It is fantastic that a company operating with such horrific practices is dead. While we are at it, when can we fix similar issues below with mainstream financial systems that millions of people are still using?
- Social security numbers are used as a secret for identification, despite being in plaintext and having so low entropy as to be guessable, and originally issued on a card literally saying "Not for Identification".
- Every bank check lists the bank account number, which serves as the only information needed for a party to issue a request to withdraw money from that account.
- Credit card numbers are similarly a private number used as a public number, and printed on plaintext on the card.
Is there any effort working on bringing asymmetric encryption to these systems or to replace them that has a reasonable chance of working?
> Every bank check lists the bank account number, which serves as the only information needed for a party to issue a request to withdraw money from that account.
The same principle (i.e. knowing an account number means being able to debit it) works surprisingly well in many European countries for direct debits, and the account number is considered even less of a secret than it is in the US. For example, many freelances routinely print it on their invoices sent out to clients, have it as part of their e-mail signature, or even prominently feature it on their website.
What makes it work is that, under the SEPA Direct Debit framework, the risk of fraud and insufficient funds is 100% on the party initiating the direct debit. An accountholder can literally click a button on their bank's app or website and they get the funds back immediately, no questions asked, within 8 weeks of the original debit date.
This, in turn, means that it is in the initiating party's self-interest to only accept this form of payment in high-trust situations, and not just like a low-fee replacement for credit and debit cards that shifts some amount of fraud risk to the accountholder or their bank.
> What makes it work is that, under the SEPA Direct Debit framework, the risk of fraud and insufficient funds is 100% on the party initiating the direct debit.
It also helps that the accountholder has to allow each party that will debit money from their account. By default, those requests are denied.
"Positive pay" is available for checking accounts in the US, though I've never heard of it used outside of business accounts, and only then by request (and probably extra fees).
As a person you can only send them money. As a business you can initiate a direct debit which withdraws money. However you are attesting that they signed a direct debit agreement with you and provided their account number and agreed on the amount to pay.
This is the same as a credit card - you can charge any card with just the number and a couple of basic details, however if there's a complaint "I found these CC details on a random website" isn't accepted, you need to show the card holder agreed to the charge. If you don't provide the evidence the transaction is reversed.
That is usually not how credit cards work anymore. Sure, you can try to charge any card but if it is issued by a European bank it will very likely be denied and you will be asked to do a Strong Customer Authentication.
Same applies to SEPA direct debit. Here in Sweden most (all?) banks requires the customer to sign digitally before any direct debit mandate is created.
Yes, if you set up a direct debit agreement with a bank you can do that. If you'd actually try what you suggest it will be revoked quickly and charges filed as your identity is known.
> Do you mean that if I know a German bank account number I can just withdraw money for me?
You most likely can't, because if you have to ask this you don't have an agreement with a SEPA Direct Debit originating bank that lets you :)
And even if you decide to open one now: Given the risks involved for the originating bank, they will heavily scrutinize your business case and demand considerable collateral and/or payout time limits.
The thing that’s being missed here is that direct debits can be disputed in the same way a credit card payment can, and by default the customer wins. Their money will be refunded immediately by the bank, who will then go after you to get it back.
Yes and no. Swedish banks for example will just deny direct debits unless the customer has explicitly agreed to let their accounts be charged. So direct debit works differently per country and per bank.
This does have a minor drawback on the service provider side as allowing people to sign up for a service with direct debit is hard to get right, so many services prefer to offer credit card payment even if it is more expensive. There is no way for you to verify that a person signing up is actually the account holder save for doing the "we debited 1c on your account" thing, which takes a few days.
Yes, and that's arguably by design. If you need confirmation of funds, cardholder/accountholder authentication, and a dispute mechanism that doesn't side with the customer in 100% of scenarios, SEPA Direct Debit is probably not the payment method you want.
> the "we debited 1c on your account" thing
This doesn't actually work with SEPA Direct Debits, since there is no such thing as "disputing a reversal" or "compelling evidence": If the accountholder says "funds back, please", the involved banks have to oblige.
In fact, direct debits are so reversible/non-final that it's SOP for bankruptcy managers to claw back all of the last 8 weeks' worth of direct debits drawn on a bankrupt person's or entity's account, which can be quite surprising for debtors.
In other words, it's possibly a better mental model to think of direct debits as a request for a wire in 8 weeks that gets earmarked for approval by default if enough funds are present, but that accountholders can cancel at any point in time, as far as finality (but not liquidity) is concerned.
The main problem is that if the service provider has no proof that they legitimately had a contract signature, the account holder can reverse the transaction for much longer.
> What makes it work is that, under the SEPA Direct Debit framework, the risk of fraud and insufficient funds is 100% on the party initiating the direct debit.
Additionally, you need to have a direct debit agreement with your bank to be able to initiate a direct debit. You need to show at least some legitimate banking history (and a government-issued ID) to get one, and they come with limits on how many and how much you can debit per period, and your bank will terminate the agreement if your reversal rate is higher than normal.
How do you approve a payee with your bank? At the time you grant them permission to debit your account, or at the time of the first payment?
There is no technical channel for the former within the SEPA Direct Debit framework (i.e. the first time the payer's bank learns about a mandate is with the first direct debit), so I'm wondering if this is a different/domestic direct debit scheme.
Traditional banking is sufficiently slow enough that things can be reversed before permanently settled. The "slow" speed of moving money is a feature. It's designed for humans who make mistakes all the time.
