Bitcoin Forum
November 21, 2017, 03:58:17 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: More fun with Coinbase  (Read 1347 times)
Tonko
Full Member
***
Offline Offline

Activity: 126


View Profile
March 24, 2013, 07:54:31 PM
 #1

So, I decided to test if I can actually transfer my BTCs from Coibase back to my checking account.

I started with the button saying Send money and it asked for an email address. I typed in my own email address.

At this point I can't, with absolute certainty, claim that I didn't misspell my email address. I just can't. I don't think I did, since I type is so often on a daily basis and it never happened so far. But can I honestly assert that it is a complete impossibility: no.

Then, what is the possibility that a user with a very uncommon variation on my real name at misspelled yahoo.com (like yaoho.com) really exists?
Note also that I never sent any BTC to an actual Bitcoin address.
 
Anyway, a Bitcoin address, somehow mysteriously corresponding to a misspelled email address, popped up from somewhere and spent my BTCs.

I am still waiting on response from an ever so busy Coinbase support. 
1511279897
Hero Member
*
Offline Offline

Posts: 1511279897

View Profile Personal Message (Offline)

Ignore
1511279897
Reply with quote  #2

1511279897
Report to moderator
1511279897
Hero Member
*
Offline Offline

Posts: 1511279897

View Profile Personal Message (Offline)

Ignore
1511279897
Reply with quote  #2

1511279897
Report to moderator
1511279897
Hero Member
*
Offline Offline

Posts: 1511279897

View Profile Personal Message (Offline)

Ignore
1511279897
Reply with quote  #2

1511279897
Report to moderator
Join ICO Now A blockchain platform for effective freelancing
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1511279897
Hero Member
*
Offline Offline

Posts: 1511279897

View Profile Personal Message (Offline)

Ignore
1511279897
Reply with quote  #2

1511279897
Report to moderator
1511279897
Hero Member
*
Offline Offline

Posts: 1511279897

View Profile Personal Message (Offline)

Ignore
1511279897
Reply with quote  #2

1511279897
Report to moderator
camolist
Hero Member
*****
Offline Offline

Activity: 896


View Profile WWW
March 24, 2013, 07:59:04 PM
 #2

So, I decided to test if I can actually transfer my BTCs from Coibase back to my checking account.

I started with the button saying Send money and it asked for an email address. I typed in my own email address.

what does selling bitcoin to your checking account have to do with email?

you go to their sell page type how many to sell and it goes to your bank

no need for an email address. sounds like you instead sent bitcoin to an email (possibly not yours) LOL

Tonko
Full Member
***
Offline Offline

Activity: 126


View Profile
March 24, 2013, 08:06:29 PM
 #3

no need for an email address. sounds like you instead sent bitcoin to an email (possibly not yours) LOL

Are you saying that sending BTC to a non-existent email address and corresponding Bitcoin address appearing out of blue and taking it is something that is to be expected?
I mean, I verified that email address does not exist, neither per Yahoo or Google, and that domain name is some actual shop that doesn't accept Bitcoins.
camolist
Hero Member
*****
Offline Offline

Activity: 896


View Profile WWW
March 24, 2013, 08:12:09 PM
 #4

Are you saying that sending BTC to a non-existent email address and corresponding Bitcoin address appearing out of blue and taking it is something that is to be expected?

no idea. i have never sent to an email address before 

but if you are trying to sell that isn't how you do it anyways  Huh there is quite clearly a sell tab and instead you went to send and entered an email address?

Tonko
Full Member
***
Offline Offline

Activity: 126


View Profile
March 24, 2013, 08:27:12 PM
 #5

but if you are trying to sell that isn't how you do it anyways  Huh there is quite clearly a sell tab and instead you went to send and entered an email address?

Well, ok, I made an error. I expected that sending to my own email address may accomplish the same.

You are making it sound as if  every user mistake should be punishable by the loss of BTCs?!
camolist
Hero Member
*****
Offline Offline

Activity: 896


View Profile WWW
March 24, 2013, 08:31:48 PM
 #6

how do you know they are lost? have you even sent an email (and waited say a business day..it is Sunday after all) before complaining publicly about your own mistake?

forum is filled with complaints that a simple email and waiting a day would have solved


Tonko
Full Member
***
Offline Offline

Activity: 126


View Profile
March 24, 2013, 08:37:52 PM
 #7

how do you know they are lost? have you even sent an email (and waited say a business day..it is Sunday after all) before complaining publicly about your own mistake?

forum is filled with complaints that a simple email and waiting a day would have solved



Okay. Can't argue with that except noticing that a simple:

You cannot send to the email address, only Bitcoin address
or
The email address you are trying to send to doesn't exist

message would have prevented any of this happening.

And, uhm, are you saying that you yourself have every issue with Coinbase resolved in one business day?!
You have merchant account with them and you regularly get deposits from them into your back account?
That would be nice to know.
camolist
Hero Member
*****
Offline Offline

Activity: 896


View Profile WWW
March 24, 2013, 09:15:11 PM
 #8

And, uhm, are you saying that you yourself have every issue with Coinbase resolved in one business day?!
You have merchant account with them and you regularly get deposits from them into your back account?
That would be nice to know.

not sure how coinbase does it but sending to email could be just like paypal where you can send payment to any email address even if they dont have an account... the payment will be waiting to be claimed when they make an account or follow instructions by email. no way for them to know if an email address is real or not


not a merchant account but i've been buying and selling since mid november. 32 transactions in and out of the bank

i've written them 4 times. two for suggestions/good words (got personal replies to both) and two for problems that were solved within a day (both being widespread issues last time they had missing balances and the past week with delayed transactions)

Tonko
Full Member
***
Offline Offline

Activity: 126


View Profile
March 24, 2013, 09:38:44 PM
 #9

not a merchant account but i've been buying and selling since mid november. 32 transactions in and out of the bank

I certainly hope for the similar experience.

