Deepfakes are coming for the identity fraud crown

To no one’s surprise, cybercrime ballooned last year. Ransomware alone saw an 11x increase from July 2020 to June 2021. Adding to the excitement — for fraudsters, at least — is the burgeoning threat of deepfakes: synthetic media that uses AI to mimic a person’s face, voice, or movement with stunning accuracy.

With more companies incorporating biometrics, fingerprinting, and video/voice verification into their authentication processes, a growing interest in deepfake technology across the dark web doesn’t bode well for preventing identity fraud. Educating employees of deepfake warning signs helps, but ultimately companies will need to stave off the threat with AI technology of their own (and then some).

Truly, madly, deeply fake

Most of the general public still considers deepfakes a novelty item. People have used the technology to alter political videos and insert Nicholas Cage’s face into Indiana Jones and James Bond movies. Last year, Roadrunner, a documentary about the late chef Anthony Bourdain, stirred up controversy for using synthetic audio snippets of Bourdain’s voice.

But more nefarious examples of deepfakes illustrate the threat of identity fraud and companies potentially losing millions of dollars. In 2019, a man impersonated the French Defense Minister over Skype and scammed his way to $93 million. The same year, an AI-generated voice cheated a Hong Kong bank manager out of $35 million.

Manipulating audio is a layup for fraudsters — they can turn a short speech from a corporate executive or government official into a cloned voice sample using one of many readily available machine learning apps. Voice deepfakes are harder to spot than video due to the lack of visual evidence. Voice deepfakes delivered over the phone are even more difficult because of the reduced audio quality.

Image- and video-based deepfakes employ tactics reminiscent of Face/Off, fraudsters wearing silicone masks to fool facial biometrics (“face spoofing”), or using social pictures to bypass face verification. Fraudsters often circumvent authentication protocols using pre-recorded deepfake videos, or, again, by wearing hyper-realistic silicone masks. Liveness tools can help detect videos with silicone masks, but only tools that account for facial actions and traits: blood circulation, skin texture, blinking, etc.

Adopting AI-based software that detects deepfakes isn’t enough; fraudsters have AI tools of their own. Synthetic identity fraud is rising fast, as is the sophistication of the technology available on the dark web. Is it possible for businesses to beef up their biometrics authentication and stay a step ahead of bad actors?

Biometrics’ best friend: real-time insights

In the ’80s, no one defended the universe like Voltron. But the Voltron robot without its head? Not as formidable.

Not to say biometrics verification tools — specifically those designed to stop deepfakes — lack intelligence, but without another layer of AI-powered smarts, more identity thieves will slip through the cracks. This will open the door to synthetic identity fraud, account creation fraud, account takeover, and churn.

Why not buttress biometrics and other authentication techniques with an additional layer of real-time insights to thwart identity fraudsters? For example, a facial recognition solution coupled with trust signals such as time of day, IP address, or device ID could boost the certainty that a voice, image, or video is the real McCoy — and be the difference between stopping a deepfake and falling victim to a multimillion-dollar heist. Static, or historic, data can’t compete with real-time data. Relying upon names, dates of birth, addresses, and maiden names as another factor of authentication is futile because much of this information is available on the dark web.

At Deduce, we’ve built a product that pairs nicely with existing AI solutions like aged cheddar to a cabernet sauvignon, harnessing real-time, dynamic data to bolster account verification and help prevent identity fraud. Our real-time insights assist in preempting attacks by adapting to the latest fraudster schemes and behaviors — precisely the malleability needed to strengthen image, video, and voice authentication against deepfakes.

Our not-so-secret sauce? A real-time Identity Network that boasts more than 450 million anonymized US profiles (multiple devices and accounts per user) and 1.4 billion daily activities (logins, checkouts, registrations, etc.) captured from in-page collection methods on 150,000 websites and apps.

Want to see how Deduce’s real-time insights can fortify the castle walls of your identity authentication? Contact us today.

Only a real-time solution can stop shapeshifting fraudsters

Ah, Christmas. The most fraudulent time of the year.

Unlike bad actors, the uptick in online shopping and transactions (and fraud) — compounded by supply chain shortages — doesn’t imbue cybersecurity teams with much holiday cheer. But one simple, yet monumental change can make all the difference: joining the real-time data revolution.

