When cryptocurrency exchanges become the victims of cybercriminals, the effects can be really damaging. The first six months of 2020 were pretty harsh for crypto exchanges. As of July 2020, five exchanges lost digital assets worth over $500 million. These attacks ranged from malware attacks to token vulnerability attacks. It is a commonly-held belief that no crypto exchange can be 100% secure.
Large crypto exchanges like Coinbase preside over digital assets worth hundreds of billions of dollars. According to Coinbase reviews, security has always been a key selling point. Most of the time, their security measures work great, but the attackers never sleep.
Furthermore, the perennial problem remains that the attacks are unpredictable. On top of that, such attacks remain non-systematic in nature. But what about Coinbase? Once hailed unhackable, is Coinbase safe enough in 2020?
This article takes a deep dive into the Coinbase security measures. We will go beyond the technical standpoint and look into different aspects of security. For example, we examine organizational security and insurance of assets to ascertain how hardened their system is.
What is Coinbase and how does it work?
Coinbase operates as:
- GDAX- An order book exchange known as Global Digital Asset Exchange (GDAX). This is a trading platform for advanced traders who determine the mid-market price.
- Brokerage- Known as Coinbase, it allows retail investors buy and sell crypto assets at the mid-market prices.
Coinbase offers users a range of products with varied security measures. Lately, the exchange has been critiqued for the recurring “Coinbase Down” issue.
According to the users, whenever Bitcoin price moves, Coinbase faces major outages. Due to the “Coinbase Down” issue, users have been wondering – how secure is Coinbase?
In this article, we will shed light on the Coinbase security aspects of these products separately: the Coinbase.com website and the Coinbase app.
Available across more than 103 countries, both the Coinbase website and app offer an easy, secure, and regulated on-ramp to crypto. A user can connect his bank account to the interface and buy/sell crypto against U.S. dollars or other fiat currencies.
Asset security standards
Coinbase uses the gold standard of cryptocurrency asset security for Coinbase.com or Coinbase app users. That means it places consumers’ assets in the platform’s cold storage system. These assets placed in cold storage remain completely offline. Thus, they are disconnected from the internet and remain secured against hacks.
According to the Coinbase website, it stores 98% of these consumers’ assets in the cold storage system. Thus, only 2% of consumers’ funds remain in the hot wallets and remain insured. We will talk about that later in this article.
To ensure the security of 98% of the customers’ assets, Coinbase deploys a globally-distributed key storage system. As a matter of fact, you don’t have to worry about managing your own private keys. The platform uses paper backups of the keys. These keys remain stored in vaults and safe deposit boxes across the globe. This setup ensures the customers’ keys remain protected against loss and misuse.
Data security standards
Coinbase is not an anonymous service and adheres to strict KYC rules. That answers one question – is Coinbase legit? It is one of only four exchanges with a license in the state of New York under the pilot BitLicense program. Moreover, it holds over 40 licenses to operate in the United States alone.
Thus, Coinbase collects highly sensitive user data. For example a signature, national identity card, tax ID, bank account information, driver’s license, and more. But is Coinbase safe to give ID to? Is Coinbase safe enough to handle such sensitive data?
Coinbase works in compliance with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Thus, according to our Coinbase review, it has a full-fledged data security set-up in place. The company does not store sensitive data on its servers.
Furthermore, this data remains encrypted using the Advanced Encryption Standard (AES-256). AES-256 is the only publicly accessible cipher. Moreover, it is approved by the National Security Agency (NSA) to protect top-secret information.
After encryption, the data is copied onto papers and FIPS-140 USB drives. These paper backups and USB drives are then stored across geographically-distributed vaults.
Website security standards
The Coinbase website traffic is protected by SSL encryption (https). Furthermore, all the wallets and private keys remain stored using AES-256 encryption.
For the Coinbase login, the security team has deployed a 2-step verification (2FA) system. This adds another layer of security over the username and password. It is mandatory for all users to adhere to this way of logging into the platform.
