Be very, very, very careful about giving any service, ever, information about your actual bank account. This is a much bigger deal than giving a service your credit card information.
(Individual ACH charges may, with some effort, be reversible like a credit card charge, but invalid reversible credit card charges are pretty much all you have to worry about with a stolen credit card, and not all you have to worry about with a stolen bank account).
I trust Brian Armstrong / Coinbase more than Paypal, and Paypal also requires your routing / account number.
Full disclosure: I run http://howdoyoubuybitcoins.com/ and my wife's cupcake bakery, cupsandcakesbakery.com sells cupcakes for bitcoins in San Francisco (9th/harrison)
No idea. Lots. Paypal invests a lot in security. It's not reasonable to simply say, "if Paypal does X, it must be safe to do X"; for that to hold, you have to be putting effort comparable to Paypal's into security. Most startups don't, and can't.
So, I originally signed up with a local bank, which takes 2-3 days (unfortunately). This is the same model that Paypal follows.
Since there is clearly a demand for buying bitcoins _quickly_, I believe Brian is providing both a good UX for those who want to just use their account / routing numbers, while also allowing people to get bitcoins in LESS THAN 10 MINUTES (I bought 1BTC today with coinbase / wells fargo).
I should note that Mint did the same thing in order to get access to transaction history, and they had 5 million registered users as of 2011 (source: http://qr.ae/8QB9G).
If the big banks addressed the need for APIs, startups like Mint and Coinbase could do this in a more sane way, but we're talking about big banks, and in the case of Wells Fargo they actually charge users a monthly fee for using Quicken to talk to their backend.
tl;dr- Mint asked users for bank passwords and got 5 million registrations. Likewise, Coinbase is just providing a "quick" ux path for the people who want to act quickly.
Mint was a read-only consumer of banking information. Nevertheless, the access Mint required from banks was so unusual that they were written up all over the news media for doing that, and apparently operated their own secure data center to hold that information. Further, Mint attested to doing quarterly external audits.
I'm not trying to militate against using Coinbase; I'm just saying, Coinbase and Mint aren't directly comparable for more than one reason.
"Mint attested to doing quarterly external audits?" Really? It seems they didn't, or at least I can't find evidence or mention of it, and Mint support doesn't know about it.
A Hackersafe pen test is not a security audit. A public company SEC-required annual audit is not a security audit either.
There is no audit if there is no public audit statement from the auditor. Without one, whatever security measures were taken cannot be called an audit.
Perhaps some reporters (like the ones that reported on the WMD-based justification for going to war against Iraq) didn't do their jobs properly.
It's not just that Paypal is established; it's also that Paypal has put millions of dollars into its security program. Most startups haven't even seen the amount of money Paypal spends on security in combined revenue and investment.
I trust my banks with all my money. That doesn't mean it's safe to trust any company with my money, simply because banks manage to do it. I don't trust arbitrary banks, either.
I do think that a lot of Hacker News contributors have blinders on, wherein they devalue the work a big, established service has done, and compare smaller, less-established companies favorably to the same, because they have this narrative of young, smart developers "disrupting" old and established businesses. Its useful to remember that sometimes those big, old businesses are not actually brittle and incompetent, and may actually know more than you think.
Don't fall into Dunning-Kruger.
I cannot count the number of times I have heard someone question why I couldn't do something when Google seemed perfectly capable of it. Do I look like I have a couple datacenters and an elite math squad in my pants?
Like I said: ACH transactions can often be reversed; it is reasonable (though not entirely accurate --- in particular, business bank customers have few if any real protections) to model the risks of ACH transfers the way you think of credit cards. The same is not true of your bank account login information.
I don't mean to be harsh, but the fact that you're even asking for banking credentials means I want nothing do with your service, and I feel like actually shouting loudly to everyone I know not to use it either.
There have been far too many shady Bitcoin related hacks/frauds/incidents for this to be something that you should even be encouraging. What protection do your customers have if you do get hacked?
It's a fair point, and I think you're right to be wary of new services.
