Public Key Podcast

Building Trust and Safety in the Cryptocurrency Threat Landscape: Podcast Ep. 53

Episode 53 of the Public Key podcast is here! With pig butchering and other crypto-related scams plaguing the industry, we have an in-depth conversation with Philip Martin (Chief Security Officer at Coinbase) to talk about what he and his team are doing to protect customers and the industry as a whole. You can listen or subscribe now on Spotify, Apple, or Audible. Keep reading for a full preview of episode 53.

Public Key Episode 53 preview: Using trust and safety to secure crypto customers at Coinbase

Cyber security and combating emerging cyber threats in the crypto industry appear to be a complicated problem, but what if a simple rubber ducky could be the answer to consumer protection in web3?

In this episode, Ian Andrews is joined by trust and safety practitioner Philip Martin (Chief Security Officer at Coinbase), who describes how Coinbase prioritized security in the early days in order to build a strong foundation of consumer protection and how they implement Multi-Party Computation (MPC) in their crypto wallet infrastructure. 

Philip highlights the main cyber security concerns from both a crypto exchange and DeFi perspective and how the industry needs to work with the public sector to combat crypto-related scams like pig butchering.

Quote of the episode

“Pig butchering is an interesting problem. The reason it is interesting is because of the multi-platform problem…If it’s a multiplatform problem, it’s a multiplatform solution, right? So I think the future of working against pig butchering is number one, working with law enforcement that does have the remits to cross platforms in this way, right? They have the ability to open investigations, to subpoena data, to really put the picture together. That’s very, very important here.” – Philip Martin (Chief Security Officer, Coinbase)

Minute-by-minute episode breakdown

  • (2:15) – Philip describes Coinbase’s approach to building a strong security foundation early on.
  • (6:15) – The Coinbase Wallet product and the implementation of Multi-Party Computation (MPC) for added cryptographic security.
  • (9:40) – How to protect customers from pig butchering and other crypto-related scams happening outside of the platform.
  • (16:30) – What is the Rubber Ducky System, and how will it save potential victims from losing their crypto?
  • (19:00) – Understanding the main security concerns with both DeFi and CeFi organizations.
  • (21:05) – What has Philip excited for the future of crypto and web3?

Related resources

Check out more resources provided by Chainalysis that perfectly complement this episode of the Public Key.


Speakers on today’s episode

This website may contain links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.

Our podcasts are for informational purposes only, and are not intended to provide legal, tax, financial, or investment advice. Listeners should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with your use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in any particular podcast and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material. 

Unless stated otherwise, reference to any specific product or entity does not constitute an endorsement or recommendation by Chainalysis. The views expressed by guests are their own and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by Chainalysis employees are those of the employees and do not necessarily reflect the views of the company. 

Prefer to read through the episode? Check out the transcript below. 

Ian:

All right. We’re back live from Links with another episode of Public Key. On this episode, I’m joined by Philip Martin, Coinbase chief security officer. Philip, welcome to the show.

Philip:

Thanks for having me.

Ian:

Chief security officer at Coinbase. That sounds like a gigantic role. What are you actually responsible for?

Philip:

Yeah. I own cybersecurity, physical security, privacy, governance, risk, and compliance for technology, and a couple other little areas, business continuity, disaster recovery, some other stuff like that.

Ian:

I’m imagining a pretty busy guy.

Philip:

Sometimes, but I also have a great team, right?

Ian:

Yeah. Yeah.

Philip:

I, of course, just came from the main stage doing a talk and one of the questions that I was asked there was, “How do you sleep at night?” My answer is, “I sleep like a baby because I have a great team of people who are focused on their areas, who understand the intent, who know how to execute.” My day-to-day, I’m not generally in the trenches tactically solving problems, or if I am they’re pretty significant problems.

Ian:

Yeah.

Philip:

So yeah, it’s a big job, but it’s a big team.

