A story of insecurity and bureaucracy „for your security“. Coinbase, Authy, and sending your ID to strangers
I had a bad experience with Coinbase in 2017 when they stopped letting me log in to my Bitcoin account. I'm used to getting bad service because I change mobile phone numbers (or don't want to give one, or don't have one!), but in this case there was an extra unsafe step: a company I hadn't signed up with (Authy) requested a copy of my passport. „For your safety“.
- I opened an account with Coinbase in 2015 to operate with Bitcoin
- I sent them a scan of my passport — which I rarely do. I had read their usage conditions (1, 2) and I agreed with them
- I did some small transactions to try it
- Two years later, Jan. 2017, I tried to log in again
- As part of the login, they tried to send an SMS to a mobile phone I didn't own anymore (I had been travelling and I had a different SIM card for each country)
- They offered a way to change my phone number, but they were redirecting me to authy.com, a company I didn't use (I certainly didn't sign up, I had 0 e-mails from them, and I saw no mention of them in Coinbase's terms of service)
- Anyhow, I gave Authy my new phone number (landline), and waited some days for the verification process to follow
- I got an e-mail from Authy linking to a form in which they (Authy) asked me for:
  - a scanned copy of my passport
  - previous phone numbers I had used
  - which accounts I'm using with Authy ← none, I suppose?
  - when I used it for the last time
  - mobile phone operator, old and new
  - current location
  - reason for changing phone
- And here I am, being asked for my passport by a company I didn't sign up for (Authy), with which I had no previous relationship. You should never send your ID to unknown parties, even if they request it „to keep your account safe“, as they did
- Coinbase was out of the process. Here lies the problem
- I had already sent my passport to Coinbase. I trusted Coinbase, not Authy (and this isn't helping). I agreed to Coinbase's TOS (not Authy's). The silent redirection from Coinbase to Authy is bad security and it feels too similar to a phishing attack
Next steps for me:
- [X] talk with Coinbase to change/remove my old phone number. They are the ones I signed up with, and they have my passport and they verified my account. I tried to log in again but they won't let me use a phone from a different country from the country of my previous SIM card (and they have different processes for landline and cellphone too, so I'm not sure it'll work). Update m7.2017: I had contacted them, they didn't reply. I tried months later because they upgraded their system; now I had to use a borrowed phone number (that's bad security too!), get a new code, resend my passport, take a photo of myself, redo and resend everything 4 more times, wait some days, get more codes (again asking for the borrowed phone), then receive an e-mail with a confirmation link to register a device, and then I could log in! After 6 months. By this time I had already created my own BTC wallet with electrum. Anyway, after this odyssey, I could change my login method to Google Authenticator (which means: a Python program, onetimepass, with which I create my own codes! Yay!)
- [X] abandon Coinbase (even at a small BTC loss), and use alternatives. Update m7.2017: even after being able to log in, I'm not happy with their service. I'll use electrum instead
Next steps for you:
- [ ] don't use Coinbase, look for a different company
- [ ] always resist giving your ID. If sending your scanned ID is a valid proof of your identity, then they can prove they are you by sending it to a third party. In other words, they can impersonate you
- [ ] if you send it, write a remark over the photo (a watermark): a text like „for use in ThisCompany on May 2019 only“. If they reject digitally edited photos, add your notes physically (e.g. a post-it) and do a scan without digital editing. If they still demand pristine scans, it's more than they need and it's time to stop business with that company (with a public announcement like this one, I would suggest…)
- [ ] you'll call me crazy if I say this but… did you ever think about sharing your phone number only with your friends?
Next steps for Coinbase:
- [X] take Authy out of the business process which handled my case. Make it totally optional for users like me, who didn't even sign up for Authy. m7.2017: it seems they did this? https://www.reddit.com/r/Bitcoin/comments/6f0hhb/coinbase_recommendation_migrate_from_authy_to/
- [ ] allow verification and checks through a landline number from any country, instead of making users go through so many layers of restrictions, waiting periods, reverifications and different companies. SMS is not safer than landline (both can be re-routed, and BTC stolen)
- [ ] implement verification methods not related to phones (telephones are not required for Bitcoin. A computer is enough). You can do two-factor authentication or send OTP codes to e-mail; it's easier (it doesn't change if you live abroad) and as safe as SMS (including: you probably use it on the same device as your browser). Make it possible to run Coinbase without a phone (are passport scan, webcam photos, valid e-mail and bank account verifications not enough?)
- [ ] consider doing complex verifications via a short call with a human; that would be good service
- [ ] contact me in case they want to add anything to this article?
More info and similar cases:
- http://www.buttcoinfoundation.org/if-coinbase-is-the-future-of-bitcoin-then-i-want-off-this-ride/, a different case from mine, but the same experience