
If you think the government is protecting your wealth, you're incredibly naive.
The smallest possible fraction of a dollar is $0.01. You can transact BTC in denominations with a lot more zeros behind the decimal point.
https://www.visualcapitalist.com/purchasing-power-of-the-u-s...
> fixed supply
Perhaps we've identified a small crack in this otherwise bulletproof logic.
SMS can be good enough to confirm a password reset link that was sent by email (so you will not really do anything without access to an account's linked email address), but not as the main second factor for login.
What I really mean is what can you do in DeFi that is connected with the real world? In other words, what can you do that doesn't fall into the category of using your money to make more money with no effect on the material world?
Examples of things that traditional finance enables that connect to the real world:
- Get a student loan (you get an education)
- Get a car loan (you get a car)
- Get a home loan (you get a house)
- Insure your car or home (perhaps including insurance in finance is a bit broad, but I think it's appropriate)
- Have some claim on the future cash flows of a company that makes real things (public equities)
Obviously traditional finance isn't some bastion of providing "real world" value and resistance to over-financialization. But DeFi seems like pure financialization so far. I suppose the first step is to enable payments (arguably the definition of money is a payment system), but it doesn't seem like that has caught on very much either.
An end goal of crypto is to have all financial and ownership services exist on-chain. To conceptualize the real world as somehow forever separate is going to lead to the correct conclusion that DeFi doesn't seem to affect "the real world".
> - Get a student loan (you get an education)
Requires identification.
> - Get a car loan (you get a car)
Requires identification.
> - Get a home loan (you get a house)
Requires identification.
> - Insure your car or home (perhaps including insurance in finance is a bit broad, but I think it's appropriate)
Requires identification.
> - Have some claim on the future cash flows of a company that makes real things (public equities)
Doesn't necessarily require identification. There are cryptos looking to tokenize and fractionalize public/private equities. The equity would exist on chain, not on the private ledgers of banks/clearing houses/brokers/the NASDAQ. You would own your equity via a private key, and not by the say so of Fidelity (e.g.) and the government.
You've listed three types of loans that require you to have some form of identity which allows for the existence of credit/reputation. Until crypto has a functional decentralized identity (which is being worked on by many [1], and even has a W3C draft [2]) and government recognition, you will likely not see traditional lending products. Doesn't mean it isn't possible.
Insurance also requires identification for reputational purposes, but less for enforcing payments and more for measuring risk.
Crop insurance is a popular use case being investigated for poor rural areas to get insurance. Remember, traditional finance requires massive human capital infrastructure, general civil infrastructure, and minimized governmental corruption to ensure debt repayment occurs. It may be easier to bootstrap insurance from a decentralized network/blockchain + satellite internet, for certain communities.
This does involve using a centralized service to an extent, but the amount of trust you are asked to extend is limited. They can't unilaterally take your funds, and they can't stop you from moving them to another wallet which you fully control. At the same time, you can safely use the wallet online with the additional convenience and safeguards provided by Muun, and it would be difficult to lose your funds permanently from "one small mistake".
As I said, it's a hybrid—so it has some elements of "being your own bank" as well as elements of a custodial system. The point of the multi-sig model is to allow the wallet to be used for day-to-day transactions like a "hot" wallet or a custodial exchange without the risk of carrying the complete keys everywhere on an Internet-connected device and without giving up control over the funds. The backup and the 2-of-2 multi-sig each serve important functions; neither "defeats" the other.
> If their backup is stolen, the thief can empty their wallet.
And no one ever has their traditional bank account emptied due to poor password hygiene or a vulnerability in the bank's 2FA system? Transferring custody to a third party doesn't mean you can stop worrying about security. If you don't have something equivalent to this offline backup then it's true that there is one less way for a thief to gain access to the account, but then you risk being unable to prove that you are the authorized owner of the account and losing your funds that way.
> Not much different from using a hardware wallet in that respect.
Hardware wallets have a different set of trade-offs. Personally I don't like to carry mine around with me like an ordinary wallet (or my phone) for use in daily payments. It's probably secure enough that I could do that safely, but there's always the risk of losing it, and for small, everyday payments it's just not as convenient as using an app on your phone. Also, Muun works with the Lightning network, which requires an online component; I'm not aware of any hardware wallets which can fill that role.
Could a scam system be made that seemed to work, be advertised, and otherwise identical up until the point of failure as muun?
The biggest potential point of failure, if you installed pre-built binaries from a third party such as Google Play or the Apple App Store, is that it could be updated to a new version which leaks the wallet-side private key. Which is a potential concern with any wallet software you don't audit for yourself. Of course you're also trusting the system software provider (i.e. Google or Apple) to run the application properly, as with any software running on their respective operating systems.
Personally I trust it with funds comparable to what I would normally keep in a wallet for daily use, not a safe or a bank vault. For larger amounts where the inconvenience of cold storage is justified I use a hardware wallet (Trezor).
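As an added example, not Muun's code and not from any comment in this thread, here is a stdlib Python model of the hybrid wallet described in the replies above: a spend needs a signature from the key on the phone and one from the co-signing service, and an emergency kit holds passphrase-encrypted copies of both keys so the owner can move funds without the service. Signatures and the kit's encryption are HMAC and PBKDF2 stand-ins for ECDSA and a real AEAD cipher; the transaction bytes, key sizes, passphrases and KDF work factor are constructed for the example.

```python
"""Toy 2-of-2 hybrid wallet model (added example; not Muun's code)."""
import hashlib
import hmac
import secrets

TX = b"spend 0.001 BTC -> bc1q...example"   # constructed sample transaction
KDF_ITERS = 100_000                          # assumed PBKDF2 work factor


def sign(key: bytes, tx: bytes) -> bytes:
    """Stand-in for an ECDSA signature: a keyed MAC over the transaction."""
    return hmac.new(key, tx, hashlib.sha256).digest()


def policy_satisfied(tx: bytes, sigs: list, policy_keys: tuple) -> bool:
    """2-of-2: every key named in the spending policy must have signed."""
    return all(
        any(hmac.compare_digest(sign(k, tx), s) for s in sigs)
        for k in policy_keys
    )


def _keystream(kek: bytes, length: int) -> bytes:
    """HMAC-counter keystream; stand-in for a real AEAD cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(kek, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal_kit(passphrase: str, device_key: bytes, cosigner_key: bytes) -> bytes:
    """Emergency kit: both keys encrypted under a passphrase-derived key."""
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERS)
    plain = device_key + cosigner_key
    return salt + bytes(a ^ b for a, b in zip(plain, _keystream(kek, len(plain))))


def open_kit(passphrase: str, kit: bytes) -> tuple:
    """Decrypt the kit; a wrong passphrase yields garbage keys, not an error."""
    salt, ct = kit[:16], kit[16:]
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERS)
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(kek, len(ct))))
    return plain[:32], plain[32:]


class HybridWallet:
    """One key on the phone, one with the co-signing service; both in the policy."""

    def __init__(self):
        self.device_key = secrets.token_bytes(32)    # lives on the phone
        self.cosigner_key = secrets.token_bytes(32)  # lives with the service
        self.policy = (self.device_key, self.cosigner_key)

    def normal_spend(self) -> bool:
        """Day-to-day path: phone signs, service co-signs."""
        sigs = [sign(self.device_key, TX), sign(self.cosigner_key, TX)]
        return policy_satisfied(TX, sigs, self.policy)

    def phone_alone(self) -> bool:
        """A stolen or compromised phone cannot spend by itself."""
        return policy_satisfied(TX, [sign(self.device_key, TX)], self.policy)

    def service_alone(self) -> bool:
        """The service cannot unilaterally take the funds."""
        return policy_satisfied(TX, [sign(self.cosigner_key, TX)], self.policy)

    def recover_with_kit(self, kit: bytes, passphrase: str) -> bool:
        """Owner (or thief) with the kit signs for both keys without the service."""
        d, c = open_kit(passphrase, kit)
        return policy_satisfied(TX, [sign(d, TX), sign(c, TX)], self.policy)


if __name__ == "__main__":
    w = HybridWallet()
    kit = seal_kit("correct horse battery staple", w.device_key, w.cosigner_key)
    print(w.normal_spend(), w.phone_alone(), w.service_alone(),
          w.recover_with_kit(kit, "correct horse battery staple"),
          w.recover_with_kit(kit, "guess"))
```

The model makes the trade-off in the thread concrete: neither the phone nor the service can move funds alone, the kit is the only single artifact that can, and a stolen kit is exactly as strong as the passphrase and KDF protecting it.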
It's amazing how many smart people take so long to realize why banks exist.
I just had to physically cross an ocean twice because my bank won’t send wires for more than $25k via their website, and that’s one of the gentler failure modes.
Here are some examples: https://old.reddit.com/r/fatFIRE/comments/pycgjx/what_in_the...
Retail banking in the USA is terrible.
It's the reason to do the crypto part at all that's more confusing. Unless of course we all just admit that gambling is unbelievably popular and fun and has been a continued hit throughout human history.
For traditional finance, it's pretty different. E.g., "If fraudulent electronic withdrawals are made from your bank or credit union account but your ATM or debit card is not lost or stolen, you are not liable if you write to let the bank or credit union know about the error within 60 days of when they send you the account statement showing the fraudulent withdrawals." https://ovc.ojp.gov/sites/g/files/xyckuh226/files/media/docu...
If you have a lot of money, most brokers will ship you a hardware token.
I get this, and I definitely am not suggesting the real world is forever separate. I am somewhat suggesting it currently is though.
> There are cryptos looking to tokenize and fractionalize public/private equities.
Yes, but the ones I'm aware of are entirely doing it on the backs of traditional finance equities.
> Requires identification.
This is a good point and I almost explicitly called it out myself - traditional finance is valuable much because it acknowledges the existence of the individual in society, not as an abstract entity with cash flows.
Solving the identification problem is a goldmine for society at large, not just DeFi. I just find it hard to imagine a suitable solution that doesn't involve trust in the government and other institutions.
I want to make it clear that I am not anti-crypto/DeFi. I think most payment will one day be distributed/trustless at its lowest layer. But I also think that true value (in the "real world") will come when all of the trust built into the rest of society is layered on top.
Not just to lock down the logins to Coinbase, but to also secure their customers' email, Twitter accounts, and as many other online systems as would support hardware backed WebAuthn. Hell, PokerStars did this with RSA tokens back in 2008 so it's not like it's a new idea.
That also solves a major usability issue: instead of trying to juggle between a mobile application and a TOTP authenticator (on the same device!), or plugging in a USB adapter for authentication needs, you just quickly tap/wave your keyring next to the phone. Or quickly take your phone out of your pocket when you need the second factor.
I'm pretty sure people have phones and Coinbase can force them to install a 2FA app.
To verify someone's identity ("Identity Proofing") using Stripe Identity [1] costs ~$2. They support IDs from 33 countries, and have implemented fraud detection in the flow. If you were so paranoid as to defend against someone stealing your government issued ID (used in the proofing process), you could paper mail an OTP to the physical address on file.
Does it suck, and is it the cost of having no digital ID infrastructure in the US? Yes. Is it insurmountable? Not at all. At the end of the day, people are the weakest link, and we must fall back to meatspace trust anchors (in this case, possession of government provided ID that can be provided on demand with robust fraud detection mechanisms). You are who you are, and own what you own, not because of key material but because of the law.
This attack wouldn't have been possible if they didn't allow SMS 2FA, so I don't think that's fair to say at all.
I don't need to ask anyone to move bitcoins.
If your cloud account is protected by 2FA that's also in the cloud... it's turtles all the way down.
Please tell me how to do that?
Two iPhones and every type of Titan key that is currently sold, still haven't been able to make NFC work, nor authentication over Bluetooth.