This has always been my #1 reason I'll never get into crypto. My bank has insurance, my physical assets aren't accessible to people on the internet. I likely won't lose my entire life savings simply because I either forget my password or I use one, single, vulnerable device, ever. (Yes, I fully realize you crypto-millionaires took a small risk and won big, and kudos to you)
The benefit of institutions is that they are able to plan for failure within their system. Yes, this comes with some costs attached, but the costs associated with decentralized and nearly unregulatable commodity markets have not even begun to surface.
You've never had a bank take your checking account assets and freeze them on a payday because they suspected "Fraud."
The bank is Judge, Jury, and Executioner -- and I'm still fighting with US Bank, over a year later, to get the 40K that they have of mine, but, I'm honestly at the point where I don't think I'll ever see that cash again.
If you can lose your currency by forgetting a password or using the wrong device then you set things up incorrectly IMO. There are good ways of doing things where your keys stay on a device, or are only exposed to an offline machine with no network or persistent storage.
Obviously it gets a little more technical, that's why services that manage the keys for you are so popular.
It's not a deficit because everyday users can use a service that handles private keys for them. Managing private keys and signing transactions is not the level of the tech stack that nontechnical folks were ever meant to be on.
It's like complaining that REST APIs aren't user friendly.
My point is for someone who understands how keys work a bit better (like a lot of people here) there are better ways to set things up.
Yes, the crypto people got a lot of things wrong. One is the idea that you have to trust banks. You don't. There's a whole system in place that protects us from banks, or anybody else, behaving badly. It's called 'civilisation'.
Do you think bank insurance is free? You seem to think crypto can't have insurance or maybe that it'll be costly while ignoring that bank insurance is something you are paying for. It's not free and the bank isn't doing you a favor.
Sure that's the point. Individuals can make a judgement call over who they think is least likely to lose their keys, themselves or Coinbase. Many of those crypto "banks" are insured.
And how many people have had money locked up by the very institutions that exist to protect those assets? I trust me _way_ more than I trust nameless corporations.
Are you not aware of cold storage? Do you think people store millions on their laptops? Smart people use traditional means to store their crypto, literally paper in banks, custodians with insurance, actual vaults, etc, etc.
Cold storage just means that your key is kept offline, but the whole system is on the internet. The central part of crypto is the blockchain, which holds all your assets.
So if someone is able to guess your key, or just happen to find it, or if the encryption has been defeated by a leap in computing or algorithms, they will have access to your crypto without needing to access your key.
First off no one is guessing your key, do the math, it's ridiculously impossible. Secondly if someone finds your key that's your problem, it's the same as any real life key, it's not magic. 3rdly no leap in computing, even quantum is going to change the fact that no one is guessing your keys. And bitcoin does not require the internet, it only needs to communicate with other nodes, there is even a Blockstream satellite you can use right now without internet access. This level of technical ignorance is pretty astounding.
You can use Shamir secret sharing or other similar stuff (like multisignature wallets), so that you need m of n keys.
Thus someone accessing some of your keys would not help them at all (and other things can be helpful, like time locks in combination with other features).
No, it gives you more options to handle security in a more robust way and how you see fit. There is no "purpose" of crypto - it's a tool and a tool that has more options than current popular asset protections can offer.
Interestingly, my location has some monero ATMs that take cash, and the 10% or so fee (and apparently - various vulnerabilities) seems well worth it for what is by all measures a quite low effort hands-off way to get money that is quite anonymous, at least for most low key purposes, such as small recreational drug orders etc.
My understanding, and this may be wrong since I don’t actually have Monero, is it’s not since US customers are subject to KYC. While the transaction on the blockchain would be obfuscated, the Exchange as the sender/receiver would still have the withdraw and deposit addresses since they were one of the parties of the transaction.
Further transactions after withdrawing would be difficult to discern, but an exchange could be used to track an approximation of how much Monero you own.
A cash based ATM purchase would be more difficult to track since no KYC is involved.
Monero itself is not KYC, sorry if I worded that poorly above.
The transactions to and from Kraken can definitely be tracked since they would have a record of the actual wallet address you sent your funds to. As for things that happen after that money hits your wallet - you’re right they wouldn’t be able to track it.
I checked the Monero subreddit just to see if my understanding of it tracked with what people who actually own it say and it looks like they agree that transferring from a KYC exchange does allow tracking for transactions coming out or into the exchange.
I also didn't say you transfer directly into Kraken. Instead, you would use at least 1 or 2 other wallets before transferring into Kraken, because that bypasses their scanning.
