SlideShare a Scribd company logo

The Future of ATO

P
pm123008

Slides for my Blackhat 2019 talk, The Future of ATO.

Technology
1 of 26
Download to read offline
The Future of ATO
About Me I’m Philip Martin, the CISO at Coinbase Ex-Palantir, Amazon, Sun and US Army
00 – Intro 01 – A Bit About ATO 02 – Specific Methods SIM Swapping/Porting Account Recovery Abuse Credential Phishing w/advanced features Credential Stuffing Social Engineering Malware Agenda 03 – Wrap Up & Questions
How is ATO happening? Targeted ATO is a Journey ● High end attackers are increasingly targeting victim centers of gravity first ● Attackers frequently have access to email, file storage, social media, control of a phone number The Vast Majority of ATO is Not Targeted ● Less than 10% of the ATO or attempted ATO activity we see we rate as ‘targeted’ ● By far, most ATO we see is based on social engineering, not porting, SIM swapping, etc. SMS 2fa is effective vs most untargeted ATO; targeted ATO can bypass both SMS and TOTP 2fa ● Targeted attackers pivot to seeking seed backups, recovery codes or account recovery. ● Modern credential phishing is just as happy capturing TOTP 2fa as SMS 2fa.
Who is conducting ATO? Economically Motivated ● Looking for the shortest path to money. ● Want to show a positive ROI on attacks ● Tend to focus on one thing that works and repeat till it doesn’t Average skill is low (but stddev is high) ● Most ATO is not technically complex. Most actors are playing a numbers game. ● Some ATO is very complex ● There is little to no actor crossover. Mostly located in poor countries ● Actors tend to be in places like the Philippines, Nigeria and Eastern Europe. Caveat: selection bias. ● A $10k payday from ATO may be enough money to keep an attacker in the black for a long time.
SIM Swapping/Phone Porting Details ● We see SIM swapping more than phone porting these days ● Some SIM swaps last as little as 15 minutes. ● Generally used in highly targeted attacks/presumed HVTs ● Also used to hijack SMS-based account recovery workflows
SIM Swapping/Phone Porting
SIM Swapping/Phone Porting Countermeasures ● Push non-SMS 2FA options ● There are porting and SIM-swapping detection vendors (but this is FAR from 100%) ● Any 2fa is better than no 2fa. Porting/swapping is NOT in most people’s threat models.
Account Recovery Abuse Details ● The abuse of account recovery mechanisms is also a consistent theme when we investigate ATO. ● SMS hijacking or poorly secured recovery email most common ● High criticality accounts depending on the security of lower-criticality accounts is not great.
Account Recovery Abuse Countermeasures ● We require an ID verification w/ selfie step in our account recovery flow. ● We also enforce a recovery waiting period and aggressive customer contact policy during that waiting period.
Credential Phishing w/ 2FA Theft Details ● Credential phishers include integrated 2FA token theft and real-time account connections. ● We require 2FA for several in-app actions (e.g. sending funds) so we see attackers integrating multiple 2FA code collection via fake failures.
Credential Phishing w/ 2FA Theft Countermeasures ● Standard anti-phishing countermeasures (CT Logs, referrer monitoring, etc) help ● Device verification is very effective against these attacks ● Rate limiting is also effective, especially if you can rate limit on things like browser fingerprint.
BONUS - Device Verification Bypasses ● We do see attackers trying to innovate around DV, but it has a petty low effectiveness rate so far. Credential Phishing w/ 2FA Theft
Details ● Increasingly seeing this conducted by broad botnets ○ 2-3 requests per IP ○ global footprint Credential Stuffing
Details ● Increasingly seeing this conducted by broad botnets ○ 2-3 requests per IP ○ global footprint ○ IoT devices (we recently ID’d a toaster trying to login to Coinbase) Credential Stuffing
Countermeasures ● Rate limiting is effective if you can rate limit on specific rare/invalid UAs or other unique behaviors ● 2FA is the ultimate solution. Because we enforce 100% 2FA our users generally see no impact from credential stuffing. Credential Stuffing
BONUS - 100% 2FA ● With about 30m global users, we’re the largest site I know that requires 2FA on all accounts. ● We default to SMS 2FA but also support TOTP and WebauthN. ● Getting folks to move up the 2FA stack is hard, but in-app prompts is key Credential Stuffing
DOUBLE BONUS - Active Deception ● Since 2016, we’ve been running a large scale active deception campaign against credential stuffers/list validators. ● Whenever we detect a campaign, we feed it statistically probable lies. Credential Stuffing
Details ● We see tech support style scams very frequently. ● Traditionally part of a cold calling scheme using call centers in places like India ● Increasingly we’re seeing attacks that bring the users to the attackers instead Social Engineering
Countermeasures ● Screen sharing detection is our main focus. We see fingerprintable differences in things like mouse events, keyboard events, etc. ● We also devote a lot of time to detecting and disrupting the channels scammers use to lure users into their funnel via, e.g. aggressive social media monitoring. Social Engineering
Maps Locations Answer Box Pollution Emerging Social Engineering Techniques
Details ● Banking Trojans and Malspam (Emotet, LokiBot, TrickBot) being repurposed to target cryptocurrency ● This largely shows up as session token theft with connections proxied through the victim system these days, but we’ve also seen clipboard modifiers, javascript injectors and a few others Malware
23
Countermeasures ● For the lower hanging fruit (clipboard modifiers, javascript injectors, etc) there are well-known countermeasures. ● Proxying is much harder. It’s all about flagging behavior changes and injecting friction (we introduce a 48hr hold on transactions that trigger certain rules). Malware
Wrap Up Some of these techniques have or will trickle down ● More and more things are becoming monetizable about our online presence ● Attacks are also getting easier to conduct. Mega-dumps, deepfakes (for ID verification), etc. Attackers constantly innovating ● We need to continue to push the boundary in terms of 2FA normalization and JIT user awareness ● Change the economics of the situation, like using active deception. ATO Prevention is about incentivising good security behavior ● Good security UI/UX can do a lot to enable users and incentivise good security practices. ● More research on global user communication
Any Questions? (BTW, if this sounds like a fun set of challenges then I’ve probably got an open role that you’d love… https://coinbase.com/careers)

