Bitcoin. It’s still a thing, apparently. There have been many “things” in the past, like pet rocks or flagpole-sitting, but unlike those “things”, Bitcoin is defying the trend (and haterz) and is gonna live forever! Problem is that it hasn’t really caught on, and the people who do get interested in the ‘Coin lose it very quickly when they realize how batshit insane the community is to deal with. That’s why a lot of the marketing towards attracting new bagholders has been about how easy Bitcoin is to use.
When looking at Bitcoin’s legendary “ease of use”, no one has cornered the market better than Coinbase. Coinbase is so easy; all you need to do is create an account and link it to your bank. It’s just that simple! Or is it?
I first signed up for Coinbase around April of 2013, when it was the only player in town that could let people buy and sell Bitcoin by linking a bank account. Coinbase was one of the first services, if not the first, that let you just buy Bitcoins with a bank account. And, for the most part, it still is – it is still incredibly difficult for newbies to obtain Bitcoin outside of services like Coinbase or Circle.
So I decided to sign up for another account, just to see what the user experience was like from the start. I’d forgotten how rough it was.
Coinbase has a beautiful website, clean and clearly laid-out, with the sign-up form right in the middle of the front page. (There’s also a link to a standalone form in the top menu, presumably for the sake of completeness.) From there, you enter your email address and desired password (which, oddly, it only asks for once). Then you verify your email address. Done. That’s all you need to create an account; now you have a basic wallet. To test mine, I sent 25 cents from a friend’s old account to the newly-created wallet. I now had enough BTC in my account to buy the first part of an ebook about homemade explosives manufacturing on Silk Road. However, if I wanted to buy Bitcoins from Coinbase to get the second part, I needed to verify my phone. This is mandatory. You cannot get around this step if you want to buy Bitcoins from Coinbase.
If you click “Skip, I’ll do this later”, it just goes back to your wallet. You have to give them a phone number. Why would it want that? To spam me? To send me dirty pictures deep into the night? No, much worse.
Enter 2-Factor Authentication. On a “2FA”-enabled site like Coinbase, you first enter your username/email address and your password, then a random string of numbers is texted to your phone, and when you enter that, it lets you access your account. It sounds simple, and, to a degree, it is. But Bitcoiners are the people who turned buying stuff from Amazon, the site with the “1-Click Checkout” button, into a middleman-heavy descent into madness, so you know they’re going to fuck something up. This is just the start.
The major flaw with 2FA is that, if you lose access to your device (whether by losing the phone or by simply switching numbers/computers/accounts/Yubikeys/etc.), you are permanently blocked from your own account. Coinbase, thankfully, lets you use Authy to change your phone number (we’ll get to that in a second), but what if you forget your old number? Where is the “Forgot your Password?” option then? There is none. And it’s the same in every scenario with standard 2FA. Forgot your phone number? Fucked. Friend threw the phone into a lake, trying to be funny? Fucked. Hardware melted in a mining rig-heated bedroom? Fucked. Switched out hard drives, but had your only key on it and can’t access your account unless you have the key back? Fucked, and on NBC News.
Coinbase has a reset system as Kafkaesque as the FTC trial against BFL, where, yes, a password can be reset, but only if it comes from a known IP address/device. If your phone is gone, and that was the only way to access the account, and the account cannot be opened without the device, then there is a backup, and that’s asking for help from Coinbase, which logically circumvents all these security features in the first place.
That’s how security here has been designed: one way in, by way of M.C. Escher. And if someone else gets access to your 2FA-registered device, you still lose, because it technically wasn’t a security breach! Someone who wasn’t you used your device, registered to you, to access your account and steal your Bitcoins, and you’re left holding the bag because there’s no way to differentiate between you and the thief. (Except IP addresses, which get logged, but these guys could just use Tor or something.)