I agree that it is a feature, but that feature didn't come with any downsides initially when the speed of everything else was also slow. The downsides are now substantial as the customer expects higher speeds. The downsides of not having the option to have final settlement quickly also seems to be a source of many other problems.
We also don't even need to change this aspect of traditional banking in order to add strong asymmetric encryption in front of the system. That would nip most fraud in the bud, and if nothing else save a lot of effort that goes into fraud schemes, prevention, and reversal.
Honestly, I don't really see this. Small personal transactions happen via Cash, Venmo, PayPal, Zelle, etc. without much issue or friction. As far as the general consumer is concerned it is instant.
Large business transactions generally (not always, obviously) do not have the sense of urgency that would require fast settlement. There's some market maker stuff that benefits from fast settlement, but that's not exactly a reason to push whole new system out to everyone.
The biggest "benefits" of crypto are not benefits to the average consumer going about their daily life. Instead of dealing with fraud you'd have to deal with customer service issues for actual customers who forgot/lost their keys. And, honestly, you'd probably have to deal with more fraud. Your phone gets hacked, your keys get stolen, and then what… all your money is irreversibly gone?
You are imagining a false dichotomy where things like fast and final settlement, or self custody are forced onto every user, and pointing out the obvious problems with that scenario. They are not good defaults, but they are great to have as options to protect customers against a fraudulent or over leveraged system. It is a bit like any protected right-- you don't have to directly make use of it for it to be valuable, the real value is in the optionality you have to be able to use it, and the risk that optionality poses to those who would exploit the absence of the right.
Not really. Fast (immutable) settlement is terrible for humans. Self custody is more or less incompatible with our modern world. And despite that, there are ways to do both without crypto—hand someone stacks of cash and keep gold in a safe under the floorboard. Both of these options exist.
You are repeating the same false dichotomy by stating again that final settlement and self custody are bad defaults for the entire world. That isn't want I'm saying, I am saying a choice is better than no choice at all. I'm also not saying anything about crypto. Gold and cash are also useful instruments that should be financial instruments for everyone also.
> The downsides are now substantial as the customer expects higher speeds.
Why would they expect this? It seems like the slowness is the only thing keeping the game from growing legs and walking away from the humans playing it.
Each one of these systems has a better replacement, but not all of the industry has moved to it.
The largest related issue I believe is that the use of “knowledge databases” by credit bureaus (and all of the companies and governments that trust credit bureaus).
Each of these has been solved, but until the last system using the inferior authentication is upgraded, they all remain weak points. I have argued that the US (or each state) should create a digital certificate system similar to Estonia’s “digital residency card” or S Korea’s online transaction signing (although hopefully not implemented as an ActiveX control for Internet Explorer 5).
The EU is actually federating systems like that under an umbrella of regulations and technical services called eIDAS [1]. I haven't been able to use it in too many places yet, but if it takes off (which is a pretty load-bearing "if", to be clear), I think it could be an important step towards making these systems usable internationally.
Especially the US, which seems to prefer to handle ID card issuance at the state or even municipal level, could benefit from a federated approach like that – assuming that people would be willing to trust their local/state government to that extent, in any case.
> assuming that people would be willing to trust their local/state government to that extent
We have too many religious people who fear government ID cards are the “mark of the beast”. We still can’t get all states to migrate to RealID, which includes a digital verification method within the ID (something stronger than a barcode).
This is mostly unique to the US. Where I'm from, we don't use our SSNs as passwords, bank checks and direct debit are simply not a thing, and credit cards have two-factor authentication for online purchases.
2FA for online purchases is, at least in Germany, is not always a thing. I don't know how it's decided, but I'd say only about 50% -70% of online purchases trigger the 2fa of my bank.
"While we are at it, when can we fix similar issues below with mainstream financial systems that millions of people are still using?"
The literal answer to your question is, no, probably not.
It's not that it's impossible, it's that a lot of the technical talent required for doing it at every financial institution that would need to, is deployed elsewhere (some of it in finance, but not in the improving-security part of it).
The lack of identifying numbers causes no end of confusion when I travel with it too, especially in European countries that Apple haven't launched the card in yet.
It got so annoying on a recent trip, I just reverted to using another conventional credit card. The Apple Card is generally fine any time I use tap to pay from the phone, but the physical card simply isn't as reliable as some other cards I have that generally "always work" abroad. I've even had restaurant staff treat me very suspiciously over the blank card.
Its also an odd card in that the physical card itself has no tap-to-pay functions at all; of course Apple want you to use the iPhone it can't operate without to do this part instead. Again though, if I do have to hand over the card, in Europe people will of course try and tap it instead of a swipe and once again confusion reigns.
Oh and if a server drops the card, it makes the most irritatingly loud clang being a small metal object - I would happily go back to plastic for the card!
I went to Europe and used Apple Card almost exclusively with zero issues. Both via Apple Pay on my iPhone as well as using the physical card. Seamless experience.
You think that is bad, every doctors office I have ever dealt with over the phone has just asked for my name, and birthdate. Think of all the friends on social media I can impersonate!
> Every bank check lists the bank account number, which serves as the only information needed for a party to issue a request to withdraw money from that account.
A check is simply a contract -- a promissory note. Like any contract you wouldn't sign it with someone you didn't trust, right?
(Obviously that statement, while true, is risable these days. But I remember a Bogart film in which he was setting a debt at a casino so asked the owner for a check -- he filled in not only the amount but his name, address and bank).
