Deepfaking it: the new cybersecurity frontier
Head of Product
From impersonating a top executive to opening money-laundering bank accounts, deepfake fraud is becoming a growing problem and poses real challenges to businesses.
‘Deepfakes’ – realistic video or audio manipulations that appear to show real people – have gone from sci-fi to reality and soared in popularity over the past year, with some created simply as jokes and others to spread malicious misinformation. The deepfakes that make headlines are typically those depicting celebrities and politicians, but they also pose real threats to businesses as well as individuals when used for fraudulent purposes – such as major theft, loss of revenue, and damage to your brand.
Emma Woollacott (writer for Forbes, Private Eye, and the BBC), provides detailed insight into the problems resulting from this emerging technology in this extract from the Times Digital Identity Report 2021…
The deepfake threat to businesses
The use of deepfake video and audio technologies could become a major cyberthreat to businesses within the next couple of years, cyber-risk analytics firm CyberCube warns in a recent report.
'Imagine a scenario in which a video of Elon Musk giving insider trading tips goes viral, only it’s not the real Elon Musk. Or a politician announces a new policy in a video clip, but once again it’s not real,' says Darren Thomson, head of cybersecurity strategy at CyberCube.
'We’ve already seen these deepfake videos used in political campaigns; it’s only a matter of time before criminals apply the same technique to businesses and wealthy private individuals. It could be as simple as a faked voicemail from a senior manager instructing staff to make a fraudulent payment or move funds to an account set up by a hacker.'
In fact, such attacks are already starting to occur. In one high-profile example in 2019, fraudsters used voice-generating artificial intelligence software to fake a call from the chief executive of a German firm to his opposite number at a UK subsidiary. Fooled, the UK chief executive duly authorised a payment of $243,000 to the scammers.
'What we're seeing is these kinds of attacks being used more and more. They're not overly sophisticated, but the amount of money they're trying to swindle is quite high,' says Bharat Mistry, technical director, UK and Ireland, at Trend Micro.
'I was with a customer in the UK and he was telling me he'd received a voicemail, and it was the chief information officer asking him to do something. Yet he knew the CIO of the organisation was on holiday and would never have phoned. There was no distinguishing factor, so you can see how clever it is.'
Attacks such as this follow the same pattern as traditional business email compromise scams, but with vastly more sophistication.
'We've seen all these cloud technologies, things like analytics, machine-learning and artificial intelligence, and deepfakes are just an extension of that technology, using the tech in an abusive manner,' says Mistry.
Creating fraudulent accounts
Another emerging type of deepfake fraud is the fraudulent creation of accounts, whether they are bank accounts, foreign exchange dealing accounts or share dealing accounts. These can be used by organised crime for the purposes of money laundering. And with the advent of the coronavirus pandemic, what was previously a gradual shift to remote account creation has now been massively accelerated, along with the potential for fraud.
Setting up an account remotely generally involves a two-step process: first, providing a scan of an identity document and then presenting a selfie. The selfie is often generated by asking the applicant to record a video in which they recite words or numbers, or perhaps through a short video interview with an agent.
'It's obviously been a good way of protecting against fraud up until now, but now the fraudsters can deepfake themselves to look like the innocent victim,' says Bud.
'They may have stolen or copied the documents of an innocent victim from some source, and then all they need to do is deepfake the victim's face onto their face and conduct the interview with the agent, and the agent will be never the wiser.'
In a report late last year, identity verification firm Jumio found selfie-based fraud rates were five times higher than ID-based fraud and particularly prevalent where users are able to upload their own ID images. This means fraudsters can manipulate a legitimate ID or use an image of an ID found on the dark web or from a Google Images search.
Financial institutions are awakening to the risk. In a survey for iProov, three quarters of cybersecurity experts in the financial sector said they were concerned about deepfake fraud and nearly two-thirds said they expected the threat to get worse.
'Banks like ING, Rabobank in the Netherlands, Standard Bank in South Africa and the government of Singapore, which is supplying the financial services industry, these are all aware of the threat of deepfakes and are taking proactive measures,' says Bud.
However, only 28 per cent of survey respondents said they’d put plans in place to protect against deepfakes, with 41 per cent planning to do so in the next two years. With another poll of banking customers revealing most were unconcerned about deepfake fraud, introducing extra security measures can be problematic.
'There's a big difference between how much cybersecurity experts think people care and how much they do care, and that turns into a problem as soon as they try to implement intrusive measures,' says Bud.
'There is a risk that if they protect against deepfakes in ways that impact the customer experience, it will be immediately resisted.'
Reliable protection without friction: tru.ID
Avoid deepfake threats by using a reliable, possession-based authentication solution that’s invisible to users. tru.ID can help you to implement mobile verification based on the SIM card, which can’t be duplicated or faked.
Our range of API-based products enable you to quickly and easily implement deterministic, secure, frictionless mobile user authentication, reducing fraud and helping you to increase mobile revenues.
Instant PhoneCheck provides instant authentication of the mobile number of the connected mobile device, greatly improving the user experience and reducing drop-off rates.
Strong SubscriberCheck provides real-time verification of the mobile number and SIM card identity, providing a high-security, low-friction mobile authentication solution that also eliminates the risk of SIM Swap fraud.
Or, if you really, really want to stick with SMS OTP, and so need an easy add-on security solution, we offer:
Active SIMCheck, which allows you to check that there has not been a SIM swap before you send the SMS OTP to the user. (Of course, there are still all the other risks related to SMS OTP, but this is a big improvement and a short-term fix while you plan the full solution.)