SlideShare une entreprise Scribd logo

The Future of ATO

P
pm123008

Slides for my Blackhat 2019 talk, The Future of ATO.

Technologie
1  sur  26
Télécharger pour lire hors ligne
The Future of ATO
About Me I’m Philip Martin, the CISO at Coinbase Ex-Palantir, Amazon, Sun and US Army
00 – Intro 01 – A Bit About ATO 02 – Specific Methods SIM Swapping/Porting Account Recovery Abuse Credential Phishing w/advanced features Credential Stuffing Social Engineering Malware Agenda 03 – Wrap Up & Questions
How is ATO happening? Targeted ATO is a Journey ● High end attackers are increasingly targeting victim centers of gravity first ● Attackers frequently have access to email, file storage, social media, control of a phone number The Vast Majority of ATO is Not Targeted ● Less than 10% of the ATO or attempted ATO activity we see we rate as ‘targeted’ ● By far, most ATO we see is based on social engineering, not porting, SIM swapping, etc. SMS 2fa is effective vs most untargeted ATO; targeted ATO can bypass both SMS and TOTP 2fa ● Targeted attackers pivot to seeking seed backups, recovery codes or account recovery. ● Modern credential phishing is just as happy capturing TOTP 2fa as SMS 2fa.
Who is conducting ATO? Economically Motivated ● Looking for the shortest path to money. ● Want to show a positive ROI on attacks ● Tend to focus on one thing that works and repeat till it doesn’t Average skill is low (but stddev is high) ● Most ATO is not technically complex. Most actors are playing a numbers game. ● Some ATO is very complex ● There is little to no actor crossover. Mostly located in poor countries ● Actors tend to be in places like the Philippines, Nigeria and Eastern Europe. Caveat: selection bias. ● A $10k payday from ATO may be enough money to keep an attacker in the black for a long time.
SIM Swapping/Phone Porting Details ● We see SIM swapping more than phone porting these days ● Some SIM swaps last as little as 15 minutes. ● Generally used in highly targeted attacks/presumed HVTs ● Also used to hijack SMS-based account recovery workflows
SIM Swapping/Phone Porting
SIM Swapping/Phone Porting Countermeasures ● Push non-SMS 2FA options ● There are porting and SIM-swapping detection vendors (but this is FAR from 100%) ● Any 2fa is better than no 2fa. Porting/swapping is NOT in most people’s threat models.
Account Recovery Abuse Details ● The abuse of account recovery mechanisms is also a consistent theme when we investigate ATO. ● SMS hijacking or poorly secured recovery email most common ● High criticality accounts depending on the security of lower-criticality accounts is not great.
Account Recovery Abuse Countermeasures ● We require an ID verification w/ selfie step in our account recovery flow. ● We also enforce a recovery waiting period and aggressive customer contact policy during that waiting period.
Credential Phishing w/ 2FA Theft Details ● Credential phishers include integrated 2FA token theft and real-time account connections. ● We require 2FA for several in-app actions (e.g. sending funds) so we see attackers integrating multiple 2FA code collection via fake failures.
Credential Phishing w/ 2FA Theft Countermeasures ● Standard anti-phishing countermeasures (CT Logs, referrer monitoring, etc) help ● Device verification is very effective against these attacks ● Rate limiting is also effective, especially if you can rate limit on things like browser fingerprint.
BONUS - Device Verification Bypasses ● We do see attackers trying to innovate around DV, but it has a petty low effectiveness rate so far. Credential Phishing w/ 2FA Theft
Details ● Increasingly seeing this conducted by broad botnets ○ 2-3 requests per IP ○ global footprint Credential Stuffing
Details ● Increasingly seeing this conducted by broad botnets ○ 2-3 requests per IP ○ global footprint ○ IoT devices (we recently ID’d a toaster trying to login to Coinbase) Credential Stuffing
Countermeasures ● Rate limiting is effective if you can rate limit on specific rare/invalid UAs or other unique behaviors ● 2FA is the ultimate solution. Because we enforce 100% 2FA our users generally see no impact from credential stuffing. Credential Stuffing
BONUS - 100% 2FA ● With about 30m global users, we’re the largest site I know that requires 2FA on all accounts. ● We default to SMS 2FA but also support TOTP and WebauthN. ● Getting folks to move up the 2FA stack is hard, but in-app prompts is key Credential Stuffing
DOUBLE BONUS - Active Deception ● Since 2016, we’ve been running a large scale active deception campaign against credential stuffers/list validators. ● Whenever we detect a campaign, we feed it statistically probable lies. Credential Stuffing
Details ● We see tech support style scams very frequently. ● Traditionally part of a cold calling scheme using call centers in places like India ● Increasingly we’re seeing attacks that bring the users to the attackers instead Social Engineering
Countermeasures ● Screen sharing detection is our main focus. We see fingerprintable differences in things like mouse events, keyboard events, etc. ● We also devote a lot of time to detecting and disrupting the channels scammers use to lure users into their funnel via, e.g. aggressive social media monitoring. Social Engineering
Maps Locations Answer Box Pollution Emerging Social Engineering Techniques
Details ● Banking Trojans and Malspam (Emotet, LokiBot, TrickBot) being repurposed to target cryptocurrency ● This largely shows up as session token theft with connections proxied through the victim system these days, but we’ve also seen clipboard modifiers, javascript injectors and a few others Malware
23
Countermeasures ● For the lower hanging fruit (clipboard modifiers, javascript injectors, etc) there are well-known countermeasures. ● Proxying is much harder. It’s all about flagging behavior changes and injecting friction (we introduce a 48hr hold on transactions that trigger certain rules). Malware
Wrap Up Some of these techniques have or will trickle down ● More and more things are becoming monetizable about our online presence ● Attacks are also getting easier to conduct. Mega-dumps, deepfakes (for ID verification), etc. Attackers constantly innovating ● We need to continue to push the boundary in terms of 2FA normalization and JIT user awareness ● Change the economics of the situation, like using active deception. ATO Prevention is about incentivising good security behavior ● Good security UI/UX can do a lot to enable users and incentivise good security practices. ● More research on global user communication
Any Questions? (BTW, if this sounds like a fun set of challenges then I’ve probably got an open role that you’d love… https://coinbase.com/careers)

