I recently cancelled my Coinbase debit card. I signed up when it was announced, using it for a small number of recurring transaction in because of the generous rewards, cashback in the form of cryptocurrency of my choice. In August 2022, I started seeing transactions I didn't recognize, and began searching for a way to dispute them.
I learned that Coinbase has no visible support articles on how to dispute Card transactions, and no "happy path" for it through their support channels. The transaction history has a large "Contact Support" button, but the subsequence screen (at time of writing) does not have a way to report the specific transaction. The only way forward with support is to send an email, but there are no instructions on what information to provide. The top result for "coinbase card hacked" on Google refers to online Coinbase accounts, not their Card product specifically, and the page explaining how to report an unauthorized transaction refers to bank transfers, not Card payments. It refers people to a decision tree which is not aware of Coinbase Card. I reported my card stolen, locking it and requesting a new physical card.
Less than 6 hours after I requested a new card, I spotted a new batch of transactions I didn't recognize. My takeaway: Coinbase Card is unsafe. Newly shipped cards are cracked before arriving in the mail. Coinbase and its vendors have failed to secure Coinbase Cards, and have failed to adequately respond to a problem that has existed for over a year. I believe that an upstream vendor for the debit cards has been hacked, beginning in or around October 2021. Numerous reports began surfacing on reddit:
/r/coinbase 36 points (96%) 69 comments 2021-10-14T14:54:30Z /r/coinbase 19 points (95%) 36 comments 2021-10-15T18:48:03Z /r/coinbase 66 points (99%) 113 comments 2021-10-15T23:18:43Z /r/cryptocurrency 51 points (92%) 47 comments 2021-10-16T02:07:42Z
Coinbase issues the cards through Pathward, formerly known as MetaBank. Pathward has 991 complaints on the Better Business Bureau website over the past 3 years and 100% response rate by the business — I consider BBB a low-value signal, but the company is clearly monitoring reports and attempting to reactively manage its reputation.
Debit cards also limit your fraud liability but require you to report your lost or stolen card within two business days to limit your liability to $50. If you report after two business days but before 60, your liability goes up to $500. If just your debit card number is stolen and not the card itself, you are not liable for unauthorized charges, as long as you report them within 60 days of receiving your statement.
Coinbase owes its users a better response and a higher degree of confidence. It has not communicated clearly to its users about the risks they're subjected to, and it has not focused on putting customer safety first. Coinbase has never proactively communicated the increase in fraud, and has made no public statements acknowledging the problem or explaining how they will protect their users. Instead, they've seemingly ignored the problem for over a year, without even offering appropriate support channels.