Multiple Kraken Accounts, Robbed/Emptied. Kraken say "Fuck you, its your loss"

[Ibian]

They have something much better than email confirmation, and you know it, and you chose not to use it. Even if they had that you would just bitch and complain that your email has been hacked on top of everything else.

Yes...they have 2FA......just not the kind of 2FA that I like.....some fucking google shit that relies on Smart Phones, as opposed to text messages. But people who enabled 2FA for transactions were also robbed. The thief simply disabled that 2FA, using the password for the account. Only those who had 2FA log-in enabled, were safe from getting their accounts emptied.

If my Email address had also been hacked, which it wasn't, then I would have no option but to admit that my own PC had been compromised, but the fact is, that it wasn't hacked. It wasn't hacked because Kraken never had no record of it sitting on a database that could be 'leaked'.

Yubikey, you cunt. Already mentioned it before too. You deliberately sabotage yourself.

[illyiller]

Any updates on this? I assume Kraken is just saying "screw you" to everyone involved? Seems obvious that there was a leaked database on their end and poor security practices by Kraken allowed accounts to be cleaned out.

Have they even announced anything about this? I only saw this thread by chance.

Have they at least implemented email confirmation by now?

The update from my end, is that I have a Police Complaint number, and that is about it, and yeah, the party line from Kraken is basically, "we are terribly sorry to hear about your loss, but fuck you", regardless of how obvious it was that the security leak was at their end, and how painfully incompetent their security measures are......


.......and on that note...I read on another thread that Kraken's response is to put a 24 hour delay on new withdrawal addresses being verified.      

Really!? Are they trying to piss their customers off on purpose? Are they determined to have some sort of 'security' system in place, that will always allow theft with plausible deniability, and/or the legitimate blaming of the customer? Why not just implement fucking Email verification for all withdrawals, or indeed, go the route of the Chinese exchanges and insist on 2FA via mobile SMS (and no Kraken, I don't want your Google 2FA).

The antics/shenanigans of this exchange defies words....

Damn, sorry to hear this -- although it is what I expected. There really hasn't been much talk at all about this, even though there has been a number of people that have come forward. They have probably successfully brushed it under the rug.

Indeed, email verification is the basic necessary verification that a site should be doing before allowing a withdrawal. There really is no excuse.

[illyiller]

They have something much better than email confirmation, and you know it, and you chose not to use it. Even if they had that you would just bitch and complain that your email has been hacked on top of everything else.

That's really not reasonable, considering Kraken allowed those with 2FA enabled on withdrawals, to have it immediately removed. BTC-E, for instance, enforces a waiting period (2 weeks or 1 month, can't remember) before 2FA can be removed. They send a warning to the email address of the account holder for security, warning that someone is trying to remove the 2FA.

2FA is useless if one can remove it instantly with only account access.

[Ibian]

They have something much better than email confirmation, and you know it, and you chose not to use it. Even if they had that you would just bitch and complain that your email has been hacked on top of everything else.

That's really not reasonable, considering Kraken allowed those with 2FA enabled on withdrawals, to have it immediately removed. BTC-E, for instance, enforces a waiting period (2 weeks or 1 month, can't remember) before 2FA can be removed. They send a warning to the email address of the account holder for security, warning that someone is trying to remove the 2FA.

2FA is useless if one can remove it instantly with only account access.

Are you under the impression that they don't use yubikey for 2fa login? And on withdraws (both bitcoin and fiat) as well? It is much safer than a simple email link. And he chose, willingly and knowingly (unless he decided not to investigate his options, which would be even worse) not to use it.

[ethereumhunter]

in kraken? i thought there a good place? hm its so strange because if we have setup account for security it should be hard to enter the account, unless the admin of the site which have capabilites to look on every account. i curious that should be person who have access to take a look an every account which have big balance. i hope that kraken will be hacked like bitfinex yesterday or kraken been compromised and been hacked by inside person.

[Ibian]

in kraken? i thought there a good place? hm its so strange because if we have setup account for security it should be hard to enter the account, unless the admin of the site which have capabilites to look on every account. i curious that should be person who have access to take a look an every account which have big balance. i hope that kraken will be hacked like bitfinex yesterday or kraken been compromised and been hacked by inside person.

Summary of this thread: guy does a shitty job protecting his money, bitches.