All the info on your check is just printed there as a convenience to you, or at least used to be. Until ~20 years ago physical checks were still sent back to your bank where they would check the signature, which could take a while! I think since the 72 hour rule went into place (and sending checks physically no longer allowed) the format was set by regulation
The check is a promise to be paid later. You are trusting the check writer that they are good for the money. The bank could refuse to honor the request if there isn’t enough money in the account or they don’t believe the document is legit (looks altered). In the not so old days* you’d have to wait for the check’s bank to accept it before you got your money.
And the writer is trusting you not to modify the check or otherwise fraudulently use the account info (in my parents’ time the check didn’t have account numbers on it so this was less of a risk).
The only backstop the bank offered was to verify the signature against the signature card and refuse the check if it looked suspicious. I think the same is still true today.
* I worked for Atari back when Warner owned them (1980s). Congress had required that companies offer direct deposit, but the minimum was they only had to offer it to you if you banked at the same bank as the company. So Atari’s payroll came out of a small bank in Sunnyvale with only one office. The rest of us got paper paychecks on Friday. Even if you went to the bank before 3 on Friday it wouldn’t be processed until Monday, which meant they’d send the physical checks to Synnyvale to be validated. Warner got to use the float on the money while all that was going on.
Me, many years ago setting up electronic payment.
-OK, it's asking me for my bank account and routing number. These must be pretty secret.
-Oh wow, they're both printed on my checks. Uh...this system works?
> Every bank check lists the bank account number, which serves as the only information needed for a party to issue a request to withdraw money from that account.
Just here point out that the issue is that it's enough to have the bank account number to issue a request to withdraw money from that account, and not that the bank accounts numbers are listed.
I can't echo the general point here strongly enough.
It's tempting to make this all "about crypto."
But crypto's just a technology. Maybe it ends up being a thing, maybe it doesn't. The fundamentals remain, and one of the present fundamentals is that (along with good old fashioned grift) stupid and terrible cybersec practices run rampant still.
I mean you’re right in that, thinking about this on an abstract level, your suggestions seem like no-brainers.
But the current system works well enough in the vast majority of cases. And the fixes to the problems you list would add considerable complexity. I don’t think it’s actually that clear that fixing these problems would have a net positive effect on the world.
The size of the market just for identify theft protection is 10 billion USD [0]. There is 30 billion USD in credit card fraud a year [1]. I don't think that is working well enough, that is a multiple-FTX sized loss of money every single year going into a problem that is fueled mostly by really bad underlying security systems.
>- Social security numbers are used as a secret for identification, despite being in plaintext and having so low entropy as to be guessable, and originally issued on a card literally saying "Not for Identification".
This is by design: millions of Americans believe that the clunkiness of the SSN protects them from tyranny.
When reading crypto clownworld stories like this, it is easy and fun to observe that cryptocurrency is a satire of the real (or "fiat", if you prefer) financial system.
One thinks about crypto as a clownworld only until one had to work with or inside the real financial system.
Techincally, it is in no way better than crypto. The only difference is that in real financial system there is a strong legal cover for all the technical and security fuckups. Like, stealing from bank by exploiting their 10-years old Windows XP ATM connected to the internet is 10-years-in-jail offence, while stealing crypto may be hard or impossible to prosecute in many jurisdictions.
> while stealing crypto may be hard or impossible to prosecute in many jurisdictions.
This is one of the inherent contradictions of crypto. If the ultimate goal of crypto is to create a financial system that is free of government control, then that system must also be free of the justice system because that's the government too.
Asking people whose salaries are paid for with tax dollars to help you recover stolen crypto while simultaneously trying to avoid taxes and government oversight is so ironic.
It's not really a contradiction. People who want financial system free of government control and people who want government to prosecute for crypto crimes are mostly different people.
The latter usually care about 100% APR on dollar and other scammy promises, and not about any real crypto benefits. When they get burned, they want government to step in and regulate.
The former don't care much that system allows to scam people (the "it's your fault if you were scammed" attitude), they care more that it's free from regulations.
> People who want financial system free of government control and people who want government to prosecute for crypto crimes are mostly different people.
Are they? I'm not so sure.
Could you elaborate? The whole selling point of cryptocurrencies seems to be to start from scratch, without those pesky KYC/AML and tax laws.
Traditional banking is not a natural law. It's man-made.
The benefits cryptocurrencies have over traditional banking seem to all come either directly or indirectly from the extent to which they do not have the man-made rules and laws.
Basically: It is hard to send money from A to B because of laws.
The set of people who like cryptocurrency is not small. The number of anarchists is vanishingly small. People want anarchism (complete freedom) and unregulated cryptocurrency until someone else uses that anarchism against them, and then they want regulation, post-facto.
It's not different people. It's the same people at different times; the times they're affected and the times they're not.
> Could you elaborate? The whole selling point of cryptocurrencies seems to be to start from scratch, without those pesky KYC/AML and tax laws.
> The set of people who like cryptocurrency is not small.
There are two sets of people who like cryptocurrency. First ones like crypto because of better yields than traditional bank accounts or investments. But they want to live in a miracle pinky unicorn world where they can have better yields risk-free by having government protections. Other than better yields, they're completely fine with traditional banking system.
Second ones like crypto because it allows for easy money transfer from A to B. These people don't care much about yields, they cannot transfer money via traditional ways for various reasons, and they want governments to stay away from crypto as long as possible.
> It's not different people. It's the same people at different times; the times they're affected and the times they're not.
