New Security Recommendations by Coinbase Raise Concerns
In a new and rather surprising piece of news, Coinbase has released a blog post advising its customers to back up their private keys to their personal cloud services.
The worry over the years is that users may lose their own personal passcodes, so it is argued that they are better off backing them up to a place where they can’t be “misplaced”, like the cloud. Google Drive or iCloud both offer encrypted options that can only be unlocked with the user’s password. This is being advised as an alternative to traditional mobile/desktop wallets or hardware wallets, which are considered to be much more secure.
What’s Wrong with This?
The private keys that are generated and stored on a user’s mobile device are the only way to access funds, and that single point of failure is a security issue in itself. However, there are several reasons why this is an alarming position for leadership to take.
Right away, many users jumped in to point out that cloud hacks occur all the time, and that this would effectively create a honeypot for thieves to target. Jesse Powell, the CEO of the trading exchange Kraken, pointed out:
I am not a fan of training users on bad security. Cloud storage, while convenient, is constantly compromised, especially with all the SIM porting. 99% chance the people who would unwittingly use this do not have passwords strong enough to withstand professional cracking.
The next point of criticism is that this is the least decentralized recommendation one can make. It is one thing that Coinbase is a centralized exchange, but now they are calling on their users to store key material on yet another centralized platform? Google’s and Apple’s data management leaves much to be desired, and, as pointed out above, the chance that they get hacked is only growing. Moving your private keys onto the cloud rather than retaining custody of the keys yourself is the least decentralized thing a user can do.
One final implication I’d like to analyze is the liability that comes with this recommendation. Oftentimes, wealth advisors make bad recommendations that cost them their careers. If the most trusted company in the crypto space makes this poor recommendation and funds are stolen, will users hold it liable for the loss? It seems like a short-sighted recommendation when the security of Google or Apple accounts is so questionable.
Coinbase’s Strategic Significance
In a way, this can be viewed as targeting a certain niche of customers who don’t have, or don’t want, the technical know-how to safely store their private keys on their own. Just as a large subset of crypto enthusiasts might only want to buy Bitcoin through a pension fund or ETF, some may be willing to compromise on security in order to gain ease of use. Only the most hardcore “idealists” will go through the trouble of properly storing their private keys themselves.
These recommendations come shortly after the news that QuadrigaCX lost upwards of $145 million due to poor private key management, so this is definitely a hot issue. But that doesn’t mean security should be compromised along the way. Managing your own private keys may be the safest way to do things, in which case Coinbase is definitely not making the best recommendation here.
The worry of users losing their device or misplacing their private keys is a very real one, and a better solution may be for Coinbase to use its own methods and technology to back up private keys. Forcing unsophisticated users to take security measures into their own hands will likely lead to a compromise of that data. However, by providing a more secure option managed by Coinbase, at least users won’t be as vulnerable to their own poor choices with passwords and other data security measures.