Tonko (OP)
|
|
March 24, 2013, 07:54:31 PM |
|
So, I decided to test if I can actually transfer my BTCs from Coibase back to my checking account.
I started with the button saying Send money and it asked for an email address. I typed in my own email address.
At this point I can't, with absolute certainty, claim that I didn't misspell my email address. I just can't. I don't think I did, since I type is so often on a daily basis and it never happened so far. But can I honestly assert that it is a complete impossibility: no.
Then, what is the possibility that a user with a very uncommon variation on my real name at misspelled yahoo.com (like yaoho.com) really exists? Note also that I never sent any BTC to an actual Bitcoin address. Anyway, a Bitcoin address, somehow mysteriously corresponding to a misspelled email address, popped up from somewhere and spent my BTCs.
I am still waiting on response from an ever so busy Coinbase support.
|
|
|
|
camolist
|
|
March 24, 2013, 07:59:04 PM |
|
So, I decided to test if I can actually transfer my BTCs from Coibase back to my checking account.
I started with the button saying Send money and it asked for an email address. I typed in my own email address.
what does selling bitcoin to your checking account have to do with email? you go to their sell page type how many to sell and it goes to your bank no need for an email address. sounds like you instead sent bitcoin to an email (possibly not yours) LOL
|
|
|
|
Tonko (OP)
|
|
March 24, 2013, 08:06:29 PM |
|
no need for an email address. sounds like you instead sent bitcoin to an email (possibly not yours) LOL
Are you saying that sending BTC to a non-existent email address and corresponding Bitcoin address appearing out of blue and taking it is something that is to be expected? I mean, I verified that email address does not exist, neither per Yahoo or Google, and that domain name is some actual shop that doesn't accept Bitcoins.
|
|
|
|
camolist
|
|
March 24, 2013, 08:12:09 PM |
|
Are you saying that sending BTC to a non-existent email address and corresponding Bitcoin address appearing out of blue and taking it is something that is to be expected?
no idea. i have never sent to an email address before but if you are trying to sell that isn't how you do it anyways there is quite clearly a sell tab and instead you went to send and entered an email address?
|
|
|
|
Tonko (OP)
|
|
March 24, 2013, 08:27:12 PM |
|
but if you are trying to sell that isn't how you do it anyways there is quite clearly a sell tab and instead you went to send and entered an email address? Well, ok, I made an error. I expected that sending to my own email address may accomplish the same. You are making it sound as if every user mistake should be punishable by the loss of BTCs?!
|
|
|
|
camolist
|
|
March 24, 2013, 08:31:48 PM |
|
how do you know they are lost? have you even sent an email (and waited say a business day..it is Sunday after all) before complaining publicly about your own mistake?
forum is filled with complaints that a simple email and waiting a day would have solved
|
|
|
|
Tonko (OP)
|
|
March 24, 2013, 08:37:52 PM Last edit: March 24, 2013, 09:01:32 PM by Tonko |
|
how do you know they are lost? have you even sent an email (and waited say a business day..it is Sunday after all) before complaining publicly about your own mistake?
forum is filled with complaints that a simple email and waiting a day would have solved
Okay. Can't argue with that except noticing that a simple: You cannot send to the email address, only Bitcoin address or The email address you are trying to send to doesn't exist message would have prevented any of this happening. And, uhm, are you saying that you yourself have every issue with Coinbase resolved in one business day?! You have merchant account with them and you regularly get deposits from them into your back account? That would be nice to know.
|
|
|
|
camolist
|
|
March 24, 2013, 09:15:11 PM |
|
And, uhm, are you saying that you yourself have every issue with Coinbase resolved in one business day?! You have merchant account with them and you regularly get deposits from them into your back account? That would be nice to know.
not sure how coinbase does it but sending to email could be just like paypal where you can send payment to any email address even if they dont have an account... the payment will be waiting to be claimed when they make an account or follow instructions by email. no way for them to know if an email address is real or not not a merchant account but i've been buying and selling since mid november. 32 transactions in and out of the bank i've written them 4 times. two for suggestions/good words (got personal replies to both) and two for problems that were solved within a day (both being widespread issues last time they had missing balances and the past week with delayed transactions)
|
|
|
|
Tonko (OP)
|
|
March 24, 2013, 09:38:44 PM Last edit: March 24, 2013, 10:08:55 PM by Tonko |
|
not a merchant account but i've been buying and selling since mid november. 32 transactions in and out of the bank
I certainly hope for the similar experience. Because, technically, they can't send to email address without having (AFAIK unknown) method of matching email addresses to Bitcoin addresses. So they either: a) send all email BTC transfer requests to their own Bitcoin address and wait for a claim (in unknown format) that provides them with a corresponding Bitcoin address to ultimately transfer to, or b) have somebody hacked into their system, who provides Bitcoin address in such a case. This would be a bad security breach. Assuming they are doing any sort of email to Bitcoin address matching, then typing your own email address makes perfect sense: they have both on record in their database. Can be considered as a way to sell @ Market, even if, by now, I see my own stupidity in expecting such kind of user-friendly shortcuts at this stage. Their site shows the email transfer in question as a transaction that was recorded in a certain block and went to a certain Bitcoin address (which I never specified). The transfer was Complete instantly. Which is why all this makes me worried. One of the rare cases where I would prefer to see their vastly more 'popular' Pending status on transaction. Feel like a beta tester now .
