Topic: [ANN] KRAKEN.COM - Exchange with USD EUR GBP JPY CAD BTC LTC XRP NMC XDG STR ETH - page 185. (Read 628889 times)

legendary
Activity: 1820
Merit: 1000
> Where can I read more about the global settings lock ?

We have a rather extensive article in the Kraken Help Center covering the Global Settings Locks. It's in the 'Security: Account' section. I think the article does a pretty good job of conveying the purpose of the lock (but please let us know if you think otherwise). It also describes which settings get locked and what can be done to unlock your settings:
https://support.kraken.com/hc/en-us/articles/201396877-What-is-the-Global-Settings-Lock-

Thank you.

I think in combination with a master key, it is okay to activate the settings lock.
But as HPt wrote,
1) not everybody knows enough about this settings lock
2) not everybody knows, that without the settings lock, it is easy to bypass the 2FA !!!

So I still think Kraken has to do something, to make 2FA secure even without the settings lock. The 2FA method should not be changeable without access to 2FA nor password, except with a masterkey or with support.

I agree with you and HPt that we at the very least need to do more to make people aware of the settings lock. Just so there's no confusion about the issue here, it's only easy to bypass 2fa if you have already gained access to the account. So it's not easy for someone who doesn't have access to the account to bypass the 2fa for login. But I understand how someone who sets 2fa for trading or funding would expect that this isn't easy to bypass even if someone has access to the account, so that either needs to be changed or it needs to be made clearer that the settings lock should be used in conjunction with 2fa for trading or funding in order for these to really improve the security of the account.

We will take a look at this issue and do something to address it - thanks for bringing it up!
legendary
Activity: 2940
Merit: 1131
> Where can I read more about the global settings lock ?

We have a rather extensive article in the Kraken Help Center covering the Global Settings Locks. It's in the 'Security: Account' section. I think the article does a pretty good job of conveying the purpose of the lock (but please let us know if you think otherwise). It also describes which settings get locked and what can be done to unlock your settings:
https://support.kraken.com/hc/en-us/articles/201396877-What-is-the-Global-Settings-Lock-

Thank you.

I think in combination with a master key, it is okay to activate the settings lock.
But as HPt wrote,
1) not everybody knows enough about this settings lock
2) not everybody knows, that without the settings lock, it is easy to bypass the 2FA !!!

So I still think Kraken has to do something, to make 2FA secure even without the settings lock. The 2FA method should not be changeable without access to 2FA nor password, except with a masterkey or with support.
sr. member
Activity: 244
Merit: 250
> Where can I read more about the global settings lock ?

We have a rather extensive article in the Kraken Help Center covering the Global Settings Locks. It's in the 'Security: Account' section. I think the article does a pretty good job of conveying the purpose of the lock (but please let us know if you think otherwise). It also describes which settings get locked and what can be done to unlock your settings:
https://support.kraken.com/hc/en-us/articles/201396877-What-is-the-Global-Settings-Lock-
legendary
Activity: 2940
Merit: 1131
I wonder, whether I am the only one who considers it disturbing that Kraken's two-factor authentication, e.g. for withdrawing funds, can easily be by-passed by simply changing the authentication method. For example, despite having Yubikey enabled for withdrawing funds, it is possible to withdraw funds without possessing the Yubikey (and without knowing the Master key) as follows:
   1. Go to Security/Two-Factor Authentication
   2. Click on the "Edit/View details" link for Funding
   3. Change Method to Password
   4. Set a new password (no Yubikey and no master key is required!)
   5. Go to Funding/Withdraw
   6. Add a new address and withdraw funds to it using the newly set password
So, anyone who is able to log in to a Kraken account or catches a browser with an open Kraken session is able to deplete this account.
I reported this vulnerability to Kraken more than two weeks ago. According to Kraken, this behaviour is intended and can be suppressed by going to Settings/Account and enabling "Global Settings Lock". However, I wonder who is aware of the fact that, without this "Global Settings Lock", the two-factor authentication is completely ineffective.


Thank you very much for sharing this.
I also think this is unacceptable!

Where can I read more about the global settings lock ? In the settings is written:
"The Global Settings Lock prevents any changes to your account settings and hides the display of sensitive info. See FAQ for more details"
But in the FAQ there is nothing about it except "Lock your account settings with the global settings lock", which is not helpful at all...
edit: I would like to know, what settings exactly are affected and how to deactivate the global settings lock instantly.

Dargo, what do you know about this vulnerability and the Lock ?
Maybe you should add an additional setting? Like "Activate 2FA for setting changes"?
HPt
member
Activity: 70
Merit: 15
I wonder, whether I am the only one who considers it disturbing that Kraken's two-factor authentication, e.g. for withdrawing funds, can easily be by-passed by simply changing the authentication method. For example, despite having Yubikey enabled for withdrawing funds, it is possible to withdraw funds without possessing the Yubikey (and without knowing the Master key) as follows:
   1. Go to Security/Two-Factor Authentication
   2. Click on the "Edit/View details" link for Funding
   3. Change Method to Password
   4. Set a new password (no Yubikey and no master key is required!)
   5. Go to Funding/Withdraw
   6. Add a new address and withdraw funds to it using the newly set password
So, anyone who is able to log in to a Kraken account or catches a browser with an open Kraken session is able to deplete this account.
I reported this vulnerability to Kraken more than two weeks ago. According to Kraken, this behaviour is intended and can be suppressed by going to Settings/Account and enabling "Global Settings Lock". However, I wonder who is aware of the fact that, without this "Global Settings Lock", the two-factor authentication is completely ineffective.
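Added example (not part of the original post and not Kraken's code): a minimal model of the settings-change check discussed above, showing the unguarded behaviour next to a handler that demands the current funding factor or the master key before the factor can be replaced. All names are hypothetical, the static strings are constructed stand-ins for real factors, and the lock is modelled simply as "no changes while set".

```python
import hmac
from dataclasses import dataclass

class StepUpRequired(Exception):
    """Raised when a settings change lacks proof of the current factor."""

@dataclass
class Account:
    funding_method: str            # e.g. "yubikey" or "password"
    funding_secret: str            # constructed stand-in for the enrolled factor
    master_key: str
    settings_locked: bool = False  # models the Global Settings Lock

def _ok(expected, presented):
    # Constant-time comparison; a missing proof never matches.
    return presented is not None and hmac.compare_digest(
        expected.encode(), presented.encode())

def change_unguarded(acct, method, secret, **_proofs):
    # Behaviour described in the post: a logged-in session is enough.
    acct.funding_method, acct.funding_secret = method, secret

def change_guarded(acct, method, secret, *, current=None, master_key=None):
    # Hardened: refuse while locked, otherwise require the current
    # funding factor or the master key before replacing the factor.
    if acct.settings_locked:
        raise StepUpRequired("settings are locked")
    if not (_ok(acct.funding_secret, current) or _ok(acct.master_key, master_key)):
        raise StepUpRequired("current factor or master key required")
    acct.funding_method, acct.funding_secret = method, secret

def withdrawal_allowed(acct, proof):
    return _ok(acct.funding_secret, proof)

def session_only_swap(change_fn):
    """Model a session holder with neither the factor nor the master key.
    Returns True if a withdrawal would be authorised after the attempt."""
    acct = Account("yubikey", "otp-from-device", "mk-constructed")
    try:
        change_fn(acct, "password", "new-password")
    except StepUpRequired:
        pass
    return withdrawal_allowed(acct, "new-password")

if __name__ == "__main__":
    print("unguarded:", session_only_swap(change_unguarded))
    print("guarded:  ", session_only_swap(change_guarded))
```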
legendary
Activity: 1193
Merit: 1001
Chinese translator
Finally I added Karken to my favourite.

In English it is spelled Kraken, not Karken.

Sorry I typed it too fast.
legendary
Activity: 1193
Merit: 1001
Chinese translator
Finally I added Karken to my favourite. Also I would like it to be translated to Chinese and I'm available to do this if you're interested in it.

Check my service thread also: https://bitcointalksearch.org/topic/since-2014-referral-bonus-weis-english-chinese-translation-services-1005465
legendary
Activity: 1820
Merit: 1000
Setup a SynapsePay account but cannot deposit USD into Kraken due to Insufficient Documentation with no other directions.  This doesn't seem like ACH linkage between US banking accounts.  

You're right, it's not an ACH linkage. It's a wire deposit. First you have to activate your Synapse account with Kraken (Go to Funding > Deposit > USD > SynapsePay in your Kraken account and follow the instructions). After the account is activated (this can take up to 3 working days I believe), you then go again to Funding > Deposit > USD > SynapsePay in your Kraken account. There you choose an account (one of the bank accounts you've set up with Kraken to use for SynapsePay) and the amount you want to deposit. Then you click "Review Deposit" and "Confirm Deposit." You will then be taken to a screen that shows you the wire details you need to use to send the wire. The details include a reference number that you must include in the wire. Also, you must send the amount that you indicated. If you tell us in the form that you are going to send $5,000 but then send us a wire for $4,500 this will definitely delay things.

I hope this helps clear things up. If not, contact us through support or feel free to DM me with questions. I agree that the documentation is insufficient, so I'll look at getting some better documentation up in our support center.
hero member
Activity: 1223
Merit: 506
This is who we are.
Setup a SynapsePay account but cannot deposit USD into Kraken due to Insufficient Documentation with no other directions.  This doesn't seem like ACH linkage between US banking accounts. 
sr. member
Activity: 326
Merit: 250
Atdhe Nuhiu
Yes, I just realised it now. There must be some glitch. Was resolved with disabling 2FA for funding. Still it is weird.
sr. member
Activity: 244
Merit: 250
Geez,
I tried to withdraw quite a lot of BTC, it says Permission denied.

Were BTC payouts also affected? Wtf is that?

Nobody is responding to tickets.

77012 ticket.

It could be an issue with your 2FA settings for funding - have you checked them? I will get an agent to reply to #77012
sr. member
Activity: 326
Merit: 250
Atdhe Nuhiu
Geez,
I tried to withdraw quite a lot of BTC, it says Permission denied.

Were BTC payouts also affected? Wtf is that?

Nobody is responding to tickets.

77012 ticket.
sr. member
Activity: 244
Merit: 250
Dear support,

please take a look at request number 74217.

There has been no answer for 3 days. (Your request (number 74217) is currently marked as "Pending".)

Thank you!



Hi sadprince, sorry about this, we will have an agent get back to you soon - thanks for your patience!
newbie
Activity: 28
Merit: 0
Dear support,

please take a look at request number 74217.

There has been no answer for 3 days. (Your request (number 74217) is currently marked as "Pending".)

Thank you!

legendary
Activity: 1078
Merit: 1024
Here's what happened with the recent site/API issues: There was a technical problem with our funding partner Vogogo. It should have only affected our interface with this funding partner, but unfortunately it affected other systems as well. We've made the necessary adjustment so other systems are no longer affected, but funding through Vogogo will be offline until the technical problems are fixed on their end. Edit: Vogogo is our CAD funding partner, so CAD funding is offline for now and we don't have an ETA for when it will be back online. Funding in all other currencies is operating smoothly.

Thanks for the update, had trouble understanding why the funding service was offline.
On a separate note, it's unfortunate that it's happening while fees are lowered.
legendary
Activity: 1820
Merit: 1000
Here's what happened with the recent site/API issues: There was a technical problem with our funding partner Vogogo. It should have only affected our interface with this funding partner, but unfortunately it affected other systems as well. We've made the necessary adjustment so other systems are no longer affected, but funding through Vogogo will be offline until the technical problems are fixed on their end. Edit: Vogogo is our CAD funding partner, so CAD funding is offline for now and we don't have an ETA for when it will be back online. Funding in all other currencies is operating smoothly.
hero member
Activity: 854
Merit: 503
Legendary trader
So a period of free trading for everyone once things work smoothly?
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
Really... kraken wants to play the big guy, buying up the competition but they fail with the most basic things which are the very basis of their company. Do they live in the clouds, not getting near their fundament anymore?

I only can imagine that they never thought about that buying up competition might bring a heavy serverload and that they would need to compensate with more servers.

And in the meantime my coins are stuck and I can't do anything. Great.

If you don't come up with a convincing solution then I will think twice about risking using you again.
legendary
Activity: 1820
Merit: 1000
Hi all - apologies for the site/API connectivity issues. The current status is that we are working to fix, but don't have an ETA at this time. The best way to get updates on this kind of issue is to follow us on twitter:

https://twitter.com/krakenfx

We understand that the instability in recent weeks is unacceptable and it's our top priority to address it.
hero member
Activity: 639
Merit: 500
How long does it take? Need to withdraw some Euros -.-