That's your assumptions about some people. Sure, from my side it's also only assumptions and personal anecdata, but most of the guys I know that use crypto for something useful wants government to stay away from it as far as possible, despite all the scams around. Some of them lost money on FTX, and that didn't change their position.
I see what you mean. I guess in my mind "people who like cryptocurrency" like it for reasons other than its bigger-fool value proposition.
Yes, I agree that there are many many people out there who don't care one bit for e.g. bitcoin itself, but would be perfectly happy buying a regulated ETF that tracked the price of bitcoin.
I implicitly did not count these people as "liking cryptocurrencies". What they like is money, in particular fiat money.
> These people don't care much about yields, they cannot transfer money via traditional ways for various reasons, and they want governments to stay away from crypto as long as possible.
These are the people I was referring to, who want "no regulation" when they want to do something fine, but "full regulation" if and when they get screwed.
They want insurance only when things go poorly, and see insurance as a waste of money the days when they don't have accidents.
Sure. Plenty of financial regulation is newer. Crashes and frauds just in the last 100 years have created lots of new laws.
But the thing is people want fast and anonymous payments, but don't acknowledge that traditional banking isn't doing that so well (especially in the US) because of laws people want even more.
E.g. given the choice of easier international payment or fighting mob money laundering, people will say the latter.
Well, they'll say both, but cryptocurrencies only even try to do the former. (Failing, because it's anything but easy for almost everyone)
As for your HTTPS analogy: mass surveillance is less law enforcement and more spy agency shit.
Even for messaging, the messages are rarely the harm. For money the moving of money is the harm.
Being free of government control doesn't imply lawlessness. I wouldn't want the government to control jeans manufacturing, but if someone steals your jeans, that's still a crime. There are laws against theft, and crypto and jeans are just different kinds of property.
> I wouldn't want the government to control jeans manufacturing
Of course you do. You want asbestos to be banned in the clothes you buy. You want labelling of material to not be lies. You want child labour banned. You want slavery banned. You want trademark protection. You want the factory to not dump toxic waste in the nearby river.
And you say "well, of course I want that, but not... I dunno..." and give some hypothetical. Well, the same with cryptocurrency. If you think you want to get rid of all financial regulation, including AML/KYC, then I don't think you've thought about the issue for more than a fleeting moment.
I literally said the laws should apply to all kinds of property equally - yet you think I "want to get rid of all financial regulation"? I hope you enjoyed building that strawman and then tearing it down
You're putting words in my mouth. I never used the word "regulated" at all. I said "controlled" - meaning the government should not be the sole entity allowed to own and operate a factory that produces jeans. (I hope that's not the contentious point here.) I believe jeans manufacturing should be regulated by the government, but not controlled by the government. And even if the government gives up control, it does not give up its ability to regulate.
Do you agree that, even though the government does not itself manufacture a pair of jeans using taxpayer money, the government can still prosecute theft of those jeans? If so, it should not be a stretch to understand that even though the government does not issue a certain private sector money, it can still prosecute theft of that private sector money.
So in this analogy the government should regulate cryptocurrency mining (production), import, export, domestic transfer, exchange, disposal, loans, etc…?
In other words, you're saying that cryptocurrencies should be treated as goods, not monetary instruments?
I'll give you the benefit of the doubt and say that's not quite what you mean. It sounds like you (and I've heard this from other pro-cryptocurrency advocates) want to carve out a new type of asset, basically with the exact purpose to avoid all existing legislation.
This common argument says that it's just like money, but should not be regulated as currency. It's actually much more like a commodity, but should not be regulated like one. It can act as a security, but should definitely not be regulated like one.
Commodities are subject to sales tax/VAT at delivery. Cryptocurrency's delivery is instant, or never. That's not clever avoidance, that's just trying to eat your cake and have it too.
> It sounds like you want to carve out a new type of asset
That's not what I'm saying either. Crypto is just mundane property (like jeans), and property already has plenty of legislation around it. Existing laws work just fine. For example, capital gains applies equally as much to jeans as crypto (if for some reason your jeans appreciated 100x in value and you sold them).
The original comment I replied to claimed crypto should be entirely free of the justice system - THAT would actually be a new legal classification. Afaik the government has never before exempted any kind of property from theft laws. I only posted to point out that inconsistency.
The word property encompasses more than just what sales tax laws apply to, no? For example, I'd consider an old-school physical stock certificate a kind of property, and subject to theft laws but not sales tax.
As far as classifying it more specifically, I don't have strong opinions. Gensler says BTC is a commodity and ETH is a security--that sounds fine to me, ship it. I'll let the regulators regulate.
I'm just pushing back against this idea that private sector money must exist outside of the law and outside of the justice system—because the anarchy approach is clearly absurd.
> The word property encompasses more than just what sales tax laws apply to, no? For example, I'd consider an old-school physical stock certificate a kind of property, and subject to theft laws but not sales tax.
Sure, but then you're either saying that cryptocurrencies are securities (not commodities), and to be regulated as such, or you want to harmonize laws on commodities and securities.
So your analogy with jeans is not very clear to me. Cryptocurrency (a security?) is just like jeans (a commodity)?
> I'm just pushing back against this idea that private sector money must exist outside of the law and outside of the justice system—because the anarchy approach is clearly absurd.
I entirely agree with this. But like I said cryptocurrencies try to play a language game to avoid being classified as anything that's currently regulated, in order to be as unregulated as possible.
E.g. the reason people use bitcoin instead of western union to send money (to the extent that they do) boils down to the laws that exist to prevent, investigate, and "reverse" crimes. The laws were written such that they can be enforced by the (needed) middleman. Bitcoin doesn't (for this transaction) require a middleman, so the law, the implementation of the intention, doesn't fit well.
