SlideShare a Scribd company logo

The Future of ATO

P
pm123008

Slides for my Blackhat 2019 talk, The Future of ATO.

Technology
1 of 26
Download to read offline
The Future of ATO
About Me I’m Philip Martin, the CISO at Coinbase Ex-Palantir, Amazon, Sun and US Army
00 – Intro 01 – A Bit About ATO 02 – Specific Methods SIM Swapping/Porting Account Recovery Abuse Credential Phishing w/advanced features Credential Stuffing Social Engineering Malware Agenda 03 – Wrap Up & Questions
How is ATO happening? Targeted ATO is a Journey ● High end attackers are increasingly targeting victim centers of gravity first ● Attackers frequently have access to email, file storage, social media, control of a phone number The Vast Majority of ATO is Not Targeted ● Less than 10% of the ATO or attempted ATO activity we see we rate as ‘targeted’ ● By far, most ATO we see is based on social engineering, not porting, SIM swapping, etc. SMS 2fa is effective vs most untargeted ATO; targeted ATO can bypass both SMS and TOTP 2fa ● Targeted attackers pivot to seeking seed backups, recovery codes or account recovery. ● Modern credential phishing is just as happy capturing TOTP 2fa as SMS 2fa.
Who is conducting ATO? Economically Motivated ● Looking for the shortest path to money. ● Want to show a positive ROI on attacks ● Tend to focus on one thing that works and repeat till it doesn’t Average skill is low (but stddev is high) ● Most ATO is not technically complex. Most actors are playing a numbers game. ● Some ATO is very complex ● There is little to no actor crossover. Mostly located in poor countries ● Actors tend to be in places like the Philippines, Nigeria and Eastern Europe. Caveat: selection bias. ● A $10k payday from ATO may be enough money to keep an attacker in the black for a long time.
SIM Swapping/Phone Porting Details ● We see SIM swapping more than phone porting these days ● Some SIM swaps last as little as 15 minutes. ● Generally used in highly targeted attacks/presumed HVTs ● Also used to hijack SMS-based account recovery workflows
SIM Swapping/Phone Porting
SIM Swapping/Phone Porting Countermeasures ● Push non-SMS 2FA options ● There are porting and SIM-swapping detection vendors (but this is FAR from 100%) ● Any 2fa is better than no 2fa. Porting/swapping is NOT in most people’s threat models.
Account Recovery Abuse Details ● The abuse of account recovery mechanisms is also a consistent theme when we investigate ATO. ● SMS hijacking or poorly secured recovery email most common ● High criticality accounts depending on the security of lower-criticality accounts is not great.
Account Recovery Abuse Countermeasures ● We require an ID verification w/ selfie step in our account recovery flow. ● We also enforce a recovery waiting period and aggressive customer contact policy during that waiting period.
Credential Phishing w/ 2FA Theft Details ● Credential phishers include integrated 2FA token theft and real-time account connections. ● We require 2FA for several in-app actions (e.g. sending funds) so we see attackers integrating multiple 2FA code collection via fake failures.
Credential Phishing w/ 2FA Theft Countermeasures ● Standard anti-phishing countermeasures (CT Logs, referrer monitoring, etc) help ● Device verification is very effective against these attacks ● Rate limiting is also effective, especially if you can rate limit on things like browser fingerprint.
BONUS - Device Verification Bypasses ● We do see attackers trying to innovate around DV, but it has a petty low effectiveness rate so far. Credential Phishing w/ 2FA Theft
Details ● Increasingly seeing this conducted by broad botnets ○ 2-3 requests per IP ○ global footprint Credential Stuffing
Details ● Increasingly seeing this conducted by broad botnets ○ 2-3 requests per IP ○ global footprint ○ IoT devices (we recently ID’d a toaster trying to login to Coinbase) Credential Stuffing
Countermeasures ● Rate limiting is effective if you can rate limit on specific rare/invalid UAs or other unique behaviors ● 2FA is the ultimate solution. Because we enforce 100% 2FA our users generally see no impact from credential stuffing. Credential Stuffing
BONUS - 100% 2FA ● With about 30m global users, we’re the largest site I know that requires 2FA on all accounts. ● We default to SMS 2FA but also support TOTP and WebauthN. ● Getting folks to move up the 2FA stack is hard, but in-app prompts is key Credential Stuffing
DOUBLE BONUS - Active Deception ● Since 2016, we’ve been running a large scale active deception campaign against credential stuffers/list validators. ● Whenever we detect a campaign, we feed it statistically probable lies. Credential Stuffing
Details ● We see tech support style scams very frequently. ● Traditionally part of a cold calling scheme using call centers in places like India ● Increasingly we’re seeing attacks that bring the users to the attackers instead Social Engineering
Countermeasures ● Screen sharing detection is our main focus. We see fingerprintable differences in things like mouse events, keyboard events, etc. ● We also devote a lot of time to detecting and disrupting the channels scammers use to lure users into their funnel via, e.g. aggressive social media monitoring. Social Engineering
Maps Locations Answer Box Pollution Emerging Social Engineering Techniques
Details ● Banking Trojans and Malspam (Emotet, LokiBot, TrickBot) being repurposed to target cryptocurrency ● This largely shows up as session token theft with connections proxied through the victim system these days, but we’ve also seen clipboard modifiers, javascript injectors and a few others Malware
23
Countermeasures ● For the lower hanging fruit (clipboard modifiers, javascript injectors, etc) there are well-known countermeasures. ● Proxying is much harder. It’s all about flagging behavior changes and injecting friction (we introduce a 48hr hold on transactions that trigger certain rules). Malware
Wrap Up Some of these techniques have or will trickle down ● More and more things are becoming monetizable about our online presence ● Attacks are also getting easier to conduct. Mega-dumps, deepfakes (for ID verification), etc. Attackers constantly innovating ● We need to continue to push the boundary in terms of 2FA normalization and JIT user awareness ● Change the economics of the situation, like using active deception. ATO Prevention is about incentivising good security behavior ● Good security UI/UX can do a lot to enable users and incentivise good security practices. ● More research on global user communication
Any Questions? (BTW, if this sounds like a fun set of challenges then I’ve probably got an open role that you’d love… https://coinbase.com/careers)

