The interview was conducted by myself and the glorious James D’Angelo from the World Bitcoin Network with Leon Fu behind the camera.
James D’Angelo: Yeah, I mean I’m always excited to hear what’s being done at Coinbase. I’m a big Coinbase fan.
I did a video about glorious Coinbase because certainly in the light of Mt. Gox and all of that it’s just been great to see some rock solid presence in the United States.
But we spoke a little bit earlier about what you’re up to. It sounds like mostly right now you’re concerned about security.
Charlie Lee: Yeah, we’re always concerned about security.
The reason why I joined Coinbase is because I realized Coinbase was doing something very important for Bitcoin and whatever is good for Bitcoin is good for my company.
James D’Angelo: That’s true.
Charlie Lee: Bitcoin is kind of blazing the trail and Litecoin is following behind. I’m working at Coinbase. I’ve been trying to improve the security. The two security issues we have are securing the customers’ funds and securing our own funds.
Securing our own funds, we use cold storage; we use M-of-N keys that are geographically spread out.
So there’s no risk; someone can’t storm our office and steal all the funds because we don’t have all the keys. So, that makes it safe.
James D’Angelo: So that’s basically a multi-signature wallet? Is that the term? Or is M-of-N actually different?
Charlie Lee: Kind of, it’s a little bit different. Let’s say it’s 5 of 10, for example; that means you have 10 people spread all over the world that have keys.
James D’Angelo: Ahh, right, right, Shamir’s secret.
Charlie Lee: Shamir’s secret, that’s right. So they have shares; if 5 of them come together, take their shares and combine them, they can get the private key.
Tai Zen: Is that the reason why I have to wait 4 days before I can get the bitcoins because they have to get the keys?
Charlie Lee: No, that’s not the reason.
Tai Zen: No, I’m asking this from the non-technical perspective.
Charlie Lee: That’s because of the banking issues, also because of risk in fraud.
Coinbase is right between an irreversible currency, bitcoin, and a reversible one, the US dollar. So, if you say you want to buy bitcoins, we’re going to do an ACH debit on your bank account, which takes 3 or 4 days. So before the money gets to us, we can’t give you bitcoins yet.
Tai Zen: Okay, so basically, you’re waiting.
James D’Angelo: It’s the same as if you hand someone a check.
Charlie Lee: Yeah
Tai Zen: In other words funds should clear.
Charlie Lee: Exactly, the good thing about Coinbase is that we’ll give you the price that we agreed on.
Tai Zen: Yeah you locked in the price
Charlie Lee: It’s not when the check clears, it’s when we actually give you the amount of bitcoins we agreed on. Even then, even after we get the money, fraudsters can still reverse it, which sucks.
That’s why we have a lot of cancelled transactions that people are upset about: we algorithmically determine that this user is high risk and we have to cancel the transaction, because even if we get the money it’s possible that you can reverse it after you get the bitcoins.
How Coinbase Deals With High Risk Transactions
Leon Fu: Can you speak about what causes somebody to be high risk?
Because some of my friends, I refer them to Coinbase and they bought some bitcoins and they were flagged as high risk. And then it was reversed and the price went up and then they’re upset.
Charlie Lee: One thing about that is, if the transaction was reversed due to high risk and the price goes up, they’re upset, they complain about it and I’ll read it. But if the reverse happens, which happens half the time, I can attest to you that it happens a lot.
James D’Angelo: That’s actually the problem in the last few months, more than 50% of the time.
Charlie Lee: Oh yeah, when the price goes down, we still cancel the transaction, we don’t care what happens to the price.
Leon Fu: Can you speak to what causes it? Why was my friend flagged as high risk?
Charlie Lee: Because he’s a fraudster, maybe? LOL!
Leon Fu: I don’t think he is. LOL!
Charlie Lee: I can’t tell you too much because whatever I tell you, scammers will…
Leon Fu: Use it, yes.
Tai Zen: We understand.
Charlie Lee: Exactly, so, there are various signals that we use to determine. I mean it’s not 100%, obviously.
Leon Fu: Yeah because I know my friend is not a fraudster, they wouldn’t try.
Charlie Lee: We try to be overly cautious because it hurts our bottom line. We make 1% out of the transaction. So, if there’s more than 1% of bitcoins scammed, then we lose money.
We have to keep fraud rate below 1% so we have to be extra cautious. So, if legitimate users got their transaction cancelled due to high risk, they can contact our Customer Support and try to convince us that they’re not fraudsters.
James D’Angelo: I’ve seen that, I’ve seen that work.
Charlie Lee: Most of the time, if they manage to convince us, we actually push that transaction through at the original price.
Tai Zen: Now, I know that we are in the US so we can get the bitcoins from Coinbase, what about people outside the US, are they able to get in touch with Coinbase and buy bitcoins from you guys also?
