Note: Recent news reminds us that attackers continue to be active in the digital currency space, targeting not just companies but individual users. The attackers seem to be basing their targeting on information gathered from places like public digital currency chat rooms and email lists. They then likely combine that information with credential dumps from other services to find re-used passwords and additional personal information. The attackers leverage this data to access email and telephone accounts through a combination of password reuse and social engineering. Please review the below suggestions to ensure that you are well protected.

The digital currency version of this would be about hacking exchanges vs users. Comic courtesy XKCD

Security is the foundation of all we do at Coinbase.

One of the true pleasures of working in security at Coinbase is that I don’t have to convince anyone that security is an existential risk to the business and a core responsibility of ours to our users. That said, we can’t protect our users from everything. There is a useful concept when we talk about the security of complex systems: a shared security model. In this concept, the overall security of the system depends on multiple parties working together. For most users, this makes sense. The long-term secure storage and use of digital currency keys is hard, detailed and unforgiving work. Choosing to share that burden with someone you trust can be a rational way forward.

With this blog post, I’d like to give you an overview of some things you should do to ensure we work together to protect your digital assets.

Fundamentally, we just ask our users to do two things: Protect your access credentials and protect the devices you use to access Coinbase. This may sound easy, but it is not. Attackers continue to target end-users directly and successfully because it allows them to exploit an asymmetry of expertise. Attackers can get very good at credential phishing, or mobile phone compromises or whatever else, and use that expertise to prey on individuals who don’t have the same expertise and haven’t taken measures to protect themselves.

Below are some suggestions that aim to make you a harder target, and some suggestions around leveraging specific Coinbase security features.

First let me be clear: I’m not saying anything groundbreaking here. These are all well known concepts. If you are already paying attention to your personal security, you may be doing everything here. My hope is that some folks who may not be doing everything possible are able to take a pointer or two away from this advice. Additionally, I’m focusing on storing digital currency safely with Coinbase. There are all sorts of other ways to store digital currency, including other services, hardware wallets, applications for various platforms and good old paper wallets. Each method has strengths and weaknesses, and I’m not attempting to cover all of them here. Lastly, if you are storing significant value on Coinbase, you may want to take additional security measures such as using dedicated devices (computers, phones and phone numbers) to access Coinbase.

Security starts with you, so be skeptical.

Phishing is probably the most common way users are compromised. The most common phishing medium is email, but there are also examples of phishing via search engine results poisoning, AdWords and good old- fashioned social engineering. Some of the suggestions below will help to reduce the impact of a successful phish (the password manager suggestion in particular!), but your first line of defense is to always be skeptical. Concrete recommendations include:

Bookmark important websites (Coinbase, email, banks, etc) and only visit those sites from those bookmarks.

Whenever possible, do not click links in emails from important websites, instead use your bookmarks. If you must click a link, make sure you verify the authenticity of the email in question.

If contacted by phone, always seek confirmation of legitimacy before you expose personal information.

Your email address is the center of your security world.

These days, access to an email address is frequently tantamount to access directly to many of your other accounts. Attackers can use password reset functions, they can contact support teams and impersonate users and they can sometimes discover caches of passwords sitting around in your mailbox. You should protect your email addresses to the same level as the most valuable account that uses that email address. This means take all the advice I give in this blog post and do the same things for your email account. If your email provider does not offer security features like MFA, good anti-spam filtering or user-visible audit logs please consider moving to one that does.

Your mobile phone and your phone number are increasingly under attack.

Examples abound of attackers using leaked personal information to socially engineer mobile phone companies into granting access to your mobile account. Attackers then have a number of malicious options around 2fa code interception, account reset, or social engineering your friends. Call your mobile provider and request a PIN or password on your account, ask for a port freeze (so attackers can’t move your phone number to a new carrier) and a SIM lock (so attackers can’t make the phone company take your phone off your account and add theirs). If your mobile provider does not do those things, consider moving to one that does. Google Fi is a great choice here if your phone supports it.

There are a number of guides to securing your mobile device, but there are two basic things you can do to avoid the vast majority of mobile device hacking: buy a phone that will receive timely updates and only download apps from the Google Play store or the Apple App Store. These two basic steps will avoid the vast majority of malicious applications and ensure that you continue to run on the most update to date OS available. If you would like to go the extra mile, there are many more detailed guides on mobile device security (examples for android and ios) that you should also seek out and follow.

