Coinbase: Inside Job is the Biggest Threat
The AMA took place in Bitcoin’s embattled original subreddit, r/Bitcoin, where the moderator Theymos has tirelessly censored alt-coin posts in an attempt to keep the source Bitcoin focused. This resulted in cries of “censorship” by the Bitcoin Community. Theymos reached out to the company to ensure the individuals claiming to be Coinbase, in fact were, and apparently confirmed so.
Throughout the AMA, and in stark juxtaposition to Bitfinex practices, Coinbase multiple times highlighted the importance and sophistication of its cold wallet storage. They noted how many Bitcoin users have trouble storing their bitcoin securely.
“[T]rue offline storage can be a pain in the ass from a usability perspective for an individual,” Coinbase representative Philip-coinbase wrote. “We spend a bunch of our time worrying about coin storage and user security to try to make the experience seamless and secure.”
The team spoke candidly, citing the biggest threat facing Coinbase today as an insider threat.
The team admitted:
“This could be an employee with malicious intent, or a compromised employee machine that allows an attacker to act like an employee. Typically an organization will log all sensitive employee activity to discourage this, which we do, but this is less helpful when malware is acting on the employee’s behalf.”
User Hparker_coinbase, a representative of the security team at the California startup, evoked the company’s use of two-of-three arrangements to ensure a single person does not perform a sensitive action without the approval of others.
“For example, before merging code into our codebase, a pull request will require multiple engineers to approve it with a two factor +1 system,” Hparker said. “Keys required for sensitive actions are constructed with Shamir’s shared secret inside of machines we cannot access, so no single person can use the key. The security team actively tries to find ways to add consensus to any security or financially sensitive actions.”
Coinbase also discussed the insurance policy it has for its hot wallet. “…If Coinbase is breached and the contents of the hot wallet are lost our customers won’t be impacted and the claim process would be handled by Coinbase.” Philip-coinbase wrote. The funds in Coinbase’s hot wallet-currently BTC and ETH- are covered by private insurance.
Coinbase representative Michael wrote that Coinbase has insurance policies specifically tailored for digital currencies, from a syndicate of underwriters.
“This means that even if we lost funds due a compromise of our hot wallet, the insurance policies would pay out and we would be able to cover all customer funds,” Michael-coinbase wrote.
Security Team Trusts Coinbase Enough To Use It
Redditors did not hold back. One asked if the security team was confident enough in Coinbase security to hold all bitcoin in a Coinbase account. Jborrey replied.
“I keep the vast majority of my coins with Coinbase – three reasons,” he said. It’s easier. It’s far better cold storage than he could pull off considering how much time and effort has gone into it. And, he believes in his work.
Others confirmed they keep the majority of their coins in Coinbase, as well. “Before I joined coinbase some years ago I setup my own geographically distributed multi-party cold storage and still store some coins there, mostly for fun at this point,” the member of the security team wrote. “Our cold storage at coinbase is much more paranoid.”
Participants in the AMA also read about Coinbase’s hot wallet insurance. This means that Coinbase will be able cover user balances of BTC and ETH, even in the event of a loss of funds from the company’s hot wallet.
“You are also guaranteed to receive the full balance of your fiat currency wallet (e.g. USD Wallet). Coinbase stores all customer fiat funds in segregated, custodial accounts with each of its bank partners,” Michael wrote. “Coinbase’s banks and regulators know that the funds held in those accounts belong to Coinbase’s customers – not to Coinbase. Even if Coinbase became insolvent, the funds held in those accounts could not be accessed by Coinbase or its creditors. Rather, the funds held in those accounts would be returned in full to Coinbase’s customers.”