Ian:

I was recently having a conversation with our CEO, Michael Gronager. I’m a relative newcomer to the crypto space, about two years in. He obviously was working on Bitcoin client code back in 2011, and so I will frequently… When something crazy happens in crypto, I’ll go to him and be like, “I need a little perspective, Michael.”

Philip:

Yeah.

Ian:

Last year was sort of the year of DeFi hacks and we saw billions of dollars exfiltrated from the DeFi ecosystem and I’m like, “Wow, this seems like such a threat to…” Michael’s point back to me was like, “Well, there was once upon a time where that was happening to centralized exchanges.”

Philip:

Yeah.

Ian:

I definitely haven’t seen any headlines about Coinbase suffering a cyber attack, so congratulations.

Philip:

Thank you. I appreciate that.

Ian:

But I imagine this didn’t happen overnight. You’ve been there for a while. Talk about kind of the evolution of how you think about cyber defense and protecting all the assets of your customers. How’s that evolved over time?

Philip:

Yeah, it’s a great question. I’ve been at Coinbase… It’ll actually be seven years next week.

Ian:

Congratulations.

Philip:

Thank you.

Ian:

That’s a huge milestone.

Philip:

It’s been great to see both the space and the company itself evolve. The crazy thing to think about, when I joined Coinbase we were Bitcoin only. Essentially a wallet with an exchange. That’s it. That was the entirety of the company. It was a hundred people. The great thing about it, though, is that starting from that foundation, even when I joined, when I talked to Brian, our CEO, he would tell stories about the very early days of Coinbase when it was him and a few other people and seeing the attacks come into the site in realtime. Really that experience left him with a deep appreciation for the security of the platform, right?

Ian:

Yeah.

Philip:

He has-

Ian:

Couldn’t ask for more as a chief security officer than a CEO who understands-

Philip:

Yeah. Exactly, viscerally understands and has that feeling of the responsibility to protect what our customers have given us. That really makes my job much easier. I say a lot that most of my peers, most CISOs or CSOs out there, have the conversation “why security” a lot. It’s an important conversation to have. I almost never have to have that conversation. The question is not why security, it’s how security. How, that’s an important conversation too. What are the trade-offs or how do we balance equities?

But no one’s questioning the why we should invest in this thing. Really what that means is that the compounding interest on those investments over the last seven years, really 10 years since the company was founded, really, really pays off when you make the right decisions early. It’s like when you bolt on security to an existing product, it’s sort of like you want to build a safe so you buy a really great safe door and install it. But then right over here, there’s just a drywall wall that if you get a good running start, you could probably run through, right?

Ian:

Yeah. Yeah.

Philip:

That’s what bolted on security looks and feels like instead of doing it right from the beginning, from the foundation up, from pouring the concrete walls to the right kind of rebar, the whole thing. That’s what we’ve been able to do at Coinbase from the very, very beginning, is take the right approach to having an architecture that lends itself to being defended and to do that with the very real specter of attacks in the space. Even if we wanted to forget about security, which we don’t, we would be daily reminded that security breaches happen around the world on a regular basis and we need to be mindful lest we become part of that list.

Ian:

Well, and the product hasn’t stood still.

Philip:

No.

Ian:

This is like… You talk about this idea of, “Oh, we started out with a concrete bunker with rebar reinforced walls.” But you’ve added on to the house a couple times.

Philip:

We have.

Ian:

I think about the Coinbase Wallet, the latest generation. It’s a pretty incredible implementation in terms of this multi-party computation for ease of use, I think, for the end user, but a layer of security that it doesn’t trivialize the asset protection piece.

Philip:

Yeah.

Ian:

Talk a little bit about how that came about. How did your organization think about that new feature deployment? Because that’s a big open attack surface area, I would have to imagine. It extends outside of your bunker.

Philip:

Yeah. Sure. Maybe to just beat the bunker analogy to death a little bit here, the trick to expanding that product bunker is not that you build the bunker and then you build the house on top. It’s that you build the bunker and then you build the tools to build the bunker so future bunker expansion is easy.

