MatTheCat (OP)
July 21, 2016, 07:36:27 AM Last edit: July 31, 2016, 02:17:20 PM by MatTheCat

I just got my account emptied on Kraken the other day. As users of Kraken will know, with the default security settings, when you make a withdrawal, you get this Email:

Hi, A withdrawal request has been made for the withdrawal address named b. If you requested this action, great, it was successful. Thanks for choosing Kraken Bitcoin Exchange The Kraken Team Note: if you didn't request this action, your account may be compromised and you should do the following: 1) log into https://www.kraken.com immediately and go to Account > Funding > Withdraw - you may be able to cancel the withdraw if you catch it soon enough. 2) change your password; 3) create a new set of two-factor authentications; 4) create a support ticket letting our support staff know about the incident: https://support.kraken.com. The IP recorded for this action was 5.185.87.61.

So basically, Kraken, who are in the business of handling Joe Public's money, and therefore must also be in the online security business, have a default security procedure of not asking Joe for Email verification to confirm a withdrawal request, but simply telling him that a withdrawal attempt has been made, and that he has perhaps 45 seconds to cancel it before it is processed!?

Needless to say, I contacted Kraken support immediately about this, and here is the Email correspondence so far (basically, 'FU pal, you are bumped'):

From: Joseph (Kraken Support) <support@kraken.com>
Sent: 20 July 2016 23:35
To: Kraken User
Subject: [Kraken Support] Re: My Kraken account has just been robbed.

Joseph (Kraken Support) Jul 20, 15:34 PDT
Hi, I'm sorry for your loss. Rather than email confirmations for withdrawals, we have a global settings lock feature that prevents attackers from adding new withdrawal addresses even after they have access to your account (and presumably also your email), and you can be alerted when an add is attempted. You didn't enable this security feature on your account. I need to confirm your identity to get you access (at least to withdraw) with the account again. I'll look to write again in a few days about this. Let me know if there are any questions you have. I'm happy to answer them. Again, I'm sorry for what's happened. Joseph, Kraken Client Engagement
We are currently working on your request (number 122464). You can give us more information by replying to this e-mail or visiting the support page at https://support.kraken.com/hc/requests/122464.

To which I replied:

From: Matthew ******* <m*************y@hotmail.com>
Sent: 21 July 2016 08:22
To: Kraken Support
Subject: Re: [Kraken Support] Re: My Kraken account has just been robbed.

So, you have Email verification security features that I, Joe Public, didn't enable? I would suggest that it is Kraken, who, due to dealing in online finance, are in the online security business, not Joe Public. Kraken is basically the only crypto exchange that doesn't at least operate Email verification as default for withdrawals, one of their customers gets robbed and you turn around and basically say 'Sorry pal, but it's your loss, you never enabled some security feature hidden down the bottom of some sub menu'? I mean seriously, an Email message stating something along the lines of "You have just made a withdrawal....if it really was you, then great, it was successful, if it wasn't then you have perhaps a few dozen seconds to cancel it"? I am not sure which jurisdiction Kraken is based in, but regulated exchange or not, I am sure that Kraken has a Duty of Care to exercise more caution than this, since they are in the business of handling other people's money. It isn't like this is the first incident of this. And since this same thing has happened many times before with Kraken (I googled it), why aren't Kraken insisting on basic Email verification, just as every other crypto exchange under the sun does, as a bare minimum?

And what about all the spraff you have on your website about getting me to provide as much information as possible, in order that you can identify the theft? You haven't asked me for any of that. Instead, you have asked me to prove my identification in order to withdraw the remaining few Euros in my account? On your website, you state that perhaps the thieves may have obtained my password from other 'compromised' crypto sites. Perhaps that compromised crypto site is Kraken itself? Somewhere on your servers is a copy of my Kraken password. One theory I have is that the thieves are operating within Kraken itself. If hackers could compromise an exchange, thus gaining access to customers' details (including passwords), then 'trusted' members of staff could also access this same information, and using the security loophole which for some reason Kraken leaves open, whereby the onus is on the customer to activate Email verification, customers' funds can then be stolen? None of my other accounts have been compromised. Only Kraken. That tells me that the first place to start looking for the rat would be with Kraken itself.

As I stated in my response to Kraken, none of my other accounts have been compromised (ever). Only Kraken, which makes me think that the rat is to be found under the floorboards of Kraken itself.

clardalan
July 21, 2016, 01:21:31 PM

My Kraken account got emptied 36 hours ago. Lost about 12k Euro of BTC. I am now in discussion with them on this, similar status. Who and how did they compromise my account? I do not know. I did not have the SMS verification set up - my mistake. But the IP that withdrew funds is on the other side of the world (somewhere in Canada/US?) And definitely I was not warned of the transaction prior to it. Only got an email after the funds were sent...

redsn0w
July 21, 2016, 02:44:29 PM

Quote from MatTheCat:
I just got my account emptied on Kraken the other day. As users of Kraken will know, with the default security settings, when you make a withdrawal, you get this Email: ....

So didn't you have the 2FA enabled (with the Google Authenticator app)? I think it's better safe than sorry? Especially here in this 'world', the cryptocurrency world, that is not really regulated at all.

Quote from clardalan:
My Kraken account got emptied 36 hours ago. Lost about 12k Euro of BTC. I am now in discussion with them on this, similar status. Who and how did they compromise my account? I do not know. I did not have the SMS verification set up - my mistake. But the IP that withdrew funds is on the other side of the world (somewhere in Canada/US?) And definitely I was not warned of the transaction prior to it. Only got an email after the funds were sent...

I don't suggest you use the 2FA with SMS (which I don't think exists on Kraken) because your mobile SIM can be compromised. I know I'm paranoid, but as I said before, 'better safe than sorry', and your text messages can be intercepted. I would suggest rather to use the Google Authenticator app, much safer than the SMS verification. About the Canada/US IP, it is most probable that the attacker used a sort of VPN or proxy to hide his original IP address.

NeuroticFish
July 21, 2016, 02:53:30 PM

They gave you the tools (SMS, 2FA) and you didn't use them to protect 12k$ worth of BTC. If this would have been pennies, I would have understood. But on this amount... you almost asked for it. Sorry for your loss, it's an extremely expensive lesson about securing your money....

MatTheCat (OP)
July 21, 2016, 04:30:34 PM

Quote from clardalan:
My Kraken account got emptied 36 hours ago. Lost about 12k Euro of BTC. I am now in discussion with them on this, similar status. Who and how did they compromise my account? I do not know. I did not have the SMS verification set up - my mistake. But the IP that withdrew funds is on the other side of the world (somewhere in Canada/US?) And definitely I was not warned of the transaction prior to it. Only got an email after the funds were sent...

So within the same timeframe as I was robbed, which suggests to me that Kraken has been compromised...and most likely, from within. Sure, they can say that they have given us the tools to make our accounts more secure, and point out that we haven't made use of them, but what I would say to that is that customer security is primarily their business, and their responsibility before it is Joe Public's. Even if all they did was straightforward email confirmation before sending any funds, like what practically every other exchange does, then neither your funds nor my funds would have been stolen. It seems to me that Kraken's default settings are designed to facilitate theft, only for them to be in the position to turn around and say 'but you never used advanced security options so fuck you'. Like everything else in crypto land....dodgy as fuck, and I have zero faith that it isn't Kraken staff themselves who are executing these thefts on 'n00bs' who have not made use of more advanced security features.

Newcoins2020
July 21, 2016, 05:36:48 PM

Quote from NeuroticFish:
They gave you the tools (SMS, 2FA) and you didn't use them to protect 12k$ worth of BTC. If this would have been pennies, I would have understood. But on this amount... you almost asked for it. Sorry for your loss, it's an extremely expensive lesson about securing your money....

In OP's defense: I did enable 2FA on my account and for some reason you get locked out so quickly, which is why I had to disable it, then withdraw and then enable it again. Very complicated, and this was advised by a Kraken employee...

NeuroticFish
July 21, 2016, 07:14:28 PM

Quote from NeuroticFish:
They gave you the tools (SMS, 2FA) and you didn't use them to protect 12k$ worth of BTC. If this would have been pennies, I would have understood. But on this amount... you almost asked for it. Sorry for your loss, it's an extremely expensive lesson about securing your money....

Quote from Newcoins2020:
In OP's defense: I did enable 2FA on my account and for some reason you get locked out so quickly, which is why I had to disable it, then withdraw and then enable it again. Very complicated, and this was advised by a Kraken employee...

Woah, complicated and strange too. First guess would be that your or Kraken's time was not correctly synced with Google's for the 2FA. But if that would happen to me, I'd try to move to another exchange/wallet.

redsn0w
July 21, 2016, 07:52:43 PM

Quote from NeuroticFish:
They gave you the tools (SMS, 2FA) and you didn't use them to protect 12k$ worth of BTC. If this would have been pennies, I would have understood. But on this amount... you almost asked for it. Sorry for your loss, it's an extremely expensive lesson about securing your money....

Quote from Newcoins2020:
In OP's defense: I did enable 2FA on my account and for some reason you get locked out so quickly, which is why I had to disable it, then withdraw and then enable it again. Very complicated, and this was advised by a Kraken employee...

Quote from NeuroticFish:
Woah, complicated and strange too. First guess would be that your or Kraken's time was not correctly synced with Google's for the 2FA. But if that would happen to me, I'd try to move to another exchange/wallet.

People should start to realize that an exchange isn't the right place to keep bitcoin or FIAT money; an exchange should be used only to 'change' your bitcoin for fiat or vice versa (or also altcoin). Mt.Gox docet....

NeuroticFish
July 21, 2016, 08:55:00 PM

Quote from NeuroticFish:
They gave you the tools (SMS, 2FA) and you didn't use them to protect 12k$ worth of BTC. If this would have been pennies, I would have understood. But on this amount... you almost asked for it. Sorry for your loss, it's an extremely expensive lesson about securing your money....

Quote from Newcoins2020:
In OP's defense: I did enable 2FA on my account and for some reason you get locked out so quickly, which is why I had to disable it, then withdraw and then enable it again. Very complicated, and this was advised by a Kraken employee...

Quote from NeuroticFish:
Woah, complicated and strange too. First guess would be that your or Kraken's time was not correctly synced with Google's for the 2FA. But if that would happen to me, I'd try to move to another exchange/wallet.

Quote from redsn0w:
People should start to realize that an exchange isn't the right place to keep bitcoin or FIAT money; an exchange should be used only to 'change' your bitcoin for fiat or vice versa (or also altcoin). Mt.Gox docet....

Own wallet and cold storage are very good places to store value. And I agree that value should not be kept on online wallets or exchanges. But I think that the richer ones, beside the money they have in cold storage, keep big amounts on exchanges or at hand to be able to speculate and earn big. Or just play on the exchange very often. And there are the ones not very good at computers who find online wallets just fine: they're less often hacked than ordinary computers, they are always at hand and some have very good reputation. And people forget easily ...

MatTheCat (OP)
July 26, 2016, 02:04:48 PM

The latest pish from Kraken on my complaint:

Joseph (Kraken Support) Jul 22, 08:34 PDT
Hi,
I'm sorry for your loss. I've had bitcoin lost in services that disappeared or claimed they got hacked. It's terrible.
Yes, we could do more to protect our users' accounts from their own credentials being compromised. This is being discussed internally, though I suppose it doesn't help you now.
I don't think the origin of the theft is internal because no accounts with login 2FA enabled were compromised, and the thefts could have theoretically been much larger if an attacker had access to Kraken's database including 2FA secrets.
Can you confirm that you've been able to log in and change your password already?
Joseph, Kraken Client Engagement

In my previous correspondence with this weasel-faced bag of shit, I stated that I believed that the most likely source of the 'hackers' would be within Kraken itself. There is another report within this thread of someone who was also just using the default Kraken security settings and lost a much larger amount than I did within the same time period. And note also what I have highlighted in red. 'The thefts' suggests that many Kraken users who didn't have 2FA enabled were also hit, which to me suggests again that it isn't so much individual computers that have been hacked and had passwords logged, but Kraken that has been compromised, either from within or from outside. Notice how this cunt continues to highlight the fact that I have been fucked and my loss has nothing to do with Kraken.....of course, I don't expect at all to get my money back here, but I will press this as far as it is feasible for me to do so....'Duty of Care' springs to mind. Handling large amounts of the public's money yet not even implementing a level of security as basic as that which even most internet discussion forums implement seems to me to be 'negligent', to say the least......or deliberately structured to facilitate theft with plausible deniability, at worst.

MatTheCat (OP)
July 26, 2016, 11:08:11 PM

My reply to the above.........next step will be to file a complaint with the financial ombudsman. Obviously I don't expect to see any light at the end of this tunnel, but this exchange needs to have complaints piling up in various jurisdictions imo.

Matthew ********* | Today 00:06 | To: Kraken Support (support@kraken.com)

Hello. You may say that you don't think the origin of the theft is internal because no accounts with 2FA enabled were compromised, but I say that if my PC was compromised, then surely more than just my Kraken account would have been compromised? But the fact is, only my Kraken account has been compromised, and you have just admitted that other accounts (without 2FA enabled) were compromised, and I indeed know from correspondence I have had on social media that other Kraken accounts were compromised within the same time frame as my account was emptied, and that lots of Kraken customer money was 'stolen'. Sorry, but everything seems to be pointing towards the rats scurrying around at Kraken's end, not at your customers' end. At this point, I am not entirely clear on the jurisdiction under which Kraken operates, but I would dare say that as soon as an online business starts receiving customer funds, they have a duty of care to protect those funds, and that Kraken in this case have been negligent at best, or fraudulent at worst. Even if I really was stupid enough to download some spyware that logged my Kraken password, had Kraken even so much as implemented an Email verification system, as does every other crypto exchange on the internet, then the thieves who I believe are operating at Kraken's end would not have been able to empty my Kraken account, because they wouldn't have the password to my registered Email account. With all this in mind, I would like to know when I can expect Kraken to refund the funds (in Euros) that were removed from the account without my permission. Matthew.

adamstgBit
July 27, 2016, 05:14:24 PM

Quote from redsn0w:
People should start to realize that an exchange isn't the right place to keep bitcoin or FIAT money; an exchange should be used only to 'change' your bitcoin for fiat or vice versa (or also altcoin). Mt.Gox docet....

Sure, but exchanges should also realize that they aren't e-wallets. Allowing unprotected accounts to withdraw BTC to any address without email confirmation is probably a practice ALL exchanges should review... It's hard to place blame on Kraken, it's a gr8 exchange and they have lots of neat features like that "account lock down" feature Mat should have used, but I think there is still some room for improvement. It pains me to hear these stories every once in a while.

NeuroticFish
July 27, 2016, 05:31:11 PM

Quote from MatTheCat:
My reply to the above.........next step will be to file a complaint with the financial ombudsman. Obviously I don't expect to see any light at the end of this tunnel, but this exchange needs to have complaints piling up in various jurisdictions imo.

Even if Kraken has a thief inside, it will be hard to find and prove. And until that happens (if ever), they will clearly deny everything and blame it on you. And they do have a point: their DB should also contain the 2FA seeds, and then the thief could have emptied all the accounts. But this is unusual: a not too greedy and pretty smart thief, the blame can go on you for not protecting the account and it can look like you were actually hacked locally. I said at the start too that it's your fault, remember? Yes, you have a point too: too big of a coincidence that others got "hacked" in the same way at the same time. The actual big problem is that Kraken should take you seriously and investigate more on this. But until proven otherwise, both parties are "innocent". Edit: spelling

MatTheCat (OP)
July 27, 2016, 06:07:51 PM

Quote from MatTheCat:
My reply to the above.........next step will be to file a complaint with the financial ombudsman. Obviously I don't expect to see any light at the end of this tunnel, but this exchange needs to have complaints piling up in various jurisdictions imo.

Quote from NeuroticFish:
Even if Kraken has a thief inside, it will be hard to find and prove. And until that happens (if ever), they will clearly deny everything and blame it on you. And they do have a point: their DB should also contain the 2FA seeds, and then the thief could have emptied all the accounts. But this is unusual: a not too greedy and pretty smart thief, the blame can go on you for not protecting the account and it can look like you were actually hacked locally. I said at the start too that it's your fault, remember? Yes, you have a point too: too big of a coincidence that others got "hacked" in the same way at the same time. The actual big problem is that Kraken should take you seriously and investigate more on this. But until proven otherwise, both parties are "innocent". Edit: spelling

M8, lots of Kraken accounts were emptied on the 20th July 2016 (https://cointelegraph.com/news/enable-2fa-kraken-accounts-compromised-funds-stolen), some are even claiming that they had 2FA enabled, only for the hackers to disable it with the account password and then empty the account. As I have already stated many times, had Kraken done what Finex, or Stamp, or even BTC-E do, and sent me an Email asking me to confirm my transaction, then there would be no problem, cos the hacker(s) didn't have access to my Email account, mostly cos the 'hacker' is more likely than not operating at Kraken's end, as opposed to having infiltrated my PC and having access to all my passwords and login details. I am not a tech expert, but accounts on one exchange, that operates a default security policy of no secondary confirmation for extractions, all hit on the same day, tells me that the problem is within Kraken itself........and this has happened before (2014 I think), and they still never learned. Willful negligence at best, intentional fraud at worst......if things are going so well at Kraken, selectively robbing their own customers and then blaming the customers for it would be one way to pay the bills.

That is the only logical explanation I can think of for Kraken having not already implemented Email confirmation for all withdrawals at the very least.

NeuroticFish
July 27, 2016, 06:13:44 PM

Quote from NeuroticFish:
Even if Kraken has a thief inside, it will be hard to find and prove. And until that happens (if ever), they will clearly deny everything and blame it on you. And they do have a point: their DB should also contain the 2FA seeds, and then the thief could have emptied all the accounts. But this is unusual: a not too greedy and pretty smart thief, the blame can go on you for not protecting the account and it can look like you were actually hacked locally. I said at the start too that it's your fault, remember? Yes, you have a point too: too big of a coincidence that others got "hacked" in the same way at the same time. The actual big problem is that Kraken should take you seriously and investigate more on this. But until proven otherwise, both parties are "innocent". Edit: spelling

Quote from MatTheCat:
M8, lots of Kraken accounts were emptied on the 20th July 2016 (https://cointelegraph.com/news/enable-2fa-kraken-accounts-compromised-funds-stolen), some are even claiming that they had 2FA enabled, only for the hackers to disable it. As I have already stated many times, had Kraken done what Finex, or Stamp, or even BTC-E do, and sent me an Email asking me to confirm my transaction, then there would be no problem, cos the hacker(s) didn't have access to my Email account, mostly cos the 'hacker' is more likely than not operating at Kraken's end. I am not a tech expert, but accounts on one exchange, that operates a default security policy of no secondary confirmation for extractions, all hit on the one day, tells me that the problem is within Kraken itself.

Oh, it looks like I didn't know the whole story. Apologies. If also 2FA accounts were emptied then it's a clear matter and you have all the ways to sue them for stealing from you. And FYI, if it's an inside job, the secondary confirmation can be bypassed too with some (php) skills. But it's harder than only getting the DB.

ThorvaldAagaard
July 28, 2016, 12:05:16 AM

In my case the robber logged in and changed the 2FA I had activated on trading - I had no 2FA on login. Then used all my dollars to buy ETH and sent that and the ETH I had to an external wallet. All within 5 minutes. I was driving in France and just saw the mail after 30 mins. I had not used the userid/password on other exchanges, and know my PC is not compromised. What really surprised me was that Kraken does allow change of 2FA without using 2FA, and secondly allows withdrawals without any extra check like locked wallet, email confirmation, IP restrictions or 2FA. The Kraken security is so badly implemented that I am missing words. Unfortunately I had not made any withdrawals, so I didn't know. Worst of all was to see my almost 500 ETH sitting in the new wallet for 6 days, before seeing it being traded at ShapeShift yesterday, and knowing it's just lost. But anyone that has been hacked is welcome to write me at thorvald@blockchainheroes.com so we can all get a better view on how this could happen. And the Kraken statement that no one with 2FA activated was hacked is a lie, but the one who did the job knew that it was possible to deactivate 2FA on trading without having access to 2FA. And using that no one with 2FA was hacked is a bad argument, as the data exposed might just give access to the login information needed, but with 2FA on login, the hacker could not log in. I am not saying this is an inside job, but I do think that someone had access to the user database and thus could figure out what accounts to attack. And just seeing that all attacks were made around the same time tells me that this is not a coincidence. If it just was us users throwing around our passwords, why would the hackers make a coordinated attack on Kraken. Best regards Thorvald
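As an added illustration (not code from any poster in this thread, and not Kraken's own logic), the Python model below replays the attack path described in the OP's post and in Thorvald's: an attacker holding only a leaked password disables trading 2FA, adds a withdrawal address and withdraws. It contrasts the weak defaults with email confirmation, the global settings lock and a 2FA-gated 2FA change; the policy names, defaults, address and balance are assumptions.

```python
from dataclasses import dataclass, field


class Denied(Exception):
    """A request that lacks the evidence the account's policy demands."""


@dataclass
class Policy:
    # Defaults mirror the weak settings described in the thread (assumed):
    # password-only login, no email confirmation, 2FA settings editable
    # with the password alone, new withdrawal addresses accepted at once.
    login_2fa: bool = False
    confirm_withdrawal_by_email: bool = False
    settings_lock: bool = False             # Kraken's "global settings lock"
    change_2fa_requires_2fa: bool = False   # closes the loophole Thorvald hit


HARDENED = Policy(login_2fa=True, confirm_withdrawal_by_email=True,
                  settings_lock=True, change_2fa_requires_2fa=True)


@dataclass
class Evidence:
    """What a requester can prove. A leaked password gives only the first."""
    password: bool = False
    totp: bool = False     # needs the authenticator device
    email: bool = False    # needs the mailbox


@dataclass
class Account:
    balance: int
    policy: Policy = field(default_factory=Policy)
    trading_2fa: bool = False
    addresses: set = field(default_factory=set)
    alerts: list = field(default_factory=list)


def login(acct, ev):
    if not ev.password:
        raise Denied("password")
    if acct.policy.login_2fa and not ev.totp:
        raise Denied("login 2FA")


def disable_trading_2fa(acct, ev):
    login(acct, ev)
    if acct.trading_2fa and acct.policy.change_2fa_requires_2fa and not ev.totp:
        raise Denied("2FA required to change 2FA")
    acct.trading_2fa = False


def add_address(acct, ev, addr):
    login(acct, ev)
    if acct.policy.settings_lock:
        # A locked account rejects the add and records an alert instead.
        acct.alerts.append(f"blocked address add: {addr}")
        raise Denied("settings locked")
    acct.addresses.add(addr)


def withdraw(acct, ev, addr, amount):
    login(acct, ev)
    if addr not in acct.addresses:
        raise Denied("unknown address")
    if acct.trading_2fa and not ev.totp:
        raise Denied("trading 2FA")
    if acct.policy.confirm_withdrawal_by_email and not ev.email:
        raise Denied("email confirmation")
    if amount > acct.balance:
        raise Denied("insufficient balance")
    acct.balance -= amount
    acct.alerts.append(f"withdrawal of {amount} to {addr}")  # the after-the-fact mail
    return acct.balance


def simulate(policy, trading_2fa=True):
    """Replay the thread's attack path using only a leaked password."""
    acct = Account(balance=500, policy=policy, trading_2fa=trading_2fa)
    attacker = Evidence(password=True)
    try:
        disable_trading_2fa(acct, attacker)
        add_address(acct, attacker, "attacker-addr")   # constructed value
        withdraw(acct, attacker, "attacker-addr", 500)
        return "drained", acct.balance, acct.alerts
    except Denied as why:
        return f"denied: {why}", acct.balance, acct.alerts


if __name__ == "__main__":
    print(simulate(Policy()))     # every control absent: account drained
    print(simulate(HARDENED))     # stopped at login
```

Any single hardened control stops this particular path; the settings lock additionally leaves an alert behind, which is the signal the OP's after-the-fact email arrived too late to give.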

NeuroticFish
July 28, 2016, 09:39:38 AM

I've got some new ideas:
1. Join and gather all the info, guys.
2. Use social media (but please do it nicely, else you clearly lose). It makes visible for many other customers that there are problems there and will force Kraken to do something useful on this.
I started with this: https://twitter.com/neuro_fish/status/758596711883374592
Good luck!

ThorvaldAagaard
July 28, 2016, 03:18:24 PM

MatTheCat (OP)
July 28, 2016, 11:05:57 PM

Quote from NeuroticFish:
I've got some new ideas:
1. Join and gather all the info, guys.
2. Use social media (but please do it nicely, else you clearly lose). It makes visible for many other customers that there are problems there and will force Kraken to do something useful on this.
I started with this: https://twitter.com/neuro_fish/status/758596711883374592
Good luck!

Indeed. I think a collection of all the different cases should be gathered together.....I can perhaps get a website knocked together that could act as a pasteboard for all the different accounts of people having been robbed by Kraken, or someone operating with back end access to Kraken. I intend to press ahead with pushing a complaint through the financial ombudsman etc, even though I know they are gonna turn around and tell me that Kraken is foreign and unregulated, therefore there is nothing that they can do, etc etc.....however, I do suspect that somewhere in the legal framework of any of the countries where Kraken bases its operations, there is a 'Duty of Care' that Kraken must abide by in order to protect their customers' funds. Despite this sort of thing having happened before, Kraken still opt to not even insist on something as simple as Email verification. This is inexplicable and inexcusable, and in my case, certainly would have prevented the theft from occurring. The lax security, and the security breach, is with Kraken, not with their customers. I am pretty sure if these cases ever got in front of a judge that this would be the conclusion that the courts would come to as well.

thimo
July 29, 2016, 12:37:43 AM

you have got scammed dude