James: I’m always excited to hear what’s being done at Coinbase. I’m a big Coinbase fan; I did a video about glorious Coinbase because, in the light of Mt. Gox, it’s just been great to see some sort of rock-solid presence in the United States. We spoke a little bit earlier about what you’re up to, and it sounds like right now you’re mostly concerned about security.
Charlie: We’re always concerned about security. The reason I joined Coinbase is that I realized Coinbase was doing something very important for Bitcoin, and whatever is good for Bitcoin is good for Litecoin. Bitcoin is kind of blazing the trail and Litecoin is following behind, so I’m working at Coinbase and I’ve been trying to improve security. The two security issues we have are securing the customers’ funds and securing our own funds. To secure our own funds we use cold storage; it’s geographically spread out so there’s no risk. It’s not like someone can storm our office and steal all the funds, because we don’t have all the keys; that makes us safe.
James: So that’s basically a multi-signature wallet, what would be the term?
Charlie: Let’s say it’s five of ten, for example. That means you have 10 people spread over the world that have keys; it’s like Shamir’s secret sharing. They have shares, so if five of them come together and take their shares and combine them, they can get a private account.
Tai: Is that the reason why I have to wait four days before I can get the Bitcoins, from a non-technical perspective?
Charlie: Because of the banking issues, and also because of risk and fraud. Coinbase is right between an irreversible currency, Bitcoin, and a reversible one, which is the US dollar. So if you say you want to buy Bitcoins, we’re going to do an ACH debit on your bank account, and that takes like three or four days, right? So before the money gets to us we can’t give you Bitcoins.
James: Same as if you hand someone a check.
Charlie: But then the good thing about Coinbase is that we will give you the price that we agreed on when you walk right in, not when the check clears; when the money arrives we give you the amount of Bitcoin we agreed on. Even after we get the money, fraudsters can still reverse it, which sucks. That’s why we have a lot of cancelled transactions that people are upset about: because we determined that this user is high risk, we have to cancel the transaction, because even if we get the money it’s possible that you can reverse it after you get the Bitcoin.
Leon: Can you speak about what causes somebody to be high risk? Some of my friends, I referred them to Coinbase, and they got there, they bought some Bitcoins, and they were flagged as high risk and then it was reversed, and the price went up, and then they were upset and complained about it on Reddit.
Charlie: But if the reverse happens, which is 50% of the time, and I can attest to that, they won’t be complaining. Even when the price comes down we still cancel the transaction; we don’t care.
Leon: Can you speak to why my friend was flagged high risk?
Charlie: He’s a fraudster? I can’t tell you too much, because whatever I tell you the scammer can use; there are various signals that we use to determine it. It’s not one hundred per cent, obviously.
Leon: Because I know my friend is not a fraudster.
Charlie: We try to be overly cautious because it hurts us. We make 1% off transactions, so if more than 1% of Bitcoins are scammed, we lose money, so we have to keep the fraud rate below 1% and we have to be extra cautious. If a legitimate user got their transaction cancelled due to high risk, they can contact our customer support and try to convince us that they’re not a fraudster. Most of the time, if they manage to convince us, we actually push that transaction through at the original price.
Tai: We are in the US, so we can get Bitcoins from Coinbase, but what about people outside the US? Are they able to get in touch with Coinbase and buy Bitcoins from you guys also?
Charlie: Right now we only support US banks, because we’re doing ACH debits, so you need a US bank account. International customers can use our wallet service; they can use the Coinbase wallet to pay merchants.
Tai: But they’re not able to purchase Bitcoins directly from Coinbase?
James: If they have an American bank account, they can. I have friends overseas buying Bitcoins with their American bank account and the ACH. Isn’t that a Federal Reserve branch, right? The actual ACH, American Clearinghouse; strangely, they clear almost all the checks.
Charlie: That’s right, the Federal Reserve does do all the clearing.
James: Do you get nervous if someone, say, has a Coinbase account and they’re going to slap over 1000 Bitcoins just using a quick login password? Do you monitor those transactions any more than you would one-dollar transactions? I can log in to my Coinbase account with my password on my computer, and then I can send an enormous amount of money inside the Coinbase system instantly. Is that a concern at all?
Charlie: If it’s fraudulent and it’s inside the Coinbase system, we can do something about it, but if it’s fraudulent and it’s sent outside our control, then there’s not much we can do about it. We recommend users with a high balance to make sure they have two-factor, like a phone or Google Authenticator. When you log in or when we send Bitcoins we would ask you for a two-factor code to make sure the hacker doesn’t have your password. By default, if you try to send more than 100 dollars a day on Coinbase, we’ll ask you for two-factor.
James: I love that; it’s made me more comfortable.
Tai: I like that two-factor authentication. What other security features are you working on to secure things even more? Anything else, or is it under wraps?
