Coinbase: Is It Safe?

Coinbase is the most popular cryptocurrency exchange in North America, handling over $1.6 billion worth of trades every day. It’s well known as a beginner-friendly exchange that makes it easy to buy and sell crypto.

Easy is great. But digital security and privacy are always our top concerns. With so many grifters stalking the web these days, you can’t really blame us. Simply put, no one wants to put their money in an exchange that’s a soft target for fraudsters. So where does Coinbase fall on the digital safety spectrum? Can it be trusted to protect your crypto from thieves and malicious hacks?

After all, in the last few years, several major crypto exchanges have been hacked for millions of dollars.1 So this question is more important than ever.

We’ve investigated Coinbase’s security practices and used the app to see how its security protocols work. In this article, we’ll explain what we learned in the process, and whether or not you can trust Coinbase with your crypto.

So let’s get right into it.

Is Coinbase Safe?

The bottom line is that Coinbase is fairly safe compared to other exchanges. It practices all of the standard security practices that we expect of a secure crypto exchange. It keeps most of its crypto in cold wallets, allows you to activate 2 Factor Authentication (2FA), pauses withdrawals to new addresses for 48 hours, and alerts you if a withdrawal to a new address is made.

These are all practices we expect from any crypto exchange before we can regard it as “safe.”

Best of all, Coinbase has never been hacked, which is more than can be said of most exchanges.

Still, there are some risks to using Coinbase, as there are with any crypto app. If an attacker gets access to your Coinbase account, she can transfer all of your crypto to her own wallet.

Sure, the transfer will be delayed, and you’ll be notified through email. But if you miss the email, you can lose all of the crypto in your account. So it’s important to be aware of this risk and to know how to minimize it while using Coinbase.

In the next few sections, we’ll go over some techniques to stay safe while using Coinbase or any crypto exchange.

Now let’s discuss the specific security measures Coinbase uses to keep its crypto secure.

Coinbase Security Practices

Coinbase practices all of the industry standard techniques that are used to minimize the risk of losses from a hack. Here are a few of them:

• Cold wallets: Coinbase keeps over 98 percent of its cryptocurrency in “cold wallets” that are not connected to the internet. This means that if the exchange is hacked, the most crypto that it can lose is 2 percent or less. This should help to protect the exchange from becoming insolvent if it is the victim of an attack, which should (hopefully) allow it to reimburse you if needed.
• Requires 2FA: You can’t use Coinbase without enabling 2 Factor Authentication. This means that an attacker shouldn’t be able to get into your account without stealing your phone. This is in contrast to most exchanges which make 2FA optional.
• 2FA can only be reset by proving your identity: Some crypto exchanges allow you to reset your 2FA with just your email address. But Coinbase requires you to verify your identity before resetting your 2FA. While this can create a hassle if you are unlucky enough to lose your phone, it also makes it extremely difficult for an attacker to reset your 2FA and access your account.
• Email alerts: If you try to withdraw to a new address, Coinbase will pause the withdrawal for 48 hours and alert you that the withdrawal has been attempted. This should help to give you a chance to respond if an attacker gets into your account.
• Personal data is stored off-line: Coinbase stores your photo ID, Social Security number, and other sensitive information off-line, minimizing the chance of this info being leaked or stolen in an attack.
• Organizational security: To prevent attackers from successfully targeting employees, all employees are required to encrypt their hard drives, use screen-locking and strong passwords.
• Web security: Coinbase uses standard web security practices. It uses SSL (Https) for all pages and SQL injection filters to stop cross-site request forgery (CSRF) attacks; it also hashes all passwords using Bcrypt.

Overall, Coinbase has a great security system in place. But it’s not perfect. In the next section, we’ll go over the risks of using Coinbase.

Risks to Using Coinbase

Although Coinbase has excellent security protocols, there are risks to using any crypto exchange.

The most important risk to using Coinbase is the anonymous nature of cryptocurrency itself. If an attacker manages to withdraw crypto from someone’s Coinbase account, it is usually gone forever. Thieves can use “tumbler” services like Tornado.cash to hide the fact that the victim’s crypto is stolen. This can allow them to cash out their stolen loot without anyone being able to prove they got it through an illicit process.