Kraken is still cheaper while doing that than paying a 10% fee for an ATM.
have not used kraken, but the convenience i am talking about is that someone who has never used any cryptocurrency and does not hold any, can simply walk in there with cash and have monero a minute later, ready to use. but it is true that for many people that convenience is not worth a whole 10%, especially if they somewhat know what they are doing.
You still need to create a wallet, key, etc. and that is not easy to do for beginners without an exchange like Kraken. Most DNMs use temporary addresses so it's not a good idea to try to transfer directly from a bitcoin ATM to a DNM.
If you pay somebody anonymously, how do they know that the payment they've received is yours and not somebody else's? This is something I've always wondered about anonymous payments. I don't see how they can work in practice.
Several ways to do this, but a simple one: You can generate a unique address where you would know where the payment possibly came from, but nobody looking on-chain could deduce the sender.
To add to the previous response, for your wallet you can create multiple sub-accounts or sub-addresses, that can be used to specifically track payments. You can also use integrated addresses, which tags an encrypted payment id to go with it.
Additionally the sender can prove they sent a specific transaction output to you, without exposing information where it came from.
They might have cameras, in any case they are in malls so you will be on those cams anyway. Though as someone downthread remarked, thanks to covid it's no problem to be masked.
You might be missing the point. It's not about being a random person at the mall getting caught by the camera. It is about the single individual at the exact time making a transaction from an "anonymous" crypto account that is the point.
> However, when reviewing the code behind the admin interface, we found that it contains a hash of a default factory setting administration key. We purchased multiple used ATMs from different sources and our investigation revealed that each had the same default key configuration.
A used device should contain no PII, or any other data of the previous owner.
However, using default settings is a sane choice when preparing a device for second hand sale. Yes, even if these default settings are insecure; that is solely the responsibility of the new owner.
It would be interesting to compare this with other low-hanging fruit attack vectors. If you already have physical access, what velocity controls are there in place to prevent me from just repeatedly running cash through the ATM to clear out the entire wallet? vmception is right that long game attacks are way more interesting.
Doubtful. That'd require a custom bill mechanism, and Kraken noted that they're using a standard, off-the-shelf bill acceptor -- the same type you'd find in a vending machine.
So you basically need access to a cash business for a supply of fresh bills. Also for how long do they keep the serial numbers? After a certain amount of time it is possible for the same bill to enter the machine legitimately.
How is this "biased toward FUD"? The article is written and published by Kraken, one of the largest cryptocurrency exchanges. They've discovered valid vulnerabilities and I'm not sure how it's FUD.
and do what? the article lacks any inspiration, like it says you can get into the admin panel, but what does the admin panel let you do? can you change a subtle address to get some of the bitcoin fees for yourself? raise the fees to 100%?
the article then mentions some stuff like access to the bootloader, which of course means you could flash a more capable admin panel into that lets you do way more like take everyone's bitcoin
I mean all of that tells me that you could do whatever you really want. Never mind the admin panel, even if it won't let you change the wallet, overwriting the firmware would certainly allow you to change the wallet where Bitcoins go.
> the article then mentions some stuff like access to the bootloader, which of course means you could flash a more capable admin panel into that lets you do way more like take everyone's bitcoin
I was just wondering why they would spend so much time talking about the lower effort stuff, if it doesn't do anything. I'm sure it does something bad, but I can't go over to my convenience store and say "someone might change the convenience fee to a slightly higher percentage!" to get them to do anything, if that's the extent of the attack surface for just the admin panel if it's already surveilled, so it's useful to be able to say exactly why.
I can imagine social engineering would allow a fake technician to come and service the machine though, with a hat and a voluntary personal mask mandate not being conspicuous right now. It would look so much more official to have a bunch of cables and computer doing a firmware flash lol.
"Commonly used" is not referring to the number, or usage, of Bitcoin ATMs out there. It is referring to the fact that a large fraction of the existing Bitcoin ATMs are "General Bytes BATMtwo (GBBATM2)" machines.
You notice these in other countries quite a bit. Makes it super easy to buy crypto with local currency. Makes it easier to travel with more than 10k cash... no declarations at the airport, no risk of being robbed of cash.
Makes it easier for locals to send and receive money from abroad.
There's a bunch of them where I live (I'm in LA area though), including the 7-Eleven right down the street from my house. I used it when I was first trying to learn about Bitcoin but haven't used it for a practical reason yet; financially, it makes more sense to use Local Coin Swap if you don't need physical cash.