European expansion will create new jobs and grow the burgeoning Irish crypto economy
The number of Coinbase customers in the European Union (EU) grew faster than any other market in 2017. As we scale, we need to attract the best, most qualified and passionate talent to help us achieve our mission of creating an open financial system for the world.
We explored a variety of cities across the EU, and Dublin was the clear choice. Our new office will help us tap into the city’s diverse talent pool and long-standing support for technological innovation, including a burgeoning cryptocurrency economy. The Dublin team will complement Coinbase operations in London and host a variety of new business-related functions, including roles for which we’re hiring right now.
“Dublin is a talent hotspot for companies like Coinbase as they scale and internationalize critical businesses operations,” said Martin Shanahan, CEO of IDA Ireland, the country’s inward investment agency. “We look forward to welcoming Coinbase into the Irish economy, and helping them access our talented pool of young professionals from the technology and financial services sectors.”
“I am delighted that Coinbase is opening an office in Dublin,” echoed Ireland’s Minister for Financial Services and Insurance Michael D’Arcy T.D. “This decision highlights the competitive offering and attractiveness of Ireland for financial services.”
Expanding our presence in Dublin is one more step along our journey to ensure Coinbase is viewed as a trusted and easy-to-use cryptocurrency platform in Europe. It’s exciting to continue encountering people all over the world who are eager to help us unlock the power of cryptocurrency and accelerate its adoption worldwide. We look forward to harnessing Ireland’s entrepreneurial spirit and contributing to the growth of the Irish technology sector.
Starting today, Coinbase supports ZRX at Coinbase.com and in the Coinbase Android and iOS apps. Coinbase customers can now buy, sell, send, receive, or store ZRX, along with Bitcoin, Bitcoin Cash, Ethereum, Ethereum Classic and Litecoin.
ZRX will be available for customers in most jurisdictions, but will not initially be available for residents of the United Kingdom or the state of New York.
One of the most common requests we hear from customers is to be able to trade more assets on Coinbase. Last month we announced a new process for listing assets, designed in part to accelerate asset addition. We are also investing in new tools to help people understand and explore cryptocurrencies. We launched informational asset pages (see ZRX here), as well as a new section of the Coinbase website to answer common questions about crypto.
Security at Coinbase is a top priority, and we’re always working to make sure our customers’ information and assets are completely protected at every corner. Many of the software security issues we hear about today come from problems that, in hindsight, could have been easily prevented, like outdated dependencies and obvious anti-patterns. Code-review processes are a standard part of many engineering teams, but engineering teams are always trying to move faster and humans can occasionally miss some issues.
Introducing Salus
At Coinbase, we use a combination of human-driven code reviews and automated scans to ensure all our production deployments are as secure as possible — and when the right tools don’t exist to help us do the work we need to, we build them. One of those tools that we recently built is called Salus, a docker container that decides which security scanners to run, coordinates their configuration, and compiles the output into a single report. And today we’re open sourcing it on our Github for other teams to use too.
All software companies leverage open source software, and common languages and frameworks often have security scanners which can tremendously improve security. For example, for Ruby projects, bundle-audit can alert you of known vulnerabilities in the libraries you are using and for Rails, Brakeman will do AST level analysis to identify possible RCEs, SQL injections and more. Tools like these help us to ship faster, and we are tremendously grateful for these open source efforts. It was in this spirit that Coinbase started its open source fund, a token of gratitude for this type of community-oriented work.
To use these tools, a common initial deployment pattern for a security team is to include the scanner into the repository’s test suite. The continuous integration (CI) pipeline will execute both the project’s tests and the scanner. If there is a security issue, the build will fail and the developer can investigate the build logs to identify what needs to improve in their pull request.
However, this strategy quickly fails at company scale where there can be hundreds of repositories, each with their own security scanning configurations. Updating a scanner, or introducing a new scanner, will then require updating every project and quickly you have an O(n) problem. This is where our new tool Salus — named after the Roman goddess of safety — can make a difference.
Salus coordinates security scanning across all the services we deploy at Coinbase. It helps us enforce security policies for each change made to a codebase and ensures there is a quick feedback loop with the developer about potential vulnerabilities.
Architecture of the Salus container
How it works
During each CI build, the repository source code is volumed into the Salus container and Salus begins executing. An individual scanner might conduct static analysis, dependency checks, anti-pattern (e.g. grep) checks, or anything else that improves security.
