Coinbase Thinks It’s a Good Idea to Backup Private Keys to the Cloud

On Tuesday (February 12th), cryptocurrency exchange Coinbase said that the Coinbase Wallet app for iOS and Android had been updated so that users can now back up an encrypted copy of their private keys to the cloud (iCloud for iOS users, Google Drive for Android users).

Exactly one week after launching Bitcoin (BTC) support on Coinbase Wallet (formerly known as "Toshi"), Coinbase announced on Twitter that it was "introducing cloud backup for your private keys on Coinbase Wallet".

According to the blog post by Coinbase Wallet Product Lead Siddharth Coelho-Prabhu, this new feature "provides a safeguard for users, helping them avoid losing their funds if they lose their device or misplace their private keys."

Coinbase's reasoning is that while it is great that Coinbase Wallet lets users experience "the full power of an open financial system" (i.e. "storing their own funds and accessing them anywhere in the world"), this power comes with "great responsibility." The private keys, which are "generated and stored on your mobile device", are "the only way to access your funds on the blockchain", and owners of non-custodial wallets such as Coinbase Wallet "sometimes lose their devices or fail to backup their 12 word recovery phrase in a safe place," thereby "losing their funds forever." Coinbase therefore concludes that a cloud backup of the private keys would benefit its users, and it now provides a feature that enables just that.

The new opt-in cloud backup feature provides "the ability to store an encrypted copy of your recovery phrase on your personal cloud account." (Note that what is backed up is the 12-word recovery phrase from which the wallet's keys are derived, not the individual keys themselves.) You will, of course, need to choose a strong password and a way to remember it, but if "you lose your device or get signed out of the app," you will be able to "easily regain access to your funds with the combination of your personal cloud account (iCloud or Google Drive) and your password."

Coinbase wants you to know that this backup is "encrypted with AES-256-GCM encryption and accessible only by the Coinbase Wallet mobile app." Bear in mind that the cipher adds nothing if the password is weak: the encrypted file sits in a cloud account, so anyone who gets into that account can guess passwords against the file offline, with no rate limiting, which is why the 2FA advice further down matters. And if you lose the password for this backup, neither Coinbase support nor your cloud provider can help you, since neither holds a copy of the password:

"Coinbase will not have access to your password or funds at any time, preserving your privacy and control. Your cloud backup provider will also not have access to your funds, as only you know the password that decrypts your encrypted recovery phrase."

Although this feature currently only "supports iCloud on iOS devices and Google Drive on Android devices," Coinbase plans "to add support for other cloud services in the future."

Coinbase also wants to remind users that this feature is completely optional and must be explicitly activated. It also recommends that users "backup their passphrase manually" even after activating cloud backup, and "activate Two-Factor Authentication on your personal Google or iCloud accounts to make those accounts harder for attackers to compromise."

Amongst experienced long-time crypto investors, especially those who strongly believe in its ideas of decentralization and self-sovereignty, the reactions on Twitter were largely negative.


Coinbase Says Recent Zero-Day Attack Targeted Staff, Not Investors

Neil Dennis

Coinbase sought to reassure investors on Thursday over concerns that customer accounts may have been targeted in an attack that exploited a recent Firefox zero-day.

The San Francisco-based cryptocurrency exchange said that the attack, discovered on Monday, had targeted Coinbase employees and that the exchange and its customers' accounts were untouched.

Software Vulnerabilities

A zero-day is a vulnerability that is unknown to the software's vendor, or known but not yet patched, at the time attackers begin exploiting it; the "zero" refers to the number of days the vendor has had to prepare a fix. That window can last days, weeks or longer, and for as long as it stays open anyone who has found the bug can exploit it for mischief or profit against users who have no patch to apply.

Coinbase's security team, led by Philip Martin, discovered the zero-day vulnerability in Mozilla's Firefox browser while investigating the attack and reported it immediately to Mozilla, which then issued a patch to fix the flaw.

However, the vulnerability itself may have been known for weeks: Google engineer Samuel Gross, who helped develop the patch, said on Twitter that he had reported the bug to Mozilla in mid-April.

Coinbase Security on the Alert

While it remains unclear how soon attackers noticed the vulnerability and how widely the bug was exploited, Coinbase detected the attack on its staff before the attackers could move deeper into the back-end network, from where they could have stolen funds from the exchange.

Philip Martin explained on Twitter that the security team "walked back" the entire attack and reported the zero-day to Mozilla. He added that the team was working with other organizations to "continue burning down attacker infrastructure and digging into the attacker involved".

He continued: "We’ve seen no evidence of exploitation targeting customers. We were not the only crypto org targeted in this campaign. We are working to notify other orgs we believe were also targeted."

Martin concluded: "If you believe you have been impacted by this attack or you have more intel to share and want to collaborate with us on a response, please reach out to [email protected]"

Growing Problem

Zero-day attacks are on the increase. In the Ponemon Institute's 2018 State of Endpoint Security Risk report, respondents said that 37% of the cyber attacks launched against their companies were zero-day attacks, a 48% increase over the figure reported for 2017.

Meanwhile, 63% of the survey's respondents said that the frequency of zero-day attacks had increased over the previous 12 months.