Author

Topic: Coinbase has a multi-sig vault. You now control the keys. (Read 3167 times)

hero member
Activity: 662
Merit: 500
It looks like multi-sig vault is the way to go. people loving this idea of having more people involved in the same outlet. Nice one. It was only a matter of time for Coinbase. Cool
I do like this idea, however I think it will be too complicated for many more novice users. I would say that many users who do not have a good technical understanding of bitcoin and/or technology will likely not be able to navigate as to how multi-sig works and how to properly use it

For the less tech-savvy new bitcoin users, I believe the normal 2FA is good enough.
For those looking for better security, it is not very hard for them to learn to use multi-sig, personal wallet and offline wallet.
sr. member
Activity: 280
Merit: 250
scams hunter!
this is one of the best addons now fo exchanges
legendary
Activity: 1036
Merit: 1000
Thug for life!
It looks like multi-sig vault is the way to go. people loving this idea of having more people involved in the same outlet. Nice one. It was only a matter of time for Coinbase. Cool
I do like this idea, however I think it will be too complicated for many more novice users. I would say that many users who do not have a good technical understanding of bitcoin and/or technology will likely not be able to navigate as to how multi-sig works and how to properly use it
hero member
Activity: 647
Merit: 501
GainerCoin.com 🔥 Masternode coin 🔥
I don't think anyone will give up their keys.
You would not need to give up your keys. With multisig vault, there are three keys. One key is controlled exclusively by coinbase, you do not know this key. The second key is known by both you and coinbase and can only be used by coinbase if you correctly enter your password (coinbase will provide it to you upon receipt of your password). The third key is known only to you and coinbase does not have access to it.

In the event that coinbase goes out of business or is otherwise compromised, you can sign a TX with the key that is shared by both you and coinbase and the key that is known by only you to an address controlled by you only. If everything goes as planned then you can use coinbase to transfer bitcoin to an address of your choice when you are ready to do so
sr. member
Activity: 266
Merit: 250
I don't think anyone will give up their keys.
full member
Activity: 210
Merit: 100

You are due capital gains taxes on any gains resulting from the sale of bitcoin regardless of where the coins are held

If ones Bitcoins purchased through an onramp are immediately spent, or lost , or given away, than their are no capital gains to be paid.

Storing BTC in the coinbase vault will expose you to capital gains in the future.
If the coins are lost then you can likely consider them to be "sold" at zero and would be able to claim capital losses. If they are spent at the exact same price they were purchased at then you are correct, no capital gains are necessary as the coins would be sold at the same price as they were purchased
hero member
Activity: 658
Merit: 501

You are due capital gains taxes on any gains resulting from the sale of bitcoin regardless of where the coins are held

If ones Bitcoins purchased through an onramp are immediately spent, or lost , or given away, than their are no capital gains to be paid.

Storing BTC in the coinbase vault will expose you to capital gains in the future.
full member
Activity: 210
Merit: 100
It is a cool idea but I prefer a paper wallet. I don't want to depend on being able to access coinable servers to use my bitcoin. As was pointed out above it is a nice way for less savvy people to have a secure way to store their assets.  

You don't need access to coinbase servers to transfer your coins. With their creative arrangement they can go completely out of buciness and you can still recover your coins.

My concern more has to do with theft by governments through taxation. Coins stored with coinbase in their vault will be subject to taxation and capital gains taxes when they appreciate. (I plan on paying this if I have any coins but others may not want to for many reasons.)

Multisig paper wallets seem like a better option for those that are savvy, or some of the new hardware coming out like -
http://mycelium.com/entropy
and other hardware wallets can help secure people.
You are due capital gains taxes on any gains resulting from the sale of bitcoin regardless of where the coins are held (although one tax issue that has not been addressed is how TX fees should be treated for tax purposes).

I think this setup is an interesting idea, however I don't think many people who are not tech savvy are going to understand how this works and could potentially make mistakes that end up costing them a lot of money
sr. member
Activity: 406
Merit: 250
AltoCenter.com
It looks like multi-sig vault is the way to go. people loving this idea of having more people involved in the same outlet. Nice one. It was only a matter of time for Coinbase. Cool
legendary
Activity: 1232
Merit: 1001
mining is so 2012-2013
It is a cool idea but I prefer a paper wallet. I don't want to depend on being able to access coinable servers to use my bitcoin. As was pointed out above it is a nice way for less savvy people to have a secure way to store their assets.  

You don't need access to coinbase servers to transfer your coins. With their creative arrangement they can go completely out of buciness and you can still recover your coins.

My concern more has to do with theft by governments through taxation. Coins stored with coinbase in their vault will be subject to taxation and capital gains taxes when they appreciate. (I plan on paying this if I have any coins but others may not want to for many reasons.)

Multisig paper wallets seem like a better option for those that are savvy, or some of the new hardware coming out like -
http://mycelium.com/entropy
and other hardware wallets can help secure people.

