When trying to regain access to your Kraken account, you may be asked to jump on a video call with a support agent to prove you are actually who you say you are.
Last month, the centralized exchange said it caught someone wearing a Halloween-style rubber mask attempting to fool the worker on the other side of the call—but it didn’t work.
The attacker had raised a number of red flags during the first round of checks, such as failing to name the assets that the account held. These flags caused the agent working the case to require a video call to grant access to the account. During the call, the Kraken worker asked some more questions and checked the person’s ID.
The attacker failed this stage—in dramatic fashion.
“Our agent was like: This is absolutely ridiculous. This is a rubber mask the guy's wearing,” Kraken Chief Security Officer Nick Percoco told Decrypt.
There are deepfakes and then there’s this guy. He’s trying to gain access to a @krakenfx client’s account. Nice try, buddy! pic.twitter.com/gFD9LUM2D4
— Nick Percoco (@c7five) October 15, 2024
The mask didn’t even look like the person the attacker was claiming to be, Percoco said. The victim was a Caucasian male in his early 50s, so it appeared to Percoco that the attacker simply grabbed a mask that vaguely fit the description.
And this isn’t the first time someone has worn a disguise in an attempt to fool Kraken.
“[We] see things, from time to time, where people put on a fake mustache,” he told Decrypt. “They show [ID] and it looks close because they wear the same style glasses, have a mustache, and have blonde hair. We see that from time to time. They never pass.”
“But this is the first time,” he added, “that someone has gone out to the costume store to get a mask.”
To make matters worse, the attacker didn’t even have a believable ID. It was “clearly” Photoshopped and printed onto card stock, Percoco explained, albeit with the correct information on it.
While this wasn’t a sophisticated attack, it highlights that even sloppy scammers can potentially gain access to the private information of everyday people. Even with such an unpolished attempt, Percoco believes, attackers could see success.
"I think it must [work]," he told Decrypt. "I think people wearing disguises, people who breach another place and get a copy of your government ID, and then print it out on glossy paper, holding that up… for some exchanges, that probably works."
He claimed that some exchanges do not have the same level of attention to detail that Kraken demands from its team. Percoco specifically points to companies that outsource their support, claiming that this is more likely to lead to mistakes.
If he’s correct, then this means that those using centralized exchanges shouldn’t always rely on the company to fend off bad actors. To protect themselves, Percoco says, users should deploy two-factor authentication “everywhere”—from your email to well beyond—to prevent bad actors getting any personal information at all costs.
Even with such protection methods employed, a user can still fall for phishing scams. For the top level of security, he recommends using FIDO2 and passkeys, which are hardware keys that can turn your phone or laptop into your password for an account.
“Passkeys are cryptographically bound to the sites and the applications you're using them with,” he said, “so you can't be duped into thinking you're logging into Kraken.”
Edited by Andrew Hayward