Recommended

CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserguestb1956e
 
Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsDaveEdwards12
 
Cybersecurity
CybersecurityCybersecurity
CybersecurityYellowSlice1
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4TEKMONKS
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4Rohit Kapoor
 
Protecting Your Business From Cybercrime
Protecting Your Business From CybercrimeProtecting Your Business From Cybercrime
Protecting Your Business From CybercrimeDavid J Rosenthal
 
Web Security
Web SecurityWeb Security
Web SecurityBharath Manoharan
 
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...TigerGraph
 

Recommended

CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserguestb1956e
 
Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsDaveEdwards12
 
Cybersecurity
CybersecurityCybersecurity
CybersecurityYellowSlice1
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4TEKMONKS
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4Rohit Kapoor
 
Protecting Your Business From Cybercrime
Protecting Your Business From CybercrimeProtecting Your Business From Cybercrime
Protecting Your Business From CybercrimeDavid J Rosenthal
 
Web Security
Web SecurityWeb Security
Web SecurityBharath Manoharan
 
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...TigerGraph
 
LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityRohit Kapoor
 
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3Ouriel Ohayon
 
LoginCat - Mini Presentation
LoginCat - Mini PresentationLoginCat - Mini Presentation
LoginCat - Mini PresentationRohit Kapoor
 
Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Rohit Kapoor
 
How to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot ProjectHow to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot ProjectGreg Makowski
 
Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label IssuersUnderstanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label IssuersChristopher Uriarte
 
Fraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for securityFraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for securityStrategic Treasurer
 
What is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdfWhat is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdfcoingabbar
 
CYBER CRIME
CYBER CRIMECYBER CRIME
CYBER CRIMEamani kadope
 
5 ways
5 ways5 ways
5 waysOliviaJune1
 
A Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password SystemA Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password Systemijcisjournal
 
Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021AmniAugustine
 
13.02 Network Security
13.02 Network Security13.02 Network Security
13.02 Network SecurityAnjan Mahanta
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Halo Metrics
 
#CYBER SECURITY.pptx
#CYBER SECURITY.pptx#CYBER SECURITY.pptx
#CYBER SECURITY.pptxsiddhantkpatil2905
 
Bi
BiBi
BiHabibah Mat
 
How to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law PracticeHow to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law PracticeRocket Matter, LLC
 
Under thehood
Under thehoodUnder thehood
Under thehoodDarius Povilaitis
 
LoginCat from TekMonks
LoginCat from TekMonksLoginCat from TekMonks
LoginCat from TekMonksRohit Kapoor
 
Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Anil Jain
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

More Related Content

Similar to The Future of ATO

LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityRohit Kapoor
 
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3Ouriel Ohayon
 
LoginCat - Mini Presentation
LoginCat - Mini PresentationLoginCat - Mini Presentation
LoginCat - Mini PresentationRohit Kapoor
 
Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Rohit Kapoor
 
How to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot ProjectHow to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot ProjectGreg Makowski
 
Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label IssuersUnderstanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label IssuersChristopher Uriarte
 
Fraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for securityFraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for securityStrategic Treasurer
 
What is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdfWhat is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdfcoingabbar
 
A Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password SystemA Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password Systemijcisjournal
 
Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021AmniAugustine
 
13.02 Network Security
13.02 Network Security13.02 Network Security
13.02 Network SecurityAnjan Mahanta
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Halo Metrics
 
How to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law PracticeHow to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law PracticeRocket Matter, LLC
 
LoginCat from TekMonks
LoginCat from TekMonksLoginCat from TekMonks
LoginCat from TekMonksRohit Kapoor
 
Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Anil Jain
 

Similar to The Future of ATO (20)

LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated Cybersecurity
 
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
 
LoginCat - Mini Presentation
LoginCat - Mini PresentationLoginCat - Mini Presentation
LoginCat - Mini Presentation
 
Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)
 
How to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot ProjectHow to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot Project
 
Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label IssuersUnderstanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
 
Fraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for securityFraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for security
 
What is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdfWhat is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdf
 
CYBER CRIME
CYBER CRIMECYBER CRIME
CYBER CRIME
 
5 ways
5 ways5 ways
5 ways
 
A Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password SystemA Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password System
 
Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021
 
13.02 Network Security
13.02 Network Security13.02 Network Security
13.02 Network Security
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!
 
#CYBER SECURITY.pptx
#CYBER SECURITY.pptx#CYBER SECURITY.pptx
#CYBER SECURITY.pptx
 
Bi
BiBi
Bi
 
How to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law PracticeHow to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law Practice
 
Under thehood
Under thehoodUnder thehood
Under thehood
 
LoginCat from TekMonks
LoginCat from TekMonksLoginCat from TekMonks
LoginCat from TekMonks
 
Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017
 

Recently uploaded

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 

Recently uploaded (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 

The Future of ATO

  • 2. About Me I’m Philip Martin, the CISO at Coinbase Ex-Palantir, Amazon, Sun and US Army
  • 3. 00 – Intro 01 – A Bit About ATO 02 – Specific Methods SIM Swapping/Porting Account Recovery Abuse Credential Phishing w/advanced features Credential Stuffing Social Engineering Malware Agenda 03 – Wrap Up & Questions
  • 4. How is ATO happening? Targeted ATO is a Journey ● High end attackers are increasingly targeting victim centers of gravity first ● Attackers frequently have access to email, file storage, social media, control of a phone number The Vast Majority of ATO is Not Targeted ● Less than 10% of the ATO or attempted ATO activity we see we rate as ‘targeted’ ● By far, most ATO we see is based on social engineering, not porting, SIM swapping, etc. SMS 2fa is effective vs most untargeted ATO; targeted ATO can bypass both SMS and TOTP 2fa ● Targeted attackers pivot to seeking seed backups, recovery codes or account recovery. ● Modern credential phishing is just as happy capturing TOTP 2fa as SMS 2fa.
  • 5. Who is conducting ATO? Economically Motivated ● Looking for the shortest path to money. ● Want to show a positive ROI on attacks ● Tend to focus on one thing that works and repeat till it doesn’t Average skill is low (but stddev is high) ● Most ATO is not technically complex. Most actors are playing a numbers game. ● Some ATO is very complex ● There is little to no actor crossover. Mostly located in poor countries ● Actors tend to be in places like the Philippines, Nigeria and Eastern Europe. Caveat: selection bias. ● A $10k payday from ATO may be enough money to keep an attacker in the black for a long time.
  • 6. SIM Swapping/Phone Porting Details ● We see SIM swapping more than phone porting these days ● Some SIM swaps last as little as 15 minutes. ● Generally used in highly targeted attacks/presumed HVTs ● Also used to hijack SMS-based account recovery workflows
  • 8. SIM Swapping/Phone Porting Countermeasures ● Push non-SMS 2FA options ● There are porting and SIM-swapping detection vendors (but this is FAR from 100%) ● Any 2fa is better than no 2fa. Porting/swapping is NOT in most people’s threat models.
  • 9. Account Recovery Abuse Details ● The abuse of account recovery mechanisms is also a consistent theme when we investigate ATO. ● SMS hijacking or poorly secured recovery email most common ● High criticality accounts depending on the security of lower-criticality accounts is not great.
  • 10. Account Recovery Abuse Countermeasures ● We require an ID verification w/ selfie step in our account recovery flow. ● We also enforce a recovery waiting period and aggressive customer contact policy during that waiting period.
  • 11. Credential Phishing w/ 2FA Theft Details ● Credential phishers include integrated 2FA token theft and real-time account connections. ● We require 2FA for several in-app actions (e.g. sending funds) so we see attackers integrating multiple 2FA code collection via fake failures.
  • 12. Credential Phishing w/ 2FA Theft Countermeasures ● Standard anti-phishing countermeasures (CT Logs, referrer monitoring, etc) help ● Device verification is very effective against these attacks ● Rate limiting is also effective, especially if you can rate limit on things like browser fingerprint.
  • 13. BONUS - Device Verification Bypasses ● We do see attackers trying to innovate around DV, but it has a petty low effectiveness rate so far. Credential Phishing w/ 2FA Theft
  • 14. Details ● Increasingly seeing this conducted by broad botnets ○ 2-3 requests per IP ○ global footprint Credential Stuffing
  • 15. Details ● Increasingly seeing this conducted by broad botnets ○ 2-3 requests per IP ○ global footprint ○ IoT devices (we recently ID’d a toaster trying to login to Coinbase) Credential Stuffing
  • 16. Countermeasures ● Rate limiting is effective if you can rate limit on specific rare/invalid UAs or other unique behaviors ● 2FA is the ultimate solution. Because we enforce 100% 2FA our users generally see no impact from credential stuffing. Credential Stuffing
  • 17. BONUS - 100% 2FA ● With about 30m global users, we’re the largest site I know that requires 2FA on all accounts. ● We default to SMS 2FA but also support TOTP and WebauthN. ● Getting folks to move up the 2FA stack is hard, but in-app prompts is key Credential Stuffing
  • 18. DOUBLE BONUS - Active Deception ● Since 2016, we’ve been running a large scale active deception campaign against credential stuffers/list validators. ● Whenever we detect a campaign, we feed it statistically probable lies. Credential Stuffing
  • 19. Details ● We see tech support style scams very frequently. ● Traditionally part of a cold calling scheme using call centers in places like India ● Increasingly we’re seeing attacks that bring the users to the attackers instead Social Engineering
  • 20. Countermeasures ● Screen sharing detection is our main focus. We see fingerprintable differences in things like mouse events, keyboard events, etc. ● We also devote a lot of time to detecting and disrupting the channels scammers use to lure users into their funnel via, e.g. aggressive social media monitoring. Social Engineering
  • 21. Maps Locations Answer Box Pollution Emerging Social Engineering Techniques
  • 22. Details ● Banking Trojans and Malspam (Emotet, LokiBot, TrickBot) being repurposed to target cryptocurrency ● This largely shows up as session token theft with connections proxied through the victim system these days, but we’ve also seen clipboard modifiers, javascript injectors and a few others Malware
  • 23. 23
  • 24. Countermeasures ● For the lower hanging fruit (clipboard modifiers, javascript injectors, etc) there are well-known countermeasures. ● Proxying is much harder. It’s all about flagging behavior changes and injecting friction (we introduce a 48hr hold on transactions that trigger certain rules). Malware
  • 25. Wrap Up Some of these techniques have or will trickle down ● More and more things are becoming monetizable about our online presence ● Attacks are also getting easier to conduct. Mega-dumps, deepfakes (for ID verification), etc. Attackers constantly innovating ● We need to continue to push the boundary in terms of 2FA normalization and JIT user awareness ● Change the economics of the situation, like using active deception. ATO Prevention is about incentivising good security behavior ● Good security UI/UX can do a lot to enable users and incentivise good security practices. ● More research on global user communication
  • 26. Any Questions? (BTW, if this sounds like a fun set of challenges then I’ve probably got an open role that you’d love… https://coinbase.com/careers)