Ian:

Yeah.

Philip:

You build the preformed wall slabs, you invest in the rebar tying tools, you build your capability to execute within that same construct. That’s what Coinbase has done. The MPC is a great example, right?

Ian:

Yeah.

Philip:

Where back in I’m going to call it 2018 we had just shipped a major update to our cold storage engine in the background, which is the same thing that powers Coinbase Custody. We were very happy about that, but when we get happy about something we want to ask what’s next, right?

Ian:

Yeah.

Philip:

So we asked, “What’s next? What is the next evolution of private key storage in the space?” We were looking around and we started reading about multi-party computation, which at the time was… It was out there but it wasn’t really far out there. It wasn’t nearly as common as it is today.

Ian:

It was more in academic white papers.

Philip:

It was academic white papers. I’ll tell you the moment we actually started looking into it seriously is I was at a conference called Real World Crypto, which just happened this year in Tokyo. I didn’t get to go unfortunately. I saw a talk on multi-party computation and started thinking about its implications in our context, in the context of private key management. It became very clear that this was a very new technology but something we needed to learn a lot about. This goes back to building the tools to build the bunker.

We went on probably an 18-month odyssey within security trying to figure out, “Okay, this seems interesting but let’s learn more about it. What are its applications? What are its downsides? What are the problems? What are the gotchas? What are the issues?” Fast-forward a few years from there, I think it was 2020, we acquired Unbound, a company in Israel specializing in multi-party computation technology, and really accelerated the multi-party computation efforts as a product within Coinbase into the dapp wallet, which is the first place we rolled it out in a public-facing sense. I think you’re going to see multi-party computation in more places, both behind the scenes and in those user-facing roles because, exactly what you said, it is a technology that can be used to simplify the problem for consumers.

Ian:

Yeah. Yeah. It’s awesome to see that. One of the things that I… You touched on consumers. I think one of the biggest challenges right now in crypto is the amount of kind of scam and phishing activity that is happening across the ecosystem. In my own personal experience, I look at my Twitter timeline and I get tagged in 50 a day, tweets, fake AirDrop, and they’re trying to use me with a few thousand followers to promote their thing. They’re not very good at Twitter, I guess, why they’re tagging me in these things, but-

Philip:

It’s a numbers game, man. It’s a numbers game.

Ian:

Yeah, I guess so. I guess so, but even that low level of not sophisticated scam activity seems to be pervasive.

Philip:

Mm-hmm.

Ian:

So Coinbase, again, not getting hacked directly, but I would imagine Coinbase consumers off platform are constantly being targeted. How do you think about that as CSO? Are you extending all the way out to the customer perimeter? Because that I think implies a lot of infrastructure you can’t control or design-

Philip:

Yeah. Yes, absolutely.

Ian:

… or select, right? It’s like it’s the Wild West of my iPhone environment.

Philip:

Yeah. Yes, we have a team within security called Trust and Safety that is sort of what it says on the box, is focused on that consumer trust and safety bit. I think there’s a bunch to unpack in what you’re saying. Well, I’ll just pick on a few things in particular. One is we… Scams come and go, right?

Ian:

Yeah.

Philip:

Scammers are highly innovative. They have been for thousands of years since value was transferred among humans, I’m going to guess. The first chicken changed hands and then a scammer showed up is… I’m going to guess that was about the sequence of events, right?

Ian:

Yeah. Yeah.

Philip:

They’ve shown to be durably innovative over the years, over the centuries. So the individual scams, they come and go, but the… What we are really focused on is how do we make consumers more resistant to scams writ large? We have to… Of course we have to engage with the scam of the day, which today is, of course, pig butchering, but it’s more about how do we give consumers… Not just Coinbase consumers, really consumers writ large, the skills and abilities to exist safely in this online world, this online… The key element of this online world is velocity.

Ian:

Yeah.