Recommandé

CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browser
guestb1956e
 
Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactions
DaveEdwards12
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
YellowSlice1
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4
TEKMONKS
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4
Rohit Kapoor
 
Protecting Your Business From Cybercrime
Protecting Your Business From CybercrimeProtecting Your Business From Cybercrime
Protecting Your Business From Cybercrime
David J Rosenthal
 
Web Security
Web SecurityWeb Security
Web Security
Bharath Manoharan
 
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
TigerGraph
 

Recommandé

CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browser
guestb1956e
 
Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactions
DaveEdwards12
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
YellowSlice1
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4
TEKMONKS
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4
Rohit Kapoor
 
Protecting Your Business From Cybercrime
Protecting Your Business From CybercrimeProtecting Your Business From Cybercrime
Protecting Your Business From Cybercrime
David J Rosenthal
 
Web Security
Web SecurityWeb Security
Web Security
Bharath Manoharan
 
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
Graph Gurus Episode 34: Graph Databases are Changing the Fraud Detection and ...
TigerGraph
 
LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated Cybersecurity
Rohit Kapoor
 
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Ouriel Ohayon
 
Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)
Rohit Kapoor
 
LoginCat - Mini Presentation
LoginCat - Mini PresentationLoginCat - Mini Presentation
LoginCat - Mini Presentation
Rohit Kapoor
 
How to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot ProjectHow to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot Project
Greg Makowski
 
Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label IssuersUnderstanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Christopher Uriarte
 
Fraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for securityFraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for security
Strategic Treasurer
 
What is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdfWhat is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdf
coingabbar
 
CYBER CRIME
CYBER CRIMECYBER CRIME
CYBER CRIME
amani kadope
 
5 ways
5 ways5 ways
5 ways
OliviaJune1
 
A Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password SystemA Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password System
ijcisjournal
 
Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021
AmniAugustine
 
13.02 Network Security
13.02 Network Security13.02 Network Security
13.02 Network Security
Anjan Mahanta
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!
Halo Metrics
 
#CYBER SECURITY.pptx
#CYBER SECURITY.pptx#CYBER SECURITY.pptx
#CYBER SECURITY.pptx
siddhantkpatil2905
 
Bi
BiBi
Bi
Habibah Mat
 
How to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law PracticeHow to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law Practice
Rocket Matter, LLC
 
Under thehood
Under thehoodUnder thehood
Under thehood
Darius Povilaitis
 
LoginCat from TekMonks
LoginCat from TekMonksLoginCat from TekMonks
LoginCat from TekMonks
Rohit Kapoor
 
Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017
Anil Jain
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
Zilliz
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
CzechDreamin
 

Contenu connexe

Similaire à The Future of ATO

Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label IssuersUnderstanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Christopher Uriarte
 
What is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdfWhat is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdf
coingabbar
 
A Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password SystemA Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password System
ijcisjournal
 

Similaire à The Future of ATO (20)

LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated Cybersecurity
 
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
Stop losing your NFTs - introducing ZenGo ClearSign Firewall for web3
 
Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)
 
LoginCat - Mini Presentation
LoginCat - Mini PresentationLoginCat - Mini Presentation
LoginCat - Mini Presentation
 
How to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot ProjectHow to Create 80% of a Big Data Pilot Project
How to Create 80% of a Big Data Pilot Project
 
Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label IssuersUnderstanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
Understanding the Card Fraud Lifecycle : A Guide For Private Label Issuers
 
Fraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for securityFraud is rampant Six key Principles for security
Fraud is rampant Six key Principles for security
 
What is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdfWhat is an IDO How can IDO be attacked.pdf
What is an IDO How can IDO be attacked.pdf
 
CYBER CRIME
CYBER CRIMECYBER CRIME
CYBER CRIME
 
5 ways
5 ways5 ways
5 ways
 
A Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password SystemA Novel Approach for E-Payment Using Virtual Password System
A Novel Approach for E-Payment Using Virtual Password System
 
Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021Non custodial wallets enable private, p2 p crypto trading in 2021
Non custodial wallets enable private, p2 p crypto trading in 2021
 
13.02 Network Security
13.02 Network Security13.02 Network Security
13.02 Network Security
 
Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!Data Breach Prevention - Start with your POS Terminal!
Data Breach Prevention - Start with your POS Terminal!
 
#CYBER SECURITY.pptx
#CYBER SECURITY.pptx#CYBER SECURITY.pptx
#CYBER SECURITY.pptx
 
Bi
BiBi
Bi
 
How to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law PracticeHow to Secure Your Mac Based Law Practice
How to Secure Your Mac Based Law Practice
 
Under thehood
Under thehoodUnder thehood
Under thehood
 
LoginCat from TekMonks
LoginCat from TekMonksLoginCat from TekMonks
LoginCat from TekMonks
 
Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017
 

Dernier

Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
CzechDreamin
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
David Michel
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
UXDXConf
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering Teams
UXDXConf
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
ScyllaDB
 

Dernier (20)

Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering Teams
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 

