Security Features
Kraken takes a comprehensive approach to security. Our experts have built in a number of sophisticated measures to prevent the theft of any money or information. Theft, of course, isn't the only threat: it's also essential that a professional exchange offer financial stability, with full reserves, healthy banking relationships and the highest standards of legal compliance.
Described below are just some of our public security practices. The list is not complete — you can be assured that our security measures go beyond what we’re willing to make public.
Coin Storage
All new deposits go directly to cold wallets — that is, wallets that are completely isolated from any online system.
The vast majority of coins are stored in cold wallets, with complete air-gap isolation.
A limited number of coins are stored in semi-cold wallets — on protected machines with locked drives.
Only the coins that are needed to maintain operational liquidity are stored in hot (online) wallets.
All wallets are encrypted.
User Account Security
Two-factor authentication is available for account login, making deposits and withdrawals, placing orders, and actions that can be performed using API keys.
Protection against leakage of user information: login or password recovery attempts will not reveal any account information, including confirmation of the existence of an account.
PGP/GPG for email encryption and email signature/verification.
Isolated, highly secure system for uploading account verification documents.
Global settings lock feature that, when enabled, prevents tampering of user account information by an attacker who has gained access to the account.
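The "no confirmation of the existence of an account" property above is a design rule for login and password-recovery handlers. The following is an added illustration, not Kraken's code: a toy user store and two handlers that return the same response and do the same amount of work whether or not the address is known. The sample account, the salt handling and the in-memory outbox are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 over the password; the cost is deliberately non-trivial."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed in-memory "database": email -> (salt, password hash).
# Sample data for this example only, not real accounts.
_ALICE_SALT = os.urandom(16)
USERS = {
    "alice@example.com": (_ALICE_SALT, _hash_password("correct horse battery staple", _ALICE_SALT)),
}

# Salt used to hash the candidate password when the account does not exist,
# so the unknown-user path costs the same as the known-user path.
_DUMMY_SALT = os.urandom(16)

# Messages queued for delivery; a real deployment would hand these to a mailer.
OUTBOX = []

# One fixed reply for every caller: it never confirms or denies that an account exists.
GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."
LOGIN_FAILED = "Invalid email or password."


def request_password_reset(email: str) -> str:
    """Password-recovery handler that leaks nothing about account existence."""
    user = USERS.get(email.strip().lower())
    if user is not None:
        OUTBOX.append({"to": email.strip().lower(), "token": secrets.token_urlsafe(32)})
    else:
        # Generate (and discard) a token anyway so the two branches take
        # comparable time; only the known-account branch queues mail.
        secrets.token_urlsafe(32)
    return GENERIC_REPLY


def login(email: str, password: str) -> str:
    """Login handler that treats 'unknown account' and 'wrong password' identically."""
    record = USERS.get(email.strip().lower())
    salt, stored = record if record is not None else (_DUMMY_SALT, None)
    # The expensive hash runs on every attempt, including unknown accounts.
    candidate = _hash_password(password, salt)
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    return "ok" if ok else LOGIN_FAILED


if __name__ == "__main__":
    print(request_password_reset("alice@example.com"))
    print(request_password_reset("nobody@example.com"))   # same text
    print(login("alice@example.com", "wrong"))
    print(login("nobody@example.com", "wrong"))           # same text
    print("queued:", len(OUTBOX))
```

The two things a reviewer checks here are that every branch returns the identical string and that the costly work (hashing, token generation) happens on both branches, since a handler that returns the same text but short-circuits for unknown users still reveals existence through response time.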
System Security
Kraken's servers reside in locked racks, in a locked private cage, inside a top-tier professional data center: this means armed guards, video surveillance, retina scans, the works.
Data is encrypted wherever possible, and systems are both redundant and isolated from one another.
Data is replicated in real time and backed up on a daily basis.
We currently use Cloudflare, among other measures, for protection from Distributed Denial of Service attacks.
Our office is wired with separate networks for separate purposes. The system our agents use to access your uploaded account verification documents cannot be used for anything else. Support tickets are on a completely separate system, and so on.
Our staff has been thoroughly reviewed, and multiple sign-offs are required for anything remotely sensitive.
Financial Security
We maintain full reserves — a "bank run" is an impossibility.
Customer funds reside in a bank account separate from our operations account, and fees are transferred on a daily basis.
Customer funds cannot be borrowed to fund operations, nor can they be lent, even for margin trading on our own platform.
We have solid relations with our bank, and an agreement is in place allowing us to wind down our account in an orderly fashion, should our relationship ever come to an end.
We are pursuing multiple banking partnerships to build in some financial redundancy — so that even should the above situation come to pass, our daily operations will not be interrupted.
Legal Compliance
Bitcoin's legal status is still being defined, but Kraken takes a highly proactive and informed approach to ensuring legal compliance.
Our approach is to operate conservatively, entirely within the bounds of current law, and to constantly monitor regulatory developments so that we can anticipate changes before they occur.
Our compliance measures are designed by a five-member team of legal advisors, including a full-time General Counsel who is responsible for constantly evaluating our legal stance in the face of regulatory developments.
Your Security Practices
What You Should Do
While our security practices go a very long way toward protecting your personal information and keeping your money safe, there are a few things we strongly recommend you do yourself in order to make your account as secure as possible.
Choose a long password or, better yet, a long passphrase.
Set up two-factor authentication, at least for logging in, making withdrawals, and the Master Key. Two-factor authentication makes it much more difficult for anyone other than yourself to gain access to your account. Instructions for setting up two-factor authentication are provided below.
Pay attention to the monster cartoon on the login page, and stop to investigate if you notice that the cartoon has changed unexpectedly. The monster cartoon is explained in the FAQ section here.
Set up PGP/GPG for your email account so that you can verify automated messages sent by us, and so that you can send/receive encrypted content in case any sensitive information needs to be communicated. See setup instructions below.
Send your verification documents only via the form we provide, rather than via email or in a support ticket.
Set up two-factor authentication on the email account associated with your Kraken account.
Once you have your account settings settled, we recommend that you use the global settings lock, especially if you go on vacation or won't be able to monitor the email associated with your account for a period of time.
Two-Factor Authentication
Two-factor authentication greatly increases the security of your account by requiring a second passcode in addition to the standard username and password. Google Authenticator or Yubikey should be used to generate dynamic passcodes for maximum security.
Before you set up two-factor authentication, you’ll need to decide on a method for generating dynamic passcodes. (We offer a static passcode option, but this isn't recommended.) The most common methods are via the Google Authenticator application (for Android, iOS, BlackBerry, etc.) or with a dedicated Yubikey device.
https://code.google.com/p/google-authenticator/
http://en.wikipedia.org/wiki/Google_Authenticator
http://www.yubico.com/
To set up two-factor authentication in your Kraken account, go to the Two-Factor Authentication tab. Click "setup" and choose the two-factor option you want. TOTP requires less maintenance, but is less secure, while HOTP requires more maintenance and is more secure. For most users, however, the difference is marginal compared to the benefits gained from using two-factor authentication in the first place. For more information:
http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
http://en.wikipedia.org/wiki/HOTP
Selecting the "Password" option gives you a static passcode, which is much less secure than a dynamic one. It is not recommended unless you have a special reason for preferring it.
Complete the setup process by following the given instructions. Be careful about changing some of the default options, as setup failures may result (see warnings provided in the instructions).
You should also set up two-factor authentication for the Master Key. This increases security for such critical functions as resetting passwords and requesting two-factor authentication bypass codes.
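To make the TOTP/HOTP distinction above concrete, here is an added example (written for this page, not Kraken's or Google Authenticator's code) implementing both algorithms from the RFCs with Python's standard library, plus the server-side checks that go with each: a clock-drift window for TOTP and a look-ahead counter with replay rejection for HOTP. The shared secret is the RFC 4226/6238 test-vector secret, and the window and look-ahead sizes are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# The 20-byte ASCII secret used in the RFC 4226 and RFC 6238 test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so token and server only share a clock."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, code: str, for_time=None, step: int = 30, window: int = 1) -> bool:
    """Server-side TOTP check accepting +/- `window` steps of clock drift.
    (Assumed window of 1 step; a real server would also record the step of the
    last accepted code so the same code cannot be submitted twice.)"""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time // step)
    return any(
        hmac.compare_digest(hotp(secret, c, len(code)), code)
        for c in range(counter - window, counter + window + 1)
    )


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 5):
    """Server-side HOTP check. The token may have been pressed without the code
    being used, so codes up to `look_ahead` counters ahead are accepted
    (assumed value of 5). Counters below `server_counter` are never accepted,
    which is what makes a consumed code unreplayable. Returns the new server
    counter on success, None on failure."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, len(code)), code):
            return c + 1
    return None


def provisioning_secret(secret: bytes) -> str:
    """Unpadded base32 form of the shared secret, the format authenticator apps
    such as Google Authenticator expect when the secret is entered or encoded
    in a QR code."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    print("secret for the app:", provisioning_secret(RFC_SECRET))
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(RFC_SECRET, c)}")
    print("TOTP now:", totp(RFC_SECRET))
    print("accepted:", verify_totp(RFC_SECRET, totp(RFC_SECRET)))
```

The maintenance difference the text mentions shows up in the verifiers: the TOTP server keeps no per-user state beyond the secret and tolerates drift with a small window, whereas the HOTP server must persist and advance a counter for every user and resynchronise when the token and server drift apart. The same counter is what lets HOTP reject a code the moment it has been used.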
PGP/GPG Encryption
PGP (Pretty Good Privacy) and its fully compatible GPL-licensed alternative GPG (Gnu Privacy Guard or GnuPG) are the standard for encryption/decryption of email. Setting up PGP/GPG will allow you to:
Verify automated messages from Kraken, so that you can be sure they came from us and haven't been tampered with en route.
Send and receive encrypted content, safely communicating sensitive information with support staff.
One popular method for encrypting email uses the Mozilla Thunderbird email client with the Enigmail plugin. The basic steps:
Download and install the Thunderbird client:
https://www.mozilla.org/en-US/thunderbird/
Install GnuPG and the Enigmail plugin:
http://www.enigmail.net/home/index.php
Once you've got everything set up, you’ll give us your public key and import our keys. We have two — one for verifying automated email (found here) and one for communicating encrypted content with Kraken support staff (available soon).
If you’re a MacOS user, we recommend GPGMail, a new GPG plugin for Apple Mail:
https://gpgtools.org/gpgmail/index.html
For more information about PGP/GPG, see the links below.
https://en.wikipedia.org/wiki/Pretty_Good_Privacy
http://en.wikipedia.org/wiki/GNU_Privacy_Guard
https://en.wikipedia.org/wiki/Public-key_cryptography