Of course, as mentioned earlier, you at least have the option of pairing your account to a new device, but that’s another can of worms. First, you enter your old phone number, then the new one. You then wait 2-3 days for Authy to do… something. Along the way, they will spam you with emails about the process. I know this because when I changed my phone number earlier this year, I went through that process. Over three days, I got six separate emails telling me the same thing: you requested a phone change, so now we’re going to bug you to death. Those “We’re reviewing your petition” emails? Exact same, each one. Literally no difference except the date. They had to tell me the exact same message three times in a row. And, somehow, my spam folder (!) had three more of the things.
This is assuming you have a phone number, which I didn’t last year after moving from Boise to Boston and ending my service with T-Mobile. Two weeks after the move, I finally had some free time to get a new phone number. But during that interim, I was completely locked out of my account and had no control over my own (Bitcoin) finances. I’m sure if that happened with a real bank, I’d have recourse. But here, none. All roads in Coinbase security lead to delays and waiting, and there’s not a damn thing you or I can do in the meantime.
So after this Authy business, I can finally get back into my account. There, I’m stunned by something:
Coinbase is only encrypted with 128-bit encryption. 256-bit AES is the security standard Satoshi himself set as the Bitcoin algorithm for encryption; it is currently the strongest and most secure digital lock and key out there. AES is, if not the highest cryptography standard, at least one of the highest, approved by the NSA for protecting the highest of high-level national secrets. The fact that this Bitcoin “bank account” doesn’t even try for that level of security is odd, especially since I saw this recently when ordering a Game Informer subscription for my little sister:
GameStop has a top-grade encryption standard for buying magazines, but Coinbase, a Bitcoin bank that operates in an industry known for being robbed a lot, does not. Heh.
Coinbase then asked me to create a “Vault”. This article by Coinbase (which I swear has graphics done in MS Paint) explains that the Coinbase Vault is just another way to store coins, but with more security features than a regular wallet. Those features are mainly a system that sends multiple emails confirming any transaction from the vault, and each of those emails being able to cancel any order. The vault is a fucking annoyance to the nth degree. This video is their official look at the vault. Besides not describing what in the hell the vault even is, it has this bit:
The vault basically applies 2FA to transactions. You enter the amount you want to send and who you want it sent to. You confirm by email, yes, I want this sent off. You then confirm again, this time by phone, yes, I want this amount sent off. You then wait for 48 hours, during which you can cancel at any time – in Bitcoin-land, there are no chargebacks (it’s a feature!), so this weird Rube Goldberg time-bomb is the closest you can get if someone else starts spending your Vault coins.
By contrast, with an actual bank vault, I go through a minor security check – “Can I see some ID, and do you have your key on you?” – get my shit, and am done. Which leads to the weirdest thing about security on Coinbase: it is really fucking good at confirming my identity. When I signed up, it confirmed my identity by asking me things like “What street did you live on in Boise?” “What county is your car currently registered in?” “What car do you drive?” “What did you do last summer?” Intensely personal shit that tells me they have access to verification materials that far exceeds the basic “Can I see some ID?” security check I’d get at a regular bank vault. I, at that point, had not even mentioned my hometown was Boise, or even hinted at anything related to that kind of information, and yet it knew I was from there. That is advanced security.
In the end, I just named my vault “DA VAULT!” and moved on.
Along with the 48-hour Vault wait, there’s another shitty delay to verify that you’re a big boy and ready for “Level 2 Verification” status, granting you the ability to buy or sell a massive quantity of ‘Coin at once. To do this, it tells you, “Buy some Bitcoin and wait at least 30 days.”
I’ll repeat that. “Buy some Bitcoin and wait at least 30 days.”
I have no idea how any bank, let alone any currency, could thrive by telling its customers, “Buy something, and then don’t use the account for a month.” So I decided to ask Coinbase’s tech support about it:
I have no idea how sitting around and waiting for 30 days to be verified makes me a trusted user or protects my account, especially since I’ve already been verified via the world’s pickiest security system, which knows more about my own childhood than I do. Maybe because the account is not being used, there’s no risk I’ll do something stupid (like use it), and possibly get into trouble? Is that the rationale?
