These guys even offer a "2fa" option that is a static password. That's unheard of. This is security snake oil. A static password is something you know, not something you have (like a 2fa token on a phone).
All we're saying to Kraken is: remove bad security options that confuse users. Stop offering fake 2fa. Send email confirmation for withdrawal like every other exchange out there. Enforce 2fa on login, so 2fa on withdrawal can't be disabled without access to the token. These are basic, basic issues that make Kraken look laughable in this space.
people have been telling them this for years. i'm not sure why they haven't done anything about it by now. maybe they think that having all the security "options" is a valuable sell point to their customers. they haven't learned yet -- keep it simple, stupid. maybe all these recent "phishing attacks" on their customers will open their eyes.