But people who call this "savings" are ignoring why the law exists. There was never an intention to punish or burden western union. It was an intention to safeguard (or track, or whatever) the movement of money.
…or commodities, or securities, or whatever a given cryptocurrency should be classified as.
I agree that theft is theft. But movement of financial instruments and commodities is also already covered by the law.
In some countries your primary home is exempt from capital gains (or taxed lower than capital gains). But that doesn't mean that you can take your physical stock certificates, stack them in the form of a shed, sell it, and thus avoid capital gains. Yet this is basically what cryptocurrencies try to do, all while saying that they're "more efficient". It's not, it's just word games.
You're pushing the jeans analogy a little further than I intended. Every analogy has its limits.
Is it a security? A commodity? I don't know! But neither does the US government. The CFTC and SEC are fighting a turf war. The CFTC calls them commodities. The SEC calls (most of) them securities. The IRS has created a brand new category called "digital assets". Who is right? If the government can't tell you, I sure can't.
I can infer there must be some legal justification for the current treatment. Even if you think Coinbase is playing fast and loose with the law, the old school players like Fidelity also don't charge sales tax on bitcoin, and I guarantee you they're not going to risk their core business over crypto. I am curious now how their lawyers would answer some of your questions.
Anyways it's been an interesting conversation, thanks for sticking around after the thread died. You've given me some stuff to think about.
You're being silly, but I'll humor you. The world "control" has multiple meanings.
In the communist sense: the government should not control the means of production for jeans or crypto.
In the social welfare sense: the government should "control" whether people are allowed to steal others' jeans and crypto, and the government should "control" whether you can abuse children in connection with your jeans or crypto company.
You can play with the meaning of the word, but whatever meaning you choose, jeans and crypto shouldn't be treated any differently.
That conclusion doesn't necessarily follow. A significant portion of the economy functions with limited government intervention, as the government sucks at managing the economy. However, money is an exception in this regard, and many cryptocurrency advocates argue that it could be better managed outside of government control. This does not imply that a justice system is unnecessary; rather, it emphasizes diverse roles of government.
In other words, one can agree with certain roles for government (e.g. justice system) while not agreeing with others (e.g. managing money). I don't see the irony or the contradiction.
> A significant portion of the economy functions with limited government intervention, as the government sucks at managing the economy.
This just isn't true, government participation can be found throughout the entire US economy. Import and export controls, labor force participation and visas, a massive small business loan portfolio, R&D investments in things like clean technology (e.g. Tesla was initially funded by a government clean energy grant), on and on and on. The assertion that the government just lets the economy run itself is laughable.
> In other words, one can agree with certain roles for government (e.g. justice system) while not agreeing with others (e.g. managing money). I don't see the irony or the contradiction.
It's not a question of what the ideal role of government should be, the question hinges on the government's legitimacy and ability to do things like collect taxes (which is an important function of a government). Lots of participants in crypto believe that taxation is theft and that government is an inherently wasteful entity, all while continuing to enjoy the largely invisible benefits that government policy and enforcement provides them. This is the contradiction.
EDIT: The government is the only reason that FAANG and other tech companies aren't bringing in foreign software developers who will work for $15/hr en masse. You know that if they could, they 100% would.
There's a difference between a little intervention here and there, and government having a literal monopoly over something (e.g. money creation).
> Lots of participants in crypto believe that taxation is theft and that government is an inherently wasteful entity, all while continuing to enjoy the largely invisible benefits that government policy and enforcement provides them. This is the contradiction.
What you've described are anarchists. They are a small minority and certainly do not advocate for more government involvement. Most Bitcoin advocates simply think that Bitcoin is much needed competition to government money (fiat) while still believing in a government-run justice system.
> EDIT: The government is the only reason that FAANG and other tech companies aren't bringing in foreign software developers who will work for $15/hr en masse. You know that if they could, they 100% would.
If you really believe that, I can see why Bitcoin would make you nervous.
I think the contradiction is that if you don't allow the government access to the financial system then there is little it can do for you to get your money back or investigate financial crimes.
The still living members of the Silent Generation would disagree. They still don't trust banks and the banks have once again proven themselves to be untrustworthy.
> The still living members of the Silent Generation would disagree.
Never heard of them. They are incredibly effective at living up to their name.
> They still don't trust banks
Neither do I. I also don't trust my cell phone provider or the grocery store or the company that makes the web browser I use.
> the banks have once again proven themselves to be untrustworthy.
That's because they are. That's why we have a system of laws and regulations in place which kinda work at keeping them from screwing over most people, most of the time. But not always and not everyone. It is a work in progress.
My impression is that there is a lot more auditing going on in the conventional financial system. Not to say that it's not bad, but there are at least some (legit) outside eyeballs on your system.
My financial company has amazing enforcement around code quality, deployments strategies, separation of concerns, testing enforcement, escalation, approvals, backups, minimum security standards, vulnerability remediation and so much more. All of this is aimed at being able to keep compliant at scale. It's a large burden, but it's one you take when you hold people's money.
Stupid & Evil are best friends - if you're looking for one, the other is often nearby. There's going to be a mix of incredibly stupid and incredibly crooked behavior all through this. It's not a surprise that this "genius" is a delusional, pathetic dolt who couldn't operate a frozen banana stand properly, much less a multi-million dollar company. It's also not a surprise that he truly thinks he's innocent on all charges, because he's that much of an idiot.