Protect the computers that you use to access Coinbase.

Comic courtesy XKCD

Malware here can be the end of the line for your account security. Modern banking malware includes keylogging features, browser integration to facilitate session cookie theft and the ability for the attackers to proxy connections through your computer. We’re also starting to see indications that traditional banking malware is beginning to target cryptocurrency users. There are a few things you can do to lower your chances of being a victim:

Make sure your operating system and applications are up to date. Your operating system can update itself (guide for windows and osx). Your applications are more difficult to handle, but the best option I’ve found for individuals is PSI from Flexera.

Avoid installing software from unknown or shady sources. This includes “free” or cracked versions of commercial software. Free cheese generally comes with an attached mousetrap. Pay attention to warnings from your operating system or anti-virus! Browser plugins are also a risky install, make sure you always install browser plugins from the official browser plugin repo for your browser.

Install reliable Anti-virus software. This may be a controversial recommendation, but credible anti-virus software can help save you if all else fails. There are a number of options on the market. I personally like MalwareBytes, but there are plenty of anti-virus bake-offs to review.

Find and follow a reasonable hardening guide for your operating system (examples: windows, osx)

Manage your access credentials effectively.

Your passwords are your first line of defense against attackers.

Your passwords should be long, random and unique. I strongly recommend that you use a password manager like Lastpass or 1Password to help you achieve those goals. There may be some passwords you don’t want to put in a password manager (for example, the master password for your password manager), for those, I recommend you adopt an XKCD-style password. As a bonus, if you use a password manager you are much less like to fall victim to credential phishing. Password managers generally look at the URL of the page you are visiting to decide what credential to use. A phishing site is not going to have the same URL as the actual site in question, so your password manager won’t populate your password into the login form. On Coinbase, we provide a password strength meter that is backed by a password evaluation service. Our password meter should give you a reasonably accurate idea of the strength of your password based on an online-style attacker, that is someone who is guessing passwords against coinbase.com.

Use multi-factor authentication (MFA). On Coinbase you have a few choices for MFA: you can get an SMS message, you can setup a TOTP application (like Google Authenticator) or you can use the Authy app. Unlike most sites, we take an opt-out approach to MFA. Once you verify your phone number with us as part of our initial on-boarding, we automatically enroll you in SMS-based MFA. SMS-based MFA isn’t great for a number of reasons and we’re actively moving away from it, but it is the only MFA some people can use. If you are able, you should upgrade your MFA to TOTP.

Pick the right Coinbase storage product for your security needs.

Your Wallet is quick and easy. For many users, it’s the only storage product they ever use. You should keep funds in your wallet to which you need immediate access. Funds over that immediate access threshold should be shifted to one of the Coinbase vault products.

A Group Vault requires 2-of-3 or 3-of-5 co-signers to approve a withdrawal. You can either have Coinbase manage the keys, or each signer can manage their own. If you have Coinbase manage the keys, we will require each signer to click a link to approve a withdrawal and we will impose a 48-hour waiting period, where we broadcast communications to all signers every 24 hours. If signers manage their own keys, we will generate a multisig address and one key per signer. We will give the signer a copy of the key and we will ask the signer for a password with which we will encrypt and keep a copy of the key. To approve withdrawals, signers can supply their password on coinbase.com or generate the transaction themselves.

An Individual Vault is a vault only you control. As before, either Coinbase can manage the keys or you can. If Coinbase manages the keys, you need to add an alternate email address you control as a second approver. For maximum security, the two email address need to be entirely separate. They should not be recovery emails for each other, they should not have the same password and they should not share a recovery phone number. In a perfect world, the second email address is only used for approving coinbase vault operations. When you initiate a withdrawal, there is a 48 hour delay and we broadcast notifications to all known methods of communication we have with you. If you manage the keys, Coinbase generates a 2-of-3 multisig address, we keep one key, we encrypt another key with a password we request from you and we both get the encrypted blob, and we give you the 3rd key. To approve transactions, you can visit Coinbase and supply your vault password, or you can use our open source tool to create transactions yourself.

Security, true security, is very hard.

It is rooted in a mindset and set of day-to-day practices that are difficult to maintain. Technology and attacker tactics are evolving so we must always continue to evolve our concepts around what it means to be secure. To survive, you must adapt a layered approach to security: be secure in your mindset, secure in your devices and secure in your authentication tokens.