I tried to reach out to coinbase customer support to see if I was impacted. Once I wasted my time with the AI bot and got a human they were unaware of the breach. I was the first person to inform them about it.
ycombinatrix · 7m ago
Maybe the actual first person got unlucky with a lazy customer support agent.
AznHisoka · 1m ago
I’ve been getting scam texts from scammers who claimed my Coinbase account was compromised and to contact them. I wonder if this incident was the root cause
https://www.coinbase.com/blog/protecting-our-customers-stand...
> We will reimburse customers who were tricked into sending funds to the attacker due to social engineering attacks. If your data was accessed, you have already received an email from no-reply@info.coinbase.com; all notifications went out at 7:20 a.m. ET on 5/15 to affected customers.
gkoberger · 20m ago
The no-reply is an interesting decision. I get how difficult it is to run a company like Coinbase (their biggest strength, centralized + customer support, is also what enables this social engineering), but feels like an odd choice.
PeeMcGee · 13m ago
> No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched.
I'm curious why no Coinbase Prime accounts were part of the leak (assuming that's what they mean). Is there some sort of additional layer of data protection behind the Coinbase Prime paywall? Or perhaps those accounts were intentionally avoided as they would presumably belong to more savvy users.
czk · 10m ago
Coinbase Prime is its own exchange with its own support (actual humans in the USA that are available to chat to). It's for "institutional investors" so unavailable to most customers without the proper credentials/paperwork. They don't share the same outsourced "support" as the regular exchange, which appears to be the attack vector here.
thepasswordis · 2h ago
The problem is that it seems like the data that leaked is also the data that would be used to do account recovery.
And what that means is that:
1) If you lose access to your account (through either your own fault or Coinbase's), the process of recovering it may not be so straightforward anymore.
2) Hackers can try to “recover” accounts now using this leaked info.
This is a huge problem. What Coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (which also makes a huge barrier for the overseas thieves who are usually doing this).
The only solution here is: hardware 2 factor like yubikeys.
piva00 · 2h ago
> What coinbase needs are IRL offices where you can go and do things like account recovery, and where people trying to steal money can be caught and prosecuted (and makes a huge barrier for the overseas thieves who are usually doing this)
That's just a bank.
dowager_dan99 · 1h ago
Beyond the regulatory dodge and crypto marketing, explain to me how Coinbase is NOT a bank.
Analemma_ · 18m ago
Cryptocurrency firms exist in a quantum superposition of bank and not-a-bank until you interact with them, at which point they collapse into whichever state costs them less money.
thepasswordis · 2h ago
Correct. Coinbase is a bank that holds cryptocurrency.
DonHopkins · 25m ago
And OpenSea is a zoo that holds apes.
lovich · 20m ago
Watching crypto enthusiasts run into every problem that society already tackled in the past when developing currency and its controls, and then coming up with solutions that look exactly the same as what dirty fiat currency uses, has been a source of much entertainment the past few years.
voidspark · 8m ago
This is an exchange problem, not a crypto problem. You don’t need an exchange to hold crypto.
growlNark · 5m ago
I'm surprised they only demanded $20M. Surely that customer data is potentially worth, like, orders of magnitude more.
Correspondingly I'd assume either a) paying the ransom doesn't take it off the market or b) the info they stole isn't that interesting.
pentagrama · 1h ago
Maybe it’s a naive question, but in many breach reports I see things like 'No passwords, private keys, or funds were exposed.' How come companies can usually protect that kind of data, but not emails, names, and other personal info?
LorenPechtel · 2m ago
Such data is typically encrypted and purely write-only, only read by the system itself. Thus it is only exposed if the database itself is exposed. If the leak was compromise of the systems that access the data (which appears to be the case here--insiders copied data they could access) the write-only info is not exposed.
selectout · 1h ago
Companies want the ability to use things like emails, names, and other data for user experiences (go to settings, see name and change it), advertising (target this address book for X ad), etc. So these are typically plaintext (oversimplified) and accessible by different systems while passwords or private keys have one use case only and can have a higher bar of protection.
wat10000 · 21m ago
A properly implemented login system will never store a password in the first place. Properly hashed passwords can still be cracked in some cases, but if your password is strong and the hash is good, it’s safe.
dboreham · 1h ago
It was some BI/analyst database that leaked?
blindriver · 2h ago
There should be an ISO standard with respect to how much power and information that front line customer support agents have. The more information you need, like changing passwords or accessing personal information, should get forwarded to higher level customer support agents with better training and more monitoring. This way you can design customer support experience with as little exposure to security issues as possible.
wepple · 27m ago
> better training and more monitoring.
That’s very load-bearing. It won’t help.
The CS reps are based in an LCOL country so the opportunity for theft is simply incredibly lucrative.
What is really needed, is customer-in-the-loop for access to their data. The problem is, not all accesses would make sense. Doing analytics over the data of the top 1% of customers, for example, requires some level of access, but would freak out those customers if they had to approve it.
wat10000 · 20m ago
If it would freak out the customers, maybe they shouldn’t be doing it.
xyst · 16m ago
Compartmentalization is a very expensive customer support model.
caseyohara · 11m ago
So are $20M ransoms and the reputational damage from data breaches.
whyever · 2h ago
The main defense against internal attacks is bookkeeping. Banks have been dealing with this for thousands of years. I recommend the corresponding chapter in Security Engineering by Ross Anderson: https://www.cl.cam.ac.uk/archive/rja14/Papers/SEv3-ch12.pdf
elif · 1h ago
So this is probably why the phishing calls have increased from ~1 per month to ~3 per week.. good to know... Wish coinbase would let me DO something about it... Maybe fresh accounts for everyone? Maybe KYC data not directly linked to accounts? There should be SOMETHING they can do because the sheer volume of people constantly harassing CB customers is nuts.
xyst · 18m ago
Forget relying on brokerages like COIN. If you care about the security of your digital assets, use a cold wallet or non-custodial account.
ycombinatrix · 6m ago
The comment you're replying to was complaining about scam calls, not about wallet security.
Using a hardware/"cold-ish" wallet does not protect you from scam calls: https://www.bleepingcomputer.com/news/security/physical-addr...
It's ironic this came [out] the day after COIN is going to be added to the SP500.
molticrystal · 1h ago
And the reason Coinbase has to keep all that sensitive stuff, much more than what would be required to identify and authenticate you, which you hope will never be stolen, is because of know your customer laws, so you can thank your government that pictures of your passport got stolen and for whatever criminals and rogue Coinbase employees do with that info.
ryuhhnn · 38m ago
There are very good reasons for KYC, the problem here is not the government regulation, it's once again private companies being sloppy with their customers' data because sloppy is cheap and it's not their info on the line, it's yours, so there's little motivation for them to safeguard it _unless_ they're compelled to do it by law.
> We will reimburse customers who were tricked into sending funds to the attacker.
How many people are going to anonymously attack themselves now, just to get a reimbursement!
daveguy · 1h ago
... and once the crypto is transferred. Poof, you're ducked.
mxhold · 2h ago
Interesting coincidence?
> On April 12, Coinbase updated their user agreement to take effect TODAY, May 15, with new language about waiving some rights to class action lawsuits and jurisdiction selection.
https://bsky.app/profile/jsweetli.bsky.social/post/3lp7sw647...
Also, "Coinbase had detected the breach independently in previous months", aren't they required to disclose this? In the EU they are: Every EU institution must do this within 72 hours of becoming aware of the breach, where feasible
kmfrk · 1h ago
The classic added arbitration clause after a massive breach. Happened with Sony and iirc Valve (through Steam) off the top of my head.
https://www.coinbase.com/en-de/blog/protecting-our-customers...
What they got
- Name, address, phone, and email
- Masked Social Security (last 4 digits only)
- Masked bank‑account numbers and some bank account identifiers
- Government‑ID images (e.g., driver’s license, passport)
- Account data (balance snapshots and transaction history)
Wow. Why does customer support staff have access to images of the user's passports?
rtkwe · 1h ago
I also like 'last 4 digits only' as if that's not the most important part and the part so many places use to validate your identity; the first 5 are just area and group so they're not exactly random.
aianus · 9m ago
Who else would verify the user passports if not the customer support staff? Who verifies (and photocopies! in Asia and Europe) your passport at a hotel or car rental office?
thepasswordis · 1h ago
Ah, cool. My name, home address, phone number, social security number, and images of my driver's license and passport as well as what bank I use.
The article keeps saying overseas employees or contractors, but isn't more specific on who Coinbase entrusted with this sensitive customer PII.
The bottom line is Coinbase didn't adequately secure sensitive customer information, and it was leaked.
Not, "Gosh, 'overseas' people, what can ya do?"
voidspark · 2h ago
How can customer support operate without knowing anything about the customer?
browningstreet · 2h ago
You know how your bank asks you to verify details when you call?
Without the right details the customer support people don’t get entry into the customer's account details.
Banks have been doing this for 30+ years..
udev4096 · 1h ago
Which is such a lame and flawed mechanism to avoid letting them access anyone's data. I mean what are you even trying to prove here? That banks care about customer's security when they can't even implement a secure 2FA which is not just an unencrypted text message
“Give a man a gun and he can rob a bank, but give a man a bank, and he can rob the world.”
dowager_dan99 · 1h ago
CS can validate without knowing the details, the same way you don't enter a password and then check to see if that matches the password in the system.
The fact that they keep blaming overseas customer support is pure blame shifting - you still hired someone and gave them access to all this data, Coinbase!
voidspark · 1h ago
We don’t know if they had access to everything. They got data for “less than 1% of monthly transacting customers”.
ty6853 · 2h ago
A shared or hashed secret would do it.
Plenty of exchanges don't know their customers, and in fact that is how they get their customers.
voidspark · 2h ago
No. Coinbase deals with fiat money, therefore subject to AML and KYC regulations.
ty6853 · 2h ago
The question was about customer support. AML and KYC regulations do not require that customer support persons know your PII. That can be kept firewalled from them.
kragen · 2h ago
That's not related to customer support, though. It's more like customer surveillance.
kgwxd · 2h ago
Isn't the whole point of crypto to keep PII out of it completely? If not, what is all this nonsense for exactly, other than the typical goals of pyramid schemes?
ty6853 · 2h ago
The main point of crypto IMO is to have a large-denomination bearer asset.
This is overlooked most places, but if you look at it, the time the FATF finally pretty much eliminated bearer bonds, bearer stocks, and large bank notes was exactly the time crypto really took off.
Yes. IIRC ~2015 was when the last of bearer bonds/shares were pretty much all completely immobilized. I can't recall when the last ~1000 USD equivalent banknotes were printed but it was also close to that time.
sowbug · 2h ago
Coinbase is a bridge between digital currencies and the traditional world.
charcircuit · 2h ago
Unfortunately government regulation does not make that possible for exchanges. It also is not the point of crypto.
udev4096 · 1h ago
It's simple. They want to centralize crypto and dickheads like Armstrong are happy to be in line to make that happen. Just look at Tether, what's the point of it? It's nothing but a front for inflating the price of bitcoin. It has NEVER been audited and has been found to NOT have any USD backing at all.
voidspark · 2h ago
Not if you are dealing with a regulated exchange that facilitates fiat money transactions.
You can receive crypto privately to your own wallet without sharing PII, without any exchange.
dboreham · 1h ago
The PII is required by governments, to convert crypto money into real money.
JumpCrisscross · 1h ago
> Coinbase didn't adequately secure sensitive customer information, and it was leaked
Practically every company has someone with credentials who is in some combination of debt, a damningly-adulterous relationship, a damningly-illegal substance relationship and/or feels underappreciated or slighted compensationwise. The question is generally how much it costs.
overfeed · 29m ago
Which is exactly why insider threats should be explored as a threat model and mitigated to make the blast radius as small as possible via PII sanitization, access controls, access monitoring, rate limiting, etc.
kragen · 2h ago
It's probably hard to keep call-center workers bribe-proof.
toast0 · 1h ago
You can take the Google approach of basically not empowering the agents at all. It's not worth trying to social engineer Google CS, because they can't do anything anyway.
miohtama · 1h ago
Coinbase has the same approach. It's a miracle that ransomware operators got in touch with Coinbase support at all.
orionsbelt · 2h ago
Yes, but I do think an organization like Coinbase or a cell phone carrier - which are extreme targets of fraud - have an obligation to recognize that their employees are targets and implement greater security measures than most organizations. Maybe Coinbase should even pay higher wages and use onshore customer service agents.
kragen · 2h ago
Well, it sounds like they do implement greater security measures than most organizations.
CryptoBanker · 1h ago
Doesn't matter when Coinbase still got exploited
kragen · 1h ago
In a broad sense I agree, but it does matter to orionsbelt's comment.
thepasswordis · 2h ago
One step would be not to locate all of the call centers in countries where “stealing money from elderly Americans” is a noticeable part of their GDP.
kragen · 1h ago
You are writing this as if you know what countries Coinbase's call centers are located in and the role of organized crime in their economies, but you don't actually know either of those things.
apercu · 1h ago
Lol, that's because while Coinbase emphasizes its commitment to security and compliance, specific details about the geographic distribution of its offshore personnel are not disclosed in its public filings.
kragen · 1h ago
My perspective was more "That's because you post contentious statements in public fora with no reason to believe that they are true, hoping to get a big reaction by offending people."
ivewonyoung · 1h ago
You mean like in the USA?
> ...bribed AT&T employees at a call center in Bothell, Washington, to "use their network credentials and exceed their authorized access to AT&T's computers to submit large numbers of fraudulent and unauthorized unlock requests on behalf of the conspiracy and to install malware and unauthorized hardware on AT&T's systems," according to the indictment.
https://abcnews.go.com/Politics/att-employees-bribed-1m-unlo...
Not sure how bribing employees to unlock phones early is comparable to defrauding elderly people.
ivewonyoung · 1h ago
Read my comment further:
> ..install malware and unauthorized hardware on AT&T's systems
That's not as harmless as unlocking phones early. A major carrier that has access to texts, geolocations, and call logs being hacked like that is extremely concerning.
codegeek · 1h ago
Let me add to your statement. It is hard to keep call center workers bribe-proof WHEN they are paid peanuts AND they are working for a company that is in an extremely high risk business of managing crypto.
volkk · 1h ago
correct, but what's the alternative? they're paid peanuts because it's not exactly the kind of job you ever pay out the wazoo for. the only thing that comes to mind if I'm Brian Armstrong is going all in on AI bots that can get to 90% of the way there (maybe 95%) and then have domestic based humans that are paid more with (presumably) a lower probability of being bribed. but realistically, the only way to stop something like this is going 100% AI bots but then that comes at the expense of customer satisfaction, and also bots that are exploitable through prompt manipulation.
alternatively limit the roles and what the offshore people are able to do, but then any escalation means domestic people, which brings us back to "well at that point just use AI to automate easy tasks"
egeozcan · 1h ago
Normally payment should follow the amount of power/responsibility. If you pay someone peanuts but they have root access to prod, then you should pay more or restrict their credentials. Same applies to being able to access PII.
JumpCrisscross · 1h ago
> what's the alternative?
Small set of privileged employees who work from the home office and are compensated to match. If an issue requires their attention, it takes time to resolve. But it's resolved securely. In essence, what Google does.
Alternative is the banking model. Low-cost customer service massively empowered and just eat the costs of breaches as they come.
bombcar · 2h ago
Call center workers who have access to PII and financial abilities should probably be vetted a little bit better.
kragen · 2h ago
How are you going to vet people to find out if they're vulnerable to bribery? Offer them a bribe during their probationary period, during which they only have access to fake customer data?
bombcar · 2h ago
You can do a background check, but the reality of the matter is that you pay citizens a living wage to do the work instead of offshore it into a country that pays pennies.
Bank tellers can take thousands out of the vault at any time and yet it seems it’s not a very big issue.
Maxatar · 1h ago
Bank tellers do steal money from the banks they work for though and banks invest a significant amount of resources and have a lot of policies to prevent it.
For example at many banks the teller might need to get manager approval for some cash withdrawals, even for seemingly smaller amounts of money. Despite what it may seem, it's not because of some distrust towards the client but a safeguard against internal fraud.
kragen · 2h ago
Bank tellers are constantly surveilled by cameras, security guards, and several-times-daily cash counting, and it's still easy to find accounts of them having stolen significant amounts of money before getting caught. These are all from within the last year:
Vannia Chatt: https://6abc.com/post/former-citizens-bank-teller-accused-st...
Karen Farrell Tigler: https://www.irs.gov/compliance/criminal-investigation/former...
Stephanie Rose Kilbert: https://people.com/bank-teller-stole-money-while-pretending-...
Derek Aut: https://www.justice.gov/usao-ma/pr/former-bank-teller-arrest... https://www.usatoday.com/story/news/nation/2025/03/28/boston...
Mountee Brown: https://www.justice.gov/usao-md/pr/maryland-bank-teller-plea...
Being US citizens doesn't make people incorruptible. In fact, many other countries are less corrupt than the US. Someone in this very thread reports having witnessed bank tellers getting bribed in one of those countries: https://news.ycombinator.com/item?id=43996765
I've been through a background check designed to screen out people who were vulnerable to bribery. They interviewed my friends and family from the previous several years to find out if I was secretly gay, cheated on my wife, gambled, drank too much, used illegal drugs, or had money problems for some other reason. It took about a year. I think it would be hard for a financial institution to be economically competitive doing that kind of thing with their call-center workers, because their customers can't tell if they're secure or not, just how much their services cost.
bombcar · 1h ago
Then shift liability and let the insurers take care of it.
With a lot of this online stuff, no matter who gets your password or access to your account it’s you who has to take care of it. Whereas if the bank teller steals from the till it’s not your problem.
kragen · 1h ago
I suggest following the links I provided, which clearly demonstrate that the comment you posted in reply to them is false.
apercu · 1h ago
> you pay citizens a living wage to do the work instead of offshore
But what about the capital class? How will they afford more yachts? So sad. They're.. um... job creators or something. Anyway, that's what Fox News told me.
harvey9 · 1h ago
It's hard to keep most people bribe proof.
lotsofpulp · 2h ago
It’s not hard, it’s expensive.
dboreham · 1h ago
Yes, but you cannot give them a SQL prompt. Rate limiting account queries per CSR is a common mitigation measure.
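The "validate without knowing the details" idea raised by dowager_dan99 and ty6853 above, combined with the per-CSR rate limiting mentioned here, sketched as an added example; this is not Coinbase's code or any commenter's, and the keyed-hash scheme, field names, thresholds and sample values are all assumptions:

```python
"""Support-side identity verification that never reveals the stored detail.
Added example, not Coinbase's code: the agent console submits the customer's
answer and gets back only a verdict, each agent has a sliding-window budget of
attempts (so one bribed or careless account cannot sweep through customers),
and every attempt is logged. Names, values and thresholds are constructed.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Server-side pepper. Answers like "last 4 of SSN" have only 10^4 possible values,
# so a salted hash alone is brute-forced offline in seconds; the pepper must live
# outside the database (KMS/HSM). Constructed demo value.
PEPPER = b"constructed-demo-pepper-do-not-use"


def normalize(field: str, value: str) -> str:
    """Canonicalise an answer so '12-34' and '1234' compare equal."""
    v = value.strip().lower()
    if field in ("ssn_last4", "phone"):
        v = "".join(ch for ch in v if ch.isdigit())
    return v


def hash_detail(field: str, value: str, salt: bytes) -> bytes:
    """HMAC-SHA256 keyed with the pepper over salt || field || normalized value."""
    msg = salt + field.encode() + b"\x00" + normalize(field, value).encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).digest()


class VerificationStore:
    """Holds only per-customer salted, peppered hashes; no plaintext details."""

    def __init__(self):
        self._records = {}  # customer_id -> {field: (salt, digest)}

    def enroll(self, customer_id: str, details: dict) -> None:
        rec = {}
        for field, value in details.items():
            salt = secrets.token_bytes(16)
            rec[field] = (salt, hash_detail(field, value, salt))
        self._records[customer_id] = rec

    def check(self, customer_id: str, field: str, answer: str) -> bool:
        rec = self._records.get(customer_id, {})
        if field not in rec:
            return False
        salt, digest = rec[field]
        return hmac.compare_digest(digest, hash_detail(field, answer, salt))


class AgentRateLimiter:
    """Sliding-window cap on verification attempts per support agent."""

    def __init__(self, max_attempts: int, window_seconds: float):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts = defaultdict(deque)  # agent_id -> attempt timestamps

    def allow(self, agent_id: str, now: float) -> bool:
        q = self._attempts[agent_id]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


class SupportVerifier:
    """The only call the agent console gets: a verdict, never the stored value."""

    def __init__(self, store: VerificationStore, limiter: AgentRateLimiter):
        self.store = store
        self.limiter = limiter
        self.audit_log = []  # (time, agent, customer, field, outcome)

    def verify(self, agent_id, customer_id, field, answer, now=None) -> str:
        now = time.time() if now is None else now
        if not self.limiter.allow(agent_id, now):
            outcome = "rate_limited"  # logged for detection, never answered
        elif self.store.check(customer_id, field, answer):
            outcome = "match"
        else:
            outcome = "no_match"
        self.audit_log.append((now, agent_id, customer_id, field, outcome))
        return outcome


def demo() -> list:
    """One agent verifying a customer, then running past its attempt budget."""
    store = VerificationStore()
    store.enroll("cust-1", {"ssn_last4": "1234", "phone": "+1 (555) 010-0001"})
    limiter = AgentRateLimiter(max_attempts=3, window_seconds=60)
    verifier = SupportVerifier(store, limiter)
    return [
        verifier.verify("agent-a", "cust-1", "ssn_last4", "12-34", now=100.0),
        verifier.verify("agent-a", "cust-1", "phone", "15550100001", now=101.0),
        verifier.verify("agent-a", "cust-1", "ssn_last4", "9999", now=102.0),
        verifier.verify("agent-a", "cust-1", "ssn_last4", "1234", now=103.0),  # over budget
        verifier.verify("agent-a", "cust-1", "ssn_last4", "1234", now=170.0),  # window slid
    ]
```

The audit log is what the monitoring side would consume: an agent with an unusual ratio of `no_match` or `rate_limited` outcomes across many customers is the signal to investigate.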
pm90 · 2h ago
Pretty sure all the Big Banks use call centers and manage to avoid this.
A question that needs to be answered is whether they were prosecuted. Losing your job but getting to keep the bribe just means it will still happen.
LtWorf · 1h ago
They are probably used as scapegoats and didn't even leak the stuff. Crypto companies tend to do that.
dheera · 2h ago
Bribes are one thing, but threats could also happen. This is a big part of the reason why I absolutely hate entities that think residential addresses should be public record.
This is a precedent to Coinbase employees getting physical threats at their door just because e.g. some voter registration, utility company, bank, credit card, or court record decided to release their name and addresses on the internet. People could show up at some Coinbase software engineers' apartment doors with guns demanding they send BTC to arbitrary addresses.
asah · 2h ago
AFAICT it's impractical to keep residential addresses 100% private/secure - too many ways to get an address from any number of companies, organizations and governments that collect it for various reasons.
Plus numerous ways to infer your address from other data sources, including apps that grab GPS on friends' cellphones when they visit, etc.
Finally, shutting down paid data brokers seems virtually impossible in practice, which means anybody googling you can pay $20 and get everything.
Remember, the issue isn't lazy good guys but even slightly motivated bad guys, who then use third party scripts to do the data collection.
apercu · 1h ago
Man, I hate how Wisconsin makes the data not only public, but free.
I bought a house here after a long time out of country and the first year all I got for mail was scam bullshit. Loads of it.
dheera · 2h ago
> shutting down paid data brokers seems virtually impossible in practice
Just jail them. Make it a felony to release someone's PII without their written consent, and make data brokers illegal to begin with.
> numerous ways to infer your address from other data sources, including apps that grab GPS on friends' cellphones when they visit
These are not the main vector of transmission of personal information. Yes, Meta could probably do some graph analysis and infer this, but it's a lot of work, and their data leaks are rare in comparison to all the other companies, financial institutions, and governmental organizations, that freely post residential addresses on the internet and to data brokers for the world to Google.
> companies, organizations and governments that collect it for various reasons
KYC requiring addresses should be banned. Companies should not collect a residential address.
Phlarp · 1h ago
This is a feature of bitcoin not a bug.
If you sling code for cryptocurrency you and your loved ones are "in the game" now.
It's not surprising. Coinbase is nothing but a money laundering exchange, just like every other sketchy crypto exchange out there. They were also engaged in pump and dump of various altcoins
chmod775 · 2h ago
Saved dimes on customer support, lost $400m.
It's hard to not believe in Karma sometimes.
Crosseye_Jack · 2h ago
It will happen (at least attempted) with on-shore support staff too. My next door neighbour used to work for a UK high street bank and even there support staff were approached, with some of them first befriended, and eventually bribed into passing along PII. No doubt it happens in the US too. Just costs the bad guys more.
kragen · 2h ago
It's really unfortunate that KYC regulations required Coinbase to have this information in the first place. We should be establishing strong social norms against sharing PII without a legitimate reason; this is not just an individual theft risk but a national security risk. Coinbase doesn't pay into your Social Security account, so they shouldn't have your Social Security number. They don't visit your house, so they shouldn't have your address. Etc.
Historically, although KYC regulations were widespread in Communist countries, they were unthinkable in most democratic countries until 9/11, which provided spy agencies with their golden chance to write their wishlist into law. But unfortunately that helps foreign spy agencies just as much as, maybe more than, it helps domestic ones.
Let's hear you repeat this position after your Coinbase account is compromised and you're looking for recourse.
kragen · 1h ago
You seem to believe that AML/KYC regulation exists to benefit customers or to prevent or recover from account compromises. It does not, and I have no idea why you would think it does. Something like a Yubikey or iris-scanning stations could help to prevent Coinbase account compromises, but AML/KYC regulations do not require or even encourage them, though perhaps someday they will.
ceejayoz · 26m ago
You... want to replace KYC with iris scanning stations?
sroussey · 2h ago
Employees at Signal must be getting bribes as well, or even threats of violence, since they can get nation-state secret communications these days.
Got to make it so employees can’t do anything nefarious. This helps protect them.
lawn · 2h ago
How would employees of Signal access the encrypted messages?
sroussey · 28m ago
They don’t need to.
Under specific conditions, the client can communicate with malware already on device, save data locally for other software to pick up, or downright stream the decrypted software to a third party.
Most likely is to introduce a flaw in the client that can be used by other malware on the client.
Clearly no red team members on HN these days.
sitkack · 2h ago
Employees can't get access to encrypted messages.
But they can look the other way about flaws in their Electron client.
sroussey · 28m ago
Or any client.
NoMoreNicksLeft · 1h ago
Roll out an update that defeats the end to end encryption in some subtle way that wouldn't get noticed for a few days. They'd be told when to do it for maximum effect, and if the window is small enough it might even go unnoticed for far longer when another uncompromised update overwrites it. They have no duty to report such things to relevant authorities even if it was discovered internally, so you could be looking at some corporate coverup that, while not in on it, seeks to minimize liability/embarrassment.
Really, can you possibly tell if your Signal messages were compromised? Now that iPhones aren't really jailbreakable, you can't even see inside your own device.
With a lot of this online stuff, no matter who gets your password or access to your account it’s you who has to take care of it. Whereas if the bank teller steals from the till it’s not your problem.
But what about the capital class? How will they afford more yachts? So sad. They're.. um... job creators or something. Anyway, that's what Fox News told me.
https://www.americanbanker.com/news/call-centers-and-bank-br... "Call centers and bank branches are major fraud liabilities"
https://www.bai.org/banking-strategies/beating-crooks-at-cal... "Aite Group’s findings that 61 percent of fraud can be traced back to the [call] center are equally concerning, as is its prediction that contact center fraud loss will double by 2020."
This is a precedent to Coinbase employees getting physical threats at their door just because e.g. some voter registration, utility company, bank, credit card, or court record decided to release their name and addresses on the internet. People could show up at some Coinbase software engineers' apartment doors with guns demanding they send BTC to arbitrary addresses.
Plus numerous ways to infer your address from other data sources, including apps that grab GPS on friends' cellphones when they visit, etc.
Finally, shutting down paid data brokers seems virtually impossible in practice, which means anybody googling you can pay $20 and get everything.
Remember, the issue isn't lazy goodguys but even slightly motivated badguys, who then use third party scripts to do the data collection.
I bought a house here after a long time out of country and the first year all I got for mail was scam bullshit. Loads of it.
Just jail them. Make it a felony to release someone's PII without their written consent, and make data brokers illegal to begin with.
> numerous ways to infer your address from other data sources, including apps that grab GPS on friends' cellphones when they visit
These are not the main vector of transmission of personal information. Yes, Meta could probably do some graph analysis and infer this, but it's a lot of work, and their data leaks are rare in comparison to all the other companies, financial institutions, and governmental organizations, that freely post residential addresses on the internet and to data brokers for the world to Google.
> companies, organizations and governments that collect it for various reasons
KYC requiring addresses should be banned. Companies should not collect a residential address.
If you sling code for cryptocurrency you and your loved ones are "in the game" now.
https://www.bbc.com/news/articles/c20qee5030do
It's hard to not believe in Karma sometimes.
Historically, although KYC regulations were widespread in Communist countries, they were unthinkable in most democratic countries until 9/11, which provided spy agencies with their golden chance to write their wishlist into law. But unfortunately that helps foreign spy agencies just as much as, maybe more than, it helps domestic ones.
In https://en.wikipedia.org/wiki/Know_your_customer#Laws_by_cou... you can see when they were introduced in different countries.
Got to make it so employees can’t do anything nefarious. This helps protect them.
Under specific conditions, the client can communicate with malware already on device, save data locally for other software to pick up, or downright stream the decrypted software to a third party.
Most likely is to introduce a flaw in the client that can be used by other malware on the client.
Clearly no red team members on HN these days.
But they can look the other way about flaws in their Electron client.
Really, can you possibly tell if your Signal messages were compromised? Now that iPhones aren't really jailbreakable, you can't even see inside your own device.