Coinbase Thinks It’s a Good Idea to Backup Private Keys to the Cloud

On Tuesday (February 12th), cryptocurrency exchange Coinbase said that the Coinbase Wallet app for iOS and Android had been enhanced such that it was now possible for users to back up an encrypted copy of their private keys to the cloud (iCloud in the case of iOS users and Google Drive in the case of Android users).

Exactly one week after launching Bitcoin (BTC) support on Coinbase Wallet (formerly known as "Toshi"), Coinbase announced that it was "introducing cloud backup for your private keys on Coinbase Wallet". Here is the tweet Coinbase sent out:

According to the blog post by Coinbase Wallet Product Lead Siddharth Coelho-Prabhu, this new feature "provides a safeguard for users, helping them avoid losing their funds if they lose their device or misplace their private keys."

Coinbase thinks that although it is great that Coinbase Wallet allows users to experience "the full power of an open financial system" (i.e. "storing their own funds and accessing them anywhere in the world"), this power comes with "great responsibility." Since private keys, which are "generated and stored on your mobile device", are "the only way to access your funds on the blockchain", and owners of non-custodial wallets such as Coinbase Wallet "sometimes lose their devices or fail to backup their 12 word recovery phrase in a safe place," thereby "losing their funds forever," it would be good for users of Coinbase Wallet to use cloud backup for their private keys, and it is now providing a feature that enables just that.

The new opt-in cloud backup feature provides "the ability to store an encrypted copy of your recovery phrase on your personal cloud account." You will, of course, need to come up with a strong password and a way to remember it somehow, but if "you lose your device or get signed out of the app," you will be able to "easily regain access to your funds with the combination of your personal cloud account (iCloud or Google Drive) and your password."

Coinbase wants you to know that this backup is "encrypted with AES-256-GCM encryption and accessible only by the Coinbase Wallet mobile app." And of course, if you lose the password for this backup, the support staff of Coinbase or your cloud service provider will not be able to help you since they don't keep a copy of this password:

"Coinbase will not have access to your password or funds at any time, preserving your privacy and control. Your cloud backup provider will also not have access to your funds, as only you know the password that decrypts your encrypted recovery phrase."

Although this feature currently only "supports iCloud on iOS devices and Google Drive on Android devices," Coinbase plans "to add support for other cloud services in the future."

Coinbase also wants to remind users that this feature is completely optional and needs to be explicitly activated. It further recommends that users "backup their passphrase manually" even after activating cloud backup and "activate Two-Factor Authentication on your personal Google or iCloud accounts to make those accounts harder for attackers to compromise."

Amongst experienced long-time investors in crypto, especially those who strongly believe in its ideas of decentralization and self-sovereignty, the reactions on Twitter were quite negative. Here are a few examples:


Liquidators Take Charge of Cryptopia: Here Are Cryptopia’s Big Mistakes

Phil Carroll is a Blockchain researcher and enthusiast who has been following the market for over 5 years now. He has been working as a freelance chain analyzer and as a technological content writer for whitepapers etc. In his spare time, he likes to write about topics that involve Bitcoin, Blockchain and cryptocurrencies.

Although cryptocurrencies themselves are incredibly secure, the exchanges that facilitate their movement have been far more problematic.

2018 set a record for the most crypto exchange hacks in history, and the efforts of bad actors are becoming more expansive and more expensive with time. Now, another crypto exchange has been brought down by a hack.

The Slow Descent of Cryptopia

The New Zealand-based Cryptopia endured a hack on January 14 that cost the company $16 million worth of digital assets, including Ether and ERC-20 tokens. In the immediate aftermath of the breach, Cryptopia took its site offline, posting a message indicating that the website was under maintenance.

At the same time, Cryptopia contacted police authorities who worked to identify the perpetrators and to attempt recovery of the stolen assets. A few days later, the company acknowledged the data breach and admitted that they incurred “significant losses.”

Eventually, Cryptopia came back online, providing limited trading opportunities while continuing to experience banking issues. This reduced functionality prevented many users from cashing out their tokens.

For a while it seemed as if the exchange was going to recover from the hack. However, after making efforts to reduce costs and develop a profitable business model, Cryptopia decided that it was in the best interest of all stakeholders to liquidate the exchange. In a statement, Grant Thornton, Cryptopia’s assigned liquidator, conveyed their intention “to find the solution that is in the best interests of customers and stakeholders.”

Take Note of the Mistakes

In some ways, Cryptopia made many correct moves in attempting to repair their exchange after such a significant breach. However, the mistakes made prior to it were ones that can’t be overlooked.

Mistake #1 – Exchange Security

Obviously, whenever a crypto exchange is hacked, there is well-deserved scrutiny of its cybersecurity practices.

In this case, it’s speculated that the exchange stored users’ private keys, the most prominent line of defense against an intrusion, on a single server that was vulnerable to a hack. In this scenario, hackers could easily access and record users’ private keys and then delete the information, making it inaccessible to users and to the exchange.

It’s estimated that hackers gained access to 76,000 different wallets, and, according to analysis, “none of which were smart contracts”. Without access to these accounts, Cryptopia was powerless to stop hackers from draining funds from the exchange.

“What surprises me the most is the negligence in relation to the security of the entire chain of work with the exchange's wallets,” noted Serge Vasylchuk, CEO of CODEX Exchange. “It was possible to prevent a hack for Cryptopia if they would take three must-have measures seriously. First, to ensure maximum isolation from external influences and from accidental internal interference. Second, to backup private keys on a regular basis, on a well-protected physical copy.”

CODEX has been thorough in its security efforts. After deploying a multi-stage security audit to ensure the integrity of its users’ accounts and funds, it received a 10/10 security rating from the Hacken security team, CoinMarketCap's data accountability and transparency partner. Such auditing may be expensive, but it’s necessary for protecting digital assets, something that is critical in crypto markets.

To put it simply, the Cryptopia hack was predicated on lax security standards, and it could have been avoided or greatly diminished if the company embraced industry best practices for guarding user and company accounts.

Mistake #2 – Poor Community Transparency

Of course, technological oversights, while frustrating, are bound to happen from time to time. However, crypto exchanges have full control over their response. They decide their level of transparency and community investment, and their decisions in this regard can have cascading consequences.

Most notably, the company began by issuing a false statement to users. The website was not undergoing “unscheduled maintenance,” a misleading phrase that is becoming code for more problematic events.

While Cryptopia rightly contacted authorities to report criminal activity, the company’s updates were few and far between, leaving their users and the greater internet to speculate about the event and the state of their holdings.

Finally, when the exchange eventually relaunched, it was mostly unusable, appearing in a “read-only” format that prevented users from actually accessing the platform’s functionality.

Communication is always a choice, and exchanges that choose not to fully inform their userbase are doing them and the greater crypto community a disservice. “Of course, after such negligence it is difficult to tell users about the funds lost,” added Vasylchuk, “but the lack of timely communication only worsens the situation when there are people waiting for explanation.”

Conclusion

Crypto exchanges are a crucial part of the digital currency ecosystem. Investors and traders need to be able to trust them and their ability to protect digital assets.

Cryptopia’s liquidation adds it to the list of exchanges that have misbehaved and have been punished for their actions.

Of course, it doesn’t have to be this way. Exchanges can learn from these mistakes. They can prioritize and enforce robust security standards while emphasizing transparency and communication throughout the process.

It’s the only way forward, and it’s one that exchanges need to learn now before they are the next ones making the news.