- Approximately 90% of customer funds are stored offline (disconnected from the internet) in bank vaults to prevent theft or loss.
- Wallets (and private keys) are stored using AES-256 encryption.
- We offer two-factor authentication on accounts.
- The site runs entirely over SSL (https).
- We hash passwords stored in the database (using bcrypt with a cost factor of 10).
- We rate limit a variety of actions on the site (login attempts, etc).
- We whitelist attributes on all models to prevent mass-assignment vulnerabilities.
- We use SQL injection filters.
- We verify the authenticity of POST, PUT, and DELETE requests to prevent CSRF attacks.
- We check for strong passwords on account creation and password reset.
- Application credentials are kept separate from the database and code base.
- We use separate passwords for each service.
- Employees are required to encrypt their hard drives, utilize strong passwords, and enable screen locking.
- Employees must pass a criminal background check as part of the hiring process.
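To show what the CSRF check for POST, PUT and DELETE requests in the list above amounts to, here is an added, self-contained example (not Coinbase's code); it assumes a per-session random token that forms embed and that the server compares in constant time, while safe methods such as GET pass through untouched.

```python
import hmac
import secrets
from typing import Optional

# Only methods that can change state need a token; GET/HEAD/OPTIONS are exempt.
STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE"}


def issue_csrf_token(session: dict) -> str:
    """Create a random per-session token on first use and reuse it afterwards.

    The token is embedded in every form/AJAX request the app renders.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def verify_request(session: dict, method: str, submitted_token: Optional[str]) -> bool:
    """Return True if the request may proceed.

    State-changing methods must carry a token equal to the one stored in the
    session; the comparison is constant-time so timing does not leak the token.
    A missing session token or missing submitted token fails closed.
    """
    if method.upper() not in STATE_CHANGING_METHODS:
        return True
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False
    return hmac.compare_digest(expected, submitted_token)


if __name__ == "__main__":
    # Constructed session for demonstration (hypothetical, not real data).
    session = {}
    token = issue_csrf_token(session)
    print("GET without token   ->", verify_request(session, "GET", None))      # True
    print("POST with token     ->", verify_request(session, "POST", token))    # True
    print("POST without token  ->", verify_request(session, "POST", None))     # False
    print("DELETE forged token ->", verify_request(session, "DELETE", "bogus"))  # False
```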
If some of that sounded like techno-babble, don't worry: it's all in place to ensure that your account information and bitcoin are safe and sound. In the future, we plan to add some or all of the following before moving out of Beta:
- Offering a guarantee or insurance against loss.
- Quarterly security audits by outside firms, and disaster drills.
See also:
- The Coinbase Bug Bounty Program