Coinbase Points the Finger

While the best case scenario for cybersecurity is to stop attacks before they happen, Coinbase is planning for the worst. 

The company is seeking to patent a system for “database recovery” in the event of a failure. Basically, if a database fails, this tech allows Coinbase users to access their data on a remote device. 

Here’s how it works: First, Coinbase encrypts the user’s data in a database. If a database failure happens, the data is sent – still encrypted – to the user device or account. The system then sends the encrypted data, signed by the user with some form of digital signature, to what Coinbase calls a “recovering server.” The server verifies the validity of the digital signature, decrypts it with a recovery key and sends it back to the user. 

Coinbase defines a failure as more than just a cyberattack, noting that a failure could be anything from a power outage to a disc or hardware crash. The company said its tech is particularly effective when a database is updated frequently and “old data becomes useless.” 

“Distributed database recovery saves the need to manage an expensive centralized backup system by storing/updating the database user record on the user’s machine,” the company noted. 

Like any consumer-facing fintech, Coinbase deals with a large amount of personal customer data and a large number of transactions per day. But helping customers keep hold of their data may be a priority given some of the security breaches the platform has faced over the years. In February, a hacking group that has targeted more than 130 other tech companies went after Coinbase, stealing the login credentials of one of its employees to try and gain access to its internal systems.

“These days, the benefit (of Coinbase’s patent) is basically ransomware attacks,” Raman noted. “That’s the big, topical reason. What they’re patenting is a specific method to make sure that only the right person can unlock from backup.” 

But one bug (or, potentially, a feature) with Coinbase implementing this technique is that it could shift the blame for security breaches away from Coinbase, Ali Allage, CEO of BlueSteel Cybersecurity, told me. By giving the customer the ability to take hold of their data in the case of a database failure, the company could be putting the onus on them to manage the aftermath of a targeted attack. 

Coinbase attempting to point the finger wouldn’t be surprising, given the company is already claiming no responsibility for a recent security breach which cost one user $96,000 in cryptocurrency. (The user is suing Coinbase for the breach, alleging its handling of the matter violated state laws.)

“I’m a little skeptical, because it feels like it came about because they’re looking for cost savings measures and a way of offsetting liability,” said Allage.