I am not ashamed to admit I am less tech savy. So, this seems like I good option for me.  I moved half my bitcoin there.  Though.... as pointed out, I would still like to see better tech come in the future.  Things are are even safer, even easier, and even more private.  So I think that when these things come, things like better hard wallets or paper wallets, then I will start to use them. 
hero member
Activity: 658
Merit: 501
It is a cool idea but I prefer a paper wallet. I don't want to depend on being able to access coinable servers to use my bitcoin. As was pointed out above it is a nice way for less savvy people to have a secure way to store their assets.  

You don't need access to coinbase servers to transfer your coins. With their creative arrangement they can go completely out of buciness and you can still recover your coins.

My concern more has to do with theft by governments through taxation. Coins stored with coinbase in their vault will be subject to taxation and capital gains taxes when they appreciate. (I plan on paying this if I have any coins but others may not want to for many reasons.)

Multisig paper wallets seem like a better option for those that are savvy, or some of the new hardware coming out like -
http://mycelium.com/entropy
and other hardware wallets can help secure people.
newbie
Activity: 16
Merit: 0
It is a cool idea but I prefer a paper wallet. I don't want to depend on being able to access coinable servers to use my bitcoin. As was pointed out above it is a nice way for less savvy people to have a secure way to store their assets. 

yeah, new way should be developed to protect our BTC, or nothing is safe.
sr. member
Activity: 406
Merit: 250
It is a cool idea but I prefer a paper wallet. I don't want to depend on being able to access coinable servers to use my bitcoin. As was pointed out above it is a nice way for less savvy people to have a secure way to store their assets. 
member
Activity: 80
Merit: 10
too late, it should have done, nobody like to abandon their keys
legendary
Activity: 1232
Merit: 1001
mining is so 2012-2013
I think this is a great option for the less tech savvy to be able to have something close to cold storage and it's great that coinbase is leading the way on this. W/o discounts for buying w/ BTC and wallet services that are impervious to theft, you won't have mainstreet coming anywhere near crypto aside from bulls orchestrating panic buying frenzies.
This is an incredibly complicated non solution for a simple matter of a 50 some digit number.

It also has elements of danger in it, based on the specific (unknown, unknowable likely) internals of accounting on the coinbase side.

Here is my take on it.

"I'm worried!  I have a 54 digit number that is my private key.  Someone could find it!  Someone could take all my money!"

"No problem, I have just the solution for you.  Trust me.  Just get MORE PEOPLE INVOLVED WITH YOUR PRIVATE KEY!"

.....

Really?


It is multi-sig, not just a single private key on a user's desktop and on their hard drive where if either system is compromised then it is gone.  Because the private key is split and then divided into multiple places it is actually more safe because now multiple computers have to be compromised.  It isn't exactly trusting more people with your private key, it is trusting more people with part of your private key.  Meaning multiple places now have to be compromised instead of just one. 

Take the famous Klee hack a couple months ago.  He had the private keys on a file on his desktop.  Over 1 million USD worth of coins were stolen.  The only thing that didn't get stolen were the ones with 2FA.  That is because the process of transferring the money was divided up between multiple computers (or in his case a computer and phone) so the hacker couldn't get to some of his funds.  

As one poster said with Coinbase's new system a hacker will now have to

1. gain access to your regular password
2. gain access to your phone for 2FA (if this is enabled and it should always be enabled on any site when possible)
3. gain access to your vault passphrase
4. gain access to your phone again for 2FA
5. then have the original owner of the account not get any of the test messages or emails sent by Coinbase asking to cancel the transaction with a single click.  

After 48 hours if the owner of the account owner hasn't canceled the transfer, then and only then it goes through.  

To me this combination of steps that a hacker must now go through seems to make it just about impossible, less somebody is actually held by force against their own will.

This is just for the normal multi-sig account.  They have another that a person can set up where Coinbase doesn't even have a single key and multiple outside computers controlled by the client would have to be compromised.

The 2nd possible route for a person to lose their funds is for a person to find the private keys and public keys (all are needed) printed up and theoretically well hidden by the client.  Then also discover the exact pass phrase for decoding the vault's key which had been encrypted with the passphrase.  Then download the opensource program from Github and use it to transfer the funds.  This again would take such a serious combination of skillset.  A skill set that would include intelligence, physical theft, and hacking knowledge.  It is easy to find a person that has one of these, but not all three.  It again is very unlikely.  

