COINBASE

98% of customer funds are stored offline

Offline storage provides an important security measure against theft or loss. 
We distribute bitcoin geographically in safe deposit boxes and vaults around the world. 

Sensitive data that would normally reside on our servers is disconnected entirely from the internet.

Data is then split with redundancy, AES-256 encrypted, and copied to FIPS-140 USB drives and paper backups.

Drives and paper backups are distributed geographically in safe deposit boxes and vaults around the world.

2-Step Verification on All Accounts

In addition to your username and password, you’ll enter a code from your mobile phone, adding an extra layer of security for your account.

Organization

Coinbase employees must pass a criminal background check as part of the hiring process.

We use separate passwords and two-step verification with each device and service.

Employees are required to encrypt their hard drives, utilize strong passwords, and enable screen locking.

Application

We use SQL injection filters and verify the authenticity of POST, PUT, and DELETE requests to prevent CSRF attacks.

We rate limit a variety of actions on the site (login attempts, etc.).

We whitelist attributes on all models to prevent mass-assignment vulnerabilities.

Authentication

We hash passwords stored in the database (using bcrypt with a cost factor of 12).

We check for strong passwords on account creation and password reset.

Application credentials are kept separate from the database and code base.

Manage your portfolio

Buy and sell popular digital currencies and keep track of them in one place.

Recurring buys

Invest in digital currency slowly over time by scheduling buys daily, weekly, or monthly.

Vault protection

For added security, store your funds in a vault with time delayed withdrawals.

Mobile apps

Stay on top of the markets with the Coinbase app for Android or iOS.

How is Coinbase insured?

Digital Currency

Coinbase prioritizes the security of our customers’ funds: all digital currency that Coinbase holds online is insured. If Coinbase were to suffer a breach of its online storage, the insurance policy would pay out to cover any customer funds lost as a result. Coinbase holds less than 2% of customer funds online. The rest is held in offline storage.

Please note that the insurance policy covers any losses resulting from a breach of Coinbase’s physical security or cyber security, or from employee theft. This insurance policy does not cover any losses resulting from the compromise of your individual Coinbase account. It is your responsibility to use a strong password and maintain control of all login credentials you use to access Coinbase.
For more on securing your account, see here.

Digital currency is not legal tender, is not backed by the government, and digital currency accounts and value balances on Coinbase are not subject to Federal Deposit Insurance Corporation or Securities Investor Protection Corporation protections.

Cash Balances

U.S. Customers
Coinbase stores all customer fiat currency (government-issued currency) in custodial bank accounts or in U.S. Treasuries.

Non-U.S. Customers
Coinbase stores all customer fiat currency (government-issued currency) in segregated, custodial bank accounts. 

Cash balances held in your Coinbase accounts belong to you – not Coinbase. 

If you are a United States resident, your Coinbase USD Wallet is covered by FDIC insurance, up to a maximum of $250,000.

Even if Coinbase were to fail as a business, the funds held in the custodial bank accounts could not be claimed by Coinbase or its creditors. The funds held in those accounts would be returnable to Coinbase’s customers.

Digital Currency Balances

Coinbase secures customer digital currency through a combination of secure, online servers and offline (“cold”) storage. Coinbase maintains 98% or more of customer digital currency in cold storage, with the remainder in secure online servers as necessary to serve the liquidity needs of our customers.

Coinbase maintains commercial criminal insurance in an aggregate amount that is greater than the value of digital currency we maintain in online storage. Our insurance policy is made available through a combination of third-party insurance underwriters and Coinbase, which is a co-insurer under the policy.

The policy insures against theft of digital currency that results from a security breach or hack, employee theft, or fraudulent transfer.

Our policy does not cover any losses resulting from unauthorized access to your personal Coinbase or Coinbase Pro account(s). It is your responsibility to use a strong password and maintain control of all login credentials you use to access Coinbase and Coinbase Pro. Digital currency is not legal tender and is not backed by the government. Digital currency, such as Bitcoin, Litecoin, and Ethereum, is not subject to Federal Deposit Insurance Corporation (“FDIC”) or Securities Investor Protection Corporation protections.

Cash Balances

Cash balances (such as U.S. Dollars, British Pounds, and Euros) that customers store with Coinbase are held as a balance in your Coinbase or Coinbase Pro account(s). For U.S. customers, Coinbase combines your balance with the balances of other customers and holds those funds in custodial accounts at U.S. banks and/or invests those funds in liquid U.S. Treasuries in accordance with state money transmitter laws. For non-U.S. customers, funds are held as cash in dedicated custodial accounts. All custodial pooled amounts are held separate from Coinbase funds, and Coinbase will use these funds neither for its operating expenses nor for any other corporate purposes.

To the extent U.S. customer funds are held as cash, they are maintained in pooled custodial accounts at one or more banks insured by the FDIC. Our custodial accounts have been established in a manner to make available pass-through FDIC insurance up to the per-depositor coverage limit then in place (currently $250,000 per individual). FDIC pass-through insurance protects funds held on behalf of a Coinbase customer against the risk of loss should any FDIC-insured bank(s) where we maintain custodial accounts fail. FDIC insurance coverage is contingent upon Coinbase maintaining accurate records and on determinations of the FDIC as receiver at the time of a receivership of a bank holding a custodial account.