The exchange further strengthens the security by limiting the number of Coinbase login attempts. It always asks users to authorize a new device.
Many users find this an annoying security measure, but the Coinbase security team is taking no risks.
Coinbase physical and virtual security standards
The exchange has a security staff of 41 members. The team also includes an Iraq War veteran who assesses the perimeter risks for physical security. On the mathematical, digital front, Coinbase has a Ph.D. cryptographer on the team.
There are checks in place that ensure a user always creates strong passwords for the Coinbase login. Furthermore, these hash passwords are stored in the database using BCrypt. This ensures passwords remain extremely resistant to hacks.
On top of this, the application credentials are kept separate from the database and codebase. Ample preventive measures against CSRF attacks have also been established.
Both the Coinbase app and the website require users to submit identification details. The question of whether it is safe to give ID information to Coinbase has already been answered in the data security standard section above.
Is Coinbase wallet safe?
Remember, as a Coinbase Wallet app user, you remain in complete custody of your digital assets and private keys. It is a non-custodial product, and it generates a 12-word private key for the security of the assets. These keys remain secured with biometric authentication technology and Secure Enclave for Coinbase logins.
Even Coinbase does not have access to this 12-word recovery phrase. So if you happen to lose the seed, you might end up losing your assets.
In early 2019, the exchange announced that Coinbase Wallet users can backup their private keys on Google Drive or iCloud. Furthermore, the cloud accounts will store the AES-256-GCM encrypted copy of the recovery phrase.
However, this step of backing up private keys on centralized servers did receive mixed reactions. And users once again started questioning- is Coinbase Wallet safe?
Some believe that this kind of backup could lead to an increase in attacks on Google Cloud and iCloud. But security researchers believe the feature is safe enough and Coinbase has implemented it the right way.
Coinbase Custody security standards
As a qualified crypto-asset custodian for institutions, Coinbase Custody is now open for custody services to institutions like banks and hedge funds. It became the first-ever crypto custodian to pass SOC1 and SOC2 security valuations. This assures Coinbase Custody security standards are compliant with widely accepted standards.
For utilizing the services of Coinbase Custody, an institution or business is required to pay a setup fee of $100,000. Furthermore, a minimum holding of $10 million needs to be maintained. In 2019, Grayscale Investments, the largest digital currency asset manager, announced that Coinbase would serve as custodian of its cryptocurrency assets.
Multisig vaults (non-functional now)
A couple of years back, Coinbase offered its users a multisig Coinbase vault feature too. Although it no longer supports the creation of new multisig vaults, users can still access their existing Coinbase vaults via third-party software. These vaults are suitable for larger balances and ideal for long term storage.
Organizational level security measures
Most of the crypto platforms have developed circles of hell with their technology. Thus, it has become difficult for attackers to penetrate the security walls. But now these attackers are trying to take down the platforms via social engineering attacks.
Coinbase always boasts about its 41 member security engineer team. As a blockchain security engineer at Coinbase, one needs to perform regular security assessments of blockchain protocols, smart contracts, and other tech. Furthermore, a security engineer is required to advise on the code and architecture of wallet systems and key management frameworks. Thus Coinbase takes additional precautions while employing new resources.
To ensure organizational level security, the exchange conducts criminal background checks of the new hires. Apart from that, all the hard drives remain encrypted and separate passwords are used for every device and service.
Coinbase Bug Bounty Program
Apart from its security team, Coinbase also runs a Bug Bounty Program. Under this program, Coinbase rewards developers for picking out vulnerabilities in the system. In early 2019, Coinbase handed out a massive bug bounty worth $30,000 to developers for identifying a critical vulnerability.
Is it safe to link a bank account to Coinbase?
Most of the crypto enthusiasts ask this question at some point in time.
Before we get to the Coinbase security measures to safeguard your banking details, let us look at how Coinbase operates in the United States. Coinbase is registered with FinCEN as a Money Services Business. On top of that, it must comply with consumer protection laws such as The Bank Secrecy Act, The USA Patriot Act, and more.
