How does Coinbase handle security?

Last Updated: Feb 12, 2014 05:47PM PST
We take careful measures to ensure that our website and user bitcoin are as secure as possible. Below you can read about some of the security measures we have in place:
 
  • Approximately 90% of customer funds are stored offline (disconnected from the internet) in bank vaults to prevent theft or loss.
  • Wallets (and private keys) are stored using AES-256 encryption.
  • We offer two-factor authentication on accounts.
  • The site runs entirely over SSL (https).
  • We hash passwords stored in the database (using bcrypt with a cost factor of 10).
  • We rate limit a variety of actions on the site (login attempts, etc).
  • We whitelist attributes on all models to prevent mass-assignment vulnerabilities.
  • We use SQL injection filters.
  • We verify the authenticity of POST, PUT, and DELETE requests to prevent CSRF attacks.
  • We check for strong passwords on account creation and password reset.
  • Application credentials are kept separate from the database and code base.
  • We use separate passwords for each service.
  • Employees are required to encrypt their hard drives, utilize strong passwords, and enable screen locking.
  • Employees must pass a criminal background check as part of the hiring process.
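As an added example that is not part of this page or Coinbase's code, here is the mass-assignment problem that the "whitelist attributes on all models" measure above addresses, written in plain Ruby with no web framework. The User class, the PERMITTED list and the tampered request parameters are all constructed for the illustration; the vulnerable updater copies every submitted key onto the model, the hardened one accepts only whitelisted keys and rejects the rest:

```ruby
# Added example (not Coinbase code): attribute whitelisting against mass assignment.
# A request's parameter hash is applied to a model object. The vulnerable version
# copies every key; the hardened version only the whitelisted ones.

class User
  attr_accessor :email, :display_name, :admin, :balance_satoshi

  def initialize(email:)
    @email = email
    @display_name = nil
    @admin = false          # must only ever be set by privileged code
    @balance_satoshi = 0    # must only ever change through ledger logic
  end

  # Vulnerable: trusts every key in the request parameters, so a client that adds
  # "admin" or "balance_satoshi" to a profile-edit form body overwrites them.
  def update_unsafe(params)
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end

  # Hardened: only attributes on the whitelist may be mass-assigned. Unpermitted
  # keys raise instead of being silently dropped, so the attempt is observable.
  PERMITTED = %w[email display_name].freeze

  def update_safe(params)
    params = params.transform_keys(&:to_s)
    rejected = params.keys - PERMITTED
    unless rejected.empty?
      raise ArgumentError, "unpermitted attributes: #{rejected.join(', ')}"
    end
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Constructed request body: a legitimate display-name edit with two injected keys.
TAMPERED_PARAMS = {
  "display_name" => "alice",
  "admin" => true,
  "balance_satoshi" => 100_000_000
}.freeze

# Returns the user after the vulnerable update: admin and balance are overwritten.
def demo_unsafe
  User.new(email: "alice@example.com").update_unsafe(TAMPERED_PARAMS)
end

# Returns [user, error_message]; the hardened update leaves the user untouched.
def demo_safe
  user = User.new(email: "alice@example.com")
  begin
    user.update_safe(TAMPERED_PARAMS)
    [user, nil]
  rescue ArgumentError => e
    [user, e.message]
  end
end

if __FILE__ == $PROGRAM_NAME
  u = demo_unsafe
  puts "unsafe: admin=#{u.admin} balance=#{u.balance_satoshi}"
  u, err = demo_safe
  puts "safe:   admin=#{u.admin} balance=#{u.balance_satoshi} (#{err})"
end
```

The whitelist is deliberately on the model rather than in each request handler, so a new endpoint cannot forget it. Raising on unpermitted keys, rather than silently filtering them as many frameworks do by default, is a design choice: a rejected request with extra keys is a signal worth logging, since a normal client never sends them.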

If some of that didn't make any sense, don't worry, it's all in place to ensure that your account information and bitcoin are safe and sound. In the future, we plan to add some or all of the following:
 
  • Offering a guarantee or insurance against loss.
  • Quarterly security audits by outside firms, and disaster drills.
