Assailants Can Bypass Kraken 2FA Protection on Withdrawals

An interesting discovery was made by a cryptocurrency enthusiasts not too long ago. Most Bitcoin exchange platforms use two-factor authentication as an “extra line of defense”. However, not all of these implementations are safe from bypassing. One person mentioned how Kraken’s 2FA security would protect the login credentials, but it can be bypassed for withdrawals.

Keeping information and funds secure are the two primary objectives of any financial platform in the world, including cryptocurrency exchanges. This is why nearly every platform has added two-factor authentication. Even if somebody’s login and password would be stolen, assailants will not be able to gain access to their account. That is unless they control the device used for 2FA purposes as well.

Bypassing Kraken Withdrawal 2FA Verification

Kraken, one of the world’s largest cryptocurrency exchanges, has implemented 2FA countermeasures quite some time ago. Not just for the login system, but also for any withdrawal requests made by users. Unlike other companies, Kraken uses a 2FA method that forces users to generate new codes manually, rather than having them refresh automatically.

But as it turns out, that measure may not be sufficient to keep user funds safe from harm. In most cases, stolen funds from accounts protected by 2FA are a direct result of user error. Clicking a malicious link on their mobile device may have installed a backdoor, allowing assailants to generate 2FA codes in the background.

Then again, one user tested a different method, in an attempt to determine if 2FA protection on Kraken withdrawals could be bypassed. Assuming the assailant has the login credentials of said user, and can bypass the login with a valid 2FA code, they can then turn off two-factor authentication for withdrawals in the account settings.

This may sound rather reasonable to a lot of people, but it is also very worrying at the same time. Two-factor authentication in the financial world should be mandatory for all services, and not something people can turn off for individual parts of the platform. Kraken maintains an opt-in method for additional security, rather than making it obligatory.

Granted, it remains up to individual users to determine how secure they want to make their account. For people who move funds in and out of exchanges quickly, this may not be such a big deal, but even then, additional security is good to have. People who use Kraken and other platforms like a wallet – which they never should – proper 2FA countermeasures are an absolute must.

Source: Steemit

Header image courtesy of Shutterstock

About JP Buntinx

JP is a freelance copywriter and SEO writer who is passionate about various topics. The majority of his work focuses on Bitcoin, blockchain, and financial technology. He is contributing to major news sites all over the world, including NewsBTC, The Merkle, Samsung Insights, and TransferGo.