Wei H
Legendary
Offline
Activity: 1192
Merit: 1001
Chinese translator
|
|
February 07, 2016, 05:35:30 AM |
|
Finally I added Karken to my favourite.
In English it is spelled Kraken, not Karken. Sorry I typed it too fast.
|
|
HPt
Member
Offline
Activity: 70
Merit: 15
|
|
February 07, 2016, 06:35:29 PM |
|
I wonder, whether I am the only one who considers it disturbing that Kraken's two-factor authentication, e.g. for withdrawing funds, can easily be by-passed by simply changing the authentication method. For example, despite having Yubikey enabled for withdrawing funds, it is possible to withdraw funds without possessing the Yubikey (and without knowing the Master key) as follows:

1. Go to Security/Two-Factor Authentication
2. Click on the "Edit/View details" link for Funding
3. Change Method to Password
4. Set a new password (no Yubikey and no master key is required!)
5. Go to Funding/Withdraw
6. Add a new address and withdraw funds to it using the newly set password

So, anyone who is able to log in to a Kraken account or catches a browser with an open Kraken session is able to deplete this account.

I reported this vulnerability to Kraken more than two weeks ago. According to Kraken, this behaviour is intended and can be suppressed by going to Settings/Account and enabling "Global Settings Lock". However, I wonder who is aware of the fact that, without this "Global Settings Lock", the two-factor authentication is completely ineffective.
|
|
|
|
Serpens66
Legendary
Offline
Activity: 2926
Merit: 1131
|
|
February 07, 2016, 08:59:17 PM |
|
> I wonder, whether I am the only one who considers it disturbing that Kraken's two-factor authentication, e.g. for withdrawing funds, can easily be by-passed by simply changing the authentication method. For example, despite having Yubikey enabled for withdrawing funds, it is possible to withdraw funds without possessing the Yubikey (and without knowing the Master key) as follows:
>
> 1. Go to Security/Two-Factor Authentication
> 2. Click on the "Edit/View details" link for Funding
> 3. Change Method to Password
> 4. Set a new password (no Yubikey and no master key is required!)
> 5. Go to Funding/Withdraw
> 6. Add a new address and withdraw funds to it using the newly set password
>
> So, anyone who is able to log in to a Kraken account or catches a browser with an open Kraken session is able to deplete this account.
>
> I reported this vulnerability to Kraken more than two weeks ago. According to Kraken, this behaviour is intended and can be suppressed by going to Settings/Account and enabling "Global Settings Lock". However, I wonder who is aware of the fact that, without this "Global Settings Lock", the two-factor authentication is completely ineffective.

Thank you very much for sharing this. I also think this is unacceptable!

Where can I read more about the global settings lock? In the settings is written: "The Global Settings Lock prevents any changes to your account settings and hides the display of sensitive info. See FAQ for more details". But in the FAQ is nothing about it except "Lock your account settings with the global settings lock", which is not helpful at all...

edit: I would like to know, what settings exactly are affected and how to deactivate the global settings lock instantly.

Dargo, what do you know about this vulnerability and the Lock? Maybe you should add an additional setting? Like "Activate 2FA for setting changes"?
|
With Cointracking (10% discount) you keep track of all your trades and profits. There is even a tool for taxes. Great Freeware Game: Clonk Rage. binance.com now also has SEPA and EUR pairs! With the RefLink you get a 5% discount on the trading fees!
|
|
|
Yunus
|
|
February 08, 2016, 08:00:49 AM |
|
> Where can I read more about the global settings lock ?

We have a rather extensive article in the Kraken Help Center covering the Global Settings Locks. It's in the 'Security: Account' section. I think the article does a pretty good job of conveying the purpose of the lock (but please let us know if you think otherwise). It also describes which settings get locked and what can be done to unlock your settings:

https://support.kraken.com/hc/en-us/articles/201396877-What-is-the-Global-Settings-Lock-
|
|
|
|
Serpens66
Legendary
Offline
Activity: 2926
Merit: 1131
|
|
February 08, 2016, 12:28:28 PM |
|
> > Where can I read more about the global settings lock ?
>
> We have a rather extensive article in the Kraken Help Center covering the Global Settings Locks. It's in the 'Security: Account' section. I think the article does a pretty good job of conveying the purpose of the lock (but please let us know if you think otherwise). It also describes which settings get locked and what can be done to unlock your settings: https://support.kraken.com/hc/en-us/articles/201396877-What-is-the-Global-Settings-Lock-

Thank you. I think in combination with a master key, it is okay to activate the settings lock. But as HPt wrote,

1) not everybody knows enough about this settings lock
2) not everybody knows that without the settings lock, it is easy to bypass the 2FA !!!

So I still think Kraken has to do something to make 2FA secure even without the settings lock. The 2FA method should not be changeable without access to 2FA nor password, except with a masterkey or with support.
|
|
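The rule proposed in the post above (a 2FA method may only be changed with the current factor or the master key), next to the session-only behaviour HPt described, as an added example that is not part of the thread and not Kraken's code. All names are hypothetical, and each factor is modelled as a static secret for brevity.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Account:
    # Constructed sample model; field names are hypothetical.
    master_key: str
    settings_locked: bool = False
    # operation -> (method, secret), e.g. "funding" -> ("yubikey", "...")
    factors: dict = field(default_factory=dict)

def _matches(expected, supplied):
    # Constant-time comparison; a missing proof never matches.
    return supplied is not None and hmac.compare_digest(
        expected.encode(), supplied.encode())

def change_method_session_only(acct, op, method, secret):
    """Behaviour reported in the thread: a logged-in session is enough."""
    acct.factors[op] = (method, secret)
    return True

def change_method_step_up(acct, op, method, secret,
                          current_proof=None, master_key=None):
    """Hardened variant: the settings lock blocks every change; otherwise the
    caller must prove possession of the current factor or the master key."""
    if acct.settings_locked:
        return False
    current = acct.factors.get(op)
    if current is not None:
        _, current_secret = current
        if not (_matches(current_secret, current_proof)
                or _matches(acct.master_key, master_key)):
            return False
    acct.factors[op] = (method, secret)
    return True

def withdraw_allowed(acct, proof):
    """A withdrawal needs the secret currently configured for funding."""
    _, secret = acct.factors["funding"]
    return _matches(secret, proof)

if __name__ == "__main__":
    a = Account("mk-constructed", factors={"funding": ("yubikey", "yk-constructed")})
    change_method_session_only(a, "funding", "password", "pw-new")
    print("session-only: new password authorises withdrawal:", withdraw_allowed(a, "pw-new"))
    b = Account("mk-constructed", factors={"funding": ("yubikey", "yk-constructed")})
    print("step-up: change without proof accepted:",
          change_method_step_up(b, "funding", "password", "pw-new"))
```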
|
|
Dargo
Legendary
Offline
Activity: 1820
Merit: 1000
|
|
February 08, 2016, 06:16:24 PM |
|
> > > Where can I read more about the global settings lock ?
> >
> > We have a rather extensive article in the Kraken Help Center covering the Global Settings Locks. It's in the 'Security: Account' section. I think the article does a pretty good job of conveying the purpose of the lock (but please let us know if you think otherwise). It also describes which settings get locked and what can be done to unlock your settings: https://support.kraken.com/hc/en-us/articles/201396877-What-is-the-Global-Settings-Lock-
>
> Thank you. I think in combination with a master key, it is okay to activate the settings lock. But as HPt wrote,
>
> 1) not everybody knows enough about this settings lock
> 2) not everybody knows that without the settings lock, it is easy to bypass the 2FA !!!
>
> So I still think Kraken has to do something to make 2FA secure even without the settings lock. The 2FA method should not be changeable without access to 2FA nor password, except with a masterkey or with support.

I agree with you and HPt that we at the very least need to do more to make people aware of the settings lock. Just so there's no confusion about the issue here, it's only easy to bypass 2fa if you have already gained access to the account. So it's not easy for someone who doesn't have access to the account to bypass the 2fa for login. But I understand how someone who sets 2fa for trading or funding would expect that this isn't easy to bypass even if someone has access to the account, so that either needs to be changed or it needs to be made clearer that the settings lock should be used in conjunction with 2fa for trading or funding in order for these to really improve the security of the account.

We will take a look at this issue and do something to address it - thanks for bringing it up!
|
|
|
|
Mubbashar
Newbie
Offline
Activity: 1
Merit: 0
|
|
February 08, 2016, 06:17:44 PM |
|
|
|
|
|
Dargo
Legendary
Offline
Activity: 1820
Merit: 1000
|
|
February 08, 2016, 07:40:52 PM |
|
> > Here's what happened with the recent site/API issues: There was a technical problem with our funding partner Vogogo. It should have only affected our interface with this funding partner, but unfortunately it affected other systems as well. We've made the necessary adjustment so other systems are no longer affected, but funding through Vogogo will be offline until the technical problems are fixed on their end.
> >
> > Edit: Vogogo is our CAD funding partner, so CAD funding is offline for now and we don't have an ETA for when it will be back online. Funding in all other currencies is operating smoothly.
>
> Thanks for the update, had trouble understanding why the funding service was offline. On a separate note, it's unfortunate that it's happening while fees are lowered.

I agree it is unfortunate - I talked to Jesse our CEO and he's open to the idea of extending the free deposits for another 2-4 weeks due to the issues we've had. It's not quite a "done deal" yet, but most likely we'll do that.
|
|
|
|
SebastianJu
Legendary
Offline
Activity: 2674
Merit: 1082
Legendary Escrow Service - Tip Jar in Profile
|
|
February 08, 2016, 11:02:14 PM |
|
> > > > Where can I read more about the global settings lock ?
> > >
> > > We have a rather extensive article in the Kraken Help Center covering the Global Settings Locks. It's in the 'Security: Account' section. I think the article does a pretty good job of conveying the purpose of the lock (but please let us know if you think otherwise). It also describes which settings get locked and what can be done to unlock your settings: https://support.kraken.com/hc/en-us/articles/201396877-What-is-the-Global-Settings-Lock-
> >
> > Thank you. I think in combination with a master key, it is okay to activate the settings lock. But as HPt wrote,
> >
> > 1) not everybody knows enough about this settings lock
> > 2) not everybody knows that without the settings lock, it is easy to bypass the 2FA !!!
> >
> > So I still think Kraken has to do something to make 2FA secure even without the settings lock. The 2FA method should not be changeable without access to 2FA nor password, except with a masterkey or with support.
>
> I agree with you and HPt that we at the very least need to do more to make people aware of the settings lock. Just so there's no confusion about the issue here, it's only easy to bypass 2fa if you have already gained access to the account. So it's not easy for someone who doesn't have access to the account to bypass the 2fa for login. But I understand how someone who sets 2fa for trading or funding would expect that this isn't easy to bypass even if someone has access to the account, so that either needs to be changed or it needs to be made clearer that the settings lock should be used in conjunction with 2fa for trading or funding in order for these to really improve the security of the account.
>
> We will take a look at this issue and do something to address it - thanks for bringing it up!

I think that is a serious issue and it's good that you try to handle it. There is no reason why it should be allowed to disable a security measure without proving that you are allowed to do so.

Kraken is the only exchange who has two 2fa, the other is for trading only. Though that wouldn't help in this case either when the user is holding bitcoins already and not fiat.
|
Please ALWAYS contact me through bitcointalk pm before sending someone coins.
|
|
|
tmltd
|
|
February 09, 2016, 01:36:54 AM |
|
Is Kraken BTC user wallet a BitGo instant type for withdrawals from Kraken, so that when the transaction gets into blockchain and the recipient is a BitGo instant type wallet address it will need 0 confirmations?
|
|
|
|
Dargo
Legendary
Offline
Activity: 1820
Merit: 1000
|
|
February 09, 2016, 05:31:30 AM |
|
> Is Kraken BTC user wallet a BitGo instant type for withdrawals from Kraken, so that when the transaction gets into blockchain and the recipient is a BitGo instant type wallet address it will need 0 confirmations?

Yes we offer this service but it's an option you have to select in your account. Here are the directions for making deposits and withdrawals with BitGo Instant:

How to make instant withdrawals

Go to Funding > Withdrawal > Bitcoin and select “BitGo Instant”. Add the address you want to send to (it must be an address from your BitGo wallet or from a BitGo Instant partner). Select the address, enter the amount, and send! (Note that we charge a fee of ฿0.0005 + 0.1% for this service, which just covers our costs in providing it.)

How to make instant deposits

Go to Funding > Deposit > Bitcoin and generate a new address (old addresses beginning with the number “3” can also be used). Send your deposit to this address from any wallet that supports BitGo Instant (from a BitGo wallet or from a BitGo Instant partner). You will need to select the transfer as a BitGo Instant transfer before you send - if it is sent as a regular transaction, you will have to wait for the usual 6 confirmations before the funds are available for trading.
|
|
|
|
Kn_os
Legendary
Offline
Activity: 1055
Merit: 1002
|
|
February 09, 2016, 08:07:45 PM |
|
Dear Kraken, please consider removing monthly btc withdraw limits? There is no exchange that has such "strange" withdraw rules.
|
|
|
|
Kn_os
Legendary
Offline
Activity: 1055
Merit: 1002
|
|
February 10, 2016, 12:13:58 AM |
|
Error 502
|
|
|
|
emmettoc
|
|
February 10, 2016, 01:49:44 AM |
|
NO response at all from your support over 48 hours!!! Please refund my money as soon as possible.
|
|
|
|
Dargo
Legendary
Offline
Activity: 1820
Merit: 1000
|
|
February 10, 2016, 04:47:10 AM |
|
> NO response at all from your support over 48 hours!!! Please refund my money as soon as possible.

If you PM me your ticket number I can check with support.
|
|
|
|
emmettoc
|
|
February 10, 2016, 05:26:13 AM |
|
> > NO response at all from your support over 48 hours!!! Please refund my money as soon as possible.
>
> If you PM me your ticket number I can check with support.

I sent a message. Please check it. Thanks.
|
|
|
|
Dargo
Legendary
Offline
Activity: 1820
Merit: 1000
|
|
February 10, 2016, 06:03:21 AM |
|
> > > NO response at all from your support over 48 hours!!! Please refund my money as soon as possible.
> >
> > If you PM me your ticket number I can check with support.
>
> I sent a message. Please check it. Thanks.

The deposit should be released now.
|
|
|
|
will7am
Legendary
Offline
Activity: 973
Merit: 1000
|
|
February 10, 2016, 09:48:08 AM |
|
I've really lost faith in Kraken over the past few months, first there were CloudFlare problems (caused by utter incompetence on the part of Kraken) and public code leakage, now I'm having withdraw problems and getting no support after 24 hours of waiting. I get a copy and paste reply saying that you're all busy, which is not good enough.
My ticket number is 77711.
|
|
|
|
pawel7777
Legendary
Offline
Activity: 2422
Merit: 1559
|
|
February 10, 2016, 10:33:55 AM |
|
Just wondered, do Kraken have any action plan of what to do if/when hard fork of Bitcoin is about to happen?
Will you be supporting both forks (until there's a clear winner), will you lock deposit or withdrawals? Will you suspend BTC trading altogether? Or will you just announce which fork you intend to support and carry on as usual?
|
|
|
|
Yunus
|
|
February 10, 2016, 11:09:58 AM |
|
> I've really lost faith in Kraken over the past few months, first there were CloudFlare problems (caused by utter incompetence on the part of Kraken) and public code leakage, now I'm having withdraw problems and getting no support after 24 hours of waiting. I get a copy and paste reply saying that you're all busy, which is not good enough.
>
> My ticket number is 77711.

An agent has been assigned to your ticket and we are looking into solving the problem ASAP. We are sorry about the delays you (and others) are experiencing.
|
|
|
|
|