Coinbase Wallet Users Can Now Back Up Their Private Keys on Google Drive and iCloud. How Safe Is It?

Published at: Feb. 17, 2019

On Feb. 12, San Francisco-based cryptocurrency exchange Coinbase announced that users of its Coinbase Wallet can now back up their private keys on cloud storage, namely on Google Drive and iCloud.

The move has received mixed reaction from crypto community and cybersecurity experts, some of whom seem skeptical about the idea of storing private keys on centralized servers. Others are confident about the new feature, stressing that it entails encryption.

A brief introduction to Coinbase Wallet, formerly known as Toshi

Coinbase Wallet differs from the main app, Coinbase (or Coinbase.com). With the latter, the cryptocurrencies purchased by customer and their private keys are stored by Coinbase. With Coinbase Wallet, in turn, users store their own crypto protected by their unique private keys. Those keys are purportedly secured with Secure Enclave and biometric authentication technology.

Initially, Coinbase developed Toshi, an open-source, mobile-focused decentralized application (DApp) browser and Ethereum (ETH) wallet that launched in April 2017. The project was inspired by Chinese mobile payments app WeChat and had a built-in messaging support and reputation system, enabling users to rate other users and apps within the platform. According to its developers, Toshi aimed to provide financial services to people in developing countries, especially to the unbanked population. It was also allegedly the first wallet to launch crypto collectibles.

A year later, in April 2018, Coinbase merged Toshi with its recently acquired Cipher Browser, a similar decentralized app browser and wallet for the ETH blockchain. Cipher’s creator and only developer, Pete Kim, became the head of engineering at Toshi, joining Sid Coelho-Prabhu, Coinbase’s product lead for the DApp project.

In August 2018, Toshi was rebranded to become Coinbase Wallet. The official announcement read:

“This is not just a new name, but part of a larger effort to invest in products that will define the future of the decentralized web and make that future accessible to anyone. [...] With Coinbase Wallet, your private keys are secured using your device’s Secure Enclave and biometric authentication technology.”

Thus, at the time, Coinbase Wallet supported ETH and ERC-20 tokens management, airdrops, crypto collectibles trading and storage, as well as access to DApps and decentralized exchanges, among others things. According to the firm's Medium entry published at the time, Coinbase Wallet would start supporting Bitcoin (BTC), Bitcoin Cash (BCH) and Litecoin (LTC) “very soon.”

In November 2018, Coinbase Wallet added support for Ethereum Classic (ETC). In February 2019, the exchange’s wallet began hosting BTC. The firm repeated that it is considering adding BCH, LTC as well as other major cryptocurrencies.

More about the new feature: support for Google Drive and iCloud, more cloud storage providers in the feature

Thus, on Feb. 12, Coinbase Wallet declared that its users can now back up their private keys on Google Drive and iCloud.

In the accompanying statement, Coinbase explained that allowing users to upload their keys to a cloud provides a safeguard against lost keys and will help them avoid losing funds should the keys be misplaced:

“The private keys generated and stored on your mobile device are the only way to access your funds on the blockchain. Owners of ‘user-controlled wallets’ like Coinbase Wallet sometimes lose their devices or fail to backup their 12 word recovery phrase in a safe place, thus losing their funds forever.”

Now, users of Coinbase Wallet can store an encrypted copy of the recovery phrase on their cloud accounts. Coinbase notes that neither they nor the cloud services will have access to user funds, as the recovery phrase key is unlocked by a password known only to the user. The backup is reportedly encrypted with AES-256-GCM encryption, which is only accessible through the Wallet mobile app.

Coinbase notes that, in addition to Google Drive and iCloud, they will expand support to other clouds in the future. The feature is an opt-in service that does not replace or supersede the original recovery option.

Interestingly, the feature was rolled out against the backdrop of the QuadrigaCX case. Earlier this month, the Canadian cryptocurrency exchange filed for creditor protection after the sudden death of its founder, who was reportedly the sole executive responsible for the exchange’s keys and cold wallets. Following his death, the exchange has been unable to access $145 million in digital assets it allegedly needs to remain payable.

Community reaction

The new feature received mixed reaction among the crypto community, as some criticized the idea of storing private keys on centralized servers. “You might want to rethink this,” one of the most popular replies to Coinbase’s announcement on Twitter reads. “I don't understand, how do you misunderstand your target audience so bad?” the other one says.

The reaction among Reddit users seems more collected, as many users stressed that the new feature entails encryption. For example, u/CryptoNoob-17 wrote:

“At least it's not unencrypted private keys like what blockchain.info did some time ago by sending private keys as plain text over http. If this keeps some noobs from losing their coins and telling all their friends how stupid cryptocurrency is because they lost it all, I don't see a problem.”

So, is the new feature safe enough? Experts weigh in

Cybersecurity specialists also seem on the fence about the new feature. Taylor Monahan, the founder and CEO of MyCrypto, a noncustodial wallet, told Cointelegraph that trusting users to come up with complicated enough passwords is not a good idea:

“Regardless of the strength of the encryption, the weak link will always be the user selected password (on both their wallet AND their cloud storage account). People simply aren't capable of generating a password with enough entropy, nor do they always use unique passwords for every service.”