Crooks typically believe and disbelieve their own bullshit simultaneously, which is even more nonsensical, but that's just criminal thinking at work. None of this is particularly confusing to criminal prosecutors, just the same ol' same ol'. SBF is going to jail, and if he doesn't switch his plea soon he's really going to jail...
It is hard to accept, at least for me sometimes, that the answer to the question "Are those people stupid or fraud?" is more often than not is "both". It does explain a lot so.
This sounds like your standard startup-y security stack. Bonus points for trying to use your cloud provider's hardware key storage and keeping secrets in 1password. It ain't great but you could do worse.
(I've worked at startups and we did better. No access to the cloud provider without a time-based escalation. Secrets in secrets managers. Passwords rotated regularly. Mandatory 2FA. Signed commits. But it would probably still look god-awful if we were a finance company!)
What's particularly astounding about the case of FTX is that it was rolling in cash (unlike many startups), and yet never cared enough to throw money at hiring tons of security-minded staff and engineers
Yeah have often thought the same but presumably they wouldn’t have been able to keep pulling all these shenanigans/fraud if they had proper security staff.
If you read through some of the other parts of the thread, there are stories where they fired competent people as soon as they called attention to these kinds of issues.
Very good point. Spending the money on security engineers at a crypto company sounds like a no-brainer to me. They have a lot of good ideas and the work is essential.
(Demanding that crypto keys be stored in Google Drive is the kind of suggestion you'd make if you were planning on stealing all the money, I guess.)
> The Forbes survey also revealed that FTX did not have a SOC audit and was hoping to get these certificates in Q4 2022 or Q1 2023 from Prescient Assurance LLC, but given the firm’s collapse in November, it is unlikely they got them or will do so.
I get such an incredible volume of malicious crypto spam on Discord and Twitter every single day. They're constantly creating new sites as things get banned, new accounts with legitimate-looking traffic, custom art and even videos for the fake "airdrops" they're planning. And FTX is just keeping their billions of dollars unencrypted in S3 buckets. Hey scammers, wouldn't hacking into that be a better use of your time???
Imagine if you were an employee at this company with access to these keys. They're so disorganized, you could have stolen tens or millions of dollars in crypto and even right now after auditors have gone through everything, still no one would know you had done it. That anyone had done it.
How ethical are you really? Could you actually resist that temptation? Do you think all your co-workers could too?
Exactly. If you have the skills to get hired at a place like FTX, a below-the-radar amount like ten million dollars isn’t an utterly life-changing amount of money. Not something worth risking years of freedom.
While this is flatout insane, it does not speak toward crypto's security directly. If you personally decide that you want a company to hold your crypto that's your decision and a poor one at that. You have the ability to create your own wallet and hold your funds in it securely. Some exchanges like Coinbase even have wallet apps so the transition is super easy to make.
Wallet "apps" are not secure. It's an illusion of security. Unless the source is open AND verifiable there is no reason to trust it more than trusting FTX.
I 100% guarantee that there will be a major hack, from a major app, at some point in the future where it turns out that all seed generation was not in fact random. Honestly, it's probably already happened multiple times and they just haven't gotten caught. Those stories where people claim that all their crypto got stolen even though they never shared their seed—you know the stories that everyone always dismisses as, "You must have let someone else see it." Well, some of those are probably true.
When you generate a private key through an app you are 100% trusting that the person who published that version of that app did not do something trivially easy like decide to generate all seeds from a known incremented input. You'd never know. And if that person caught caught internally the company is far more likely to cover it up, because otherwise they will collapse overnight.
I've never heard of a crypto wallet that was not open source. The coinbase one certainly is.
That doesn't mean there won't be hacks and backdoors though.
You also need to build them from the codebase yourself if you want to be completely sure that you're running the code that's visible (though maybe there's a better way to verify this with Android/iOS apps?)
How do I know the code running on my iPhone is the same as what is on Github? I don't.
There is every incentive for someone to cheat here. There is very little risk, and the potential reward is basically infinite. I can slip a few lines of code in that grant me access to every wallet generated. Worst case I get caught and fired. Best case no one ever knows.
Assuming your employer isn't in on it and you get caught, what are they going to do? Seriously, think about it. If they acknowledge this in anyway the company is OVER. The best course of action is fire you, push a new release and just pray that you don't drain the wallets of the victims in a way that raises too much suspicion.
You either generate seeds from source you audited or maybe trust a hardware wallet that has been sufficiently audited. App-based wallets get new releases on a daily basis. The security is a joke.
I agree there's a problem here, but the verification problem exists for every app on your iPhone that isn't released by Apple.
Maybe I'm just clueless, but what solution could exist to verify that the code running on your phone doesn't differ from a given codebase (that also can't be faked)?
We can build Brave for any platform, which happens to have a wallet, but there's still no way of knowing whether what I built matches what's on the apple store. At least on Android there's F-Droid, which builds and releases from the source. Seems like that's as close as we can get to user-friendly and verifiable right now.
My solution is Safe[0] with multiple signers (different software/hardware for each one). Probably overkill, but when you are your own bank...
One more thing you can do is audit the source code of open source projects you use, and build them yourself where possible.
For example, Metamask is source-available and you can add it to your browser from the git repo rather than the chrome extension store.
You can also add it from the chrome extension store and inspect the source to ensure all files match the build, before adding any private key material to it.
I was arguing in a comment recently[1] that browser extensions should be required to be source-available, and the chrome store should take a role in verifying the bundle matches the build process defined with the source code.