Kraken is safe, if you are not a dumbass with security. I trust them more than my own bank, personally.

[MatTheCat]

Summary of this thread: guy does a shitty job protecting his money, bitches.

Kraken is safe, if you are not a dumbass with security. I trust them more than my own bank, personally.

U are a fucking clown Ibian.

I know of at least one, highly qualified person who was also robbed on Kraken. Masters in Computer Science, with an illustrious career spanning 30 years in IT.....in his case, he did have 2FA enabled, but only for transactions. Kraken's security configuration allowed this 2FA to be switched off from within the account, allowing the hacker to only need the login password for the account, in order to empty it.

This was a 'significant number' of Kraken accounts that were emptied, all around the same time.

It is clear, that Kraken have been compromised here, yet are passing the blame on to their customers.

What is not clear is whether the individual responsible for Kraken's security is a crook, or just plain stupid.


As is the case with Bitfinex, all Bitcoin exchanges are guilty, until proven innocent and with the exception perhaps of Bitstamp's hack back in 2015, there isn't a single case of crypto exchange shenanigans which has bucked that rule.

Bitcoinica, MtGox, Cryptsy, etc, etc....

[Ibian]

Your highly qualified person is as much of a dumbass as you are. And education is no substitute for intelligence.

[illyiller]

They have something much better than email confirmation, and you know it, and you chose not to use it. Even if they had that you would just bitch and complain that your email has been hacked on top of everything else.

That's really not reasonable, considering Kraken allowed those with 2FA enabled on withdrawals, to have it immediately removed. BTC-E, for instance, enforces a waiting period (2 weeks or 1 month, can't remember) before 2FA can be removed. They send a warning to the email address of the account holder for security, warning that someone is trying to remove the 2FA.

2FA is useless if one can remove it instantly with only account access.

Are you under the impression that they don't use yubikey for 2fa login? And on withdraws (both bitcoin and fiat) as well? It is much safer than a simple email link. And he chose, willingly and knowingly (unless he decided not to investigate his options, which would be even worse) not to use it.

I am aware, but didn't he have 2FA enabled for withdrawals (or transactions, whatever it is)? But it was trivially removed. Correct me if I'm wrong. One could not have known that 2FA withdrawals were useless because Kraken allows it to be instantly removed.

In hindsight, easy to say "should have used 2FA for login, not transactions." But only with hindsight.

[Ibian]

They have something much better than email confirmation, and you know it, and you chose not to use it. Even if they had that you would just bitch and complain that your email has been hacked on top of everything else.

That's really not reasonable, considering Kraken allowed those with 2FA enabled on withdrawals, to have it immediately removed. BTC-E, for instance, enforces a waiting period (2 weeks or 1 month, can't remember) before 2FA can be removed. They send a warning to the email address of the account holder for security, warning that someone is trying to remove the 2FA.

2FA is useless if one can remove it instantly with only account access.

Are you under the impression that they don't use yubikey for 2fa login? And on withdraws (both bitcoin and fiat) as well? It is much safer than a simple email link. And he chose, willingly and knowingly (unless he decided not to investigate his options, which would be even worse) not to use it.

I am aware, but didn't he have 2FA enabled for withdrawals (or transactions, whatever it is)? But it was trivially removed. Correct me if I'm wrong. One could not have known that 2FA withdrawals were useless because Kraken allows it to be instantly removed.

In hindsight, easy to say "should have used 2FA for login, not transactions." But only with hindsight.

If you have 2fa enabled for everything except login, then you are a fucking dumbass. Case closed.

[ThorvaldAagaard]

If there was price for the most stupid comment you have earned it :-)

In Denmark we have 2FA implemented with digital signature called NemID, so when ever I make a transaction moving money I have to use it, but the banks have decided, that as long as you only log in and view the password will be sufficient.

As we all know 2FA is wasting time, and if you log in 10 times a day, just to check current trades, it is much easier just to use password, as you know that if anyone steals your password he/she will only be able to see your current balance, but can't do anything. Then if you decide to trade, withdraw or change any setting the 2FA is required, and should be sufficient.

