Lawsuit claims Coinbase left basic security holes to sell fixes at a premium

Coinbase faces a new class action lawsuit, claiming it purposefully provides shoddy security to users in order to sell a $29.99 per month membership that would provide better protection — resulting in regular customers’ accounts becoming easy targets for hackers.

Lead plaintiffs Aramik Tarvirdi and Steve Mintz represent Coinbase users in a 10-page complaint filed with the Los Angeles County Court on Friday. They seek compensation for those who lost money allegedly thanks to the crypto exchange’s own vulnerabilities.

The pair also request a trial by jury to determine whether Coinbase violated California’s Unfair Competition Law and a court order that would ban it from marketing or selling Coinbase One — a $360-per-year subscription that would give updated security and compensate users up to $1 million in the event of a hack.

In the lawsuit, Tarvirdi and Mintz allege that Coinbase purposefully left vulnerabilities in its security systems for “ease of use” and in order to upsell Coinbase One. The subscription model — still in beta — is currently only available to a select few, yet it’s unclear what criteria is needed to be invited into the program.

“The design and nature of this business scheme exploits and deceives consumers in two ways,” the lawsuit claims. “First, Coinbase is providing the appearance of account security through a program that does not appear to be operational. Second, Coinbase is incentivised to leave open security vulnerabilities in order to force clients into a subscription program that costs $29.99 per month in order to have heightened security and account protection.”

The lawsuit goes on to explain how Coinbase forgoes cold wallet ‘industry standards’ and instigates a ‘cooldown period’ for transfers to new addresses, which in turn provide easier access for hackers.

“Consumers are then left at the mercy of hackers and other nefarious parties who exploit these vulnerabilities to drain victims accounts in an instant. Common exploits include: sim-swap attacks, two-factor authentication spoofing, man in the middle attacks, cookie stealing, and session hijacking,” (our emphasis).

The main plaintiffs and the users represented in the suit allege “all these attacks had at least one common element, a new address was added to the Coinbase account and the funds or assets were transferred to the new address.”

According to them, Coinbase is more than aware of the vulnerabilities through the subscription program’s own terms — if extra layers of security are available, it suggests these are being withheld from its regular customers in order to save money.

Read more: Bad day for Coinbase: Trailer flop, SEC probe, Cathie Wood dump

Coinbase lawsuit appointed to judge

According to Coinbase, its beta subscription product offers $0 trading fees, dedicated 24/7 customer support, account protection up to $1 million, pre-filled tax forms (form 8949), and premium staking rewards.

It says that only a “limited” audience in the US have access to Coinbase One. Those eligible are notified by email, but users can sign up and try their luck.

In case of a hack, Coinbase One subscribers won’t be eligible for any reimbursement “if you engage in unreasonable, offensive, or dishonest behavior in communicating with Coinbase.” This includes contacting Coinbase employees “outside of official customer support channels.”

“Eligibility, determination of the amount of any Reimbursable Losses, and any interpretation of these Coinbase Account Protection Warranty Terms will be determined by Coinbase in its sole discretion.”

What’s more, if you “initiate any action, suit or claim” against the firm, its employees, or “affiliates,” you won’t receive a penny. At press time, no court hearings have been set. However, judge Stuart M. Rice has been assigned to the case. He was appointed by former governor Arnold Schwarzenegger in 2005.

For more informed news, follow us on Twitter and Google News or listen to our investigative podcast Innovated: Blockchain City.