Charlie Lee: Right now we only support US banks because we do ACH debits so you need a US bank account. International customers can use our wallet service. They can use Coinbase wallet to pay for merchants.
Tai Zen: But they are not able to purchase bitcoins directly from Coinbase.
Charlie Lee: In order to buy and sell you need a U.S. bank account.
James D’Angelo: If they have an American bank account they can. My friends overseas are buying bitcoins with their American bank accounts. And the ACH, that’s the Federal Reserve branch, right? The actual ACH, the American Clearing House. Strangely, they clear almost all the checks.
Charlie Lee: Yeah that’s right. The Federal Reserve does the ACH clearing.
How To Prevent Common Hacks Against
James D’Angelo: So, legacy banking still remains. And do you guys get nervous if someone has a Coinbase account and, say, they’re going to slap over a thousand bitcoins just using a quick login password? Do you monitor those transactions any more than you would a 1 dollar transaction? I mean an internal Coinbase transaction.
Charlie Lee: What do you mean? Like you send a thousand bitcoins outside of Coinbase?
James D’Angelo: I can login to my Coinbase account with my password on my home computer right? Then I can send an enormous amount of money inside the Coinbase system, instantly. Is that a concern at all?
Charlie Lee: If it’s fraudulent and it’s inside the Coinbase system, there’s something we can do about it. But if it’s fraudulent and it’s sent outside our control, then there’s not much we can do about it.
So we do recommend that users with a high balance make sure they have two-factor, like a phone or Google Authenticator, so that when you log in or when you send bitcoins we ask you for a two-factor authentication code to make sure it’s not the hacker who just stole your password.
This is something we worked on: by default, if you try to send more than 100 dollars a day out of Coinbase, we will ask you for a two-factor token.
James D’Angelo: I like that; it’s made me comfortable all the more.
Tai Zen: Yeah, I like that two factor authentication also. What other security features are you working on to secure even more? Anything else? Or is it under wraps?
Charlie Lee: There are various things we’re working on. Even with two-factor, it’s not immune to hacking. One of the most dangerous hacks right now is phishing attempts.
Hackers send you a scare email saying there is something wrong with your account, you might lose your points, please log in, click on this link. You click on this link and it takes you to Coinbass.com instead of Coinbase.com, and then it looks exactly like Coinbase.
It will ask you for your phone number, name and password and also your two-factor token. So, you type it in thinking that you’re logging in to Coinbase, but in reality you’re not.
James D’Angelo: And they can instantly turn around and resend that two factor token.
Charlie Lee: Exactly, if they’re really good they can easily turn that around and login themselves as you.
Tai Zen: So, what can a user do when they receive an email from Coinbase? How do they know that that’s an authentic email coming from you guys and not from a scammer?
Charlie Lee: Well, the basic security measure is to never click on links in emails. Because you never know where you’re going or what you’re downloading. You can download a virus onto your computer.
So, if you get an email from Coinbase, just go directly to Coinbase.com. Another thing that I’ve recommended for friends to do is to use password tools like LastPass or 1Password or KeePass that let you generate very complicated passwords that are unique to different sites.
Also, some have extensions that will prefill your username and password on the correct sites, and if the URL is wrong, they won’t prefill. That’s a clear indication that you’re on a phishing site.
Because you’re like why is it prefilling?
You’ll never have to copy and paste or type a password into a random website, because they will know that the URL is wrong and they won’t prefill your information.
James D’Angelo: That’s good. I haven’t heard of that.
Tai Zen: I know that with KeePass they recommend that you copy and paste and don’t even type it in. So, you can just mouse over the website name while you have KeePass or the password manager open and you just hit Control C, then Control V.
Charlie Lee: That’s dangerous too because you could paste it into the phishing website.
Tai Zen: Oh you can?
Charlie Lee: Yeah, because you don’t know, right? I use LastPass personally and I think it’s really good. I have two factor on my last password that’s a wrong password.
James D’Angelo: Can you do something like set up LastPass on a computer that’s not online? So, I would say Coinbase.com, put in my password.
Charlie Lee: They do have offline basic password capability.
James D’Angelo: Cause that would add one extra level up because of the keyloggers and all that.
Charlie Lee: In terms of security there are various things we can do with two-factor. Right now two-factor is good but it’s not 100% secure, because we had issues where they managed to steal your username and password from key logging, let’s say.
And then they figure out your cell phone provider, and they call your cell phone provider and say, I want to request a change of number, or to forward all calls to something else and forward all SMS.
James D’Angelo: I’ll forward all calls.
Charlie Lee: Yeah, and they manage to use social engineering to trick the Customer Service Reps and get authenticated.
James D’Angelo: I didn’t think about to forward all calls.
Charlie Lee: Yes, even with two-factor, you can get screwed, because even though you physically have your device, they forwarded all SMS and calls.
James D’Angelo: Right, right, I forgot about that. I haven’t seen that in like 20 years.
