The Future of ATO

Conference: Black Hat USA 2019



The presentation discusses the ATO landscape and the techniques attackers use to poison the information that users rely on to make decisions. The speaker emphasizes the need for industry investment in normalizing 2FA and in delivering a security message tailored to diverse global populations.
  • 10% of ATO attempts are targeted, with attackers conducting in-depth research and pivoting around target centers of gravity
  • Credential stuffing is a major issue, but targeted attacks are more dangerous because they aim to poison the information users rely on to make decisions
  • The speaker's company takes down sites and social media to reduce harm and invests in screen sharing detection to counter exploitation
  • Attackers are investing in targeting users of specific platforms and creating a sense of trust by leveraging fake quotes and scraped content
  • Industry investment in normalizing 2FA and in delivering a tailored security message to diverse global populations is crucial for a lasting, durable victory in the cybersecurity game
The speaker describes how attackers created a clone of a secure browser called Crypto Secure and scraped from LinkedIn a picture of a guy who runs security ops. They then ginned up a fake quote attributed to him and scraped content from security blogs to create a sense of trust among users. This level of investment in targeting the users of specific platforms is a new twist in the cybersecurity landscape.


Account Takeover (ATO) is the silent killer of online security. Between password megalists, massive PII breaches and ever more sophisticated attackers, it's becoming almost impossible to help regular users to thread the needle of a usable, but secure, experience. Coinbase is one of, if not the, largest single store of consumer cryptocurrency in the world. Attackers have enormous motivation to target our customers, and we have enormous motivation to defend our customers. This has resulted in a flurry of innovation over the past few years, on both sides. In this talk, I'll give a look behind the scenes on how Coinbase protects our customers, encourages them to be more secure and handles everything from phone porting to SIM swapping to credential stuffing. I'll also share a view into where we see attackers actively innovating. You will walk away with a window into what ATO may look like in the years to come and some specific, actionable steps you can take to protect your customers right now.