To update a scanner or experiment with new scanners, we update the Salus container. Since each CI build pulls and runs the latest container, all builds immediately inherit these changes. If issue are found, the build fails and the scanner’s output is shown to the developer immediately so that they can self service their fix.
###### Salus Scan v1.0.0 for engineering/proxy ######
Use `link_to('<link>', target: '_blank')` for rendering links so that the appropriate security features can be applied.
overall => failed
Salus also compiles reports about the results of each scanner and which dependencies are being used by a project. At Coinbase, we consume these reports into our logging pipeline to allow us to quickly identify which projects might be using a package that recently had a vulnerability released and from there, we can efficiently move into incident response mode.
Screenshot of Kibana displaying the results of Salus scans.
Salus can be run out of the box with strong default configuration but also support powerful customization to ensure that you can pick which scanners will run, which scanner will fail builds when finding issues, and where to send reports. We use this functionality at Coinbase so that we can enforce a global security policy for all projects, but also apply special configuration at the repository level if a certain project needs it.
For local customization, multiple configuration files can be concatenated. For example, if a project’s dependency is carrying a CVE with no available patch and we have confirmed that the vulnerability is not exploitable, we can use a local configuration file to ignore this concern.
docker run --rm -v $(pwd):/home/repo coinbase/salus --config "https://salus-config.internal.net/salus-global.yaml file://local-salus-config.yaml"
Pointing to remote configuration files also allows a security team to introduce new security policies into an organization and identify where there are gaps without failing builds and surprising developers. A scanner can run in soft mode, Salus will provide data on repos that are not compliant, and then those projects can be patched before enforcing a new, higher global security policy.
Salus currently runs the following checks:
CVE checks for Ruby gems and Node modules via BundleAudit and NSP respectively.
Reports which Ruby gems, Node modules, Go packages and Python packages are used by the repo.
Pattern matching on regular expressions of your choice — for example, this could look for the use of poor cryptographic primitives or potentially dangerous code like React’s dangerouslySetInnerHTML.
Try the tool
If you manage many repositories in your infrastructure, or want a single command to run all relevant scanners on your codebase, you may want to consider running Salus during your test suite. Salus is an important tool to us, and we plan to expand it over time to cover more languages and types of static analysis. If you have feature requests for Salus, or would like to discuss use cases, please see our repository.
The new USDC stablecoin is fully collateralized by US dollars and supported by Coinbase and Circle as co-founding members of the CENTRE Consortium
Starting today, Coinbase customers in supported jurisdictions can buy, sell, send and receive the USD Coin stablecoin (USDC) at Coinbase.com and in the Coinbase iOS and Android apps. US customers outside New York state can buy and sell, and customers around the world can send and receive. More geographies will be available in the future.
This is the first time Coinbase has supported a stablecoin, which is fundamentally different from other cryptocurrencies. Unlike bitcoin or ether, a USDC is meant to represent a single US dollar (USD) that does not move up or down relative to its reference currency. One USDC is a 1:1 representation of a US dollar on the Ethereum blockchain.
Each USDC is 100% collateralized by a corresponding USD held in accounts subject to regular public reporting of reserves. The underlying technology behind the USDC was developed collaboratively between Coinbase and Circle, in our capacity as partners and co-founders of the new CENTRE Consortium.
The advantage of a blockchain-based digital dollar like USDC is easier to program with, to send quickly, to use in dApps, and to store locally than traditional bank account-based dollars. That’s why we think of it as an important step towards a more open financial system.
Use cases for USDC today include:
Improved send and receive. Two Ethereum wallets can quickly send and receive any amount of USDC at any time of day. Large transfers for business purposes become as easy as small e-commerce payments. Consumers can use the Coinbase app to send USDC to someone, while remaining confident the value is stable.
Use in dApps and exchanges. There is a burgeoning ecosystem of crypto dApps, exchanges, and blockchain-based games. A USDC follows the ERC20 standard, which means it can be used with any app that accepts tokens based on that standard. The USDC can thus be used as a stable digital dollar to buy items in the crypto ecosystem, from Cryptokitties to tickets for blockchain-based games.
A programmable dollar. For developers and fintech companies, a digital dollar like USDC is easier to program with. For example, given the private keys for USDC, a program can easily send and receive them back and forth using the public Ethereum blockchain.
Today’s launch is made possible by the collaboration between Coinbase and Circle, as co-founders of the new CENTRE Consortium. Both Coinbase and Circle operate with a compliance-first approach and a track record of security. That’s why we believe CENTRE is uniquely positioned to offer USDC to people who want to take advantage of the benefits of stablecoins.
USDC will be coming to Coinbase Pro in the coming weeks, and is already supported on Coinbase Wallet, a user-controlled wallet where people can store ERC20 tokens.
Learn more about USDC and stablecoins in this video.
The UK could compromise its fintech sector with “very blunt instrument” regulation currently under consideration, a new report from several industry entities warns.
‘Ashamedly Geared Around Bitcoin’
As local news outlet the Telegraph reports October 29, the report criticizes plans to award more power to regulator the Financial Conduct Authority (FCA) and says treating all cryptoassets in the same way as Bitcoin was counterproductive.
“Bad regulation is worse than no regulation at all,” the Telegraph quotes it as reading, adding that the extant proposals are “ashamedly geared around Bitcoin.”
Politicians had lobbied for wider FCA jurisdiction in September, six months after the regulator had launched a dedicated “task force” with the remit of formalizing the domestic space.
Far from increasing security and consumer protection, however, one of the report’s authors argues a laissez-faire attitude would be considerably more beneficial for a sector which is only just beginning to mature.
“It is a very blunt instrument approach and I haven’t seen this in other countries,” Patrick Curry, chief executive of the British Business Federation Authority (BBFA) commented about the plans.
The use of this technology is still a voyage of discovery and these technologies are being refined for different types of use. My concern is the law of unintended consequences.
Overreaching?
The government had pledged to make London a home for fintech in the coming years, sounding out concerns that Brexit would make the city an unattractive place for innovative newcomers.
At the same time, the Bank of England has said it is open to the concept of a self-issued national digital currency while also claiming that cryptocurrency poses “reputational risks.”
“Crypto-assets also raise concerns related to misconduct and market integrity,” Deputy Governor Sam Woods wrote in June.
Many appear vulnerable to fraud and manipulation, as well as money-laundering and terrorist financing risks.
What do you think about the UK’s cryptocurrency regulation plans? Let us know in the comments below!
After a quiet start to 2018 and a significant contraction in the middle of the year, there is a considerable increase in Korean won (KRW) cryptocurrency trades. Despite this increase, the “kimchi premium” that existed in 2017 has yet to surface in cryptocurrency exchanges in South Korea.
KRW Cryptocurrency Trading Increases Since the Start of Q4 2018
Since the start of October 2018, the cryptocurrency trading volume in South Korea has spiked. A chart by CryptoCompare shows KRW trading volumes on certain days in October accounting for almost 50 percent of the total market share.
This recent trend is a marked departure from the norm established at the beginning of 2018. For most of the year, KRW cryptocurrency trading volume remained stagnant until the middle of the year when it contracted significantly. From June all the way to September, virtual currency trading volume in the country appeared to shrink.
Image courtesy of Finder.com.au / CryptoCompare.
Exchange Hacks and Stock Market Trouble
This significant shrinkage in KRW cryptocurrency trading volume came after a series of hacks against virtual currency exchanges in the country. In June 2018, both Coinrail and Bithumb suffered cyber-attacks leading to the theft of millions in cryptocurrency.
In response, these platforms suspended deposits and withdrawals, severely limiting trading until they could resolve the issues. With Bithumb being one of the largest exchanges in the country, such a move would have an effect on local trading volume
Some observers believe that one primary reason for the upswing in KRW cryptocurrency trading is the current turbulence in the stock market. Investors are reportedly moving to Bitcoin, which appears a lot more stable than the more traditional assets.
The Situation in South Korea
In mid-2018, the country recognized virtual currency exchanges as legal entities. This move, in many ways, legitimized the burgeoning cryptocurrency economy in the country — seeing as these platforms constitute a significant portion of the digital currency ecosystem.
While the country continues to be a haven for virtual currency commerce and blockchain technology, financial regulators remain resolute on the ICO ban. Earlier in October, Bitcoinist reported on comments made by the FSC chairman to Parliament. According to the FSC chief, the uncertainties surrounding ICOs makes regulating them potentially problematic. The comments from the top financial regulator come despite persistent calls for a reversal of the ICO prohibition.
Do you think an increase in trading volume in South Korea could provide enough liquidity to spark the next significant Bitcoin price rally? Let us know your thoughts in the comment section below.
Images courtesy of Shutterstock, Finder.com.au / CryptoCompare.
An astute Malwarebytes forums user recently noticed that a crypto price tracker application, called CoinTicker, covertly installed backdoors in Mac computers.