Philip:

Things happen fast on the internet, so how do we give people the skills and abilities… Coming at this a different way, we all learned growing up when we go on vacation, put your lights on a timer, stop the newspaper delivery. We all learned don’t walk down dark alleys. We learned don’t count your money in public. We learned all these skills to be safe in the physical world. No one at my kitchen table, I’m going to bet your kitchen table too, told me about password safety, about two-factor authentication use, about scam resistance online. We just didn’t learn these things.

Ian:

Yeah. I have three young kids and I’m trying to explain those concepts to them.

Philip:

Good. Good, good.

Ian:

It’s not landing.

Philip:

You know what? Well, neither did the physical stuff the first times you heard it, right?

Ian:

That’s true.

Philip:

It’s a repetition game.

Ian:

Yeah. Yeah, yeah.

Philip:

You’re doing the right thing. I hope people are doing more and more of this, is giving people those skills and abilities. But the reality is right now what we have is a whole ecosystem of internet users who just have not learned the same skill sets that, as users of crypto, you and I take a little bit for granted now because we’ve learned it through hard experience, either ours or those we’ve seen. My mission, then, on the trust and safety side is how do we help those people build those skills so that they can be safe consumers of not just cryptocurrency, but an increasingly online world? Because without them, people are going to fall prey to scams that move like that on the internet.

Ian:

Yeah. You mentioned pig butchering.

Philip:

Yeah.

Ian:

We’ve had a couple guests on to talk on that topic in the past. We had Alastair McCready, who’s the editor for Southeast Asia for VICE News, and he’s done some incredible investigative reporting into the industrial scale operation behind these scams. More recently, we had two district attorneys, Alona Katz from Manhattan and Erin West from Santa Clara County, who are on the front lines with victims and doing some amazing work to try and help people recover funds and shut some of this down. When you think about pig butchering in the context of all the threats that you’re dealing with, where does that sit today? And how are you trying to tackle that?

Philip:

Yeah. Pig butchering is an interesting problem. The reason it is interesting is because it’s a multi-platform problem.

Ian:

Okay. Tell me more about that.

Philip:

What does Coinbase see when a pig butchering scam occurs? Well, we see the very end of it. We see a person sign up or log in to their account and move money.

Ian:

Yeah.

Philip:

Now, maybe that money is going to a scam address that we can tag and we can stop the transaction, but maybe it’s going to a brand new address that we’ve never seen before. That looks like everyone else doing their day-to-day thing. That’s very-

Ian:

Yeah. There’s nothing anomalous in that transaction.

Philip:

Because we see the very end slice of it. Now, if you go to the very beginning, what does Match.com see or Tinder or where all these initial interactions are happening? Well, they see two people matching and taking a conversation to a third platform, a WhatsApp or Telegram or whatever. There’s nothing necessarily suspicious about that.

Ian:

Yeah. Very normal behavior there too.

Philip:

Right?

Ian:

Yeah.

Philip:

Then in the middle, what do we see? Well, WhatsApp doesn’t see anything, but maybe they see a certain phone number is associated with a pig butchering scam that’s reported by somebody. Okay, they can play whack-a-mole with those, but that’s not going to get you very far very fast. So each piece of the puzzle in isolation is very difficult for any of these platforms to action because the activity looks relatively normal. It’s only when you start stitching it together that you get the picture of the scam. I think that’s what makes this particularly difficult for any one platform to solve, is that none of us are seeing, or that none of us that can see it, WhatsApp can’t or Signal or Telegram or whatever.

Ian:

Yeah.

Philip:

None of us that can see it are seeing enough of it to durably say pig butchering-

Ian:

Right.

Philip:

… consistently every single time. If it’s a multi-platform problem, it’s a multi-platform solution. Really, I think the future of working against pig butchering is, number one, working with law enforcement that does have the remit to cross platforms in this way. They have the ability to open investigations, to subpoena data, to really put the picture together. That’s very, very important here, but also to make sure that each platform is thinking hard about how, “Okay, great, we don’t have the full picture, but what can we see? What indications can we come up with? Are there certain ways that the transactions work or certain behavioral differences that we can tease out here that we can even make the problem 1% better?” I think that’s an important piece here.