Leon Fu: With apps like Google Authenticator, in other words, it’s on an app, is that more secure?
Charlie Lee: Yeah, that’s more secure because it’s through the app. We’re thinking of different ways to make things more secure, where you have to physically have your device, or maybe a hardware token.
So there are various things to make things more secure. It also makes it harder for the user, or more cumbersome.
James D’Angelo: Would you have a relationship with a company like Trezor?
Charlie Lee: Possibly yeah, I’m waiting for them to release their bitcoin hardware wallet.
James D’Angelo: I know, we’re all waiting for that.
Charlie Lee: Yeah, definitely, it’ll be interesting when we can take it from them. My password to my bank account is 6 characters…
James D’Angelo: It looks like a password
Charlie Lee: Yeah, it doesn’t matter, because if you log in to my bank account there’s not much you can do that can’t be reversed. But with bitcoin websites, whoever gets in can steal everything unless you’re really locked down.
James D’Angelo: Yeah, I mean that is the one instance where legacy banking just wins, hands down. Everything else,
Leon Fu: Yeah, it’s insured.
James D’Angelo: I put my money in the bank; I sleep very well at night. Fortunately, I have no other offer big one offers of billion advantages. But that one line of security is going to be the discussion for the next few years.
Charlie Lee: Yeah, like we keep up to 98% of our coins in cold storage.
James D’Angelo: Yeah and you have Andreas come in and pull some files.
Charlie Lee: He moved 10% of our coins.
James D’Angelo: Wow!
Charlie Lee: And we moved it for him. He randomly picked an account that had 10% of our funds.
James D’Angelo: You know when I read about it, it didn’t mention it was 10%. I got the feeling that it was some kind of a small amount.
Tai Zen: Yeah, he said one account, a random account so I didn’t know it was that much.
Charlie Lee: Yeah, that random account had 10% of the funds.
James D’Angelo: It’s awesome, this has been great.
Tai Zen: Yeah, I’m glad that you said it, because now I feel a lot better, you know, after what Andreas Antonopoulos said about doing the security audit for you guys.
James D’Angelo: So they ended up moving almost all of your funds [Tai Zen]. LOL!
Charlie Lee: Almost all. LOL!
Tai Zen: I wish. I wish that was my account. LOL!
James D’Angelo: It was your account they moved; sorry, you only had 10%, I’m up at around 11.5. LOL!
Charlie Lee: So having 97% of bitcoins in cold storage is just great. But one problem is people don’t realize that even though we have all those in cold storage, you still have to secure your own keys, right?
If someone manages to log in as you and has your username, password and your two-factor token, from our point of view he is you, because he has all your credentials, all your information.
So, if he steals all your money, we can’t really reimburse you. If we reimbursed everyone who had this happen to them, we would be bankrupt. Then they feel like they got lied to, because we have so much in cold storage.
James D’Angelo: Right, so there’s a huge incentive for you guys to make this more idiot proof.
Charlie Lee: Yeah, like I said, there are two parts: securing our coins, which we do with the 97% cold storage, and securing the user part, making it really hard for a user to get hacked.
James D’Angelo: Now, if you would just simply insist that everybody use Google Authenticator, are you eliminating a lot of problems or not?
Charlie Lee: Yes, we will be eliminating some of it.
James D’Angelo: I think so too
Charlie Lee: The reason why we’re not doing it is because SMS is so easy for Google. We kind of want to support those people that don’t have smartphones.
Leon Fu: That’s an increasingly smaller number of people.
Charlie Lee: Yeah, it’s increasingly smaller…
James D’Angelo: You’re doing a significant percentage of transactions via SMS? Is there any way to measure it?
Charlie Lee: We have measurements on it.
James D’Angelo: I’m surprised, I’m really surprised.
Charlie Lee: No, I’m talking about people who want to log in with two-factor on a dumb phone.
James D’Angelo: I’m surprised.
Charlie Lee: There are still a lot of people who don’t have smartphones.
Tai Zen: Well, any final thoughts James?
James D’Angelo: No, thank you for putting us together. I mean this has been great.
Tai Zen: Because they are about to start and I know the background noise…
James D’Angelo: And it’s great to meet the mystery man (Leon Fu) behind the camera who’s hiding right now.
Leon Fu: Hi, it’s me
Tai Zen: So, thanks guys for joining us on this video presentation and thanks Charlie Lee for taking the time out here to help clarify these security issues and help us secure our wallets. So, any last words?
James D’Angelo: No
Tai Zen: To your audience?
Leon Fu: Cool
Click the link below to watch part 3 (and last part) of our conversation with Charlie as he talks about how Coinbase removes the volatility for businesses who like to accept Bitcoin.
You can support and donate to our efforts on our donations page.
Be sure to also donate Bitcoins and support the work of James D’Angelo and the World Bitcoin Network at his BTC address: 1javsf8GNsudLaDue3dXkKzjtGM8NagQe