There’s an old saying among cryptocurrency users, usually shortened to “not your keys, not your coins”: if you don’t control the private key, you don’t really own the cryptocurrency.
This is essentially true. A Bitcoin or Ethereum balance is not a file you hold; it is a set of coins on the public ledger that can only be spent by a transaction signed with a particular secret. That secret is the private key. The matching public key (or an address derived from it) is what the ledger uses to identify the owner, and whoever holds the private key controls the funds.
Coinbase, like most other centralized exchanges, manages their customers’ private keys for them.
When you open an account with LocalBitcoins, Coinbase, Bittrex or any other popular exchange, you are not generating a key pair of your own; you are creating an entry in the exchange’s internal ledger, identified by an account ID.
The exchange knows you internally by this ID.
Somewhere in Coinbase’s infrastructure, for each cryptocurrency you trade, there are private keys associated with your account that Coinbase controls and you do not. Your balance is a number in the exchange’s database; the on-chain coins sit in wallets whose keys allow Coinbase to move the funds on your behalf.
When you request a withdrawal, the funds are moved using the exchange’s private key, which you don’t have access to.
When attackers go after an exchange, it is those private keys they want, or failing that, any credential that lets them instruct the exchange to move funds with its keys.
In early 2018 Coinbase was hacked and over 40 BTC were lost.
At least one of the victims had over 10 BTC stolen through Coinbase’s API. An API is a set of functions that a customer’s own programs can call on Coinbase’s servers.
These functions let customers move funds, trade automatically and perform many other tasks without ever logging in through the main website.
To call the API, a customer authenticates with an API key: an identifier plus a secret that is used to sign each request. (Not to be confused with the cryptographic private keys mentioned earlier.) Because an API key can carry permission to withdraw, from an attacker’s point of view a key with that permission is as good as the private key itself.
Attackers who obtained customers’ API keys used them to withdraw the customers’ funds. The exchange’s cryptocurrency private keys were never compromised; the attackers simply invoked the legitimate withdrawal functions, and Coinbase’s backend moved the funds with its own keys. The practical lessons are to give each key only the permissions it needs (a trading bot does not need withdrawal rights), restrict it to known IP addresses where the exchange supports that, and revoke it the moment it may have leaked.
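To make the difference between an API key and a private key concrete, here is an added example, not Coinbase’s code, of how a signed API request is built on the client and checked on the server. It is modeled loosely on Coinbase’s CB-ACCESS-KEY / CB-ACCESS-TIMESTAMP / CB-ACCESS-SIGN headers and its published scope names, but the key store, the endpoint table, the credentials and the 30-second replay window are all assumptions made for the illustration. The point it demonstrates is that a correctly signed request can still be refused when the key lacks the scope for what it asks, so a stolen read-only key cannot withdraw funds.

```python
import hashlib
import hmac
import json
import time

# Constructed demo credential. NOT a real Coinbase key. An API key is an
# identifier plus a shared secret; the secret never travels in the request,
# it only appears through the HMAC it produces.
DEMO_KEY_ID = "demo-key-0001"
DEMO_SECRET = "c0ffee-demo-secret-do-not-reuse"

# Hypothetical server-side key store. This key is scoped read-only, so it
# cannot send funds no matter how well a request is signed (least privilege).
KEY_STORE = {
    DEMO_KEY_ID: {"secret": DEMO_SECRET, "scopes": {"wallet:accounts:read"}},
}

# Scope each endpoint requires (scope names follow Coinbase's documented ones;
# the table itself is an assumption for this example).
ENDPOINT_SCOPES = {
    ("GET", "/v2/accounts"): "wallet:accounts:read",
    ("POST", "/v2/accounts/primary/transactions"): "wallet:transactions:send",
}

MAX_SKEW_SECONDS = 30  # assumed replay window: stale timestamps are refused


def sign_request(secret: str, timestamp: int, method: str, path: str, body: str = "") -> str:
    """Client side: HMAC-SHA256 over timestamp + method + path + body.
    Binding all four fields means a captured signature cannot be replayed
    against a different endpoint or body, nor long after it was made."""
    message = f"{timestamp}{method.upper()}{path}{body}"
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def build_request(key_id, secret, method, path, body_obj=None, timestamp=None):
    """Client side: assemble the request the way an API client library would."""
    body = json.dumps(body_obj, separators=(",", ":")) if body_obj is not None else ""
    ts = int(time.time()) if timestamp is None else timestamp
    headers = {
        "CB-ACCESS-KEY": key_id,
        "CB-ACCESS-TIMESTAMP": str(ts),
        "CB-ACCESS-SIGN": sign_request(secret, ts, method, path, body),
    }
    return {"method": method, "path": path, "body": body, "headers": headers}


def authorize(request, now, key_store=KEY_STORE):
    """Server side. Returns (allowed, reason). Signature is checked before
    scope, so a caller without the secret learns nothing about the key's rights."""
    h = request["headers"]
    record = key_store.get(h.get("CB-ACCESS-KEY"))
    if record is None:
        return False, "unknown key"
    try:
        ts = int(h.get("CB-ACCESS-TIMESTAMP", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign_request(record["secret"], ts, request["method"], request["path"], request["body"])
    # constant-time comparison: never compare MACs with ==
    if not hmac.compare_digest(expected, h.get("CB-ACCESS-SIGN", "")):
        return False, "bad signature"
    needed = ENDPOINT_SCOPES.get((request["method"].upper(), request["path"]))
    if needed is None:
        return False, "unknown endpoint"
    if needed not in record["scopes"]:
        return False, f"missing scope {needed}"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    read = build_request(DEMO_KEY_ID, DEMO_SECRET, "GET", "/v2/accounts", timestamp=now)
    print("read with read-only key:", authorize(read, now))
    send = build_request(DEMO_KEY_ID, DEMO_SECRET, "POST", "/v2/accounts/primary/transactions",
                         {"type": "send", "to": "bc1qexample", "amount": "1.0"}, timestamp=now)
    print("withdraw with read-only key:", authorize(send, now))
    print("replayed read one minute later:", authorize(read, now + 60))
```

The order of checks is deliberate: key lookup, freshness, signature, then scope. If the scope check came first, an attacker holding only a key identifier could probe which endpoints a key is allowed to call without knowing the secret.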
There were other incidents at Coinbase not directly related to the cryptocurrency backend. Visa card deposits, for instance, were being charged twice in February 2018. That software bug was eventually resolved between Visa and Coinbase.
Coinbase is pretty safe, for a centralized exchange that holds so much value within their vaults.
But for real security, investors should keep long-term holdings in wallets whose private keys are offline and under their own control. As long as the private key sits on someone else’s server rather than in your own safe at home, no online wallet is 100% safe.
Internet connections themselves are inherently unsafe. No connected device should be considered 100% secure, because attackers are creative and resourceful when it comes to exploiting anything reachable over the network.
Secure wallets should therefore be kept offline. You can print your private key, generate a paper wallet, or simply write the key down in India ink. Generate the key on a machine that is disconnected from the network (if you use a paper-wallet generator page, download it and run it with networking switched off rather than on a live website), because a key produced or displayed on a connected machine may already have been seen by someone else. Any offline solution is safer than a wallet stored on centralized servers.
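As an added example, not code from the original article, the following script shows the two operations a paper wallet actually needs: drawing a private key from the operating system’s random source on an offline machine, and encoding it in Wallet Import Format (WIF), the base58 string with a built-in checksum that you would print or write down. The decoder is included because the checksum is what catches a transcription error when you type the key back in years later; a single wrong character is rejected instead of silently producing a different key. The base58 alphabet, the 0x80 version byte, the double-SHA256 checksum and the secp256k1 group order are the standard Bitcoin values; the test vector is the one published on the Bitcoin wiki’s WIF page.

```python
import hashlib
import os
from typing import Tuple

# Standard Bitcoin constants.
SECP256K1_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    # each leading zero byte is represented by a leading '1'
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    """First four bytes of SHA256(SHA256(payload)), as used by Bitcoin addresses and WIF."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def generate_private_key() -> bytes:
    """Draw 32 bytes from the OS CSPRNG and retry until the value is a valid
    secp256k1 scalar (1 <= k < n). Run this on a machine that is offline."""
    while True:
        key = os.urandom(32)
        k = int.from_bytes(key, "big")
        if 1 <= k < SECP256K1_ORDER:
            return key


def encode_wif(key: bytes, compressed: bool = True, mainnet: bool = True) -> str:
    """Wallet Import Format: version byte + key (+ 0x01 for compressed pubkeys) + checksum."""
    if len(key) != 32 or not (1 <= int.from_bytes(key, "big") < SECP256K1_ORDER):
        raise ValueError("not a valid secp256k1 private key")
    payload = (b"\x80" if mainnet else b"\xef") + key + (b"\x01" if compressed else b"")
    return b58encode(payload + checksum(payload))


def decode_wif(wif: str) -> Tuple[bytes, bool]:
    """Inverse of encode_wif. Raises ValueError on any corruption, so a key
    copied back from paper is verified before it is ever used to sign."""
    raw = b58decode(wif)
    payload, chk = raw[:-4], raw[-4:]
    if len(payload) < 33 or checksum(payload) != chk:
        raise ValueError("checksum mismatch: transcription error or altered key")
    if payload[:1] not in (b"\x80", b"\xef"):
        raise ValueError("unexpected version byte")
    if len(payload) == 34 and payload[-1:] == b"\x01":
        return payload[1:33], True
    if len(payload) == 33:
        return payload[1:], False
    raise ValueError("unexpected payload length")


if __name__ == "__main__":
    key = generate_private_key()
    wif = encode_wif(key)
    print("write this down on paper:", wif)
    restored, compressed = decode_wif(wif)
    print("round trip ok:", restored == key and compressed)
```

Run it with networking disabled, write the WIF string down, and destroy any copy on the machine. Before funding the address, type the string back in from the paper and confirm `decode_wif` accepts it; that is the check that turns a piece of paper into a reliable backup.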
Everything in this article applies to other centralized cryptocurrency exchanges as well. Bittrex, Bitfinex, Poloniex, Binance, Coinbase and the rest all work the same way. Their internal implementations vary, but they have one thing in common: they hold and use the private keys on the customers’ behalf.
As long as private keys are kept online, the exchange will never be 100% safe.