We debated offering instant account verification for the reasons you mentioned, but we ultimately went with it for the following reasons:
- we don't store any bank credentials on our servers after the verification completes (or fails), and take care to filter it out of any logs etc
- it allows someone to verify an account and start buying bitcoin in just a few minutes instead of 2-3 days (lowers the hurdle to getting started)
- it's the default in the U.S. for services like Paypal so people are somewhat familiar with it
- for anyone who is uncomfortable with it, the challenge deposit verification is available to them (we make two small deposits to your account and ask you to verify the amounts, which take 2-3 days to arrive)
I think you're right that users should be wary of any site asking for such information, so it's up to each user to make their own decision. We at least wanted to provide it as an option given the above precautions. Anyway, even if you don't agree hopefully this better explains our thought process behind it. We'll continue to evaluate whether to keep it along with help from our lawyers, and I appreciate the feedback - really.
I think it's clear why it's convenient to be able to instantly verify a bank account, and that instant verification is the reason you want account information. What's not clear is why that makes giving bank account information to a startup a reasonable risk.
* Backend by the assets of a very significant stakeholder
* Risk outweighed by benefit
I'm not saying Coinbase is unreasonable. I have no idea how they work under the hood at all. I'm just saying, it is not suddenly O.K. to give bank account information to startups simply because there's a way to use Paypal that also takes that information. Paypal also doesn't have my account information.
Coming from a background of working with security for financial institutions (Banks, Creditcard companies and so on), I'd highly recommend re-evaluating this implementation from a liability perspective.
Feel free to send me a message (contact information in profile), and I can share advise on how the banking and creditcard industry deals with cross authentication and verification.
Given the horrible security record of Bitcoin trading platforms, there is no way in hell I will give my bank account details to one. There are so many amateurs in the field that I cannot take any of them seriously.
Well, don't use bitcoin then? The reason why there are so many services is because there is demand. Certain people will continue using bitcoin, no matter what (unless better alternative comes along). In the long run the more stable and secure services will survive.
And there has been some bitcoin services which have been pretty stable and solid all the time. They just don't get in to the news...
"And there has been some bitcoin services which have been pretty stable and solid all the time. They just don't get in to the news..."
As far as I am concerned, it's just a matter of time before the trading platforms get hacked. Tens of thousands of dollars, if not hundreds of thousands, have been stolen in Bitcoin hacks. Online banking is not easy for large banks to defend; I have little confidence that an indie team can perform as well as a major bank.
It seems like these services are moving to a model where they get their user's trust by storing the majority of funds offline, which means they cannot be hacked remotely.
Btw, mtgox for example employs something like 15 people nowadays, and they mostly focus on the security I guess. (At least they are not focusing on new features, since the service has been the same for last year or so...)
Edit: And you are sure that they will all get hacked? You sure have faith in the big organisations...
A valid concern - we have a fallback option of verifying two small credits amounts to your account if you are uncomfortable with the first option. It just takes a bit longer (2-3 business days) so we wanted to provide both options. Hope it helps.
Your company seems really interesting, and I'm considering setting up a merchant-account, but I'd STRONGLY advise you to drop the bank login feature.
I know it took a lot of code to write. And I know you convinced yourself it's an advantage. But it's not.
It's making people run from your site.
Look at the comments here, and these are from FRIENDLY people.
Many many many others will see that in your blog article, and decide not to sign up for an account, and you'll never even know.
They won't write an article, they won't email you, they'll just decide you're skeevy, and abort.
You're already working with one tech that people thing is a bit "iffy".
That means you need to do EVERYTHING POSSIBLE to make EVERY other bit of your service seem 10,000% above board.
Asking for bank login credentials, EVEN AS AN OPTION, torpedos that.
You're probably thinking to yourselves - "Maybe we should make the Credit Card primary, and make this secondary?"
Just don't.
I know you spent a long time writing this, and I really wish it were a good idea, but I'd really suggest you just comment out the feature.
You can always put it back in a year or three if you really really want, once your service has inertia, and is already more trusted. But even if Square or Stripe asked for that, it'd scare people away, and lose customers.
It's just a bad idea right now.
I want you guy to do well. Please kill that feature.
It's not like he's blazing new ground here. People have already done this with Mint. When it launched TechCrunch was full of comments exactly like yours.
Actually, I don't think Coinbase is hurting themselves. Sure, smart people are running away, but the muppets[1] are happy to enter their bank passwords. But they're hurting their own customers by training them in unsafe practices. I guess it's a lost cause if Paypal does the same thing, though.