|
|
|
|
MPOE-PR
|
|
March 25, 2013, 12:32:24 AM |
|
So wait just a second here. The Coinbase security paradigm is that if I send them email FORGED to have your email as a "sender" they will happily let me spend your BTC? Are you kidding me?
|
|
|
|
Tonko (OP)
|
|
March 25, 2013, 12:51:05 AM Last edit: March 25, 2013, 01:39:51 AM by Tonko |
|
So wait just a second here. The Coinbase security paradigm is that if I send them email FORGED to have your email as a "sender" they will happily let me spend your BTC? Are you kidding me?
From what I know so far, it does seem that their 'send to email' feature is a security hole waiting to be exploited. Granted, it wouldn't be super easy to create many permutations on email misspellings and request funds, but not impossible either. It is a security hole, one way or another. Any hacker worth anything should have come up with a truckload of ideas for an exploit upon my very first post. There should be an additional handshake (pass phrase?!) requiring an email (even if invalid) to prove its claim to coins.
|
|
|
|
Tonko (OP)
|
|
March 25, 2013, 03:24:33 AM |
|
Ok, I am going to call official Mea Culpa on this.
Julian from Coinbase was very fast to respond, explain the issue and restore my BTCs.
I can't say that I wouldn't want even more warnings and 'you are about to..., are you sure' popup or tooltip questions (that all have a convenient 'Don't show this again' checkboxes) in any similar situations, yesterday or in the future, but for now it is all just an user error.
|
|
|
|
camolist
|
|
March 25, 2013, 03:54:54 AM |
|
Ok, I am going to call official Mea Culpa on this.
Julian from Coinbase was very fast to respond, explain the issue and restore my BTCs.
I can't say that I wouldn't want even more warnings and 'you are about to..., are you sure' popup or tooltip questions (that all have a convenient 'Don't show this again' checkboxes) in any similar situations, yesterday or in the future, but for now it is all just an user error.
glad it all got worked out. and on a Sunday evening! wish people would give support a try before running to the public So wait just a second here. The Coinbase security paradigm is that if I send them email FORGED to have your email as a "sender" they will happily let me spend your BTC? Are you kidding me?
whatttttt from within the account you can send btc to either address or email (think coinapult.com...is that still a thing?
|
|
|
|
MPOE-PR
|
|
March 25, 2013, 10:00:13 AM |
|
Ok, I am going to call official Mea Culpa on this.
Julian from Coinbase was very fast to respond, explain the issue and restore my BTCs.
I can't say that I wouldn't want even more warnings and 'you are about to..., are you sure' popup or tooltip questions (that all have a convenient 'Don't show this again' checkboxes) in any similar situations, yesterday or in the future, but for now it is all just an user error.
Well ok so don't leave us in the dark, what exactly was it? whatttttt from within the account you can send btc to either address or email (think coinapult.com...is that still a thing?
From what OP said I gathered that somebody spent his BTC by using a similar email? Anyway, now I reread and am confused.
|
|
|
|
Tonko (OP)
|
|
March 25, 2013, 12:53:18 PM Last edit: March 25, 2013, 01:35:09 PM by Tonko |
|
Well ok so don't leave us in the dark, what exactly was it?
Sending to an unknown email address (because of misspelling) automatically creates an account with Coinbase which also gets a newly created Bitcoin address. BTCs are them transferred to that address and marked as 'spent' in the detailed UI that the sender can see (as I did). To (re)claim BTCs you must contact their support. I don't know what exactly would have happened if, for example, you knew or guessed at the misspelling and tried to open an account using the same address in order to steal those BTCs. To create a new domain and email account in a hurry is probably not a big deal for competent hackers. It is probably much harder if it is an existing domain but you don't control that domain. Certainly too much effort for a pitiful amount that I transferred.
|
|
|
|
Tonko (OP)
|
|
March 27, 2013, 09:28:44 PM |
|
Grrr Always something!
Now there is a problem showing correct balances and my balance is 0.00.
Can't they have a problem where my balance would we 1000.00 BTCs, even if it is error?
|
|
|
|
|