Because, technically, they can't send to email address without having (AFAIK unknown) method of matching email addresses to Bitcoin addresses.

So they either:
a) send all email BTC transfer requests to their own Bitcoin address and wait for a claim (in unknown format) that provides them with a corresponding Bitcoin address to ultimately transfer to, or
b) have somebody hacked into their system, who provides Bitcoin address in such a case. This would be a bad security breach.

Assuming they are doing any sort of email to Bitcoin address matching, then typing your own email address makes perfect sense: they have both on record in their database. Can be considered as a way to sell @ Market, even if, by now, I see my own stupidity in expecting such kind of user-friendly shortcuts at this stage.

Their site shows the email transfer in question as a transaction that was recorded in a certain block and went to a certain Bitcoin address (which I never specified).
The transfer was Complete instantly. Which is why all this makes me worried. One of the rare cases where I would prefer to see their vastly more 'popular' Pending status on transaction.

Feel like a beta tester now  Undecided.
MPOE-PR
Hero Member
*****
Offline Offline

Activity: 756



View Profile
March 25, 2013, 12:32:24 AM
 #10

So wait just a second here. The Coinbase security paradigm is that if I send them email FORGED to have your email as a "sender" they will happily let me spend your BTC? Are you kidding me?

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
Tonko
Full Member
***
Offline Offline

Activity: 126


View Profile
March 25, 2013, 12:51:05 AM
 #11

So wait just a second here. The Coinbase security paradigm is that if I send them email FORGED to have your email as a "sender" they will happily let me spend your BTC? Are you kidding me?

From what I know so far, it does seem that their 'send to email' feature is a security hole waiting to be exploited.
Granted, it wouldn't be super easy to create many permutations on email misspellings and request funds, but not impossible either.
It is a security hole, one way or another.

Any hacker worth anything should have come up with a truckload of ideas for an exploit upon my very first post.

There should be an additional handshake (pass phrase?!) requiring an email (even if invalid) to prove its claim to coins.  
Tonko
Full Member
***
Offline Offline

Activity: 126


View Profile
March 25, 2013, 03:24:33 AM
 #12

Ok, I am going to call official Mea Culpa on this.

Julian from Coinbase was very fast to respond, explain the issue and restore my BTCs.

I can't say that I wouldn't want even more warnings and 'you are about to..., are you sure' popup or tooltip questions (that all have a convenient 'Don't show this again' checkboxes) in any similar situations, yesterday or in the future, but for now it is all just an user error.
camolist
Hero Member
*****
Offline Offline

Activity: 896


View Profile WWW
March 25, 2013, 03:54:54 AM
 #13

Ok, I am going to call official Mea Culpa on this.

Julian from Coinbase was very fast to respond, explain the issue and restore my BTCs.

I can't say that I wouldn't want even more warnings and 'you are about to..., are you sure' popup or tooltip questions (that all have a convenient 'Don't show this again' checkboxes) in any similar situations, yesterday or in the future, but for now it is all just an user error.

glad it all got worked out. and on a Sunday evening! wish people would give support a try before running to the public


So wait just a second here. The Coinbase security paradigm is that if I send them email FORGED to have your email as a "sender" they will happily let me spend your BTC? Are you kidding me?

whatttttt  Huh from within the account you can send btc to either address or email (think coinapult.com...is that still a thing?

MPOE-PR
Hero Member
*****
Offline Offline

Activity: 756



View Profile
March 25, 2013, 10:00:13 AM
 #14

Ok, I am going to call official Mea Culpa on this.

Julian from Coinbase was very fast to respond, explain the issue and restore my BTCs.

I can't say that I wouldn't want even more warnings and 'you are about to..., are you sure' popup or tooltip questions (that all have a convenient 'Don't show this again' checkboxes) in any similar situations, yesterday or in the future, but for now it is all just an user error.

Well ok so don't leave us in the dark, what exactly was it?

whatttttt   from within the account you can send btc to either address or email (think coinapult.com...is that still a thing?

From what OP said I gathered that somebody spent his BTC by using a similar email? Anyway, now I reread and am confused.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
Tonko
Full Member
***
Offline Offline

Activity: 126


View Profile
March 25, 2013, 12:53:18 PM
 #15


Well ok so don't leave us in the dark, what exactly was it?


Sending to an unknown email address (because of misspelling) automatically creates an account with Coinbase which also gets a newly created Bitcoin address.
BTCs are them transferred to that address and marked as 'spent' in the detailed UI that the sender can see (as I did). To (re)claim BTCs you must contact their support.

I don't know what exactly would have happened if, for example, you knew or guessed at the misspelling and tried to open an account using the same address in order to steal those BTCs. To create a new domain and email account in a hurry is probably not a big deal for competent hackers. It is probably much harder if it is an existing domain but you don't control that domain. Certainly too much effort for a pitiful amount that I transferred.
Tonko
Full Member
***
Offline Offline

Activity: 126


View Profile
March 27, 2013, 09:28:44 PM
 #16

Grrr Always something!

Now there is a problem showing correct balances and my balance is 0.00.

Can't they have a problem where my balance would we 1000.00 BTCs, even if it is error?
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!