I realize it's all startup-y to pat yourself on the back about growth, but aren't you painting a target on your back for those that want to perform the next heist?
Pretending they're tiny and poor isn't a long-term strategy for becoming a mainstream, trusted brand in e-commerce. Security is one front they need to win on, just like every other successful payment processing business; they can't hide and become big at the same time.
Any prominent Bitcoin site is going to be the subject of continuous attacks at this point. If Coinbase has vulnerabilities like Gox did, chances are they'll get found.
That's what Mt. Gox said too; I believe their figure was 98%:
On average 98% of customer bitcoins are held in cold storage...Offline wallets are generated from an offline system and kept in paper format in three separate locations, using a technology based on raid.
But of course, they weren't really in cold storage or offline after all, because somehow they all disappeared...
Not that I mistrust Coinbase specifically, but without insurance, audits and regulation (i.e. without a banking license), I'm not sure I'd trust anyone to store significant amounts of money.
Banks that hold large amounts of cash either insure it against fire/flood/theft or self-insure with other assets - what is Coinbase's plan if these cold-storage coins are destroyed, either by malicious attempt or disaster? That link shows the coins are locked away, are apparently not accessible, but how safe are they against actual loss?
As I understand it, if security is done correctly then "stealing bitcoins" amounts to breaking strong cryptography. At this point nothing indicates that the elliptic curves or the cryptographic hashes (SHA-256, RIPEMD-160) used in Bitcoin are at risk.
Under the assumption that the crypto used in Bitcoin is safe, there's, for example, nothing an attacker can do to spend the coins in offline wallets. Not even a 50%+1 attack that'd be sustained for days...
If anything, the recent fiasco with Gox (which is more than shady) gives me lots and lots of confidence in Coinbase to do "the right thing".
Now I'm not saying they'll never get pirated or anything like that. But Bitcoin implemented correctly seems to be very safe and there are many people out there who have bitcoins which are "sleeping" safely on offline wallets in deep cold storage.
Most people holding bitcoins and most companies like Coinbase only need a fraction of their bitcoins "online" to be able to operate. And even for those bitcoins I take it Coinbase is taking security very seriously.
Yeah, we'd hope they have some serious M-of-N key system in place to safeguard access to the wallets.
The biggest thing that gives me pause about Coinbase is their decision to use MongoDB. There may be a reason, but I certainly can't find one. Their use case is perfect for a proper, old-fashioned, reliable RDBMS. They've also had a fair amount of customer service issues, including the "we rebooted and our job queues didn't run anymore" problem where they tried to rip that guy off.
Even so, the security of the offline wallet is so important, you'd think their investors will have insisted on some auditing and third-party implementation. Maybe some of the big wallets are even partially held by outside people.