 |
September 23, 2016, 12:34:32 PM |
|
So, a friend of mine who got 2FA enabled on Kraken was not able to log on Kraken last days. He did not log into kraken for a few months.
To his surprise he was not able to log in.
So he sent a support case, and support told him that they don't have an account associated with his email.
After, he provided them with past mail conversations, which clearly show he has an account, they started to ask him 7 questions (the usual questions to help to prove ownership)
such as :
"1) Name, date of birth, and phone number on the account?
2) Address on the account? (only answer this question if you verified your account to tier 2 or higher)
3) Describe the government ID you used for tier 3 verification. Just state the country, type of ID, and expiration date - e.g. "German passport 23-08-2018." (only answer this question if you verified your account to tier 3 or higher)
4) The approximate date of your last successful login?
5) Your approximate account balances?
6) Describe the funding activity on the account - e.g. the last 3 deposits or withdrawals made, including dates, amounts and currencies. The more specific you can be, the better. Information about bank deposits or withdrawals is generally better than information about digital currency deposits or withdrawals. You can look up dates and amounts in your bank account or in your digital currency wallet.
7) Describe the trading activity on the account - e.g. the most recent trades you've made, the currencies you typically trade, currencies you don't trade, etc. The more specific you can be, the better.
We're sorry to ask for all this information, but it's a precaution to help protect against fraudulent access to your account. "
He then went on to share that, and about a day later he received this :
"I am sorry to inform you that an attacker managed to login to your account on 08-07-16 16:26, changed your email and executed a withdrawal of all your litecoins on 08-08-16 18:42. We are sorry for your loss.
Since he was able to change your email address, this means he also had access to the email address of your account. You should change your password immediately and also add Two-Factor Authentication, in example with Google Authenticator (if yahoo mail has this option).
Please get back to me after this is completed.
Best regards,"
And later Kraken said :
""He knew your master key and used it in order to bypass the 2FA for login."
Now, things does not add up right now.
My friend did not ever write down the master key aswell, and as far as I know, in order, to get the master key, you need to log on the account, the very same account that is 2FA protected itself.
So this answer is not good already.
Right now it looks like Kraken made errors while answering, and even if the attaquer managed to have access to the email of my friend, I have a hard time to understand how he got hold of the account.
Obviously the master key statement is even feeling like an insult unless I miss some elements, and this is why I am sharing that story right now.
On top of it, the person receive email notifications and is always checking his emails because of business, and guess what, he never noticed any mails from kraken, or any communication that would not be his one.
So if the attaquer got able to access his mail, he never changed the mail password, and there is no evidence of communication that happened.
It makes the whole thing fishy, if you get me, and I am trying to make sense out of it, before he unfortunately proceed with a police complaint about Kraken.
(I hope it's not confusing).
|
