Topic: Coinbase has a multi-sig vault. You now control the keys. (Read 3167 times)

For the less tech-savvy new bitcoin users, I believe the normal 2FA is good enough.
For those looking for better security, it is not very hard for them to learn to use multi-sig, personal wallet and offline wallet.

this is one of the best addons now fo exchanges

I do like this idea, however I think it will be too complicated for many more novice users. I would say that many users who do not have a good technical understanding of bitcoin and/or technology will likely not be able to navigate as to how multi-sig works and how to properly use it

You would not need to give up your keys. With multisig vault, there are three keys. One key is controlled exclusively by coinbase, you do not know this key. The second key is known by both you and coinbase and can only be used by coinbase if you correctly enter your password (coinbase will provide it to you upon receipt of your password). The third key is known only to you and coinbase does not have access to it.

In the event that coinbase goes out of business or is otherwise compromised, you can sign a TX with the key that is shared by both you and coinbase and the key that is known by only you to an address controlled by you only. If everything goes as planned then you can use coinbase to transfer bitcoin to an address of your choice when you are ready to do so

I don't think anyone will give up their keys.

If the coins are lost then you can likely consider them to be "sold" at zero and would be able to claim capital losses. If they are spent at the exact same price they were purchased at then you are correct, no capital gains are necessary as the coins would be sold at the same price as they were purchased

If ones Bitcoins purchased through an onramp are immediately spent, or lost , or given away, than their are no capital gains to be paid.

Storing BTC in the coinbase vault will expose you to capital gains in the future.

You are due capital gains taxes on any gains resulting from the sale of bitcoin regardless of where the coins are held (although one tax issue that has not been addressed is how TX fees should be treated for tax purposes).

I think this setup is an interesting idea, however I don't think many people who are not tech savvy are going to understand how this works and could potentially make mistakes that end up costing them a lot of money

It looks like multi-sig vault is the way to go. people loving this idea of having more people involved in the same outlet. Nice one. It was only a matter of time for Coinbase.

I am not ashamed to admit I am less tech savy. So, this seems like I good option for me.  I moved half my bitcoin there.  Though.... as pointed out, I would still like to see better tech come in the future.  Things are are even safer, even easier, and even more private.  So I think that when these things come, things like better hard wallets or paper wallets, then I will start to use them. 

You don't need access to coinbase servers to transfer your coins. With their creative arrangement they can go completely out of buciness and you can still recover your coins.

My concern more has to do with theft by governments through taxation. Coins stored with coinbase in their vault will be subject to taxation and capital gains taxes when they appreciate. (I plan on paying this if I have any coins but others may not want to for many reasons.)

Multisig paper wallets seem like a better option for those that are savvy, or some of the new hardware coming out like -
http://mycelium.com/entropy
and other hardware wallets can help secure people.

yeah, new way should be developed to protect our BTC, or nothing is safe.

It is a cool idea but I prefer a paper wallet. I don't want to depend on being able to access coinable servers to use my bitcoin. As was pointed out above it is a nice way for less savvy people to have a secure way to store their assets. 

too late, it should have done, nobody like to abandon their keys

It is multi-sig, not just a single private key on a user's desktop and on their hard drive where if either system is compromised then it is gone.  Because the private key is split and then divided into multiple places it is actually more safe because now multiple computers have to be compromised.  It isn't exactly trusting more people with your private key, it is trusting more people with part of your private key.  Meaning multiple places now have to be compromised instead of just one. 

Take the famous Klee hack a couple months ago.  He had the private keys on a file on his desktop.  Over 1 million USD worth of coins were stolen.  The only thing that didn't get stolen were the ones with 2FA.  That is because the process of transferring the money was divided up between multiple computers (or in his case a computer and phone) so the hacker couldn't get to some of his funds.  

As one poster said with Coinbase's new system a hacker will now have to

1. gain access to your regular password
2. gain access to your phone for 2FA (if this is enabled and it should always be enabled on any site when possible)
3. gain access to your vault passphrase
4. gain access to your phone again for 2FA
5. then have the original owner of the account not get any of the test messages or emails sent by Coinbase asking to cancel the transaction with a single click.  

After 48 hours if the owner of the account owner hasn't canceled the transfer, then and only then it goes through.  

To me this combination of steps that a hacker must now go through seems to make it just about impossible, less somebody is actually held by force against their own will.

This is just for the normal multi-sig account.  They have another that a person can set up where Coinbase doesn't even have a single key and multiple outside computers controlled by the client would have to be compromised.

The 2nd possible route for a person to lose their funds is for a person to find the private keys and public keys (all are needed) printed up and theoretically well hidden by the client.  Then also discover the exact pass phrase for decoding the vault's key which had been encrypted with the passphrase.  Then download the opensource program from Github and use it to transfer the funds.  This again would take such a serious combination of skillset.  A skill set that would include intelligence, physical theft, and hacking knowledge.  It is easy to find a person that has one of these, but not all three.  It again is very unlikely.  

The last way a person could get to the coins that I have found out about is a person's computer is compromised when setting up the vault.  That is all a hacker need in that scenario.  It is by far the weakest and easiest target, but for this to happen a hacker needs to know that a client will create a vault on a certain computer and be sitting around waiting for that to happen hoping the client along the way doesn't notice the computer is compromised.  The easiest way to thwart this too, which is very easy is to boot with an Ubuntu live DVD, log into Coinbase and create the vault.  The hardest part of that is that Coinbase doesn't (yet) support Firefox when making the vault but will soon so in addition to booting with Ubuntu, then a person will have to install Chrome on Ubuntu before setting up the vault.  And while this part is starting to get complicated, it is by no means nearly as complicated as securely creating cold storage which again involves creating keys on an offline computer running a fresh copy of Linux with a fresh Bitcoin wallet/program/client installed and then transferring them to a live computer, a process that has to be repeated each and every time for each transaction.  

Coinbase only holds one of the 3 keys.  The user has one.  The third is created half by a code from coinbase that when combined with a passphrase unique to that vault is created client side.  That code is also available on github via opensource and is actually quite complicated.  Coinbase doesn't ever see the passphrase for creating the second key at anytime.  So, no Coinbase does not have two keys.  They can't move the coins even if they wanted too.

I'll def. be trying this out.

This is an incredibly complicated non solution for a simple matter of a 50 some digit number.

It also has elements of danger in it, based on the specific (unknown, unknowable likely) internals of accounting on the coinbase side.

Here is my take on it.

"I'm worried!  I have a 54 digit number that is my private key.  Someone could find it!  Someone could take all my money!"

"No problem, I have just the solution for you.  Trust me.  Just get MORE PEOPLE INVOLVED WITH YOUR PRIVATE KEY!"

.....

Really?

The issue that people raised over at reddit is that you have to trust the javascript code for local encryption/decryption...

I think this is a great option for the less tech savvy to be able to have something close to cold storage and it's great that coinbase is leading the way on this. W/o discounts for buying w/ BTC and wallet services that are impervious to theft, you won't have mainstreet coming anywhere near crypto aside from bulls orchestrating panic buying frenzies.