In a surprising new feature addition, Coinbase has added functionality for users to store their private keys in the cloud.
The new opt-in feature will allow users to store a password-protected encrypted file containing a user’s private keys using either their Google Drive or iCloud accounts.
Considering the multitude of hacks we have seen on these cloud services over the past few years, and the fact that most users pick common passwords or reuse the same one across accounts, this new feature may open up a new way to steal crypto assets.
This is a terrible idea and encrypting with a user chosen password is even worse. Most people cannot choose/remember strong passwords and generally reuse passwords.
— DJ Booth (@djbooth007) February 12, 2019
Not your keys, not your Bitcoin
It is well known in the crypto ecosystem that if a user does not have complete control of their private keys, then there is always a chance they could have all their funds stolen. If a hacker can get access to this cloud file and then crack the user-chosen password, then they would have the full ability to move any coins stored in this wallet to their own wallet.
Coinbase was recently praised for releasing an update for the Coinbase Wallet app where users could choose full self-custody and hold their own private keys (held on a user-controlled device). This update allows users to be self-sovereign by taking possession of their own coins (away from Coinbase’s custody).
Holding your own private keys is absolutely best practice in the crypto ecosystem. This means you don’t have to worry about potential hacks or compromises (like the recent QuadrigaCX scandal) and also prevents custodial holders from imposing any form of censorship over transactions the user may be trying to make.
However, holding your own private keys does come with risk. If these keys are ever compromised, then an attacker can swipe all of your funds out of your wallet, and Coinbase will not be able to help retrieve stolen funds.
A terrible idea
This new cloud feature opens a new attack vector against Coinbase users who choose to store their private keys in the cloud. The developer behind the Tallycoin project, DJ Booth, responded to the Coinbase news by saying: “This is a terrible idea and encrypting with user-chosen password is even worse. Most people cannot choose/remember strong passwords and generally reuse passwords.”
Coin Rivet’s own chief reporter Oliver Knight also tweeted that he thinks this is a bad move, saying: “Hacker’s eyes will be lighting up at the prospect of private keys being held on cloud storage.”
Hacker's eyes will be lighting up at the prospect of private keys being held on cloud storage. https://t.co/qJznpFlUis
— Oliver Knight (@KnightCoinRivet) February 13, 2019
Only time will tell if this solution provides any real safeguard for users who obviously would be better off storing their coins in the full custody of Coinbase rather than in their own wallet with private keys stored in the cloud. My advice would be to not turn on this additional feature and to reduce the possible attack vectors that may compromise your hard-earned funds.
Disclaimer: The views and opinions expressed by the author should not be considered as financial advice. We do not give advice on financial products.