The last way a person could get to the coins that I have found out about is a person's computer is compromised when setting up the vault.  That is all a hacker need in that scenario.  It is by far the weakest and easiest target, but for this to happen a hacker needs to know that a client will create a vault on a certain computer and be sitting around waiting for that to happen hoping the client along the way doesn't notice the computer is compromised.  The easiest way to thwart this too, which is very easy is to boot with an Ubuntu live DVD, log into Coinbase and create the vault.  The hardest part of that is that Coinbase doesn't (yet) support Firefox when making the vault but will soon so in addition to booting with Ubuntu, then a person will have to install Chrome on Ubuntu before setting up the vault.  And while this part is starting to get complicated, it is by no means nearly as complicated as securely creating cold storage which again involves creating keys on an offline computer running a fresh copy of Linux with a fresh Bitcoin wallet/program/client installed and then transferring them to a live computer, a process that has to be repeated each and every time for each transaction.  
legendary
Activity: 1232
Merit: 1001
mining is so 2012-2013
Quote
Multisig Vaults for individuals feature the 'two-of-three' key structure, where Coinbase and the customer retain one key each, and Coinbase will keep a third shared key that is encrypted by the user's passphrase.

Coinbase holds 2 of the 3 keys. That doesn't work for me because I still have to go through them to get my money out.

Coinbase only holds one of the 3 keys.  The user has one.  The third is created half by a code from coinbase that when combined with a passphrase unique to that vault is created client side.  That code is also available on github via opensource and is actually quite complicated.  Coinbase doesn't ever see the passphrase for creating the second key at anytime.  So, no Coinbase does not have two keys.  They can't move the coins even if they wanted too.
legendary
Activity: 1330
Merit: 1000
Bitcoin
I'll def. be trying this out.
legendary
Activity: 2926
Merit: 1386
I think this is a great option for the less tech savvy to be able to have something close to cold storage and it's great that coinbase is leading the way on this. W/o discounts for buying w/ BTC and wallet services that are impervious to theft, you won't have mainstreet coming anywhere near crypto aside from bulls orchestrating panic buying frenzies.
This is an incredibly complicated non solution for a simple matter of a 50 some digit number.

It also has elements of danger in it, based on the specific (unknown, unknowable likely) internals of accounting on the coinbase side.

Here is my take on it.

"I'm worried!  I have a 54 digit number that is my private key.  Someone could find it!  Someone could take all my money!"

"No problem, I have just the solution for you.  Trust me.  Just get MORE PEOPLE INVOLVED WITH YOUR PRIVATE KEY!"

.....

Really?
sr. member
Activity: 252
Merit: 250
Skoupi the Great
The issue that people raised over at reddit is that you have to trust the javascript code for local encryption/decryption...
legendary
Activity: 1568
Merit: 1001
I think this is a great option for the less tech savvy to be able to have something close to cold storage and it's great that coinbase is leading the way on this. W/o discounts for buying w/ BTC and wallet services that are impervious to theft, you won't have mainstreet coming anywhere near crypto aside from bulls orchestrating panic buying frenzies.
legendary
Activity: 1232
Merit: 1001
mining is so 2012-2013
I was reading more about it on Reddit and Coblee was going back and forth answering questions to doubters.  It seems like the only way you can have this account compromised is in making it.  If your computer is infected when setting up the multi-sig vault, that could be a big problem. 

If your computer is clean during creation and you don't touch the account, nobody can steal your keys, not even the government and/or hacker doing everything they can to force Coinbase into moving them.  It is just about as good as cold storage (but varies a little bit, but is much, much easier to create).  If you are moving money out frequently then there seems to be some debate on if a serious hacker might be able to compromise the account, but even in that case, they still need to get your 2FA device and the owner of the account would have to miss emails and text messages being sent to them that there will be a withdrawal in 48 hours.  A person can click a link from the text message or email to immediately cancel the transaction foiling the attacker. 

I am convinced and have decided to put half of my Bitcoin in Coinbase's multi-sig vault. 

For extra precaution, a person can boot ubuntu on a live DVD, use that to log-in to Coinbase when creating the vault (Chrome will needed to be added as Firefox isn't supported just yet).  I just happen to have one of those DVD's in a box next to my computer right now, and even if a person doesn't have one, they are pretty easy to make.
legendary
Activity: 3598
Merit: 2386
Viva Ut Vivas
We all need to move toward multi-sig...great way for a lot of people to get their feet wet.
legendary
Activity: 1232
Merit: 1001
mining is so 2012-2013
http://www.coindesk.com/coinbases-new-multisig-vault-gives-users-control-keys/

Some people over at reddit are complaining about this saying it isn't safe.  As now there is a risk that the keys might be transferred over the internet and be intercepted.  

I personally like the idea of knowing that Coinbase only has 1 of 3 keys stored in their database.  It makes me feel safer.  Just think had this been implemented at Gox.  Or at a dozen of other exchanges/services that had hot wallets "hacked" and all the money disappeared.  

I also feel a lot more comfortable with a company that designs a product so they can't have control over it.  I feel like they are just going to be that much less likely to steal it and there is less risk of them getting hacked.  Now a person would have to compromise Coinbase one time to get their key on the Coinbase end, and in between or on my end compromise my key/password and/or be live in the Coinbase system as I am logging in.    

Any thoughts?
Jump to: