Coinbase CSO Philip Martin knows that security isn’t forever

Coinbase CSO Philip Martin shares how he secures one of the largest crypto exchanges in the US.

Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.

Security professionals know the only way to truly secure a computer is to encase it in concrete and dump it in the ocean. But short of that, these professionals do what they can—and that includes Philip Martin, CSO at massive crypto exchange Coinbase, who sees his job as a series of carefully considered risks.

Security practitioners, Martin told IT Brew, are here to help businesses “take calculated, knowing, understood risk in the right areas with the right risk treatment implemented around it.”

Go fast and break nothing. When an organization like Coinbase decides to launch an initiative that contains security risks, Martin said, “your job as a security practitioner is to figure out how we can do it safely.”

Martin added that his team seeks to “go fast and break nothing.” To that end, they look at solutions like automated testing so that if something breaks, they know about it before a new capability or feature is released.

“It’s about going fast, understanding where the risks are in that innovation, and building mitigations for those risks if they’re to materialize,” Martin said.

What’s got you scared? Martin said supply-chain attacks are top of mind for him, especially given the slew of highly publicized incidents in the cryptocurrency space.

Martin said that cybersecurity professionals have to pay a lot of attention and move carefully—especially as projects and libraries often have few “maintainers” and “don’t necessarily have the best operational hygiene on who can be a contributor, who can commit to things.”

While cryptocurrency platforms can be a prime target for attackers, defensive techniques are largely the same as those utilized by other industries.

“The difference for a company like Coinbase is we see some very sophisticated attacks across the board,” Martin said. “We are, I think, one of the larger targets out there today for bad actors. While it doesn’t change the mechanics or the attack or the defense, what changes is the likelihood of it occurring on the one side; on the other side, the seriousness with which Coinbase takes security.”

Scammers and fraudsters and threat actors, oh my! As with any other financial service, Coinbase users face the risk of scammers and fraudsters. To combat this, Martin’s team focuses on educating users to understand the characteristics of a scam.

Coinbase also features a 48-hour pause for transfers detected as potentially fraudulent. The customer is told their transaction is on hold, but can still go through with it by taking a scam quiz, which determines if the user is under duress or on the phone with a scammer.

“We’ve definitely seen cases where that control and others have prevented scams or malicious transfers,” Martin said. “Almost everything we’ve implemented in this regard has had a very high ROI in terms of improving customer safety and outcomes.”

Traceability as a strength. If a scam does occur, and a customer transfers money off of Coinbase, there’s a record of that transaction on the blockchain. Martin shared that Coinbase will work not only with law enforcement but also with other crypto exchanges if there’s a transfer as a result of a crime.

“That means we can, specifically on the threat intelligence side of the house, we can do a lot with tracking that money as it moves through a criminal ecosystem,” Martin said. “Sometimes it means that we are able to recover some of that.”

Martin added that the traceability of crypto is a feature, and one that he feels doesn’t exist in any other monetary instruments—especially as the transactions happen digitally and can be recalled.
