Those risks apply to the traditional banking system as well. Someone could phish your login and password. Someone could steal your checks. Someone could open a policy with Progressive Insurance, provide a stolen account number, and pay their premiums out of your bank account while conducting progressively larger insurance fraud. Your bank could get hacked. Your bank could go bankrupt.
We dealt with an identity theft issue around the same time that I was conducting some crypto transactions with Coinbase, and the difference in security was stark. My bank hides 2-factor auth behind an obscure account setting. If someone steals your account number, they can start making direct withdrawals immediately just by entering it into an ACH form that doesn't do trial deposits. The bank relies on you keeping an eye on your statements to notice this, and they won't reimburse any fraudulent charges over $1000.
Meanwhile, Coinbase defaults to 2-factor auth. They send you an e-mail if you log in from a machine whose IP & browser fingerprint doesn't match one you've logged in from before. They do trial deposits for ACH linking. They send you an e-mail whenever someone initiates an ACH deposit or withdrawal from your account. There's a mandatory waiting period (1 week I think) before the funds are available. I suspect they would suck just as much as my bank if you did get hacked (I've heard horror stories), but the proactive security measures give me a lot more confidence than the mainstream financial industry.
Account security best practices are orthogonal to how your assets are handled behind the scenes. The SEC isn't regulating securities because someone might log into your account, they regulate them because someone at Coinbase could be deceiving investors or hiding risk.
Money doesn't appear magically from nowhere. If someone is offering you return for holding your cash, it's not just sitting there. The risk is implicit in whatever they're doing to turn your N money into NM money: there is no way to absolutely guarantee that M is >0.
But with regard to this subthread specifically - the risks that the OP points out are account security best practices, and common to both Coinbase and traditional banks. If you're going to point them out as reasons that your capital is at risk, you also have to point out that your capital is at risk with traditional financial institutions.
That's moot. It's totally reasonable for the SEC to not regulate account security best practices and still regulate the company implementing those practices making off with your cash. A Ponzi scheme whose website has mandatory 2FA is not somehow better. The SEC was never designed to protect against all kinds of risks.