Ian:

It seems like such an important problem to solve. I mean, the scale… It’s hard to get a really great estimate on the scale of these operations, but because, like you said, it’s this multi-platform problem, you’re not seeing all the funds flow consistently through one set of addresses. But a number of people have suggested to me this is sort of billions of dollars a year that is flowing out of victims’ wallets into Myanmar, Laos, Cambodia, which is a staggering amount of money.

Philip:

No. And look, the specific details of pig butchering are almost immaterial because pig butchering is just a confidence scam. It’s a specific implementation of a confidence scam.

Ian:

Right. That’s right.

Philip:

Even if we shut it down, there’ll be another confidence scam that shows up later. The thing we have to fix, in addition to investing in how do we warn people, how do we spot the signs, how do we make it harder, how do we fix the geopolitics of it… There’s a bunch of stuff to fix, but if we fix all that, all we’re doing is telling the attackers, “Okay, that scam’s done. Next one.” The ultimate fix here is educating consumers.

Ian:

Yeah.

Philip:

I said something on the main stage. I’m going to repeat it here because it’s the most useful suggestion I have to get to an educated consumer, and it is this. Sometimes you’re talking to somebody, maybe it’s parents, maybe it’s friends, whatever, and you want to tell them how to be careful, how to not get scammed. You’re going to give them a bunch of specific advice. Maybe they’re listening, maybe they’re not, maybe they’re paying attention, maybe they don’t care, or maybe the scammer is going to overcome those objections. That’s all fine. What you need to give them, though, is you need to give them a rubber ducky. This is what you should do. Give them a rubber ducky. Tell them, “When you’re about to make a financial decision, what I want you to do is take the rubber ducky, put it on your desk, stare that rubber ducky straight in the eyes and explain what you’re about to do out loud to that rubber ducky.”

Ian:

Oh, I love this.

Philip:

If you feel like that rubber ducky is judging you, the thing you’re about to do is probably not what you should be doing and you need to call somebody and talk it through.

Ian:

That’s incredible. I love this advice. I’m getting all my family members rubber duckies for their financial decisions.

Philip:

This comes from this concept in computer science called rubber ducky debugging, which is very similar. You’re solving a problem, it’s just not working and you’re like… Because you’re so involved in it. What the rubber ducky does is it takes you out of the problem a little bit and you have to think about what you’re doing. You’re out of the urgency, which is what scammers create. You’re out of the urgency, you explain the problem and then frequently that gives you the perspective to see the thing for what it is, which is really what we want to do. We want the potential victim to take a step back, see the situation for what it is, “Oh, someone that randomly messaged me out of the blue is asking that I send this money to this place to do this thing I’ve never heard about. That doesn’t sound right.” Right?

Ian:

Yeah. Yeah.

Philip:

That’s the best suggestion I have.

Ian:

That’s amazing. You mentioned… You called it Coinbase Wallet earlier, the dapp wallet.

Philip:

There’s two different products, just to be clear.

Ian:

Oh. Yeah, yeah.

Philip:

The Coinbase Wallet is different. It is literally the Coinbase Wallet; you download that as a separate app.

Ian:

Yeah.

Philip:

Dapp wallet is actually part of the Coinbase retail app.

Ian:

Got it.

Philip:

Dapp wallet uses MPC behind the scenes to deliver part of the service for you, specifically with interfacing with apps.

Ian:

Thank you for clarifying. Where I was going with this was you’re obviously recognizing the interest of your customers to move crypto from within the Coinbase Custody infrastructure off to DeFi protocols. DeFi has been one of the biggest growing areas of crypto, certainly in finance overall over the last couple years. I have to imagine as a security professional that terrifies you a little bit, like DeFi feels like the Wild West in terms of the hacks that occur and smart contract vulnerabilities, infrastructure risks, particularly when you start thinking about bridging assets across ecosystems. Any advice for consumers who are going down that path in terms of how they’re approaching that? So less the confidence scam, but more the like, “How do I know this lending, borrowing protocol or this DEX that I’m going to go use is actually safe before I connect my wallet and transmit some funds?”

