When you try to regain access to your Kraken account, you may be asked to participate in a video call with a support agent to prove that you really are who you say you are.
Last month, the centralized exchange said it caught someone wearing a Halloween-style rubber mask trying to fool the employee on the other end of the line, but it didn’t work.
The attacker had raised a number of red flags during the first round of checks, such as not naming the assets held in the account. These flags led the agent handling the case to require a video call before granting access to the account. During the conversation, the Kraken employee asked a few more questions and checked the person’s identity.
The attacker failed at this stage – dramatically.
“Our agent said, this is absolutely ridiculous. This is a rubber mask that the man is wearing,” Kraken Chief Security Officer Nick Percoco told Declutter.
The mask did not even resemble the person the attacker claimed to be, Percoco said. The victim was a white man in his early 50s, so it appeared to Percoco that the attacker simply grabbed a mask that vaguely matched the description.
And this isn’t the first time someone has worn a disguise in an attempt to fool Kraken.
“[We] occasionally see things where people put on a fake mustache,” he told Declutter. “They show [the ID] and it seems close because they wear the same glasses, have a mustache and have blonde hair. We see that every now and then. They never pass.”
“But this is the first time,” he added, “that anyone has gone to the costume store to get a mask.”
To make matters worse, the attacker did not even have credible identification. It was “obviously” photoshopped and printed on cardboard, Percoco explained, albeit with the correct information on it.
While this wasn’t a sophisticated attack, it does point out that even sloppy scammers could potentially gain access to the private data of ordinary people. Even with such an unpolished effort, attackers could find success, according to Percoco.
“I think we have to [work],” he told Declutter. “I think people who wear disguises, people who go into another place and get a copy of your ID and then print it out on glossy paper and hold it up… for some exchanges that probably works.”
He claimed that some exchanges do not have the same level of attention to detail that Kraken demands from his team. Percoco specifically points to companies that outsource their support and states that this is more likely to lead to errors.
If he’s right, it means those who use centralized exchanges shouldn’t always rely on the company to fend off bad actors. To protect themselves, Percoco says, users must deploy two-factor authentication “everywhere” – from your email to far beyond – to prevent malicious parties from obtaining personal information at all costs.
Even with such protection methods in place, a user can still fall prey to phishing scams. For the highest level of security, he recommends using FIDO2 and passkeys; these are hardware keys that allow your phone or laptop to become your password for an account.
“Passkeys are cryptographically tied to the sites and applications you use them with,” he said, “so you can’t be fooled into thinking you’re logging into Kraken.”
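An added example, not from Kraken or the original article, of the relying-party checks behind that binding: in a WebAuthn login the browser records the page's origin in the client data and the authenticator data carries a SHA-256 hash of the site's RP ID, so a response produced on a lookalike domain fails at the real site. The origin and RP ID `exchange.example` are placeholders, the assertions are constructed, and verification of the signature that covers these fields is omitted.

```python
import base64, hashlib, hmac, json, struct

EXPECTED_ORIGIN = "https://exchange.example"  # assumed: the real site's origin
EXPECTED_RP_ID = "exchange.example"           # assumed: its WebAuthn RP ID

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample: the fields a browser and authenticator emit for a login."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    flags = 0x01 | 0x04  # user present + user verified
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 7)
    return client_data, auth_data

def binding_failures(client_data: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Relying-party checks that tie an assertion to this site; [] means all passed."""
    failures = []
    fields = json.loads(client_data)
    if fields.get("type") != "webauthn.get":
        failures.append("type")
    if fields.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    if fields.get("challenge") != b64url(challenge):
        failures.append("challenge")
    if len(auth_data) < 37:  # 32-byte rpIdHash + 1 flag byte + 4-byte counter
        return failures + ["authenticator data length"]
    expected_hash = hashlib.sha256(EXPECTED_RP_ID.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        failures.append("rpIdHash")
    if not auth_data[32] & 0x01:
        failures.append("user presence")
    return failures

if __name__ == "__main__":
    challenge = b"constructed-server-challenge-001"
    genuine = make_assertion(EXPECTED_ORIGIN, EXPECTED_RP_ID, challenge)
    print(binding_failures(*genuine, challenge))
    lookalike = make_assertion("https://exchange-login.example",
                               "exchange-login.example", challenge)
    print(binding_failures(*lookalike, challenge))
```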
Edited by Andrew Hayward