Interview: Nick Percoco, Chief Security Officer, Kraken

The modern age calls for modern financial assets, and the boom of cryptocurrency – most notably that of Bitcoin – shows little sign of abating anytime soon.

More and more users and organizations are investing in cryptocurrency, also giving rise to the growth of various crypto-exchange platforms that allow customers to trade cryptocurrencies or digital currencies for other assets.

One such company in the space is Kraken – one of the largest crypto-exchanges in Europe. Along with providing customers with a seamless crypto-exchange experience, it is also an organization that prides itself on putting data security at the forefront of its crypto-offerings.

To find out more, Infosecurity spoke with the firm’s chief security officer, Nick Percoco, to explore the importance of cybersecurity within crypto-trading.

What roles do security and data privacy play in modern cryptocurrency trading processes?

Client security and privacy are critical to everything an exchange must do: customers need to feel completely confident when they buy or sell their assets. Security and privacy earn trust, which drives mainstream adoption, making crypto accessible and credible.

This starts at the hardware level. For instance, we keep our servers in secure cages under 24/7 surveillance by armed guards and video monitors, and physical access and code deployment are strictly controlled. When it comes to account information, all sensitive data should be encrypted at rest and in transit, and access strictly controlled and monitored. 

At the client level, security protects customer data, not only for privacy, but to keep would-be attackers out of their account. For the best level of protection, there should be several layers of security, including hardware and software two-factor authentication (2FA), device approvals, an account recovery key, the ability to receive exchange notices via PGP encrypted email and the possibility to use a global settings lock. 

How can cryptocurrency and its trading be targeted by malicious actors?

Many established hacks target cryptocurrency wallets that are connected to the internet – known as ‘hot wallets.’ While useful for trading digital assets, both the private and public keys are held online, making them a target for cyber-criminals. The risks largely depend on how seriously wallet holders – an individual, a business or an exchange – have taken security. Just like cybersecurity more broadly, poor password management, for example, or a lack of 2FA, puts wallet owners more at risk than those with better security hygiene.

Keeping digital assets offline, in something called a ‘cold wallet,’ is the single best way for clients to protect themselves from hacks. This also extends to exchanges – here we have to follow our own advice, and only keep a small proportion of total assets (5% at Kraken) – the amount needed to run trading smoothly – in hot wallets. The rest should be securely locked away in cold storage, offline, geographically distributed, segmented and away from any online activity.

Individuals such as retail investors are the most vulnerable to malicious actors, so they should also read up on educational resources from trusted sources. At Kraken, we provide guides and videos to help them optimize the security of their holdings, but also their home networks and computers.


What steps are key to ensuring that cryptocurrency trading processes are kept secure and protected?

Attack vectors change all the time, so the nature of security has to as well. As in all cybersecurity teams, this requires constant vigilance and frequently updated protocols in response to new threats. It’s absolutely essential to never fall behind, as this gives hackers a key advantage. That’s why Kraken has a large dedicated team of cybersecurity experts, who are entirely focused on keeping the platform safe. This should be a key fixture of any organization that facilitates the trading process. Software should be rigorously tested and code for any new applications or services vetted at every stage, to ensure that any vulnerabilities are identified and fixed long before they come into contact with the production systems.

It sometimes pays to have a friendly insider take on the mindset of an attacker to test your security and protection. At Kraken, for example, our bug bounty program rewards anyone who brings potential security flaws in our codebase to our attention, so we can fix them and motivate finders to disclose them responsibly. As an exchange, we’re also unique in having a group of highly skilled developers whose sole job is to attack Kraken, every single day, just like a nation state adversary or organized crime group would, to find creative ways to circumvent our controls. It’s an extra step, but one that we expect to see more businesses take as cybersecurity becomes even more complex.

How will cybersecurity and cryptocurrency intertwine in the coming years?

Kraken hopes its laser-focus on security will set the benchmark for other companies in the industry, as it will be an important driver of mainstream adoption and innovation. We also hope that as we drive innovation in this space, what is currently considered an ‘advanced’ method to secure one’s cryptocurrency will become more ubiquitous and easier for clients to use, even at the retail investor level.
