
It's a fair point, and I think you're right to be wary of new services.

We debated offering instant account verification for the reasons you mentioned, but we ultimately went with it for the following reasons:

- we don't store any bank credentials on our servers after the verification completes (or fails), and take care to filter them out of any logs etc.

- it allows someone to verify an account and start buying bitcoin in just a few minutes instead of 2-3 days (lowers the hurdle to getting started)

- it's the default in the U.S. for services like Paypal so people are somewhat familiar with it

- for anyone who is uncomfortable with it, the challenge deposit verification is available to them (we make two small deposits to your account and ask you to verify the amounts, which take 2-3 days to arrive)

I think you're right that users should be wary of any site asking for such information, so it's up to each user to make their own decision. We at least wanted to provide it as an option given the above precautions. Anyway, even if you don't agree hopefully this better explains our thought process behind it. We'll continue to evaluate whether to keep it along with help from our lawyers, and I appreciate the feedback - really.




I think it's clear why it's convenient to be able to instantly verify a bank account, and that instant verification is the reason you want account information. What's not clear is why that makes giving bank account information to a startup a reasonable risk.


What does "reasonable" mean?


* Effectively mitigated by countermeasures

* Access scoped narrowly to a simple use case

* Backed by the assets of a very significant stakeholder

* Risk outweighed by benefit

I'm not saying Coinbase is unreasonable. I have no idea how they work under the hood at all. I'm just saying, it is not suddenly O.K. to give bank account information to startups simply because there's a way to use Paypal that also takes that information. Paypal also doesn't have my account information.


Coming from a background of working with security for financial institutions (banks, credit card companies and so on), I'd highly recommend re-evaluating this implementation from a liability perspective.

Feel free to send me a message (contact information in profile), and I can share advice on how the banking and credit card industry deals with cross authentication and verification.