Monahan adds that, if hackers realize that an influx of people start using cloud servers to store their cryptocurrency, “we will undoubtedly see an increase in attacks against these cloud storage providers.” She added:

“Players like Coinbase should not be encouraging this type of unsafe behavior. I understand the desire for a better user experience, but the worst user experience is one where people lose all their crypto assets due to theft.”

Hartej Sawhney, co-founder and president at Hosho, a startup protecting investments and providing multiple smart contract services including audit, does not agree that individual users will be targeted by hackers as a result of the new upgrade.

“Hackers tend to want maximum information for minimum effort. This means they will likely attack the heart of a cloud storage service rather than its individual users. Google Drive and iCloud have historically been secure,” he told Cointelegraph, adding that, to him, Coinbase still seems much safer compared to other platforms:

“If anything, cryptocurrency exchanges should take some notes from Coinbase on how to bolster security. Additionally, Coinbase follows robust security features such as multi factor authentication, email confirmation, and an active bug bounty program, making it far more robust than any other crypto exchange.”

Josh Datko and Thomas Roth, members of a team of security researchers who study hardware and software vulnerabilities under the title “Wallet.fail,” also told Cointelegraph that the new feature is safe enough, given that certain precautions are made:

“In our opinion, an user encrypted cloud backup does not significantly increase the risk of compromised given that the password is complex enough, the key derivation from the password to the AES-256-GCM key is sufficient, and there are no implementation mistakes.”

Additionally, Datko and Roth warned that the implementation also matters:

“Unfortunately, while this sounds like a straightforward feature, many organisations have made mistakes here. To the best of our knowledge, we are not aware if this new feature is open source or if Coinbase had this independently reviewed.”

Cointelegraph has also reached out to Coinbase for further comment, but the company has not replied as of press time.

Tags
Related Posts
Bitcoin Cash Faces ‘Slow Death’ After Alleged $30M Hack — Commentator
Altcoin Bitcoin Cash (BCH) has become the subject of intense speculation after a major investor claimed he lost $30 million in a wallet hack. In a now-deleted Reddit post from Feb. 22, the investor, who appears to be Dreamhost founder Josh Jones, said the attacker also stole 1,500 Bitcoin (BTC) worth $14.4 million. Hacker steals reported $45M The hack came in the form of Jones’ SIM card being compromised. So far, he has not confirmed whether this was a so-called “SIM swap,” or whether the funds were commandeered by other means. In the deleted post, Jones appealed to BCH miners …
Bitcoin / Feb. 22, 2020
Fake Tor Browser Steals Bitcoin From Darknet Users, Warns ESET
Major antivirus software supplier ESET has discovered a trojanized Tor Browser designed to steal Bitcoin (BTC) from buyers in the darknet. Fake browser distributed via 2 websites Targeting users in Russia, the fake Tor Browser was distributed via two websites and has been stealing crypto from darknet shoppers by swapping the original crypto addresses since 2017, ESET’s editorial division WeLiveSecurity reported Oct. 18. Created back in 2014, the two fake Tor Browser websites — tor-browser[.]org and torproect[.]org — are mimicking the real website of the anonymous browser, torproject.org. According to the Slovakian software security firm, these websites display a message …
Bitcoin / Oct. 18, 2019
Coinbase Gives Out $30,000 Reward for Detecting Critical Bug
Major United States crypto exchange and wallet service Coinbase has given a $30,000 reward for reporting a critical bug on its system, according to data from Coinbase’s vulnerability disclosure program on HackerOne. The bug, which was reported on Feb. 11, earned the largest reward ever given out by Coinbase on HackerOne. The vulnerability report is not publicly available on HackerOne. While Coinbase has reportedly confirmed that the vulnerability has since been fixed, a spokesperson declined to specify any additional details on the issue, as reported by tech news website The Next Web on Feb. 13. Coinbase’s four-grade reward system implies …
Altcoin / Feb. 13, 2019
Turkish Police Arrest 11 Suspects in Alleged Hack of Cryptocurrency Wallet Accounts
The Cybercrime Department of the Turkish National Police has arrested 11 suspects in an alleged hack of crypto accounts, with victims reporting more than $80,000 in losses, major Turkish newspaper Hürriyet reported Friday, Nov. 2. According to the article, 14 individuals have reported to local prosecution authorities that their crypto wallets were hacked with their Bitcoin (BTC) transferred to other wallets. Following the complaints, the Istanbul police launched an investigation against a group of hackers that had allegedly compromised users’ emails, crypto wallets’ accounts data, and passwords. On Oct. 26, cybercrime unit agents detained 11 people in multiple locations in …
Bitcoin / Nov. 4, 2018
Bounty Hunt Gone Wrong: ‘Unhackable’ Wallet Bitfi Denies It Has Been Hacked
In July, cryptocurrency hardware wallet manufacturer Bitfi’s executive chairman, John McAfee, claimed that Bitfi was “the world’s first unhackable device,” urging security experts to breach its security for a $100,000 bounty. Since then, a number of reports emerged that suggested Bitfi is not, in fact, “unhackable,” only to be dismissed by the wallet service as well as McAfee himself, steadily making the bounty hunt seem like a tasteless PR stunt. What is Bitfi? Essentially, Bitfi is a physical device — or a ‘hardware’ wallet — supporting “an unlimited amount of cryptocurrencies” that costs $120, as per its website. Although no …
Bitcoin / Aug. 7, 2018