Moreover, it’s pointless to try and find out why I need to wait 30 days for this, because even Coinbase’s staff don’t know. And I’m not trying to beat up poor “Rosey” up there; she’s just doing her job. The problem seems to be that info isn’t being told to staffers. And if they don’t know, how the hell am I supposed to? And if I’m not supposed to, what else am I, the customer, not supposed to know? Is there no Coinbase fraud protection, if (when) that (inevitably) happens (when they get hacked because of their low-grade encryption)? No FDIC-insured deposits, or even something remotely akin to that?
Nope. But they have a referral program!
Coinbase is insured for their losses, not yours, through Aon. If your shit gets stolen, you’re screwed, but if they get robbed, they’re good to go! As for fraud protection, there is nothing. I have heard that they cover up to $100 (!) in losses, but I cannot verify that. Hell, I can’t even link to anything, because there is nothing to link to. That’s disturbing to me, because to sign up for this account, I had to send in pretty personal details, like my address, my phone number, my SSN, current bank account info, etc. Besides the fact that they don’t have fantastic encryption in an industry where the biggest bank, Mt. Gox, crashed and burned earlier this year, hackers grab shit all the time from these Bitcoin services. And you’re telling me there is nothing to keep me, the customer, safe?
When looking into their fraud protection, I started out by simply Googling “coinbase fraud”. The first thing that popped up? A site called CoinbaseFraud.com, which aggregates complaints about the company from various sources. Not really a big deal, since these kinds of sites pop up all the time from people who think they’ve been “robbed” by “The Man”, but in an industry where 1 out of every 16 Bitcoins have been stolen, those complaints may hold water down the line. Especially since a lot of them weren’t super outrageous crazy-babble like on r/Bitcoin; it was mostly just “I ordered 1 BTC and never received it.”
At this point, I’d like to point out something slightly unrelated: I have, in the span of about 5-8 minutes of creating and setting up my account, gotten six emails.
When I signed up for a real bank account and a credit card with HUECU, I got two:
My fear of being spammed has come true, albeit in a slightly different way. Why do there need to be six separate emails? What, exactly, does that accomplish? The first email verified my email address. The second asked me to subscribe to “The Coinbase Blog”, which brags about its 197K subscribers, because Bitcoin has apparently become a YouTube-like race for subscribers. The third is an email I get every time I do anything like buy or sell on the site, meaning you will get 2 emails for each transaction going forward. The fourth is a promotional thing that I’ll get to in a bit. The fifth email was when, during the creation of “DA VAULT!”, I needed to verify my 2FA and then add an email address to my phone number for my username to work. It’s fucking stupid, and I still don’t understand it. The last email just confirms the vault was set up.
What did the real bank’s email do? The first email confirmed I created an account and asked me to confirm my email. When I did, it just sent me to the login, then my account page. This may have had something to do with the fact that I already verified everything the first time. The second email confirmed I had applied for a credit card, linked to the account I just created. It told me I’d get a call in a few days to verify things, and I may need to come into the bank to do so. I didn’t have to, though, because they verified everything on their own since all my info was linked to the main bank account, something Coinbase seemingly cannot do (although, to be fair, Authy was able to see I had two accounts with the same number and linked them).
Back to that fourth Coinbase email: as a promotional deal, I got $1 in BTC for creating an account. Excited to put this towards a future heroin addiction, I waited for it to verify (Coinbase waits for six confirmations from the blockchain before it deposits funds).
