[mercari GEARS 2025] The Past, Present, and Future of Anti-Phishing Measures at Mercari

mercari

November 14, 2025
Transcript

  1. Table of Contents
 • The basics of phishing attacks
 • Phase 1. SMS OTP Short-term Solution
 • Phase 2. Passkey Introduction
 • Phase 3. Passkey Expansion
 • Summary

  2. What are Real-Time Phishing Attacks?
 • Credentials entered into a fake site are instantly stolen.
 • An attacker logs into legitimate services on the spot.
 • Multi-factor authentication (MFA) can also be bypassed.
 (Diagram label: Service Providers)
  3. General Status of Phishing Attacks in Japan
 (Chart: Number of Phishing Reports in General by Year, Reported Cases (Annual); cumulative sum from January to August. Source: フィッシング対策協議会 月次報告書, the Council of Anti-Phishing Japan monthly reports.)
  4. General Status of Phishing Attacks in Japan
 (Chart: Reported Cases (Annual), with events at Mercari overlaid.)
 Events at Mercari
 • 2019: Merpay release
 • 2023: Mercoin release
  5. General Status of Phishing Attacks in Japan
 (Same chart, with more events at Mercari overlaid.)
 Events at Mercari
 • 2019: Merpay release
 • 2021: Mercari phishing sites were found
 • 2022 - 2024: Mercari phishing sites still exist…
 • 2023: Mercoin release
  6. General Status of Phishing Attacks in Japan
 (Same chart, with the anti-phishing phases overlaid.)
 Events at Mercari
 • 2019: Merpay release
 • 2019/09: MFA required at login
 • 2021: Mercari phishing sites were found
 • 2021/06 - 2022/4: SMS OTP Short-term Phase
 • 2022 - 2024: Mercari phishing sites still exist…
 • 2023: Mercoin release
 • 2023/3 - 2024/9: Passkey Introduction Phase
 • 2024/10 - Now: Passkey Expansion Phase
  7. SMS OTP Short-Term Solution Period
 Mercari’s Situation
 • Mercari phishing sites were found.
 • Mercoin was being designed.
 Short-term measures
 • SMS OTP additional authentication
 • 5-minute OTP limit after login
 • Secure Payment Setting
 • Force sign-out and payment monitoring
 Mid- to long-term measures
 • Passkey implementation
 • Risk-based login restrictions
  8. What we can do with SMS OTP...
 Short-Term Solution
 #1 Thorough additional authn before key features
 #2 Waiting period of SMS OTP after login

  9. Short-Term Solution
 What phishing sites have done since then…
 • Request SMS OTP two or three times.
 • Successfully make victims wait 5 minutes.
 (Screenshot caption: This is not a legitimate site!)
  10. Passkey Introduction Phase
 Passkeys: A passkey is an authentication method that uses a domain-bound key pair and verifies the domain in the signature, preventing authentication on fake sites and fundamentally blocking phishing attacks.
 Mercari’s Situation
 • Mercari/Merpay: Phishing sites had increased.
 • Mercoin was released.
 Defense strategy
 • Mercari introduced passkeys.
 • Protect Mercoin from phishing attacks with passkeys.
  11. Passkey Accounts are Required at Mercoin
 No phishing at Mercoin because the passkey migration is mandatory.
 (Diagram: Password accounts → Passkey accounts, migration by passkey registration)
  12. Problems of Passkey accounts
 #1 If users lose their passkey, they won’t be able to log in.
 #2 To register a new passkey, you need to contact customer support, which takes several days to process.
  13. Passkey Expansion Phase
 Mercari’s Situation
 • Mercari/Merpay: Phishing sites were expanding and becoming more regular.
 • Mercoin: Released and in operation. No phishing damage reported.
 • Mercari NFT (released in 2025/1), Mercari Mobile (released in 2025/3)
  14. What we need to prevent phishing attacks …
 Increase the number of passkey accounts
 • Raise passkey awareness
 • Increase passkey required services/conditions
 • Conditional Registration
 Improve the UX of passkey accounts
 • Passkey recovery using high-assurance identity proofing
 • Risk-based alternative authentication elements
  15. Passkey Recovery with High Assurance-Level Identity Proofing
 Identity proofing by Individual Number card
 The Individual Number card is a government-issued digital ID card. Because it contains a digital certificate in its IC chip, it can be used for high-assurance identity proofing.
 • Validation of Authenticity
  ◦ Validation that the certificate is government issued.
  ◦ Difficult to counterfeit
 • Verification of Card Holder
  ◦ A password is required to exercise the certificate on the card,
  ◦ thus preventing use of a lost or stolen Individual Number card
  16. Increase the Number of Services Requiring a Passkey Account
 Establish passkey account requirements for new services depending on the risk.
 • Mercari NFT: Determine whether or not to move to a passkey account depending on the price range of the NFT being purchased.
 • Mercari Mobile: Passkey account required in contracts.
 • Certain new Merpay services: Require passkey accounts at sign-up.

  17. Current Status at Mercari
 Number of Passkey Registrants
 Mar. 2023    0.1M
 Jun. 2023    0.8M
 Sept. 2023   1.5M
 Dec. 2023    2.2M
 Mar. 2024    3.5M
 Jun. 2024    4.4M
 Sept. 2024   6.0M
 Dec. 2024    7.5M
 Mar. 2025    9.4M
 Jun. 2025   10.4M
 Sept. 2025  10.9M
 It’s about half of the MAU!
  18. Current Status at Mercari
 Percentage of authentication methods used for login
 • Password: 44.3 %
 • Passkey: 31.6 %
 • Google: 10.2 %
 • Apple: 6.8 %
 • Email magic link: 4.1 %
  19. Summary
 • Prevent phishing by creating phishing-resistant accounts with passkeys
 • Current UX challenges are the bottleneck to wider adoption
 • Once resolved, we’ll expand passkey adoption across more users
 • Final goal: remove all passwords and eliminate phishing