Kraken: Is It Safe?
Can you trust Kraken to keep your crypto out of the hands of hackers and scammers? Let’s find out.
Kraken is the ninth-largest cryptocurrency exchange in the world, with over $1.8 billion worth of crypto trades done through its app each day. It’s known throughout the world for its low fees and great coin selection, but you may wonder if Kraken is safe and secure.
In this article, we’ll consider Kraken’s security practices. We’ll discuss whether Kraken is safe and what risks you may be taking by using it. We’ll also go over a few tips to help keep your Kraken account secure.
Is Kraken Safe?
The bottom line is that Kraken is a very safe and secure exchange. It keeps most of its crypto in cold wallets, away from the possible grip of cybercriminals. It also requires two-factor authentication (2FA) through an authenticator app or YubiKey, sends email alerts when withdrawals are made, and engages in many other security practices that help protect users’ crypto.
Kraken has excellent security, but that doesn’t mean using Kraken is completely without risk. In the next few sections, we’ll go over Kraken’s security practices in detail, and we’ll also talk about some risks of using Kraken that you should definitely be aware of.
FYI: There’s a lot to keep track of when it comes to keeping your crypto safe. We’ve published a guide that explains in detail how to keep your crypto secure: Everything You Should Know to Invest in Crypto Safely.
First, here are the security measures Kraken takes to keep your crypto secure.
Kraken Security Practices
There are multiple practices Kraken uses to make sure cyber criminals can’t run off with your crypto. Here are a few of them:
- Mandatory 2FA. One of the most effective ways to prevent account hacks is to enable 2FA. Once 2FA is enabled, you’re required to enter a code from your phone every time you log in or make a withdrawal. That provides an extra layer of protection in case your password is stolen or your email account is compromised. Most exchanges allow 2FA, but Kraken goes one step further by making it mandatory for all withdrawals.
- No text SMS option for 2FA. Despite the effectiveness of 2FA, there is one major security loophole in it: Many people choose to receive their 2FA code through text messaging, which potentially allows an attacker to intercept the code by switching the victim’s phone service to a device under the attacker’s control. That’s why SMS text is not allowed as an option for 2FA on Kraken. Instead, users need to download an authenticator app or use a hardware device such as YubiKey.
- Withdrawal alerts. Each time someone makes a withdrawal using your account, Kraken will send you an email alerting you that a withdrawal has been initiated. There is a button in this email that allows you to instantly lock your account and stop the withdrawal.
- Global settings lock (GSL). Sometimes attackers will try to circumvent security by turning off 2FA and other features through global settings. To prevent this, Kraken features a global settings lock that freezes settings for a specific period of time. If you set your GSL to seven days, for example, then it will be impossible to change any security settings without waiting seven days. That should give you time to alert Kraken staff if someone tries to change your security settings without your permission.
- Real-time monitoring. Kraken monitors all transactions on the platform, and it has a detection algorithm that searches for and identifies unusual transactions that may be caused by hackers. If an account appears to have been compromised, then Kraken will freeze it and block all withdrawals until the user contacts customer service to verify that the account has not been compromised.
- Encryption. Names, email addresses, and other sensitive data are encrypted before being stored. That should help prevent personal information from being stolen.
- HTTPS. To help prevent man-in-the-middle attacks, all pages in the Kraken web app use HTTPS. Data you send to the server is encrypted before being sent. Data sent to you is decrypted on your device when it is received.
- 24/7 chat support. If you think your account may have been compromised, then you can contact customer service via chat directly through the app. Staff is on hand 24 hours a day, seven days a week to investigate issues.
- Cold wallets. Despite all these security practices, it is still possible that an attacker could breach Kraken’s security and steal crypto. To minimize losses if that occurs, Kraken keeps 95 percent of its crypto offline in cold wallets. That means that even if an attacker succeeds at stealing crypto, they will get only 5 percent of the total assets of the exchange. That should prevent Kraken from going bankrupt, which will help ensure you get reimbursed if the exchange is hacked.
Pro Tip: Kraken has a wide variety of coins available, and some of its coins can be used to access decentralized exchanges (DEXs) that provide even more coin choices. But not all coins are legitimate; some are scams. Check out How to Determine If a Crypto Coin Is Safe for some tips on how to distinguish between the two.
Kraken has excellent security practices, but it isn’t 100 percent safe. In the next section, we’ll consider some risks of using Kraken.
Risks of Using Kraken
Despite all the steps Kraken uses to protect your crypto, there are still ways an attacker can get into your account and steal it. That is true of any crypto exchange, not just Kraken.
Here are a few risks to using Kraken:
- If your phone is stolen, then your 2FA may be compromised. If you lose your phone or someone steals it, then the person who has your phone will have access to all your 2FA codes, including the ones to your Kraken account.
- Authenticator apps store keys in the cloud. Google Authenticator and other authenticator apps often store keys in a cloud storage system. If the storage system ever becomes compromised, then the keys could be revealed, giving the attacker access to all codes.
