Kraken Chief Security Officer Nick Percoco talks about the security attack and defense experience of a cryptocurrency exchange. This article is derived from Marco Quiroz-Gutierrez's Fortune article "Future of Finance: Kraken's Percoco breaks down crypto security and explains why Americans are targeted so often by scammers", compiled, organized and written by Foresight News.
Over a career spanning more than two decades, Nick Percoco has helped companies build cybersecurity programs. Since becoming Kraken's chief security officer in 2018, he has helped formalize the exchange's security strategy. Today he oversees security, IT and fraud at the cryptocurrency exchange.
Fortune Magazine recently spoke with Percoco in detail about why Kraken improves its security through friendly hacking, and why Americans are particularly vulnerable to scammers.
How did you get started in cryptocurrency? How did you join Kraken?
I had a forensics lab (SpiderLabs, founded by Percoco and now part of Trustwave) with a lot of GPUs for password cracking. We did forensic work: we would get encrypted archives and try to decrypt them (or try to find weak passwords in an environment), but those GPUs sat idle most of the time. Around 2011 or 2012, some people in the lab started talking about Bitcoin, like, "Hey, we could use these GPUs to mine some Bitcoin." They asked if they could do that, and Bitcoin was almost worthless at the time, so I said, "Yeah, sure. Let's play around." Then everyone set up wallets and we were sending Bitcoin to each other, and it was kind of like exploring the future of currency at that point.
This wasn't really for any kind of investment or long-term strategy; it was just because "this is really cool. It's this permissionless technology where you can send money over the internet, from one wallet on the chain to another, without having to go through anyone." Today it's interesting to learn about this technology, but ten years ago it was more like science fiction. So I was very interested in it, but not really into being a Bitcoin enthusiast. I didn't say, "I'm going to mine hundreds or thousands of Bitcoins." I wasn't going that route.
I've worked in the security community and the hacker community, and there's a bit of overlap between the crypto community and the security community. After doing some startup security work, Trustwave was sold to Singtel, and then I worked at Rapid7, another cybersecurity company, helping them go public. Later, I joined an artificial intelligence company and ran security for them for several years. A friend of mine, Kraken CEO Dave Ripley, contacted me: Kraken was recruiting someone to define its security program. I started chatting with Dave (who was Kraken's COO at the time) and was introduced to Jesse Powell, the former CEO and founder of Kraken. In the fall of 2018, I joined Kraken as Chief Security Officer. Today, I work on security, IT and fraud here.
What is the daily work of a Chief Security Officer?
I organized it a bit like a stack, with the least technical stuff at the top and the most technical stuff at the bottom. At the very top of the stack, the people I work with are basically in the world of what we call security policy. We’re constantly thinking: “Where does security planning need to go? What are we seeing? What trends are we seeing? What are the things we can learn from?”
The next level is basically our information security governance group – policies and procedures, security governance requirements, external audits, vendor due diligence and security audits, and customer due diligence.
The next level down is the security operations function within the company, which is our blue team that monitors, detects and responds to security incidents, whether they originate inside or outside the company. This is a 24/7/365 team within the company, and it is very critical for us. When something happens inside or outside the company that concerns us, we need to know in seconds, not three weeks later.
We also have a red team, which is essentially a team of hackers that I recruited to hack us on a regular basis: attacking from the outside, from the inside, through social engineering, and so on, because criminals don't have any rules and they will try every possible angle.
We also have an application security team that checks basically every line of code, whether it’s in our mobile apps or on our website. Every change is scrutinized against every line of code – every dependency we might introduce into the code base is scrutinized. We’re constantly detecting potential vulnerabilities, real vulnerabilities, submitting bug bounty reports, and it’s a cycle of continuous identification and fixing.
How does Kraken support customers affected by the scam?
Many customers are deceived through phishing websites, fake websites or fraudulent websites. Customers are wandering outside of our ecosystem and interacting with these sites at any given time, so we have dedicated staff responsible for it. On average, we take down three to four phishing sites, social media accounts and other scam websites every day.
What are some examples of common cryptocurrency scams?
Many times, these scams are very low-tech. They are more like social engineering than what one might call hacking. What usually happens in these cases is that someone befriends the victim, makes them feel they can trust them, and starts telling them to do things they don't quite understand, and then their funds are stolen. It might go something like this: "Oh, there's going to be an airdrop and we're registering wallets to get tokens, so you need to go into your wallet and provide us with your mnemonic phrase. Then we'll register you, and once you're registered you can get $10,000 worth of airdrop tokens." And people did that, and about 10 minutes later the wallet was wiped out and they were kicked out of the Discord.
There are other very low-tech scams that are actually just investment scams, where people see a legitimate-looking investment website and end up sending their money to the company, which steals their money.
Can you talk about your experience tracking down a vulnerability and what the process was like?
Here's an example: We had a customer who was having issues with their account. While talking to our support staff, they said someone had logged into their account and withdrawn funds from it. They mentioned the mobile app they were using, and the way they described it didn't match our mobile experience.
So the support staff asked them to send some screenshots of the mobile app. Sure enough, it was not our mobile app. It had the same name and it had our logo, but it wasn't ours. It was just a very basic Kraken lookalike. We then asked where they had downloaded the app from, and it turned out they were using a sideloading store rather than Google Play or the App Store, one of those stores where there are a lot of crypto apps.
How is cybersecurity in the United States different from that abroad?
Criminal groups tend to target U.S. citizens more. The main reason is that in the United States, it is easier for criminal groups to obtain victims’ identity information. In the United States, there is the concept of data aggregators. As long as you pay, you can basically find any information about any individual. You can find all their past addresses, family members, email addresses, phone numbers, and other sensitive information. Overseas, this is a bit difficult due to some privacy laws.
As a criminal, if I wanted to target people active in the cryptocurrency space, I would probably find them on social media. They may be very active on crypto Twitter. I could do some research and determine who they are, but if they’re outside the United States, that might be difficult. The reality is that as a criminal, I might find one person, but I wouldn’t necessarily target him — I might target family members who live in the same house and who might not be as savvy with security. Once I get into that family member’s computer, I’m on the same network as the person I want to track.
How will artificial intelligence affect cybersecurity?
Artificial intelligence enables blue teams to scale. For example, you can train an AI model to detect potentially malicious activity in a larger data set. With traditional tools, you typically have to apply more static rules. With artificial intelligence, these rules don't have to be so static; it can be more consistent with human logic. If you had a human review a log file, they might be able to determine whether something looked suspicious, rather than just applying a simple set of rules. A rule set may miss it; a human can detect it, but only at a certain speed. You can't feed a human a billion logs an hour, but you can feed an artificial intelligence a billion logs an hour. I think that helps the defense.
On the attacker side, artificial intelligence is also assisting, for example with deepfake video calls and voice cloning. From a scammer's perspective, it gets victims to lower their defenses. In fact, our red team does just that. They took all the videos I've ever done, or parts of them, and fed them into an AI. They cloned my voice and called different employees, asking them to do things, to see if the employees would actually do it, because it sounded exactly like me. When I hear these synthetic voices, it sounds a little weird. It makes me cringe a little because it's like my voice, but not exactly the same.
What does this mean for the future of finance?
I think the future of finance is a world where no matter who you are or where you live, you have the freedom to transact with anyone in your world in a permissionless way, and that’s the promise of cryptocurrency. That’s what we’re here to do, to enable people to do that. There are a lot of people on this planet who are disadvantaged from being able to do these things using traditional financial systems, so the promise of cryptocurrency is to allow people to do that.