Turns out, in order to get my $1, I need to verify my bank account. And, if I don’t do it within 30 days, the money goes back to Coinbase, in the same way that if you don’t collect your tip on Reddit, it goes back to the original tipper. To quote a fellow shill:
You see, if your tipee doesn’t claim their Bitcoin in 21 days it goes back into your tipping pool. Wouldn’t it be nice that if you tipped that waitress at Denny’s, she doesn’t spend that $20 $10 $5 $2.80 and instead of her being able to save it for a rainy day, it just found its way back to your wallet? That’s how bitcoin works! No chargebacks but we can still have takebacks! (Source)
The bank verification, by the way, is basically the same as PayPal’s. Either you can “Instantly Verify” (which has never worked on this site, I’ve tried on three separate occasions), where Coinbase logs into your bank account with your real bank’s username and password, or you check your account in 2-3 days and see what amount of pennies were withdrawn and re-deposited.
Five days after I made the account, I get the time to verify. I’m excited, since this is the first time I get paid for doing anything Buttcoin related, even if it is just a dollar. I’m seeing it more as a dollar-off coupon for some counterfeit art on Silk Road 3. I look at my account, see that the amounts are there, and enter them. I expect my precious $1 to be there. It isn’t. And a week later, it still hasn’t shown up. I don’t know why. The complaints I read from CoinbaseFraud.com immediately popped into my mind.
During the writing of this article, Coinbase announced “USD Wallets”, which allow users to hold actual money in their accounts and, if they so desire, “instantly” convert them over to Bitcoin. Currently, this has only been released in select states to users who have verified their wallets.
Deciding to give them one more shot, I tried their new-fangled USD system. It really reinforced the fact that these people have no idea what the fuck the word “instant” means.
First, some good news: Coinbase’s USD Wallets are FDIC secured. I think. They say on their page:
Customer funds stored in Coinbase USD Wallets are held with an FDIC-insured financial institution.
Yet their user agreement hasn’t been updated at all to include anything on USD Wallets, and therefore there isn’t any info on who the institution in question is. Moreover, the fact that they haven’t updated their user agreement is both ridiculous and shady, because it presents no clarity on the legal aspects of using the wallet, nor any sort of restitution should something happen to your actual money. So there is no way to verify whether or not it’s like that $100 insurance rumor from before, or even the amount it’s insured up to. We can assume $250,000, because that’s the FDIC mandate, but can we really be sure if it’s not even on their ToS?
Barring that, how does it work? To use the “USD Wallet”, you must deposit cash from your linked bank account. I didn’t want to put more than $1 into this, but the minimum is $10:
“Your funds will arrive in 4 business days,” it says. Fine. I can almost accept that. But accounting for the weekend, four business days ended up being nearly a week:
This implies that they’re doing nothing at all on Tuesday itself, despite the fact that there is no defined cutoff time, and everything is supposed to be automated. If I want my “instant” Internet bucks before my sister gets her Game Informer magazine (ordered at the same time, mind you), I need to order on Sunday or Monday only. Otherwise, I don’t get my funbux until next fucking week. Currency of the fucking future.
I got my Surprise Rubles, and then tried to figure out, on my own, how the fuck to convert them to funbux. I was expecting a button on the USD wallet page that said “Convert USD to BTC” or something, because I keep forgetting this is the same community that gave us the multi-step way to buy stuff on iTunes, Gyft. Turns out in order to convert, I needed to go to the “Buy” tab and enter the amount in my USD wallet I wanted to convert.
It was confirmed and transferred in a little under a minute. Still not instant, but by far the fastest time I’ve dealt with so far with Coinbase.
There were no instructions on how to convert them. The only thing in the FAQ was what USD wallets even were. I had to ask their customer support. (Who, by the way, are pretty great.)
So, in the end, it took me a little under two months to get my Coinbase account up and running, and a week more to add cash to the account. I started this article at the beginning of November with the intention of getting this done ASAP. Instantly, if you will.
Meanwhile, in the UK, the Brits have set up a system that sends money anywhere, anytime, for just a few pennies per transaction. NPR’s Planet Money did a test by having the 50-year-old man who set up the system send his daughter £10 for a beer in New York via text, while he was in his home in London. She got it in 15 seconds, an entire ocean away.