Charlie: There are various things we’re working on. Even with two-factor, it’s not immune to hacking, so one of the most dangerous hacks right now is phishing attempts, where someone can send you an email with a link, like a scary email saying there’s something wrong with your account, you might lose your coins, please log in, click on this link. You go to this link and it takes you to Coinbass.com instead of Coinbase.com, and it looks exactly like Coinbase; then they ask for your phone number, name, password and two-factor token, so you type it in thinking that you’re logging into Coinbase, but in reality you’re not.
Tai: They can instantly turn around and resend that two-factor token.
Charlie: Exactly, if they’re really good, and they can just log in themselves as you.
Tai: So what can a user do if they receive an email from Coinbase? How do they know that’s an authentic email coming from you guys?
Charlie: The basic security measure is to never click on links from emails, because you never know what you’re downloading. If you get an email from Coinbase, just go directly to the homepage. Another thing that I’ve recommended friends to do is to use password tools like LastPass, 1Password or KeePass that let you generate very complicated and unique passwords for different sites. They also have extensions that will pre-fill your username and password on sites, and if the URL is wrong, they won’t pre-fill. So that’s a clear indication that you’re on a vicious site, and you will never have to copy and paste or type in the passwords.
Tai: I know that with KeePass, they recommend that you copy and paste and don’t even type, so you can just mouse over the website name that you have in KeePass or the key of the password manager and you just ctrl-c, ctrl-v.
Charlie: That’s dangerous too, because you could paste into a vicious website. Personally I use LastPass and I think it’s really good; I have two-factor on all my passwords.
James: Can you set up LastPass on a computer?
Charlie: They do have offline ways you can get to your passwords. In terms of security, there are various things we can do with two-factor. Right now two-factor is good, but it’s not 100%, because we have issues where they managed to steal your password with a keylogger, let’s say, and then they figure out your cell phone provider. They call your cell phone provider and say I want to request a change, forward all calls and SMS, and they use social engineering to trick the customer service reps. Then even with two-factor you can get screwed, because even though you have your physical device, they forward all your calls.
Leon: Would apps like Google Authenticator be more secure?
Charlie: Yeah, that’s more secure because it’s an app. We’re thinking of different ways to make things more secure where you physically have the device, or maybe a hardware token, so there are various things. It also makes it harder for the user and more cumbersome.
James: Would you have a relationship with a company like Trezor?
Charlie: Possibly; we’re waiting for them to release their device.
James: We’re all waiting for that.
Charlie: It’ll be interesting where we can take it from here, because the password on my bank account is six, and it doesn’t matter, because if you log into my bank account there’s not much you can do that I can’t reverse. But with Bitcoin websites, whoever gets in can steal everything.
James: That is the one instance where legacy banking just wins hands down. I put my money in the bank and I sleep very well at night. Bitcoin offers a billion advantages, but that one line of security is going to be the discussion for the next few years.
Charlie: We tell people that we keep up to 97-98% of our coins in cold storage.
James: And Andreas came in to pull some files.
Charlie: He moved ten per cent of the coins, and we moved it for him.
James: When I read about it, it didn’t mention it was 10%.
Charlie: Well, that random account has 10% of our funds.
Tai: I’m glad that you said that, because now I feel a lot better after what Andreas Antonopoulos said about doing the security audit for you guys.
James: So they ended up moving almost all of your funds?
Tai: I wish that was my account they randomly moved.
Charlie: So having like 97% in cold storage is great, but one problem is people don’t realize that even though we have all this in cold storage, you still have to secure your own keys. If someone manages to log in as you and has your username, password and your two-factor token, from our point of view he is you, because he has all your credential information.
So if he steals all your money, we can’t really reimburse you. If we reimbursed everyone, we’d be bankrupt, and then they’d feel like they got lied to. So like I said there are two parts: securing our coins, which we do with 97% in cold storage, and securing the user part, where we make it really hard for people to get access to the users’ accounts.
James: If you just simply insisted that everybody uses Google Authenticator, would you eliminate a lot of problems or not?
Charlie: Yes, because SMS is so easy, and we kind of want to support people that don’t have smartphones.
Leon: Yeah, that’s an increasingly smaller number of people.
James: Are you doing a significant percentage of transactions via SMS? Is there a way to measure it?
Charlie: I’m talking about people who want to log in with two-factor; there are just a lot of people who don’t have a smartphone.
Tai: Any final thoughts James?
James: No, thank you for putting this together; this is great.
Tai: Because they’re about to start.
James: Let’s meet the mystery man behind the camera.
Tai: Thanks, guys, for joining us on this video presentation, and thanks to Charlie for taking the time out here to help clarify these security issues and help us secure our wallets. Okay, so any last words to your audience? Alright.