As I am a user of many exchanges I have had the possibility to compare them and Kraken are an absolute winner in designing the worst security implementation of all of them seen from a user perspective
I have compared

Poloniex
BitFinex
BitMex
Yobit
Gatecoin
Bittrex
OKCoin
Yunbi
Bitstamp
LocalBitcoins
Bleutrade
Coinbase
Tether
BitCurex

To me it is clear that the kraken team lack a security expert as the current implementation looks like a design by programmers and not by a security expert

Have a nice day

[Ibian]

New no activity account guy who doesn't take his own bank security seriously and with experience on a dozen exchanges saying kraken has the worst security, including recently hacked bitfinex who will apparently reduce all user accounts by more than a third. Thanks for your contribution.

[illyiller]

New no activity account guy who doesn't take his own bank security seriously and with experience on a dozen exchanges saying kraken has the worst security, including recently hacked bitfinex who will apparently reduce all user accounts by more than a third. Thanks for your contribution.

But wouldn't you agree that Kraken's security implementation isn't very good? I don't see why they don't add a second layer of authentication on withdrawals. Email confirmation is very standard. The emails I associate with my exchange accounts have strong passwords and 2fa, which protects me in the case that my exchange account and 2fa token are compromised.

BTC-E also, for instance, warns users on 2fa activation that not enabling 2fa on login is insecure. While it would be nice if this were widespread knowledge, it apparently isn't. Ideally, Kraken would give such a warning, if it didn't simply enforce 2fa on login in the first place.

[Ibian]

New no activity account guy who doesn't take his own bank security seriously and with experience on a dozen exchanges saying kraken has the worst security, including recently hacked bitfinex who will apparently reduce all user accounts by more than a third. Thanks for your contribution.

But wouldn't you agree that Kraken's security implementation isn't very good? I don't see why they don't add a second layer of authentication on withdrawals. Email confirmation is very standard. The emails I associate with my exchange accounts have strong passwords and 2fa, which protects me in the case that my exchange account and 2fa token are compromised.

BTC-E also, for instance, warns users on 2fa activation that not enabling 2fa on login is insecure. While it would be nice if this were widespread knowledge, it apparently isn't. Ideally, Kraken would give such a warning, if it didn't simply enforce 2fa on login in the first place.

Get a fucking yubikey and use it.

I get it. It's new, it's different, it's fucking scary. It also works, is convenient, and most probably more secure than your 2fa email. And it is dumb as shit not to use it.

[illyiller]

New no activity account guy who doesn't take his own bank security seriously and with experience on a dozen exchanges saying kraken has the worst security, including recently hacked bitfinex who will apparently reduce all user accounts by more than a third. Thanks for your contribution.

But wouldn't you agree that Kraken's security implementation isn't very good? I don't see why they don't add a second layer of authentication on withdrawals. Email confirmation is very standard. The emails I associate with my exchange accounts have strong passwords and 2fa, which protects me in the case that my exchange account and 2fa token are compromised.

BTC-E also, for instance, warns users on 2fa activation that not enabling 2fa on login is insecure. While it would be nice if this were widespread knowledge, it apparently isn't. Ideally, Kraken would give such a warning, if it didn't simply enforce 2fa on login in the first place.

Get a fucking yubikey and use it.

I get it. It's new, it's different, it's fucking scary. It also works, is convenient, and most probably more secure than your 2fa email. And it is dumb as shit not to use it.

I'm not really aware of this yubikey. Are you saying it's more secure than using Google 2fa on my devices? Why? It sounds like there's no difference in convenience, either.

I'm talking about email confirmation in addition to 2fa. Because, why not?

[Ibian]

New no activity account guy who doesn't take his own bank security seriously and with experience on a dozen exchanges saying kraken has the worst security, including recently hacked bitfinex who will apparently reduce all user accounts by more than a third. Thanks for your contribution.

But wouldn't you agree that Kraken's security implementation isn't very good? I don't see why they don't add a second layer of authentication on withdrawals. Email confirmation is very standard. The emails I associate with my exchange accounts have strong passwords and 2fa, which protects me in the case that my exchange account and 2fa token are compromised.

BTC-E also, for instance, warns users on 2fa activation that not enabling 2fa on login is insecure. While it would be nice if this were widespread knowledge, it apparently isn't. Ideally, Kraken would give such a warning, if it didn't simply enforce 2fa on login in the first place.

Get a fucking yubikey and use it.

I get it. It's new, it's different, it's fucking scary. It also works, is convenient, and most probably more secure than your 2fa email. And it is dumb as shit not to use it.