- Your login can be phished. An attacker may pose as a representative of Kraken to get you to reveal your login information. That is often done by creating very authentic-looking emails. Within the email is a link to a fake site where you can “login.” When you enter your credentials, they are recorded and used to gain access to your account. Once the attacker has access to the account, they reset your 2FA or turn it off. Enabling GSL may help catch this kind of attack, but, if you miss the email warning that your settings have been changed, then the delay period may pass without you noticing your account has been compromised.
- Your PC can be infected with malware. If an attacker manages to infect your PC with malware, then they can spy on whatever you are doing and even record your keystrokes. That may allow them to record your login info and use it to gain access to your account.
FYI: This article focuses entirely on Kraken’s security, but you can read all about our hands-on experience with the exchange in our complete Kraken review.
Kraken has top-notch security systems in place compared to what we’ve seen in the industry, but it can still be compromised using the methods outlined above. In the next section, we’ll discuss some ways to defend yourself against these attacks.
How to Stay Safe While Using Kraken
There are a few ways to protect yourself against the attack vectors discussed in the previous section.
Use YubiKey or another hardware 2FA system. If you can afford a YubiKey or other hardware 2FA device, then it can greatly enhance the security of your 2FA codes. A YubiKey is a separate device used to generate a 2FA code. It tends to be less of a target than your phone, and your YubiKey may never need to leave your house if you access your account only from home. YubiKeys can be purchased for as little as $25, although ones with more features can go up to the $60 range.
Make sure to enable GSL. Global settings lock is optional on Kraken, so make sure you enable it. Set the time delay for global settings changes to long enough for you to catch the alert email if an attacker gets into your account.
Check the URL. Each time you log in to the Kraken web app, check the URL at the top of the screen to make sure it says https://www.kraken.com. Fake websites usually have a slightly different spelling of the URL, such as https://www.kracken.com.
Scan files you receive through email or use a different PC for exchanges. To help prevent malware infections, use an antivirus program to scan all attachments you receive through email. For an even more secure option, use a dedicated PC to access your crypto exchanges. In other words, always open emails on a separate PC from the one you use to access exchanges. That way, if the device you use to open emails becomes infected, your exchange login credentials should still be safe.
Consider withdrawing your crypto. Crypto exchanges will always be prime targets for hackers, so one of the most effective ways to protect your crypto is to withdraw it from the exchange into a private wallet — specifically into a hardware wallet that can’t be infected with malware. If your exchange account gets hacked, then your crypto should still be safe. If you need help choosing a wallet, we have a rundown of the best crypto wallets.
There is no strategy that is 100 percent effective at protecting your crypto, but following these practices should greatly reduce your chances of getting hacked or having your crypto stolen.
FYI: Looking to invest in more than just crypto? Head to our in-depth Robinhood review. We discuss everything you need to know about setting up and using the popular investing platform.
Kraken Safety Closing Thoughts
Kraken is an excellent crypto exchange, featuring very low fees and a great coin selection. It’s one of the safest exchanges around, with mandatory 2FA, global settings lock, withdrawal alerts, real-time monitoring, and more.
But no crypto exchange is completely safe. We’ve considered some ways a Kraken account can be compromised, and we’ve offered some tips for how to prevent these attack methods from being effective.
If you don’t think Kraken is the best crypto exchange for you, then check out our top three crypto exchange reviews.
Before we wrap up, let’s cover the most frequently asked questions about Kraken safety.
Frequently Asked Questions About Kraken Safety
Is your personal data safe with Kraken?
Yes. Many people wonder if providing personal information to Kraken as part of the identity-verification process is safe. Kraken encrypts all personal data before storing it, so, in most cases, a hacker couldn’t read the data even if they obtained it. Kraken also watermarks images, making them unusable even if an attacker were to somehow crack the encryption.
How long do Kraken withdrawals take?
A withdrawal of cryptocurrency from Kraken can take up to 10 minutes. You should receive an email immediately that tells you the withdrawal is happening. If the withdrawal was not authorized, then you can click the link in the email to freeze your account and block it. Otherwise, it should be broadcast to the network within about 10 minutes.
Bank transfers of cash can take up to two business days to be processed by the banking system.
Is Kraken safer than Binance?
Both Binance and Kraken are extremely safe exchanges, and they use similar security protocols. It’s difficult to say whether one is safer than the other.
Can U.S. citizens use Kraken?
Yes. Some folks worry that Kraken may be unlicensed to operate in the U.S., but Kraken holds a Money Services Business (MSB) license from the U.S. Financial Crimes Enforcement Network (FinCEN) and is also legal in every state except New York and Washington. If you live in New York or Washington, you may want to try Coinbase instead. Here is our analysis of Coinbase crypto exchange.
Is Kraken regulated?
Yes. Kraken is regulated by FinCEN throughout the U.S. and by financial regulatory authorities in each state, except in states where there is no crypto regulation. For more information on U.S. crypto regulations, read our guide to crypto regulation in the U.S.