Kraken CEO Jesse Powell recently appeared on an episode of the What Bitcoin Did podcast with host Peter McCormack to discuss a wide variety of topics related to the crypto asset space. With Powell being the head of one of the most successful, longstanding exchanges in the crypto economy, exchange security was one of the key areas of discussion during the interview.
Although Kraken is one of the oldest bitcoin exchanges in existence, it has not been hacked to date. While Powell is proud of that record, he made it clear during his talk with McCormack that defending against potential hacks is something exchanges must always stay vigilant about.
“I don’t think it should be something you get over,” said Powell. “It’s something that still sits with me for sure.”
Powell added that Kraken’s security protocols have become more robust over time, and that the company also has to keep an eye on the latest developments in computer security.
“The risk is always there, and there’s just new vulnerabilities emerging as well like Spectre stuff and these supply chain attacks,” explained Powell. “You get more worried about operational security and the security of your personnel.”
During their conversation around exchange security, Powell and McCormack discussed how attackers may be willing to invest large sums of money in their hack attempts, how personnel security has become a main priority, and the types of attacks Kraken has faced in the past.
Attackers are Willing to Invest Money Into Their Hack Attempts
One of the first points Powell made in regard to exchange security was that attackers may be willing to go to great lengths to hack an exchange if the reward is thought to be high enough.
“You could imagine some crazy Mission Impossible style attack where hackers are buying the building across the street from you and putting telescopes in the building to try to see into your office to track keyboard strokes or whatever,” said Powell. “There’s crazy things people could do if they felt like the reward was high enough.”
On the other hand, there’s also the possibility that someone will try to simply walk into Kraken’s offices with a gun one day because they think they’ll be able to instantly gain access to a stockpile of bitcoin through brute, physical force.
“Even though that’s totally not possible, [the attacker] just needs to imagine that it’s possible and try to do it,” noted Powell. “We’re just constantly paranoid.”
Personnel Security is a High Priority
According to Powell, Kraken’s justified paranoia has led to an increased focus on the physical security of their personnel. In this regard, Powell gave a tip of the hat to Casa CTO Jameson Lopp, who has written about how individuals can reclaim their privacy in the surveillance age and launched a bounty for anyone who can break his opsec.
“But, you know, you just make one little trip up somewhere and you get entered into some database and it’s like suddenly you’re everywhere — you have to start all over,” added Powell. “It’s a really hard thing to do.”
Powell went on to explain that compromising an individual who works at an exchange (or even someone close to that person) can be a key entry point for an attacker, especially since phone carriers seem unable to control the rampant SIM swapping attacks that have affected bitcoin and altcoin users for years. Even if only someone’s email account is hacked, compromising information found in it may be used for blackmail.
The possibility of blackmail is one reason that monitoring and logging personnel activity as much as possible is a key component of Kraken’s security practices. “There’s a lot of monitoring, really, that goes on,” said Powell.
If anyone within the company does anything suspicious, such as looking into an account that has no associated support ticket, an internal investigation will be launched to make sure everything is aboveboard.
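As an added illustration of the kind of check Powell describes (a staff member looking into an account that has no associated support ticket), here is example code that is not Kraken’s and not from the podcast. It parses a constructed support-audit log, compares each account lookup against a constructed ticket list, and flags lookups with no open ticket for that account, lookups that cite a ticket covering a different account, and lookups that cite a ticket assigned to another agent. The log format, field names, ticket structure and the one-hour grace period after a ticket is closed are all assumptions made for the example.

```python
"""Insider-access check: flag staff account lookups that no support ticket justifies.

Example code; the log format, ticket fields and grace period are assumptions,
not Kraken's actual tooling.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    account_id: str
    assignee: str
    opened_at: datetime
    closed_at: Optional[datetime]  # None while the ticket is still open


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    staff: str
    action: str
    account_id: str
    ticket_ref: Optional[str]  # ticket the agent cited when opening the account, if any


def _t(s: str) -> datetime:
    """Parse the constructed log's UTC timestamp format."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed ticket list (assumed data, not real tickets).
TICKETS = [
    Ticket("T-501", "acct-1002", "alice", _t("2019-05-03T13:50:00Z"), None),
    Ticket("T-502", "acct-2048", "bob", _t("2019-05-02T09:00:00Z"), _t("2019-05-02T17:30:00Z")),
]

# Constructed audit log of support-tool account views (assumed format).
AUDIT_LOG = """\
2019-05-03T14:02:11Z staff=alice action=view_account account=acct-1002 ticket=T-501
2019-05-03T14:05:40Z staff=alice action=view_account account=acct-7777 ticket=T-501
2019-05-02T17:45:00Z staff=bob action=export_history account=acct-2048
2019-05-03T15:10:02Z staff=carol action=view_account account=acct-2048
2019-05-03T14:20:00Z staff=dave action=view_account account=acct-1002 ticket=T-501
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) staff=(?P<staff>\S+) action=(?P<action>\S+) "
    r"account=(?P<account>\S+)(?: ticket=(?P<ticket>\S+))?$"
)


def parse_audit_log(text: str) -> List[AccessEvent]:
    """Turn the key=value audit lines into AccessEvent records; reject anything unparseable."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        events.append(AccessEvent(_t(m["ts"]), m["staff"], m["action"], m["account"], m["ticket"]))
    return events


def _covers(ticket: Ticket, ev: AccessEvent, grace: timedelta) -> bool:
    """True if the ticket is for this account and was open (or closed within `grace`) at event time."""
    if ticket.account_id != ev.account_id or ev.ts < ticket.opened_at:
        return False
    return ticket.closed_at is None or ev.ts <= ticket.closed_at + grace


def find_unjustified_access(
    events: List[AccessEvent], tickets: List[Ticket], grace: timedelta = timedelta(hours=1)
) -> List[Tuple[AccessEvent, str]]:
    """Return (event, reason) pairs for every lookup that no ticket justifies.

    A cited ticket must cover the account at that time and be assigned to the agent;
    an uncited lookup needs at least one ticket for that account open at that time.
    """
    by_id = {t.ticket_id: t for t in tickets}
    findings = []
    for ev in events:
        if ev.ticket_ref is not None:
            cited = by_id.get(ev.ticket_ref)
            if cited is None or not _covers(cited, ev, grace):
                findings.append((ev, "cited ticket does not cover this account at this time"))
            elif cited.assignee != ev.staff:
                findings.append((ev, f"cited ticket {cited.ticket_id} is assigned to {cited.assignee}"))
            continue
        if not any(_covers(t, ev, grace) for t in tickets):
            findings.append((ev, "no open ticket for this account"))
    return findings


if __name__ == "__main__":
    for ev, reason in find_unjustified_access(parse_audit_log(AUDIT_LOG), TICKETS):
        print(f"{ev.ts.isoformat()} {ev.staff} {ev.action} {ev.account_id}: {reason}")
```

Run against the constructed data, the check lets the two ticketed lookups through (bob’s export lands inside the grace window after T-502 closed) and flags the other three: an agent reusing her own ticket to browse an unrelated account, a lookup with no ticket at all, and an agent citing a colleague’s ticket. Each flagged row is the trigger for the internal investigation Powell describes, not a verdict on its own.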
Because of the difficulties around personal privacy and security today, Kraken recommends that its employees not tell anyone where they work, especially on social media. In fact, Kraken would rather its personnel not mention bitcoin or cryptocurrencies at all on their social media profiles.
“If you don’t have a need to be publicly associated with the company, just don’t do it because it’s painting a target on your back,” said Powell. “These guys are scraping LinkedIn and Twitter, looking for anyone mentioning bitcoin, and then they’ll target them.”
How Has Kraken Been Attacked?
Just because Kraken has never been hacked does not mean there haven’t been attempts to steal crypto assets from the exchange in the past.
Powell explained that there are always bots scanning for unpatched vulnerabilities on exchange websites, but those who have tried more complex attacks involving social engineering have not gotten very far.
“There have been cases where they’ve called our datacenter and tried to impersonate us and tried to get the person at the datacenter to do things for them,” said Powell. “Fortunately, they were smart enough to not let that happen, but it’s a scary thought.”
According to Powell, Kraken moved to a different datacenter after this event.
“You have to assume you’re going to get hacked at some point, and you just do your best to make sure that the damage can’t be that bad when it happens,” said Powell as the conversation moved on to other topics.