From BofA's guidelines on online privacy and security [1]:
"Protect your Online ID and Passcode. You should always guard your Online ID and Passcode from unauthorized use. If you share this information with someone, all transactions they initiate with the information are considered as authorized by you, even for transactions you did not intend for them to make."
That's the standard option that all other monetary services use when they want to ACH transfer to or from your bank account. Using that mechanism will make your service much more familiar and acceptable to people, whereas asking for a username and password raises huge red flags.
I only know of one other service that asks for bank account usernames and passwords: mint.com. And they frequently have to deal with customer concerns about the security of doing so, even though they very explicitly say they only provide read-only access. Your service doesn't even have that guarantee.
So: drop the username and password thing, and only support the standard verify-two-small-transfers option that every other service uses.
Paypal also asks for your bank username and password for instant verification. The process looks identical to the one displayed here so I would imagine that is where this came from.
I'm not saying I would trust giving my bank details out in general, especially with these bitcoin businesses, but I have to say that when I wanted to open a business account with paypal and I was faced with either waiting days or instant verification, I took the instant option even while knowing it was probably a bad idea.
With the dubious security reputation Bitcoin already has, you're already on thin ice with regards to this sort of thing. My gut says that by asking for banking passwords, you hurt yourself more than you help yourself.
If you're looking to get users into the door more quickly, you could borrow a page from LendingClub, who will let you deposit from a credit card, but only when opening a new account, not afterwards.
It's not a problem for me, but I'm thinking bigger. IMO we need very strict rules to keep normal users from compromising themselves, and there's a sort of herd immunity that comes from everybody following these rules. No service should ask for anyone's password to another service, ever. Even if OAuth isn't available, just say no.
Unlike others here, I'm really excited about this feature! Buying bitcoins is one of the hardest steps for new people getting into it, so if you can provide a faster and easier way to do it, then good!
That said, you should absolutely ensure your security is top-notch. You should also be getting frequent public security audits.
Yhea....no. Because they are in YC doesn't mean nothing. Really it could be the NASA or the FBI or whatever. If there is money in it (specially untraceable money like bitcoin) someone will hack it.
I'm not sure I like this handwavey security argument. There are lots of services handling money that don't get hacked, at least not in ways that cause a loss of said money. Treating being hacked as a foregone conclusion is rather bad practice.
Its a poor argument to try to excuse the Bitcoin community's abhorrent record with security (sans the actual Bitcoin protocol, which is quite secure).
Mint asked for bank passwords, and had 5m registered users as of 2011. They sold for $170 million. I believe Coinbase is copying common UX patterns which have been proven to be palatable with users.
Coinbase is neither Mint nor Paypal. We have no idea if they will survive 6 months, and we can't trust they don't store credentials on their servers, even though they say they do. Have they been security audited? Or do we just take a one-line comment on Hacker News as the truth?
If they reach a level of legitimacy, then maybe it might fly with some users. But I personally think it's way too premature to ask for usernames and passwords for banks, especially given how much fraud, hacking, security problems, and monetary loss associated with Bitcoin companies.
On one hand, they're getting pretty good authorization with the credit matching part, not sure of the legal details of the un/pw bit. That's also going to help a bit with the miskeyed account number problem.
On the other hand, return rates on WEBs are bad, and the number of people who will revoke their authorization is pretty high. (Even if they have to make a signed statement under penalty of perjury, it happens.) And they have 60 days to do it. It's going to be hard for them to reverse a return even if they have all their auths in line.
On the gripping had, there's the low daily limit. That limits their risk to any particular account, but it's possible that someone would wind up contesting a bunch of charges all at once, say after they got their bank statement.
edit:
I'd love to see their underwriting documentation and just how they're explaining this to their bank. And I'd love to see their bank's comfort level in 60 days.
From some of the other comments, it sounds like (asking for bank passwords) is a semi-common practise [in the US]. Is that accurate? I'm absolutely stunned that anyone could think that (a) it's a good idea, and that (b) anyone would be so unbelievably stupid to actually provide them!
I can't imagine the banks are thrilled with this either - and if they're not actively blocking this sort of activity, they probably should be. I'd be careful that providing your password doesn't invokes various liability clauses in your banking agreement.