Philip:

That’s a great question and is unfortunately also an unanswerable question.

Ian:

Yeah.

Philip:

Because I don’t, without doing a lot of work upfront, without actually going and looking at the code and spending a considerable amount of time understanding the interactions and the various pieces and then keeping up with that after the fact and future updates. I don’t expect anyone to understand that, but here’s the interesting thing. This question I think hits a little bit different post sort of SVB and Signature, but couldn’t you ask the same question about a bank?

Ian:

Totally. Absolutely.

Philip:

But the reality is we don’t ask the questions to banks, so why not? Well, maybe the answer is we should more, but the reason we don’t is because there’s this history. There’s a history of regulators building regulations, of banks complying with them, and then banks that operate not losing consumer funds or when at risk being backstopped by FDIC. So we don’t ask the question about like, “Okay, how is this bank investing? What is their held-to-maturity versus available-for-sale? What does the mix look like, et cetera, et cetera?” I think the reason we ask this about DeFi and not about a bank is, number one, there are more risks in DeFi today, but I think we are moving toward a world of more standards where we can put faith in standards and the application of those standards.

That’s how we’re truly going to get consumers to a place where they can make reasonable choices about where their funds should go, not very tactically. You’re a consumer, you have a choice between three different loan DeFi protocols and you want to use one of them. Which one do you use? Well, I think what I would do if it’s me wanting to do this is I would look at some of the basic signs I would look at for any business. I would look at, “Well, what’s their history been like? How long have they been around? How much money has moved through it historically? Is it… If it was going to be a rug pull, would they have already pulled? What do I know about the founding team? Are they anonymous? Are they not anonymous? Are they in a high rule of law country so they have consequences if they do something wrong?” The same sort of stuff I might do for any business I would do for a DeFi protocol if we’re being very tactical.

Ian:

Yeah. Yeah. No, I think that’s great advice. You can reputationally vet, not… Don’t just leap into the thing that your friend told you about and claimed he made a ton of money on.

Philip:

Or if you do so… Look, I’m a security guy so I’m going to come with… I have a particular view on the world, but my view on the world is it’s all risk. Not in a bad way. Not like everything is risky. It’s all risk, right?

Ian:

Yeah.

Philip:

So how much risk can you afford to take with that thing that your friend told you about? Yeah, sure, five, 10, 50 bucks in there? Sure, no problem. That’s not going to hurt much if I lose it. 5000, 50,000, 500,000?

Ian:

I’m going to be very sad.

Philip:

I’m going to be very sad. My diligence level should approach my sadness level.

Ian:

Yeah.

Philip:

Potential sadness, potential diligence, that should be on the same proximate level.

Ian:

Yeah. Yeah. That’s amazing. Let’s end on a high note. As you look forward in the future as far as you can see into the crypto crystal ball, what gets you really excited rather than what are you worried about? I’m sure you get the worried about question from everybody as a security guy, but what are you excited about?

Philip:

Totally. I’m excited about the fact that I have no idea what’s coming. Go back to early days of the internet where it was… The critique at the time was like, “This is just a catalog but on a computer, so what am I… Why would I do this?” They were right. That’s what it was. I in high school ran a small business building websites, and I will tell you I built catalogs on the internet. It was boring. It ain’t boring now.

Ian:

Yeah.

Philip:

Right. Could I… High schooler Philip back in the day, but could I have predicted where… No, of course not. Not even a little bit. I’m sure there are very smart people who could have and probably did do so at the time. I don’t know what’s coming in cryptocurrency and blockchain over the next call it five, 10 years, but I’m excited for what it’s going to be.

Ian:

Yeah. Well, that’s a great place to end. Philip, thanks so much for joining us.

Philip:

Thank you.

Ian:

Yeah.