I'm not really aware of this yubikey. Are you saying it's more secure than using Google 2fa on my devices? Why? It sounds like there's no difference in convenience, either.

I'm talking about email confirmation in addition to 2fa. Because, why not?

Then go look it up. This is the internet, there is no limit to the information you have at your fingertips.

[MatTheCat]

Bump.

Kraken customer accounts continue to be emptied. Kraken continues to be 'sorry for your loses', but erm, read the small print and weep (and fuck off).

Made my complaints to numerous LEA, can't believe these fuckers aren't getting investigated....these thefts are coming from within.

[marky89]

New no activity account guy who doesn't take his own bank security seriously and with experience on a dozen exchanges saying kraken has the worst security, including recently hacked bitfinex who will apparently reduce all user accounts by more than a third. Thanks for your contribution.

But wouldn't you agree that Kraken's security implementation isn't very good? I don't see why they don't add a second layer of authentication on withdrawals. Email confirmation is very standard. The emails I associate with my exchange accounts have strong passwords and 2fa, which protects me in the case that my exchange account and 2fa token are compromised.

BTC-E also, for instance, warns users on 2fa activation that not enabling 2fa on login is insecure. While it would be nice if this were widespread knowledge, it apparently isn't. Ideally, Kraken would give such a warning, if it didn't simply enforce 2fa on login in the first place.

Get a fucking yubikey and use it.

I get it. It's new, it's different, it's fucking scary. It also works, is convenient, and most probably more secure than your 2fa email. And it is dumb as shit not to use it.

I'm not really aware of this yubikey. Are you saying it's more secure than using Google 2fa on my devices? Why? It sounds like there's no difference in convenience, either.

I'm talking about email confirmation in addition to 2fa. Because, why not?

Then go look it up. This is the internet, there is no limit to the information you have at your fingertips.

Yubikey has the same weakness that Google 2fa has: the counterparty has your token, and it can be compromised. It isn't any safer than Google 2fa, so I'm not sure what you're getting at here. The issue is about email confirmation on top of 2fa. Saying "use 2fa" doesn't really address that. This is just basic security, basic user authentication. Confirm by email and 2fa.

[Ibian]

New no activity account guy who doesn't take his own bank security seriously and with experience on a dozen exchanges saying kraken has the worst security, including recently hacked bitfinex who will apparently reduce all user accounts by more than a third. Thanks for your contribution.

But wouldn't you agree that Kraken's security implementation isn't very good? I don't see why they don't add a second layer of authentication on withdrawals. Email confirmation is very standard. The emails I associate with my exchange accounts have strong passwords and 2fa, which protects me in the case that my exchange account and 2fa token are compromised.

BTC-E also, for instance, warns users on 2fa activation that not enabling 2fa on login is insecure. While it would be nice if this were widespread knowledge, it apparently isn't. Ideally, Kraken would give such a warning, if it didn't simply enforce 2fa on login in the first place.

Get a fucking yubikey and use it.

I get it. It's new, it's different, it's fucking scary. It also works, is convenient, and most probably more secure than your 2fa email. And it is dumb as shit not to use it.

I'm not really aware of this yubikey. Are you saying it's more secure than using Google 2fa on my devices? Why? It sounds like there's no difference in convenience, either.

I'm talking about email confirmation in addition to 2fa. Because, why not?

Then go look it up. This is the internet, there is no limit to the information you have at your fingertips.

Yubikey has the same weakness that Google 2fa has: the counterparty has your token, and it can be compromised. It isn't any safer than Google 2fa, so I'm not sure what you're getting at here. The issue is about email confirmation on top of 2fa. Saying "use 2fa" doesn't really address that. This is just basic security, basic user authentication. Confirm by email and 2fa.

What it's about is having something to complain about. The site is safe if you use the security options they have.

It's a choice. Stick your ass in the air and wait to be raped, or keep your pants on.

[MatTheCat]

What it's about is having something to complain about. The site is safe if you use the security options they have.

It's a choice. Stick your ass in the air and wait to be raped, or keep your pants on.

Put ya money where ya mouth is then, and go store some BTC on Kraken....

.....sure the thefts continue (how the fuck they keep it so quiet I really don't know), but if you use the security options they have, your funds are safe.....


......safe until Kraken offer you some Sorries for your Loses that is.