A recent blog post from Malwarebytes’ Thomas Reed, Director of Mac & Mobile, explains how a contributor on the Malwarebytes forum going by the name 1vladimir noticed an app called CoinTicker was secretly installing two different backdoors onto computers after download.
Just spent my Sunday afternoon and evening analyzing some new Mac malware and working on a blog post. The life of a security researcher… 😄
According to Reed, the webpage for application to the program heralds itself as “the best crypto-currency ticket for Mac,” since it lets users check out the prices of selected virtual currencies from the Mac menu bar.
A cryptocurrency “ticker” app has been found to be installing not one but two backdoors. Both backdoors are open-source projects: EvilOSX and EggShell. (Thus the name OSX.EvilEgg… 🙂) #macOS#malwarehttps://t.co/DQxvqgWFys
The website displays information about prices for a number of supported cryptocurrencies, including Bitcoin (BTC) 00, Ethereum, and Monero.
Despite the seemingly innocent intentions on the surface, Reed explains how the application is “actually no good in the background,” since it, “downloads and installs components of two different open-source backdoors” upon launch.
Mac users are certainly not a stranger to crypto-related malware. In early July, Bitcoinistreported on a situation in which MacOS users who were chatting about cryptocurrencies on Slack and Discord were being targeted by attacks in an effort to get them to share malicious scripts.
Utilized to Gain Access to Cryptocurrency Wallets?
Reed explains how the backdoor components are called Eggshell and EvilOSX. He posts several screenshots in the blog post to show how the malicious programs embed themselves into a computer.
Lawrence Abrams of Bleeping Computersays the downloaded backdoors are customized versions of EggShell and EvilOSX that were taken from a now-offline GitHub repository.
Going further, Abrams writes how the EggShell and EvilOSX backdoors automatically start once a user logs into the Mac computer.
Reed notes how EggShell and EvilOEX are known as “broad-spectrum” backdoors that are able to be used for a number of different purposes.
He admits to not knowing for certain what the malware’s creator had in mind, but writes “it seems likely” it was being used to try and get access to a person’s digital currency wallet to steal funds.
Was the Application Even Remotely Legitimate?
According to the blog post, Reed first thought the scenario with CoinTicker was an example of a supply chain attack. This is where a “legitimate app’s website is hacked to distribute a malicious version.”
A Malwarebytesblog post from May 2017 details the story behind a supply chain attack on the Transmission torrent app, where it was hacked first to install the KeRanger ransomware, and then again to install the Keydnap backdoor.
However, Reed also muses the CoinTicker application might never have been legitimate from the start.
He points out how the website’s domain for the app, coin-sticker.com, was registered in mid-July and is not even the same name as the actual application.
Overall, Reed made a point about how the malware does not require anything other than “normal user permissions,” citing the scenario as a
Perfect demonstration that malware does not need such privileges to have high potential for danger.
What do you think about the situation with CoinTicker and the backdoor it has installed on Macs? Have you ever used the application? Let us know in the comments!
Images courtesy of CoinTicker, Shutterstock, Twitter (@thomasareed)
Today we’re proud to announce that Coinbase Custody has obtained a license under New York State Banking Law to operate as an independent Qualified Custodian. Coinbase Custody will operate as a Limited Purpose Trust Company chartered by the New York Department of Financial Services (NYDFS).
Coinbase Custody is an institutional-grade service optimized for storing large amounts of cryptocurrency in a highly secure way. For our customers, operating under a New York State Trust Company is more than just a new license — it’s an important piece of regulatory clarity that will allow us to compliantly store more assets and add new features like staking.
Coinbase Custody Trust Company will operate as a standalone, independently-capitalized business to Coinbase Inc. and will be held to the same compliance, security and capital requirements as traditional fiduciary custodial businesses like the DTC. This means customers can trust that the company has met the rigorous banking standards of NYDFS regarding capitalization, anti-money laundering procedures, confidentiality, security and storage. The trust charter also designates Coinbase Custody as a fiduciary under New York State Banking Law.
As crypto continues its maturation as an asset class and more eligible financial institutions and hedge funds enter the space, Coinbase is committed to delivering products and services that are tailored to their unique needs. Coinbase Custody delivers the trusted storage service that our clients require to fully immerse themselves in the potential that crypto assets provide. We look forward to delivering more assets and features over the coming months.
All assets trusted to Coinbase Custody are stored offline and protected by industry-leading security practices and insurance. For more information, visit https://custody.coinbase.com.