In a stock brokerage account, this isn’t possible, because stocks cannot be withdrawn from a brokerage account. Instead, the only option for the thief is to sell your stocks and transfer the cash to his bank account. While hackers can sometimes get away with doing this, it is much more difficult to do in a stock brokerage account than in a crypto account because bank accounts are not anonymous.

So crypto exchange accounts are inherently more risky to use than stock brokerage accounts, and this is an important fact to be aware of.

Another risk to using Coinbase is that it allows text messaging to be used for 2FA. If you choose to use text instead of an authenticator app, an attacker could transfer your phone service to his own phone and receive your 2FA code without having your physical phone. But these attacks are exceedingly rare.

Thankfully, it’s pretty easy to protect against these risks and threats. In the next section, we’ll discuss some ways that you can help to stay safe while using Coinbase.

How to Stay Safe When Using Coinbase

There are several tips and tricks you can use to protect your crypto while using Coinbase. Here are the ones we believe to be most important.

• Use an authenticator app: Instead of using SMS text messaging to receive your 2FA code, consider using an authenticator app to receive it. An authenticator app isn’t tied to your phone number, so an attacker can’t take control of it by transferring your phone service to his own device.
• Use a strong password: Use a long password that is made up of capital and lowercase letters, numbers, and special characters. In general, the more complex your password is, the more costly it is to crack.
• Scan email attachments with an antivirus program: One of the easiest ways for an attacker to get into your account is to infect your computer with malware and use it to spy on you. Attackers often use email to deliver the malware, so make sure to scan any file attachments you receive through email. On Windows, you can do this by right-clicking the file and selecting “scan with (program name).”
• Check the URL: Every time you log in, check the URL at the top of the page. Make sure it says “Coinbase.com” and not something misspelled like “Conbase.com” or “Coinbase.net!” Also, check the lock icon to the left of the URL to make sure that you have a secure connection.
• Consider moving your crypto off the exchange: If you are holding your crypto long term and not trading it, consider withdrawing it into a private wallet. When used correctly, private wallets are much more secure than exchanges, because they don’t use usernames and passwords. If you’re not sure which wallet to use, we have a guide to choosing the right crypto wallet.
• Consider using a Coinbase vault: If you have large amounts of crypto and don’t want to withdraw it into a wallet, consider putting it into a Coinbase vault. We’ll talk more about this in the next section. But basically, a Coinbase vault is an account with added security.

By following these tips, you can help to limit the risks of using Coinbase or any crypto exchange account. Now let’s talk about Coinbase Vault.

Coinbase Vault

A Coinbase Vault is a special account with added security. If you don’t want to withdraw your crypto into a private wallet, putting it into a Coinbase vault is an alternative strategy to better protect your crypto from being stolen.

You can create a Coinbase Vault by navigating to Coinbase.com/vault and pushing the “create your vault” button. Once your vault has been created, you can move any crypto into it from within the Coinbase webapp (this can’t be done with the mobile app). Any crypto in the vault is subject to a 48-hour withdrawal delay, even if the withdrawal address has been used in the past.

In addition, you can designate an “approver” that must co-sign any withdrawal from your vault. For example, you can designate your spouse, attorney, parent, or any other person you trust as an approver.

Once you’ve made this designation, no crypto can be withdrawn from the vault without it being co-signed by the approver. This can help to prevent a withdrawal in case your personal account is compromised, since the attacker would also need to compromise the approver’s account to make the withdrawal.

There is a sense in which using Coinbase Vault is still not as secure as using an external wallet. After all, it requires you to trust Coinbase to keep your crypto safe, whereas a wallet puts your crypto completely under your control.

Still, if you don’t feel comfortable holding large amounts of crypto in your personal possession, using Coinbase Vault is a viable alternative that is generally safer than keeping it in a regular exchange account.

Final Words on Coinbase Safety

Coinbase is an excellent app for crypto beginners. And it’s extremely secure and safe. It does all of the things we expect in a crypto app. It offers 2FA, holds almost all of its crypto in cold wallets, and alerts you when a withdrawal to a new address is made. Most importantly, Coinbase has never been hacked.

But as with all exchanges, using Coinbase is not totally without risk. Now you know what those risks are and how to stay safe when using it.

Coinbase is only one option among many when it comes to beginner crypto exchanges, so you may want to check out our Crypto.com review or Kraken review for other options.