It's alarming to me that this is not already the state of things, but as it is it perverts incentives for extension developers to a horrific degree.
> from a major app, at some point in the future where it turns out that all seed generation was not in fact random. Honestly, it's probably already happened multiple times and they just haven't gotten caught
Bitpay's "copay" wallet used only 64-bits of randomness for the nonces in their signatures, making it trivial to recover the user's private keys.
That wallet was "open source" -- but it doesn't much matter if its open source if no one competent is reading or reviewing the code.
They never announced the vulnerability-- they fixed it and the person who introduced it quietly parted ways with the company (he surfaced again later as part of conman Wright's team, ... I'm not sure if that increases my estimate the the vulnerability was intentional or if it was just incompetence).
And then there are the M of N keys schemes where one can have multiple parties holding the keys. Example: Three keys, any two can sign transactions. You have one somewhere safe(in a safe) and one on your hardware wallet. And the bank has one for your account. The bank can't do anything without you also signing the transaction. You can always sign transactions on your own with both your keys.
I was confused, since this is kind of old news, but it looks to be news because it's part of a new report, which you can see if you scroll wayyyy up to the beginning of White's twitter thread and the link to the court document filed by John J. Ray's team at FTX:
As the tweet points out the bad practice and doesn't comment on the good practice how _should_ one store their keys? Specifically the tweet states that using a secret manager or password vault is a problem, so what is the solution?
I think that if you, an individual who owns some crypto, wants to store your key in a password vault, that's probably fine, as long as you accept the risks (you've done your due diligence and trust your password manager is secure enough for your expected risk factor, etc).
But if you're an exchange handling billions of dollars of customer assets, the requirements should probably be higher. The text implies that many employees at the company had access to the password vault, for example. Also, shared password vaults that I've seen tend to have functionality like the ability to share a password externally (something you probably don't want!), relatively low logging abilities (while it would probably be a good idea to track each and every time a crypto key was accessed and who acccesed it), etc.
At least that's my guess at what they meant — perhaps someone had deeper knowledge and can share that.
A normal pattern is to tier storage into a hot wallet and a cold wallet. Hot wallet is used for daily operations and can have lower security, but has a very low percentage of value, so that if hacked the exchange and eat the loss. The cold wallet can have very very high security measures such as multisig, physical security, geographic distribution, etc, and only needs to be periodically accessed.
Analogy in a old bank with cash or gold is hot wallet = cash that tellers have on hand, cold wallet = vault in the back that has everything else.
Yep. You can also put cold funds behind a multisig, which to use the vault in the back of the bank example, would require two managers to turn a key at the same time to open the vault.
Probably incompetence. Or maybe, done this way to create doubt if/when they decided to take the money and run. "Who did it? Who had access to the keys?""Uh, everybody.."
How should the keys be stored? Not excusing them, but this isn't as straightforward to resolve as people think. That being said, not having any access controls is cringe. Really?
Wait, what? Private keys were stored in unprotected plaintext files regularly opened by multiple people at the company? WTF?
That crosses the line and goes deep into "willful negligence" territory, in my view.
The physical equivalent would be stacking customer assets like dollar bills and gold bars in big piles inside a heavily trafficked room that has no lock.
The term "irresponsible" doesn't quite do justice to it.
> That crosses the line and goes deep into "willful negligence" territory, in my view.
A lot of people are making the assumption that gross incompetence reigned supreme with FTX, and that does seem like the likeliest explanation, but another potential explanation is deeply devious criminal activity.
They could have preplanned this behavior. If they were ever caught doing anything really bad, they had "plausible deniability" by being so loosy-goosy with security and best practices. Everybody from a rogue employee to hackers could be blamed by them if the shit ever hit the fan and they could have some kind of defense that they were so disorganized that they didn't really know what happened.
You might be able to distinguish this by looking at how SBF's own personal crypto funds were managed. If he knew enough to manage his own crypto in a saner way, then you could probably make a case that dysfunction in FTX was by design because he knew better and didn't do it.
> A lot of people are making the assumption that gross incompetence reigned supreme with FTX, and that does seem like the likeliest explanation, but another potential explanation is deeply devious criminal activity.
> According to the report, another employee in the exchange’s legal department was “summarily terminated after expressing concerns about Alameda’s lack of corporate controls, capable leadership and risk management.”
> Alameda wasn’t even clear on what its own positions were, “let alone hedging or accounting for them,” Ray's document reads. A June 2022 portfolio summary, which was supposed to show Alameda’s makeup of crypto positions, was reportedly fabricated after employees were allegedly instructed by an unnamed higher-up to “come up with some numbers? Idk.”
> At one point, according to the report, Bankman-Fried told employees:
> “Alameda is unauditable. I don’t mean this in the sense of ‘a major accounting firm would have reservations about auditing it’; I mean this in the sense of ‘we are only able to ballpark what its balances are, let alone something like a comprehensive transaction history.’ We sometimes find $50m of assets lying around that we lost track of; such is life.”
---
I'm not sure "devious" is the right word choice. Criminal activity - yes. I suspect they knew they were criminals to some degree but were grossly incompetent when it came to managing it.
It feels more like a constant stream of lies to support the ongoing fraud rather than devious.
> We sometimes find $50m of assets lying around that we lost track of; such is life.
I want that life. No, seriously, let me find even just $5M laying around, just once.
I mean, what do you need to have between your ears to even remotely consider losing, and then finding, 50 millions of someone else's money as normal? Such is life? Where? Other than in government agencies, of course.
