A story of insecurity and bureaucracy „for your security“. Coinbase, Authy, and sending your ID to strangers

I had a bad experience with Coinbase in 2017 when they didn't let me log in anymore to my Bitcoin account. I'm used to having a bad service due to changing mobile phone numbers (or not wanting to give it, or not having one!), but in this case there was an extra unsafe step when a company I didn't sign up with (Authy) requested a copy of my passport. „For your safety“.

  1. I opened an account with Coinbase in 2015 to operate with Bitcoin
  2. I sent them a scan of my passport — which I rarely do. I had read their usage conditions (1, 2) and I agreed with them
  3. I did some small transactions to try it
  4. Two years later, Jan. 2017, I tried to log in again
  5. As part of the login, they tried to send an SMS to a mobile phone I didn't own anymore (I had been travelling and I had a different SIM card for each country)
  6. They offered a way to change my phone number, but they were redirecting me to authy.com, a company I didn't use (I certainly didn't sign up, I had 0 e-mails from them, and I saw no mention of them in Coinbase's terms of service)
  7. Anyhow, I gave Authy my new phone number (landline), and waited some days for the verification process to follow
  8. I got an e-mail from Authy linking to a form in which they (Authy) asked me for:
    • a scanned copy of my passport
    • previous phone numbers I had used
    • which accounts I'm using with Authy ← none, I suppose?
    • when did I use it for the last time
    • mobile phone operator, old and new
    • current location
    • reason for changing phone
  9. And here I am, being asked for my passport by a company I didn't sign up for (Authy), and which I didn't have previous relations with. You should never send your ID to unknown parties, even if they request it „to keep your account safe“, as they did
    • Coinbase was out of the the process. Here lies the problem
    • I had already sent my passport to Coinbase. I trusted Coinbase, not Authy (and this isn't helping). I agreed to Coinbase's TOS (not Authy's). The silent redirection from Coinbase to Authy is bad security and it feels too similar to a phishing attack

Next steps for me:

Next steps for you:

Next steps for Coinbase:

More info and similar cases:

Author: Daniel Clemente Laboreo

Created: 2017-07-21 Fri 03:00