Recommended

CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserguestb1956e
 
Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsDaveEdwards12
 
Cybersecurity
CybersecurityCybersecurity
CybersecurityYellowSlice1
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4TEKMONKS
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4Rohit Kapoor
 
Protecting Your Business From Cybercrime
Protecting Your Business From CybercrimeProtecting Your Business From Cybercrime
Protecting Your Business From CybercrimeDavid J Rosenthal
 
Web Security
Web SecurityWeb Security
Web SecurityBharath Manoharan
 
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...TigerGraph
 

Recommended

CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserguestb1956e
 
Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsDaveEdwards12
 
Cybersecurity
CybersecurityCybersecurity
CybersecurityYellowSlice1
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4TEKMONKS
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4Rohit Kapoor
 
Protecting Your Business From Cybercrime
Protecting Your Business From CybercrimeProtecting Your Business From Cybercrime
Protecting Your Business From CybercrimeDavid J Rosenthal
 
Web Security
Web SecurityWeb Security
Web SecurityBharath Manoharan
 
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...TigerGraph
 
LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityRohit Kapoor
 
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3Ouriel Ohayon
 
LoginCat - Mini Presentation
LoginCat - Mini PresentationLoginCat - Mini Presentation
LoginCat - Mini PresentationRohit Kapoor
 
Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Rohit Kapoor
 
How to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot ProjectHow to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot ProjectGreg Makowski
 
Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label IssuersUnderstanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label IssuersChristopher Uriarte
 
Fraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for securityFraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for securityStrategic Treasurer
 
What is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdfWhat is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdfcoingabbar
 
CYBER CRIME
CYBER CRIMECYBER CRIME
CYBER CRIMEamani kadope
 
5 ways
5 ways5 ways
5 waysOliviaJune1
 
A Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password SystemA Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password Systemijcisjournal
 
Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021AmniAugustine
 
13.02 Network Security
13.02 Network Security13.02 Network Security
13.02 Network SecurityAnjan Mahanta
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Halo Metrics
 
#CYBER SECURITY.pptx
#CYBER SECURITY.pptx#CYBER SECURITY.pptx
#CYBER SECURITY.pptxsiddhantkpatil2905
 
Bi
BiBi
BiHabibah Mat
 
How to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law PracticeHow to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law PracticeRocket Matter, LLC
 
Under thehood
Under thehoodUnder thehood
Under thehoodDarius Povilaitis
 
LoginCat from TekMonks
LoginCat from TekMonksLoginCat from TekMonks
LoginCat from TekMonksRohit Kapoor
 
Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Anil Jain
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

More Related Content

Similar to The Future of ATO

LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityRohit Kapoor
 
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3Ouriel Ohayon
 
LoginCat - Mini Presentation
LoginCat - Mini PresentationLoginCat - Mini Presentation
LoginCat - Mini PresentationRohit Kapoor
 
Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Rohit Kapoor
 
How to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot ProjectHow to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot ProjectGreg Makowski
 
Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label IssuersUnderstanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label IssuersChristopher Uriarte
 
Fraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for securityFraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for securityStrategic Treasurer
 
What is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdfWhat is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdfcoingabbar
 
A Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password SystemA Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password Systemijcisjournal
 
Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021AmniAugustine
 
13.02 Network Security
13.02 Network Security13.02 Network Security
13.02 Network SecurityAnjan Mahanta
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Halo Metrics
 
How to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law PracticeHow to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law PracticeRocket Matter, LLC
 
LoginCat from TekMonks
LoginCat from TekMonksLoginCat from TekMonks
LoginCat from TekMonksRohit Kapoor
 
Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Anil Jain
 

Similar to The Future of ATO (20)

LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated Cybersecurity
 
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
 
LoginCat - Mini Presentation
LoginCat - Mini PresentationLoginCat - Mini Presentation
LoginCat - Mini Presentation
 
Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)
 
How to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot ProjectHow to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot Project
 
Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label IssuersUnderstanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
 
Fraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for securityFraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for security
 
What is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdfWhat is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdf
 
CYBER CRIME
CYBER CRIMECYBER CRIME
CYBER CRIME
 
5 ways
5 ways5 ways
5 ways
 
A Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password SystemA Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password System
 
Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021
 
13.02 Network Security
13.02 Network Security13.02 Network Security
13.02 Network Security
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!
 
#CYBER SECURITY.pptx
#CYBER SECURITY.pptx#CYBER SECURITY.pptx
#CYBER SECURITY.pptx
 
Bi
BiBi
Bi
 
How to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law PracticeHow to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law Practice
 
Under thehood
Under thehoodUnder thehood
Under thehood
 
LoginCat from TekMonks
LoginCat from TekMonksLoginCat from TekMonks
LoginCat from TekMonks
 
Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017
 

Recently uploaded

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

The Future of ATO

  • 2. About Me I’m Philip Martin, the CISO at Coinbase Ex-Palantir, Amazon, Sun and US Army
  • 3. 00 – Intro 01 – A Bit About ATO 02 – Specific Methods SIM Swapping/Porting Account Recovery Abuse Credential Phishing w/advanced features Credential Stuffing Social Engineering Malware Agenda 03 – Wrap Up & Questions
  • 4. How is ATO happening? Targeted ATO is a Journey ● High end attackers are increasingly targeting victim centers of gravity first ● Attackers frequently have access to email, file storage, social media, control of a phone number The Vast Majority of ATO is Not Targeted ● Less than 10% of the ATO or attempted ATO activity we see we rate as ‘targeted’ ● By far, most ATO we see is based on social engineering, not porting, SIM swapping, etc. SMS 2fa is effective vs most untargeted ATO; targeted ATO can bypass both SMS and TOTP 2fa ● Targeted attackers pivot to seeking seed backups, recovery codes or account recovery. ● Modern credential phishing is just as happy capturing TOTP 2fa as SMS 2fa.
  • 5. Who is conducting ATO? Economically Motivated ● Looking for the shortest path to money. ● Want to show a positive ROI on attacks ● Tend to focus on one thing that works and repeat till it doesn’t Average skill is low (but stddev is high) ● Most ATO is not technically complex. Most actors are playing a numbers game. ● Some ATO is very complex ● There is little to no actor crossover. Mostly located in poor countries ● Actors tend to be in places like the Philippines, Nigeria and Eastern Europe. Caveat: selection bias. ● A $10k payday from ATO may be enough money to keep an attacker in the black for a long time.
  • 6. SIM Swapping/Phone Porting Details ● We see SIM swapping more than phone porting these days ● Some SIM swaps last as little as 15 minutes. ● Generally used in highly targeted attacks/presumed HVTs ● Also used to hijack SMS-based account recovery workflows
  • 8. SIM Swapping/Phone Porting Countermeasures ● Push non-SMS 2FA options ● There are porting and SIM-swapping detection vendors (but this is FAR from 100%) ● Any 2fa is better than no 2fa. Porting/swapping is NOT in most people’s threat models.
  • 9. Account Recovery Abuse Details ● The abuse of account recovery mechanisms is also a consistent theme when we investigate ATO. ● SMS hijacking or poorly secured recovery email most common ● High criticality accounts depending on the security of lower-criticality accounts is not great.
  • 10. Account Recovery Abuse Countermeasures ● We require an ID verification w/ selfie step in our account recovery flow. ● We also enforce a recovery waiting period and aggressive customer contact policy during that waiting period.
  • 11. Credential Phishing w/ 2FA Theft Details ● Credential phishers include integrated 2FA token theft and real-time account connections. ● We require 2FA for several in-app actions (e.g. sending funds) so we see attackers integrating multiple 2FA code collection via fake failures.
  • 12. Credential Phishing w/ 2FA Theft Countermeasures ● Standard anti-phishing countermeasures (CT Logs, referrer monitoring, etc) help ● Device verification is very effective against these attacks ● Rate limiting is also effective, especially if you can rate limit on things like browser fingerprint.
  • 13. BONUS - Device Verification Bypasses ● We do see attackers trying to innovate around DV, but it has a petty low effectiveness rate so far. Credential Phishing w/ 2FA Theft
  • 14. Details ● Increasingly seeing this conducted by broad botnets ○ 2-3 requests per IP ○ global footprint Credential Stuffing
  • 15. Details ● Increasingly seeing this conducted by broad botnets ○ 2-3 requests per IP ○ global footprint ○ IoT devices (we recently ID’d a toaster trying to login to Coinbase) Credential Stuffing
  • 16. Countermeasures ● Rate limiting is effective if you can rate limit on specific rare/invalid UAs or other unique behaviors ● 2FA is the ultimate solution. Because we enforce 100% 2FA our users generally see no impact from credential stuffing. Credential Stuffing
  • 17. BONUS - 100% 2FA ● With about 30m global users, we’re the largest site I know that requires 2FA on all accounts. ● We default to SMS 2FA but also support TOTP and WebauthN. ● Getting folks to move up the 2FA stack is hard, but in-app prompts is key Credential Stuffing
  • 18. DOUBLE BONUS - Active Deception ● Since 2016, we’ve been running a large scale active deception campaign against credential stuffers/list validators. ● Whenever we detect a campaign, we feed it statistically probable lies. Credential Stuffing
  • 19. Details ● We see tech support style scams very frequently. ● Traditionally part of a cold calling scheme using call centers in places like India ● Increasingly we’re seeing attacks that bring the users to the attackers instead Social Engineering
  • 20. Countermeasures ● Screen sharing detection is our main focus. We see fingerprintable differences in things like mouse events, keyboard events, etc. ● We also devote a lot of time to detecting and disrupting the channels scammers use to lure users into their funnel via, e.g. aggressive social media monitoring. Social Engineering
  • 21. Maps Locations Answer Box Pollution Emerging Social Engineering Techniques
  • 22. Details ● Banking Trojans and Malspam (Emotet, LokiBot, TrickBot) being repurposed to target cryptocurrency ● This largely shows up as session token theft with connections proxied through the victim system these days, but we’ve also seen clipboard modifiers, javascript injectors and a few others Malware
  • 23. 23
  • 24. Countermeasures ● For the lower hanging fruit (clipboard modifiers, javascript injectors, etc) there are well-known countermeasures. ● Proxying is much harder. It’s all about flagging behavior changes and injecting friction (we introduce a 48hr hold on transactions that trigger certain rules). Malware
  • 25. Wrap Up Some of these techniques have or will trickle down ● More and more things are becoming monetizable about our online presence ● Attacks are also getting easier to conduct. Mega-dumps, deepfakes (for ID verification), etc. Attackers constantly innovating ● We need to continue to push the boundary in terms of 2FA normalization and JIT user awareness ● Change the economics of the situation, like using active deception. ATO Prevention is about incentivising good security behavior ● Good security UI/UX can do a lot to enable users and incentivise good security practices. ● More research on global user communication
  • 26. Any Questions? (BTW, if this sounds like a fun set of challenges then I’ve probably got an open role that you’d love… https://coinbase.com/careers)