
Security above everything: why every month is Cybersecurity Awareness Month at Kraken

By Nick Percoco, Kraken Chief Security Officer

Cybersecurity cannot be an afterthought for a crypto platform. At Kraken, we consider securing our clients’ personal information and cryptoassets to be our highest priority, so we place security above everything. Following October’s Cybersecurity Awareness Month, we’d like to tell you more about our ongoing approach to safeguarding your personal data and cryptoassets.  

Kraken was founded with a security-first mindset in 2011. Our Co-Founders witnessed the Mt. Gox exploit firsthand, as clients lost access to funds they had entrusted to that platform. It was a disaster for thousands of customers and the exchange itself.

We continue to strive to be a secure trading platform where clients can access the cryptoasset ecosystem and invest with confidence. For us, security is a way of life. 

Security is part of our DNA

Security is at the core of Kraken’s global operation. Over our 12-year history, we have consistently invested in our cybersecurity infrastructure, hired some of the brightest talent in the info-sec community and spent countless hours training all of our teams to be “productively paranoid.” 

But security is not just about keeping the crypto we hold on behalf of our clients safe. The personal identifying information we maintain about our clients is just as valuable to malicious actors.

We aim to use the latest standards to encrypt all sensitive account information at both the system and data level. This means your identifying information is always hidden behind a powerful layer of security. After we encrypt your information, we follow a robust set of security procedures and controls that earned us ISO 27001 and SOC 2 certifications.

Why security is a two-way process

We also recognize that our security-first approach is most effective when clients understand the importance of remaining vigilant as they navigate the increasingly digital world we live in. 

Because cybercriminals are constantly evolving their practices to extract personal information from their victims, we have invested significant resources to improve knowledge of good security practices for everyone.

For example, we entered a partnership with popular American scam-baiter KitBoga to creatively raise awareness of the most common crypto-related scams. We were also recognized by the CSO 50 awards for our ongoing efforts to reduce the prevalence of email phishing attacks.  

The role of two factor authentication (2FA) in our security-first approach

While Kraken is continuously striving to protect our clients’ assets and personal data, we recognize the importance of clients implementing 2FA to help us in our efforts to maintain the highest level of operational security.

2FA acts as a crucial second layer of defense that further protects your online life. We compare 2FA to having a deadbolt on the front door of your home. Yes, one lock might be sufficient to keep intruders out, but having a secondary lock that requires a different key is a powerful upgrade that further safeguards your home. 

Because this secondary layer of protection is so vital, we believe everyone should enable 2FA on all the accounts and applications they can – especially their personal email.

Our clients have a range of options for enabling 2FA on their Kraken accounts. For example, there are several common authenticator apps that generate one-time passcodes which can be used to authenticate an action – like verifying their account sign-in process. They can also use these passcodes to validate new wallet addresses being created or the initiation of a transaction from their Kraken account.

We actively encourage our clients to go one step further by enabling multiple forms of 2FA when using our platform. This is known as multi-factor authentication (MFA): each additional factor adds another layer of protection for assets and personal information.

Even more secure: MFA and beyond

For those who want an even higher level of protection, we also enable 2FA through physical hardware devices supporting the FIDO2 and WebAuthn standards. Like authenticator apps, hardware security devices generate unique keys that are used to authenticate to a device or service.

However, unlike a time-sensitive code, which works wherever it is typed, these hardware devices are not subject to the risks of phishing attacks. Their security chips generate keys that are unique to the authentic web service or mobile app they were registered with, so a response produced for a look-alike site is not valid at the genuine one. This makes them resistant to common phishing attacks.
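To make the difference concrete, here is an added illustration (not Kraken’s code, and a simplification of the real standards): an RFC 6238 TOTP generator, whose output does not depend on which site asks for it, beside a toy FIDO2-style exchange in which the authenticator derives a distinct key per relying party (HMAC stands in for the device’s per-credential key pair) and the genuine service rejects any assertion whose origin or challenge does not match. The site names and the device secret are constructed for the example.

```python
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time passcode, as authenticator apps compute it.
    Note what is missing: nothing about *which site* is asking for the code."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Authenticator:
    """Simplified FIDO2-style device: one device secret, a distinct key per
    relying-party ID (HMAC stands in for the per-credential key pair)."""
    def __init__(self, device_secret: bytes):
        self._secret = device_secret

    def _key_for(self, rp_id: str) -> bytes:
        return hmac.new(self._secret, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        return self._key_for(rp_id)  # a real device hands back a public key

    def assert_login(self, rp_id: str, origin: str, challenge: bytes) -> dict:
        # The browser, not the web page, fills in rp_id and origin, so a
        # look-alike site can only obtain an assertion for its own origin.
        client_data = json.dumps({"challenge": challenge.hex(), "origin": origin},
                                 sort_keys=True).encode()
        sig = hmac.new(self._key_for(rp_id), client_data, hashlib.sha256).digest()
        return {"client_data": client_data, "signature": sig}


class RelyingParty:
    """The genuine service: checks origin and challenge before the signature."""
    def __init__(self, rp_id: str):
        self.rp_id, self.origin, self.credentials = rp_id, f"https://{rp_id}", {}

    def verify(self, user: str, challenge: bytes, assertion: dict) -> bool:
        data = json.loads(assertion["client_data"])
        if data["origin"] != self.origin or data["challenge"] != challenge.hex():
            return False  # wrong site, or a stale/replayed challenge
        key = self.credentials.get(user)
        if key is None:
            return False
        expected = hmac.new(key, assertion["client_data"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])
```

The TOTP values match the RFC 6238 SHA-1 test vectors (truncated to six digits), while an assertion obtained by a look-alike origin never verifies at the genuine relying party.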

Finally, while implementing a 2FA strategy is important, its effectiveness can be reduced by weak password management. Many people still use very common passwords such as password1, spring2023, qwerty or hunter2 to safeguard their accounts. The good news is that it’s easy to create secure passwords; learn how in about three minutes with this quick video:

Eight in 10 people claim to reuse their passwords across different websites. While this may be convenient to remember, it creates a single point of failure should a cyber criminal compromise any one account protected by that shared password. The attacker will then try the same password against other popular sites and apps, and will likely succeed.

The security of crypto platforms, including ours, and personal cybersecurity hygiene will be vital for cryptoassets to move into mainstream adoption. If you’re interested in learning more about our security approach, click here for more details.


These materials are for general information purposes only and are not investment advice or a recommendation or solicitation to buy, sell, stake or hold any cryptoasset or to engage in any specific trading strategy. Kraken will not undertake efforts to increase the value of any cryptoasset that you buy. Crypto products and markets are unregulated, and you may not be protected by government compensation and/or regulatory protection schemes. The unpredictable nature of the cryptoasset markets can lead to loss of funds. Tax may be payable on any return and/or on any increase in the value of your cryptoassets and you should seek independent advice on your taxation position. Geographic restrictions may apply.