Dear Wall Street Daily Reader,
If Coinbase Global, Inc. (COIN) wants to be the TD Ameritrade of cryptocurrency trading, this is not how you go about it.
I can exclusively confirm that on July 1, in a matter of 13 minutes, cyber criminals looted roughly $700,000 worth of virtual currency from the Coinbase account of a 50-year-old father in California, in what can only be described as an easily preventable attack.
What’s even more appalling and scary is the complete lack of response from the company so far.
It doesn’t even have a customer service phone number to call in the event of emergencies like this, which is as unbelievable as it is unacceptable for a $60 billion market cap company.
If you have a Coinbase account — or own a single share of the stock — you need to spread the word to make sure this issue is addressed. Stat!
Otherwise, you’re just as vulnerable, and your hard-earned capital would be better invested on another platform and/or in another stock.
13 Minutes, 110 Transactions
Here’s the frighteningly rapid timeline of events, as they’ve been retold to me:
- 4:54 pm: Coinbase sent an email about an unknown computer logging into the man’s account. Since the man was driving, he did not see the email until…
- 5:01 pm: Text message received saying the account’s two-factor authentication settings had been changed, which was seen by the man, prompting him to try and take action.
- 5:02 pm: Coinbase sent two more emails saying the same thing — that changes had been made to the account’s two-factor authentication settings.
- 5:03 pm: Father logs into account, notices the criminal has already converted all his non-Bitcoin cryptocurrencies into Bitcoin. He immediately wires out the $170,000 worth of cash in the account to his checking account. This was the only authorized transaction by the account owner.
- 5:04 pm – 5:17 pm: Over the next 13 minutes, the man tried to shut down his account while he watched the cybercriminal complete 110 transfers. Most of the transfers were for small amounts of around $200, and then there was a large one for $630,000.
- 5:18 pm: Coinbase shuts down the account.
At this point, the man tried to find a phone number to contact Coinbase. The only problem? A number doesn’t exist!
That’s right. This company is part of the new breed of all-digital organizations that believes it doesn’t need to provide any type of live customer service. There’s not even a chat option, as you can easily verify for yourself on the company’s Help page.
Left with no option but to email customer support, the man did just that… and he’s still waiting for an official response from a human.
That’s not a typo. It’s been two weeks now — and he’s received nothing more than an acknowledgement that Coinbase received his emails and created a case number. And that’s after paying over $25k in commissions since opening the account.
When you have an account somewhere worth close to $1 million — and pay hefty commissions for service — is that how you expect to be treated as a customer?
Just the Facts, Ma’am
Before any Coinbase bulls try to point the finger at this man, here are some more relevant facts…
The hack was isolated to his Coinbase account, for which he had a unique password.
This wasn’t a classic “social engineering” hack to gain widespread access to the target’s account.
In fact, no attempts were made to log into any of his other online or financial accounts, which include, as you might imagine, meaningful stock investments.
So there was no carelessness on the part of this man that made his Coinbase account uncharacteristically vulnerable to attack.
He was even using anti-virus software, which was current.
Not to mention, his Coinbase history clearly showed he was an investor, not an active trader.
In the roughly five years since opening the account, he estimates he’s only completed about 10 outbound transactions. Again, that’s 10 transactions in five years!
Get With the Digital Times!
Against this backdrop, it’s clear Coinbase could easily have prevented or dramatically limited the attack.
After all, every debit- and credit-card issuer in the world uses readily available tools and technology to identify suspicious activity — in real-time.
In fact, my Chase and Amex credit cards immediately send me a text while I’m at the cash register to authorize a transaction that looks suspicious.
Are these tools not available to Coinbase for some reason?
And what about the fact that two users were logged into the account simultaneously? And most likely, from distant locations.
Coinbase’s system detected it, but then did nothing for 28 minutes.
Most shocking of all is the lack of action after a clear deviation from the user’s “normal” trading activity.
Again, in five years he completed around 10 outbound transactions. But then in 13 minutes, the account suddenly decided to:
- Convert all coins in the account into Bitcoin; and
- Initiate over 100 small transfers out of the account.
Forget cutting-edge artificial intelligence software to detect fraud. I’m pretty sure the ENIAC computer in 1945 could easily have flagged this one — and acted more quickly.
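An added example (not Coinbase's code and not part of the original newsletter) of the two checks argued for above, run over events constructed from the timeline: hold transfers to new destinations after a new-device login or 2FA change, and hold anything beyond a small outbound count per hour. The thresholds, the per-transfer times, the split of amounts and the idea that the owner's bank account was a previously used destination are all assumptions.

```python
# Added example: constructed events modeled on the article's timeline.
# Per-transfer times, the amount split and "known destination" are assumptions.
COOLDOWN_MIN = 24 * 60   # assumed hold on new destinations after a risk signal
WINDOW_MIN = 60          # assumed velocity window, in minutes
MAX_PER_WINDOW = 2       # assumed cap; article's baseline is ~10 outbound in 5 years
RISK_SIGNALS = {"new_device_login", "2fa_changed"}

def hm(s):
    """'HH:MM' -> minutes since midnight."""
    h, m = s.split(":")
    return int(h) * 60 + int(m)

def build_timeline():
    # (time, kind, amount_usd, destination_previously_used)
    ev = [(hm("16:54"), "new_device_login", 0, False),
          (hm("17:01"), "2fa_changed", 0, False),
          (hm("17:03"), "transfer", 170_000, True)]   # owner's wire to his bank
    for i in range(109):                              # ~$200 each, 17:04 to 17:16
        ev.append((hm("17:04") + i * 13 // 109, "transfer", 200, False))
    ev.append((hm("17:17"), "transfer", 630_000, False))
    return sorted(ev, key=lambda e: e[0])

def evaluate(events, use_cooldown=True):
    """Return (held, released) transfers; held ones await step-up verification."""
    last_risk, recent, held, released = None, [], [], []
    for ts, kind, amount, known_dest in events:
        if kind in RISK_SIGNALS:
            last_risk = ts
            continue
        # Sliding window of outbound attempts, including ones already held.
        recent = [r for r in recent if ts - r < WINDOW_MIN] + [ts]
        reasons = []
        if (use_cooldown and last_risk is not None and not known_dest
                and ts - last_risk <= COOLDOWN_MIN):
            reasons.append("new destination after login/2FA change")
        if len(recent) > MAX_PER_WINDOW:
            reasons.append("outbound velocity far above baseline")
        (held if reasons else released).append((ts, amount, reasons))
    return held, released

if __name__ == "__main__":
    for label, flag in (("cooldown + velocity", True), ("velocity only", False)):
        held, released = evaluate(build_timeline(), use_cooldown=flag)
        print(f"{label}: held {len(held)} transfers (${sum(a for _, a, _ in held):,}), "
              f"released {len(released)}")
```

With both checks on, all 110 constructed attacker transfers are held and only the owner's wire goes through; with the velocity check alone, a single $200 transfer gets out before the cap trips.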
The Official Explanation Excuse
Sadly, this man’s ordeal isn’t the first of its kind. But Coinbase publicly insists such “unauthorized transactions” are rare.
More specifically, the company said that just 0.004% of customers were impacted in 2020 by fraudulent transactions originating from email account hacks, SIM card swap attacks, or other breaches unrelated to Coinbase.
But does “rare” somehow make them acceptable? Not hardly!
And it certainly doesn’t justify having antiquated measures in place to try and prevent them. Or worse, trying to blame users, instead of protecting them.
Consider what Coinbase’s chief information security officer Philip Martin told Yahoo! Finance in the wake of another user account hack: “It has become harder and harder for people to protect their online accounts, given the amount of personal information that has become available to bad actors.”
I don’t know the specific details of that incident, but I do for this one. And it had nothing to do with the user. Way to pass the blame, Mr. Martin.
What’s Next?
When will Coinbase get around to responding to this recent incident? Sadly, I suspect it won’t come until after it’s been sued.
If it really wants to be the trusted financial service provider that it markets itself as, it should immediately restore this man’s account to its original, pre-hack value.
After all, every credit- and debit-card issuer has fraud protection policies in place that put the burden on the company to root out the bad actors and reclaim assets, not the customer.
Spread the Word, Not the Risk
At the end of the day, without a customer service department and only run-of-the-mill security measures, there’s no way for Coinbase to build consumer trust, and thus, staying power. In turn, its shares are doomed.
I say that because it’s easy for consumers to tolerate incompetence when their “diamond hands” are making money. Not so much when they’re getting their teeth and bottom lines kicked in during an asset price collapse.
It’s only a matter of time before that happens, and the pressure mounts on Coinbase to update its security measures to catch up with the times.
If you have a Coinbase account, your crypto investments might be doomed, too. So I’d spread the word about this incident. Heck, why don’t you email the company and ask how it plans to respond to protect your account from the same unfortunate turn of events?
If all you get is crickets for a response, you’ve got your answer.
Ahead of the tape,
Lou Basenese
Editor and Founder, Trend Trader Daily