While I agree with most of this, keeping a small number of things secure for yourself is far easier than doing it for thousands/millions of accounts in an automated way. That's true of almost everything in software. For instance, just because I know how to use a password manager doesn't mean it's easy to get my whole family using a password manager. They were clearly dysfunctional and there may be some of this at play but Occam's Razor says it was just easier to store less securely.
I think that is what is so hilarious about the situation. The US is forever creating situations where companies want to be first in and fastest scaling at any cost, offering free everything to begin.
If they were a bank they would realize their growth is beyond their competence and bring in boring big bank security experts with some of the huge profits on the even more massive holdings.. But there were no legal profits on holding all these assets because they promised to be something better than a bank, making its money from risking your assets, so that was just done illegally leaving no above the table accounts for legitimate operation costs. (A friend of SBF with an illegal loan will obviously keep your keys safe.)
How could an honest company that takes negligence seriously compete? It is like the opposite of regulations as barrier to entry. How do you sell things for less than the Mafia's laundering operation?
> While I agree with most of this, keeping a small number of things secure for yourself is far easier than doing it for thousands/millions of accounts in an automated way.
Of course, but the qualifier I used is "make a case".
Obviously, nobody can ever read SBF's mind, but the government might have enough to prosecute him from this angle if they could prove that he knew better from his behavior with his own holdings, but didn't do things in a certain way for FTX's holdings.
You sound shocked! shocked! to find gross incompetence going on in a place where the accounting system is an Excel spreadsheet manually maintained by the CEO himself, with entries like "Hidden, poorly internally labled fiat@ account" (sic) purportedly worth $8 billion.
Private keys in plaintext in the shared Google Drive that the entire company has access to? That is the least surprising news I've heard today.
I wonder if this reaction is so strong because the readership here are generally more knowledgeable on software and software security than banking. If there was a Hacker News for banking experts, they probably had this reaction to the "accounting" spreadsheet SBF released previously.
Yeah, this is sort of the teleological view. I think Hanlon's razor is a great first guess when trying to figure out people's motivations, but this inverse is probably more appropriate when thinking about what your defenses/reactions should be.
Right. My comment is a reverse of that, expressed in a similar form to Clarke's Law that "Sufficiently advanced technology is indistinguishable from magic."
My understanding from that document is that the bankruptcy managers are just beginning to piece together an accounting of what happened to the money at FTX, and even that accounting is incomplete because personal laptops belonging to executives are being held back by Bahamian authorities. So “FTX wasn’t hacked” is just a hypothesis at this point. Hacking probably wasn’t the major contributing factor to the exchange’s financial problems would probably be a more accurate statement.
I mean FTX had over 300 million dollars moved out of company funds, without company authorization, by parties unknown, and with insufficient monitoring to even know it happened until third parties let them know. So kind of depends on your definition of hacked, I guess.
One way to look at FTX is as a horse race between multiple catastrophic failure modes. In this case the financial malfeasance "won". Maybe in another universe where interest rates stayed low for another year we'd see FTX go down to a hack instead.
Ah sorry, I just meant that light-heartedly. I wasn't assuming ill intent of the parent at all - just FTX. I'll be more careful. Tone doesn't always carry well over the internet.
Ah thanks. I obviously misread you, but alas that probably means many others would as well - particularly when the comment doesn't contain enough information to convey intent.
Both are bad. Crime is bad, but this is an argument for making software engineering more like a medical doctor's guild. Some things simply should not be done. There is an expectation of competence for some things like finance and medicine.
Storing your keys in plain text is hardly software engineering. Plenty of people who don't know the first thing about coding do it all the time.
This is a failure of security and risk management. Making a guild or licensing requirements for software engineers may or may not be a good idea, but it wouldn't have addressed this problem.
But even if it would have in the abstract, FTX played fast and loose with so many other rules, I wouldn't expect them to abide by those either.
Hmm. That is a valid argument for me. You are right. In practical terms, the main issue lies with risk assessment ( and leadership basically running a scam ), but should a person implementing their ideas know better?
I know what the real answer is, but I am curious of the response.
Basically yeah. Medical doctors will not do some thing for fear of losing their license to practice. One could argue storing data like this in plain text is malpractice.
I'd suggest "Vulnerability in Breadth", since increasing your attack surface and number of points of failure is a good way to ensure something goes wrong.
The test of all these security exploits are in the exploiting. In practice, you can run wild and nothing will happen. My HN password was 000000 for years.
I think the general rule is "move fast and break things" unless you are handling money or healthcare. That said, some financial and health-tech firms do seem to fly by the seat of their pants.
So an attacker could have created a totally anonymous wallet, transferred the assets there and then nuked the wallet? Then those assets would be made irretrievable?
Also they stole all the money their depositors entrusted to them. Doesn’t matter if you forgot to lock the vault if you sent all the money to alameda anyway.
Hey, and just like legacy/fiat currencies, it has made a tiny subset of often nefarious actors inexcusably rich while doing nothing for society, but for Good Reasons, right? Such an improvement!
- Social security numbers are used as a secret for identification, despite being in plaintext and having so low entropy as to be guessable, and originally issued on a card literally saying "Not for Identification".
- Every bank check lists the bank account number, which serves as the only information needed for a party to issue a request to withdraw money from that account.
- Credit card numbers are similarly a private number used as a public number, and printed on plaintext on the card.
Is there any effort working on bringing asymmetric encryption to these systems or to replace them that has a reasonable chance of working?