In a few hours on December 15th, Jeff lost almost $10,000.
It was 10.6 bitcoins held in the wallet service Coinbase, the most well-funded and widely implemented service on the market. Jeff, who asked that we not use his last name, got the news of the transaction as soon as it happened, and after going back and forth with a customer-service representative, he had his money refunded. Exactly one month later, it happened again.
This time, the news came while he was at the hospital for the birth of his daughter. He hurried to unlink his checking account, only to see that a new purchase of $7,000 worth of bitcoins had just cleared. He quickly moved the new money out of Coinbase, stashing it in a secure offline wallet where the hackers couldn't reach it. He'd saved the $7,000 from being stolen, but his original 10.6 bitcoins were now gone for good. Coinbase told him he'd been hacked, and that he didn't qualify for a second refund.
It's part of a string of Bitcoin thefts that have hit the service in recent weeks. The Verge has confirmed two other Coinbase users with stories similar to Jeff's, one taken for $16,000 and another for $5,000. In the first case, the victim was using two-factor authentication and received a refund; in the second, two-factor hadn't been enabled and the refund was denied, on the grounds that the user hadn't properly set up the account's security measures. Several other as-yet-unverified reports have also been posted on the Coinbase subreddit.
Researchers from the security firm FireEye say the relatively small scope of the breaches makes it unlikely that Coinbase had a service-wide vulnerability. Instead, the researchers suggested that Jeff and the others had been individually compromised, but that Coinbase's unusually powerful API key made them more vulnerable after the attack had taken place. Used to let third-party apps access Coinbase accounts, the right API key will let any program move bitcoins in and out of a given account. Once the key is compromised, attackers can even access linked bank accounts to purchase more bitcoins. Users are advised not to authorize the API key if they don't need it, but if an account has been compromised, hackers may decide to authorize it themselves, as Jeff suspects happened to him.
Reached for comment, Coinbase CEO Brian Armstrong confirmed that some users had experienced attacks, but emphasized the individual nature of the breaches, saying, "phishing is something that's ongoing. It happens on every major site on the internet." Armstrong also pointed out Coinbase's use of two-factor authentication, a feature that's still missing from many major banking sites. The FireEye researchers agreed: none of these attacks seem to be targeting Coinbase's own infrastructure. Every indication suggests they are individual exploits targeting individual accounts, and Coinbase's own user agreement clearly states that users are "responsible for maintaining adequate security and control of any and all IDs, passwords, personal identification numbers, or any other codes that you use to access Coinbase services." For one reason or another, Jeff and the other customers failed to do that. Still, amid real financial losses, it's easy to see why they feel betrayed.
In Jeff's case, the API key was almost certainly at fault. He says he reset the key and disabled it after the first hack, only to find it reenabled by hackers the next time he logged on. A day after Jeff's second hack, Coinbase enabled two-factor authentication via email for anyone attempting to turn on the API key, a change that might have prevented Jeff's losses — but by then it was too late. Even now, any program with the proper key is able to make its own transactions without further authentication.
The attacks come at a critical time for Coinbase, the Andreessen Horowitz-backed company that has become the Bitcoin market's largest and most reputable broker in recent months. In January, the company partnered with Overstock.com to handle Bitcoin transactions for the site, the largest retail implementation the currency has ever seen. Smaller sites like BloomNation, Malwarebytes, and payment-tracker Mint signed on with Coinbase shortly after. At the same time, the company has often been the target of phishing schemes, particularly after public user transaction records were discovered this past April. In response to The Verge's report, Coinbase published a blog post this morning that specifically warns against phishing schemes, instructing users to "avoid clicking on suspicious or unknown URLs."
Much of the blame also lies with the basic structural properties of Bitcoin, which make transactions unlikely to be reversed and make it easy to launder money once it's been stolen. If the same hackers attempted to transfer funds from a traditional bank account, the account owner would have a small but crucial window in which to stop the payment, and preemptive antifraud measures could halt the transaction before it took place. Because of the network's open and pseudonymous nature, those protections are extremely difficult to implement in the Bitcoin marketplace.
For his part, Jeff blames the API key and the promises of "bank level security" made on the company's website, a promise Armstrong says he stands by. "It was too easy for someone with the key to take all the funds out of the account," Jeff says of the API key. He wishes the option to enable it had been less accessible, more hidden. "I wish it had just never been there." It's particularly galling to him because the key is a developer-level feature that most consumers have no use for. For Jeff, that extra bit of third-party access came with a hefty price tag. As he put it, "I'm just a dude that wants to buy some shit from Overstock."