Now, let us look at how Coinbase ensures compliance with so many financial services and consumer protection laws. According to the Coinbase website, the banking details like account numbers and routing numbers are stored using AES-256 encryption (bank-level). It also ensures the sensitive data remains protected by using an SSL security layer on its website. Furthermore, no employee can access user data related to their banking transactions.
So, the answer to the question is it safe to link bank account to Coinbase is a simple yes.
Coinbase security soft spots
Undoubtedly, Coinbase offers some advanced security features that none of its competitors offer. But we cannot turn a blind eye to the weak spots.
98% of the cold-storage funds remain uninsured
As per Coinbase’s insurance policy, only the assets in the hot wallets remain covered. That accounts for 2% of the total customers’ assets. That means in an unlikely event if the cold wallets suffer a security breach, 98% of the Coinbase customer assets would not be insured, not to mention the difficulties in recovery.
No fraudulent account transfer alerts
According to the recent reports, 1.543 million XRP has been stolen through fraudulent videos on YouTube. The ledger tracking firm Xrplorer confirmed that 60% of these stolen XRP came from Coinbase users. Furthermore, it warned Coinbase that it must take proactive steps to warn users when they move their funds to scam-related accounts.
Dear @CoinbaseSupport. In the past couple of days, your users have been scammed of more than 230,000 XRP to scams promoted on YouTube.
Isn't it on time you started warning your users when they withdraw to potentially fraudulent accounts? https://t.co/B5crdeZRRn
— Thomas Silkjær (@Silkjaer) August 16, 2020
Coinbase Custody split key issue
One of the unique features of Coinbase Custody is the splitting of offline private keys. This ensures no single entity has complete control over the main wallet. However, a major vulnerability was recently identified where a malicious key holder could change part of the key. If this happens, the full private key will be lost and the exchange could lose access to the funds. Coinbase is yet to address this vulnerability. Thus, we face this question once again- is Coinbase safe?
Coinbase Custody has an insurance limit of $255 million
The institutional crypto custodian provides coverage to hot, warm, and cold storage. But there is a catch. They have an annually-renewed commercial crime policy. According to this policy, there exists an insurance limit of $255 million (per incident and overall).
Coinbase password glitch
A potential vulnerability was uncovered almost a year back. Passwords of close to 3,500 Coinbase users were stored as plain text on an internal server log. Luckily, no outside party got hold of these server logs. Such a circumstance is one reason why people worry about Coinbase being safe.
Coinbase’s reliance on Plaid for banking account verification
According to the Coinbase website, the company relies on Plaid technology for instant bank account number verification. This data is never shared with Coinbase. But Plaid recently faced some turbulent waters as it was alleged to be selling user data to the highest bidder. Plaid denied all these acquisitions.
Is Coinbase Insurance any good?
The Coinbase user must stay aware of the fact that the insurance policy covers all the losses resulting from:
- Breach of Coinbase’s physical security
- Breach of cybersecurity
- Any theft conducted by an employee
The USD funds of U.S. residents enjoy coverage of up to $250,000 from FDIC insurance.
What if Coinbase fails?
When Japan’s leading exchange Mt. Gox collapsed, over 850,000 bitcoins went missing. This could happen again. But Coinbase is different. In the U.S., the exchange stores fiat currencies in custodial bank accounts or U.S. Treasuries, and outside the U.S., fiat remains stored in other custodial bank accounts. Thus, in case Coinbase goes bankrupt, the customers can claim their fiat funds.
However, according to a recent academic paper, Coinbase customers could face issues in reclaiming their assets in the event of insolvency. That is because, like most of the exchanges, Coinbase does not segregate blockchain addresses. The exchange must give this some serious thought.
All in all, our Coinbase review reveals that Coinbase does remain a top-notch, security-hardened exchange in 2020. However, the exchange does get bashed at times for running a well-guarded safe exchange. For example, there are many times when Coinbase user accounts get flagged for suspicious activity and, as a result, their accounts get frozen temporarily. However, such measures are all for the security of the digital assets worth hundreds of billions of dollars.