Cryptocurrency is no longer the “currency of criminals” and is slowly expanding its use cases beyond the criminal world and the dark web. With crypto's growing fame and a lot of talent moving to the blockchain and crypto industry, the crypto ecosystem has matured and become a lot safer. But there is still one thing that even the best talent in the crypto industry hasn’t been able to solve: exchange hacks. Every time the world tries to fathom an exchange hack, assuming it to be the last one, another one appears, of a larger magnitude and on a stronger system. This is one of the reasons why Vitalik Buterin wished that centralized exchanges would “burn in hell”.
Crypto Exchanges and their Hacks
Each exchange is different and so is each hack. But there are some similarities in every hack that has taken place so far. A crypto exchange hack is usually made possible by a mix of system and human errors that are, knowingly or unknowingly, still left unaddressed. It’s not that the exchanges haven’t attempted to close these loopholes, but it looks like the hackers just get smarter every time. Some of the characteristics common to most hacks are:
Huge Hot Wallet Crypto Holdings
Anyone who has traded cryptos knows that each exchange has a hot wallet. The hot wallet (or online wallet) processes transactions on the exchange without having to move the currencies back and forth between offline cold wallets. However, the hot wallet is one of the primary attractions for an attack. At any one time, an exchange can have hundreds of millions of dollars in cryptocurrencies sitting in a hot wallet, making it a good single point for a hacker to attack and loot all the funds. Be it Bittrex, Bithumb, Coinrail or Zaif, each of their hacks saw a huge amount of money lying in the hot wallet.
While there could be hundreds of reasons related to the hardware, architecture, and software that a crypto exchange uses, a recent report on exchange security by ICO Rating spotted four areas where cryptocurrency exchanges are vulnerable. These were:
- Console errors
- User Account Security
- Registrar and Domain Security
- Web Protocols Security
While these issues persist with every exchange at some point, it all depends on the type of code vulnerability, whether any malicious parties know about the vulnerability, and whether it is profitable to exploit.
The reason a lot of people in a decentralized world hate centralized exchanges is that none of the decentralized exchanges are autonomous. Even behind the most successful exchanges lies a dedicated team working to keep them live and error free. For the most part that works well. However, humans are imperfect and so is the trust they carry. The errors committed by humans, be it a breach of trust, a phishing attack or an unknowing omission by the security team, could all end up in a mess and a loss of funds.
The rise of Coinbase as a Safe Harbour
Coinbase is the most popular consumer-facing cryptoasset exchange in the United States. Operating since 2011, the company allows users to buy, sell, and store cryptoassets, like Bitcoin and Ethereum. The exchange was founded by former Airbnb engineer Brian Armstrong and was first funded by Y Combinator. In 2012, the other founder, Fred Ehrsam, who previously worked at Goldman Sachs as a trader, joined the company, after which Coinbase launched its buying and selling services. Coinbase’s customer base has expanded to approximately 32 countries, with bitcoin transactions and storage available in 190 countries worldwide.
In Oct 2018, Coinbase raised $300 million in a Series E round, bringing its valuation to $8 billion, led by Tiger Global Management, with participants including Andreessen Horowitz, Y Combinator Continuity, Wellington Management, and Polychain.
While the crypto world continues to struggle, Coinbase has maniacally pursued compliance with existing regulations and law enforcement, putting it on the right side of the law, another huge asset in a sector that is still in desperate need of regulatory guidance.
All things in place, what has made Coinbase untouchable to the competition is its on-ramp for mainstream crypto investors, as the exchange positions itself as a safe harbor among cryptoasset exchanges. The exchange, as of this writing, is a sizable exchange that has never been hacked, unlike many of its competitors.
What Makes Coinbase Secure
Security is one of the things Coinbase takes really seriously, and it is something most exchanges should take lessons from. There are certain critical and strategic steps Coinbase has taken which make it a fortress that can’t be breached.
A lot of credit for this fortress goes to the security team, which is headed by Philip Martin, the Director of Security at Coinbase. Martin has a high-profile background in security and also understands the psychology of malicious actors. He was previously a founding member of the Palantir security team and a Counterintelligence Agent in the US Army, and holds a whole host of other impressive accomplishments. Philip built and oversees an elite team of cybersecurity experts from Silicon Valley and all around the world to monitor and protect customers' investments 24/7/365.
The major reason Coinbase has guarded the coins well is that it stores 98 percent of customer funds offline, preventing loss or theft. Coinbase does take things a step further. It not only cold stores the coins but also distributes them geographically around the world in vaults and safe deposit boxes.
With respect to data security, Coinbase takes similar precautions. Sensitive data is disconnected from the Internet, split with redundancy, and encrypted with AES-256 before being copied onto paper backups and FIPS-140 USB drives. Exactly like the funds, these paper backups and USB drives of sensitive information are also distributed geographically throughout vaults and safe deposit boxes spread around the world.
Digital Currency Insurance and FDIC Insurance for USD Deposits
To give an ultimate shield to user funds, Coinbase has a third-party insurer against theft and hacking of digital assets. In the event of a hack where the team is unable to salvage and protect the assets, the third-party insurer will step in and reimburse users for their loss.
With respect to the US dollar deposits and storage, Coinbase has full FDIC backing by the United States Government. This means if a user account gets hacked, they aren’t going to rely on some insurance company to put up a stink about why they shouldn’t pay out the claim.
Coinbase Bounty Program
When it comes to the carrot-or-stick method, Coinbase chooses the carrot. Instead of trying to steal coins from Coinbase whenever they find weaknesses, hackers can simply report the loopholes to Coinbase and get paid. This way, the money they earn is actually clean, and they don’t need to make risky attempts to sell stolen coins without getting caught. To illustrate how well this strategy has worked for Coinbase: on February 14th, 2019, Coinbase paid someone a massive $30,000 bounty for a critical bug that was found on their system.
Security Steps for the Application
Coinbase uses SQL injection filters and, as a prevention measure against CSRF attacks, verifies the authenticity of POST, DELETE, and PUT requests. It also limits the rate of some actions on the website, such as login attempts. Coinbase additionally whitelists attributes across models so there are no mass-assignment vulnerabilities.
In terms of security of the authentication process, Coinbase hashes passwords in its database using bcrypt with a cost factor of 12. When a user creates an account or resets his or her password, Coinbase checks for strong passwords. Finally, it stores application credentials separately from the code base and database.
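The request checks described in this section, shown together as an added example (this is not Coinbase's code): a session-bound CSRF token verified on state-changing methods, an attribute allow-list against mass assignment, and a login rate limiter. All names, the allowed fields and the limit of 5 attempts per 60 seconds are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)            # constructed per-process secret
STATE_CHANGING = {"POST", "PUT", "DELETE"}      # methods that must carry a token
ALLOWED_USER_ATTRS = {"display_name", "email"}  # hypothetical model fields
MAX_LOGINS, WINDOW = 5, 60.0                    # assumed: 5 attempts per 60 s

def csrf_token(session_id):
    """Token bound to one session: HMAC-SHA256(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def csrf_ok(method, session_id, submitted):
    """Safe methods pass; state-changing ones need this session's token."""
    if method.upper() not in STATE_CHANGING:
        return True
    if not submitted:
        return False
    expected = csrf_token(session_id).encode()
    return hmac.compare_digest(expected, submitted.encode())  # constant time

def permit(params):
    """Keep only allow-listed attributes, so a stray 'is_admin' is dropped."""
    return {k: v for k, v in params.items() if k in ALLOWED_USER_ATTRS}

class LoginLimiter:
    """Sliding-window limiter keyed by account name or client address."""
    def __init__(self, limit=MAX_LOGINS, window=WINDOW):
        self.limit, self.window, self.seen = limit, window, {}

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.seen.get(key, []) if now - t < self.window]
        ok = len(recent) < self.limit
        if ok:
            recent.append(now)      # only accepted attempts are recorded
        self.seen[key] = recent
        return ok

def handle_update(method, session_id, token, params):
    """Constructed handler: returns (HTTP status, attributes applied)."""
    if not csrf_ok(method, session_id, token):
        return 403, {}
    return 200, permit(params)
```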
Security Creates Further Business Opportunity: Coinbase Custody
Being sure of its guards and having cracked the security metrics well, Coinbase expanded its business vertical into custody. Coinbase Custody today operates as a standalone, independently-capitalized business to Coinbase, Inc. Coinbase Custody is a fiduciary under NY State Banking Law. All digital assets are segregated and held in trust for the benefit of its clients. This is an offering which charges a setup fee of $100,000 and requires a minimum holding of $10 million, so it is clearly aimed at banks, hedge funds and other financial institutions who would require such a service.
With the points discussed, one can easily say that Coinbase is a very safe platform. Just keep in mind that if the crypto ecosystem is growing and becoming more secure, the hackers are getting smarter too. Also, as is widely said, nothing is unhackable in today’s world, and no one ever knows who is eyeing Coinbase next. But due to Coinbase’s top-notch security, it may just be really hard for hackers to crack it.
Nilesh Maurya has been associated for the past 8 years as an Investment Banker with Omega Capital, a bespoke Investment Banking outfit having offices in Mumbai, New York, Singapore, and Dubai. He has been a regular contributor to business publications such as Business India and Market Express and has been a mentor to many start-up companies. Follow him on Twitter at @KoinKing1 or connect with him on LinkedIn.