The only way I would ever consider doing this, is if I set up a new bank account, preferably with a different bank from my usual transactions, where I specifically put funds for this purpose. In which case, it's probably not worth the hassle.
A while ago I wrote that perhaps the greatest contribution the Bitcoin experiment will make to humankind is to teach you and me and our neighbors more about the realities of economics. And later I added that the Bitcoin experiment will also contribute to greater understanding of attack surfaces and online crime. Many of the ideas about how to mine Bitcoins, store Bitcoins, and trade with Bitcoins as a medium of exchange illustrate both the strengths and weaknesses of any other medium of exchange in a world full of human beings. Seeing the discussion of Bitcoins here on Hacker News reminds me of early online discussions in the 1990s of online payment systems such as PayPal, and the arguments beforehand that PayPal wouldn't have to invest a lot of time and effort (as it eventually did) building defenses against theft and fraud. If a weakness in a system is attached to a lot of money, the way to bet is to bet that someone will go looking for that weakness, even if you haven't thought of it.
This prompts a question for all the security-knowledgeable persons who participate here on Hacker News, a question once asked of the inventor of Pretty Good Privacy (PGP). How expensive do you think it would be for the United States National Security Agency (or a comparable organization from another national government) to crack a Bitcoin store, given that we know that some Bitcoin caches have already been cracked? And if the organization storing Bitcoin data held personal bank account data too, how attractive a target might it be to thieves?
Lots of people here are right to question the security given the track record of ... well, pretty much everyone involved in BitCoin trading, but I work at a company that has looked into using this type of instant bank account verification and it's not quite as ridiculous as some people are assuming.
To pull money from your account, they are using ACH (Automated Clearing House) sometimes called e-check. The standard way to confirm an ACH relationship is to make two small deposits known as microdeposits into the customers account, and then the customer needs to come back and confirm the amounts.
This requires waiting for what's usually a daily process to send the ACH micro deposits, then waiting until they show up in the customer's account. Thus, the customer needs to wait several days before they can add funds.
Another option is to use a service like By All Accounts which logs in on the users behalf to their their bank account and confirms that they actually have access to the bank account they are trying to draw from and confirms sufficient funds.
Once either of these happens, then the company can pull from your bank account. This is great if you're setting up something like automatic bill pay or hooking up a scheduled deposit into an investment account.
So if you trust this BTC dealer as much as your credit card company or stock broker, this is a reasonable method to get money to them. If you don't trust them, then you probably don't want to give them money anyway.
Can you actually buy anything legitimate with BTC yet?
When I was last involved (2 years ago), the entire economy seemed to be an amusing dance between get rich quick miners / speculators and a relative handful of early adopters and pool operators siphoning cash off of the former.
Check out https://en.bitcoin.it/wiki/Trade to see a long list of pretty much all the services that allow you to trade in bitcoins.
My personal favorites:
http://bitmit.net - an auction site that allows you to buy and sell goods with bitcoins.
http://coindl.com - Download digtal files, and pay the content creator in bicoins. Many downloads have "pay as much as you want" pricing. These micro-transactions are only really possible with bitcoin.
Bitcoin Magazine - There is so much drama in the bitcoin world, and they do a great job of summarizing it and making it fun to read about.
It is a certain hippie thing trying to get bitcoin accepted directly, but the exchanging process is getting better, faster and easier all the time so I don't know how much would it matter... If bitcoin is really easy to liquiditate to usable currencies, it doesn't matter that much if the purchase happens with bitcoin or with conversion process. (example: polish anonymous debit card)
Why is the spread so high on the buy/sell orders? Mt.Gox currently has Ask: $9.99 Bid: $9.92 while Coinbase has Ask: $11.27 Bid: $10.05. This is an effective 12% fee on purchases in addition to the 1% fee you already charge.
Glad to see USD/BTC exchange getting easier again. With mining GPU requirements continuing to rise, it is becoming less feasible for most people to mine for bitcoins, and purchasing them will be the only feasible way of acquiring them, especially if difficulty levels continue to rise.
I just went to the comments section to see how many people would be warning about giving away your banking credentials to another shady bitcoin site. Glad to see I wasn't disappointed.
(Individual ACH charges may, with some effort, be reversible like a credit card charge, but invalid reversible credit card charges are pretty much all you have to worry about with a stolen credit card, and not all you have to worry about with a stolen bank account).