The Future of ATO

  • 2. About Me I’m Philip Martin, the CISO at Coinbase Ex-Palantir, Amazon, Sun and US Army
  • 3. 00 – Intro 01 – A Bit About ATO 02 – Specific Methods SIM Swapping/Porting Account Recovery Abuse Credential Phishing w/advanced features Credential Stuffing Social Engineering Malware Agenda 03 – Wrap Up & Questions
  • 4. How is ATO happening? Targeted ATO is a Journey ● High end attackers are increasingly targeting victim centers of gravity first ● Attackers frequently have access to email, file storage, social media, control of a phone number The Vast Majority of ATO is Not Targeted ● Less than 10% of the ATO or attempted ATO activity we see we rate as ‘targeted’ ● By far, most ATO we see is based on social engineering, not porting, SIM swapping, etc. SMS 2fa is effective vs most untargeted ATO; targeted ATO can bypass both SMS and TOTP 2fa ● Targeted attackers pivot to seeking seed backups, recovery codes or account recovery. ● Modern credential phishing is just as happy capturing TOTP 2fa as SMS 2fa.
  • 5. Who is conducting ATO? Economically Motivated ● Looking for the shortest path to money. ● Want to show a positive ROI on attacks ● Tend to focus on one thing that works and repeat till it doesn’t Average skill is low (but stddev is high) ● Most ATO is not technically complex. Most actors are playing a numbers game. ● Some ATO is very complex ● There is little to no actor crossover. Mostly located in poor countries ● Actors tend to be in places like the Philippines, Nigeria and Eastern Europe. Caveat: selection bias. ● A $10k payday from ATO may be enough money to keep an attacker in the black for a long time.
  • 6. SIM Swapping/Phone Porting Details ● We see SIM swapping more than phone porting these days ● Some SIM swaps last as little as 15 minutes. ● Generally used in highly targeted attacks/presumed HVTs ● Also used to hijack SMS-based account recovery workflows
  • 8. SIM Swapping/Phone Porting Countermeasures ● Push non-SMS 2FA options ● There are porting and SIM-swapping detection vendors (but this is FAR from 100%) ● Any 2fa is better than no 2fa. Porting/swapping is NOT in most people’s threat models.
  • 9. Account Recovery Abuse Details ● The abuse of account recovery mechanisms is also a consistent theme when we investigate ATO. ● SMS hijacking or poorly secured recovery email most common ● High criticality accounts depending on the security of lower-criticality accounts is not great.
  • 10. Account Recovery Abuse Countermeasures ● We require an ID verification w/ selfie step in our account recovery flow. ● We also enforce a recovery waiting period and aggressive customer contact policy during that waiting period.
  • 11. Credential Phishing w/ 2FA Theft Details ● Credential phishers include integrated 2FA token theft and real-time account connections. ● We require 2FA for several in-app actions (e.g. sending funds) so we see attackers integrating multiple 2FA code collection via fake failures.
  • 12. Credential Phishing w/ 2FA Theft Countermeasures ● Standard anti-phishing countermeasures (CT Logs, referrer monitoring, etc) help ● Device verification is very effective against these attacks ● Rate limiting is also effective, especially if you can rate limit on things like browser fingerprint.
  • 13. BONUS - Device Verification Bypasses ● We do see attackers trying to innovate around DV, but it has a petty low effectiveness rate so far. Credential Phishing w/ 2FA Theft
  • 14. Details ● Increasingly seeing this conducted by broad botnets ○ 2-3 requests per IP ○ global footprint Credential Stuffing
  • 15. Details ● Increasingly seeing this conducted by broad botnets ○ 2-3 requests per IP ○ global footprint ○ IoT devices (we recently ID’d a toaster trying to login to Coinbase) Credential Stuffing
  • 16. Countermeasures ● Rate limiting is effective if you can rate limit on specific rare/invalid UAs or other unique behaviors ● 2FA is the ultimate solution. Because we enforce 100% 2FA our users generally see no impact from credential stuffing. Credential Stuffing
  • 17. BONUS - 100% 2FA ● With about 30m global users, we’re the largest site I know that requires 2FA on all accounts. ● We default to SMS 2FA but also support TOTP and WebauthN. ● Getting folks to move up the 2FA stack is hard, but in-app prompts is key Credential Stuffing
  • 18. DOUBLE BONUS - Active Deception ● Since 2016, we’ve been running a large scale active deception campaign against credential stuffers/list validators. ● Whenever we detect a campaign, we feed it statistically probable lies. Credential Stuffing
  • 19. Details ● We see tech support style scams very frequently. ● Traditionally part of a cold calling scheme using call centers in places like India ● Increasingly we’re seeing attacks that bring the users to the attackers instead Social Engineering
  • 20. Countermeasures ● Screen sharing detection is our main focus. We see fingerprintable differences in things like mouse events, keyboard events, etc. ● We also devote a lot of time to detecting and disrupting the channels scammers use to lure users into their funnel via, e.g. aggressive social media monitoring. Social Engineering
  • 21. Maps Locations Answer Box Pollution Emerging Social Engineering Techniques
  • 22. Details ● Banking Trojans and Malspam (Emotet, LokiBot, TrickBot) being repurposed to target cryptocurrency ● This largely shows up as session token theft with connections proxied through the victim system these days, but we’ve also seen clipboard modifiers, javascript injectors and a few others Malware
  • 23. 23
  • 24. Countermeasures ● For the lower hanging fruit (clipboard modifiers, javascript injectors, etc) there are well-known countermeasures. ● Proxying is much harder. It’s all about flagging behavior changes and injecting friction (we introduce a 48hr hold on transactions that trigger certain rules). Malware
  • 25. Wrap Up Some of these techniques have or will trickle down ● More and more things are becoming monetizable about our online presence ● Attacks are also getting easier to conduct. Mega-dumps, deepfakes (for ID verification), etc. Attackers constantly innovating ● We need to continue to push the boundary in terms of 2FA normalization and JIT user awareness ● Change the economics of the situation, like using active deception. ATO Prevention is about incentivising good security behavior ● Good security UI/UX can do a lot to enable users and incentivise good security practices. ● More research on global user communication
  • 26. Any Questions? (BTW, if this sounds like a fun set of challenges then I’ve probably got an open role that you’d love… https://coinbase.com/careers)