Data is ubiquitous. Fraudsters are smarter and faster than ever. Real-time data analysis is the only plausible way for businesses to protect their finances and reputations. Out with static, or historic, data (email, phone number, SSN); in with dynamic, up-to-the-minute data (user activity, IP address, device). This is the way.

Companies employing a static, traditional fraud prevention approach are prime targets for account takeover (ATO) and new account creation fraud, among other cyber attacks expected to cost $10 trillion globally by 2025. Not switching to a real-time solution will inevitably lead to a breach sooner than later — and it only gets worse from there.

There’s no time like real time

The irrelevance of historic data in preventing fraud is easy to explain: much of that information is already available on the dark web.

In the seediest corners of the internet, large-scale cybercrime syndicates operate like a fraudulent bodega, peddling users’ personal info for discounted prices. Static data such as names, dates of birth, addresses, mother’s maiden names, and the like is low-hanging fruit for the modern fraudster: plug and play, ammunition for credential stuffing or creating a synthetic identity. Some of these groups are sophisticated enough to enlist AI and machine learning experts to orchestrate breaches, and cunning enough to cook up new schemes, like loyalty point fraud.

Hackers are also benefiting from gargantuan data sets. The data is coming in droves, from all directions, and companies unable to analyze, much less access, dynamic data won’t detect fraudulent activity until it’s too late. Time is of the essence, especially with fraudsters closing the gap between account creation and fraudulent purchases. Delayed fraud detection means delayed remediation, and more dollars down the drain. But dollar signs aren’t the only consideration for pivoting to a real-time fraud prevention platform.

Leave historic data in the past

If a company doesn’t leverage real-time identity data, and is consequently infiltrated by bad actors, most higher-ups will naturally obsess over the immediate financial consequences. However, dealing with chargebacks is peanuts compared to what awaits further downstream.

Think about customer churn, and the army of angry ex-customers who will air their grievances across social media. The combined lifetime value of those lost customers plus the negative hit to brand reputation is not an endearing combination — and even the most seasoned crisis comms team may not fully right the ship.

Then, of course, are the fine-happy regulators who won’t be too thrilled to see another Equifax or Robinhood fiasco. Neither will investors, who are increasingly prioritizing businesses with air-tight threat intelligence. If a company, and its customers, are at risk, so is its valuation.

Adopting a solution that can harness real-time, dynamic data is the key to effectively preventing ATO and new account creation fraud. It provides the necessary adaptability to keep up with shapeshifting fraudsters and stop attacks before they happen — the only acceptable speed in today’s world.

Deduce’s real-time Identity Network, comprising more than 450 million anonymized user profiles collected from 150,000 websites and apps, preemptively alerts companies of fraud well in advance. Want to see how Deduce’s real-time solution can shore up your fraud protection? Contact us today.

ATO hits companies hard. It only gets worse downstream.

It’s been an eventful year for embattled trading platform Robinhood. Following its infamous biff with “meme stock” investors in January, leading to lawsuits and congressional hearings (and an upcoming Netflix movie), the company went public in July but failed to inspire much excitement around the IPO.

Before Robinhood could lick its wounds and hope for a better 2022, they suffered another setback in early November: a data breach that impacted more than 7 million customers. The breach snatched names, emails, dates of birth, and — to the delight of robocallers — thousands of phone numbers.

You might think, “No credit card or social security numbers leaked? What’s the big deal?” but bad actors don’t need much to harm consumers.

Here is how stolen account information, even seemingly innocuous details like names and dates of birth, can lead to account takeover fraud (ATO) and cause further damage downstream.

A dark reality

Stolen account information is trafficked in the nefarious underworld known as The Dark Web. In what’s essentially a farmer’s market for fraudsters, tens of thousands of account credentials are up for grabs at any given time, some going for as much as $15,000.

Personal information acquired from data breaches is another valuable commodity among Dark Web shoppers. These days, name, date of birth — a zip code in some cases — can be used to verify a customer’s identity. Hackers also leverage data mined from The Dark Web to plan and execute phishing attacks or aid other ATO schemes, such as credential stuffing.

The biggest danger of ATO, however — particularly at the scale of the Robinhood breach — is its ability to metastasize, potentially costing millions in chargebacks, not to mention time spent on remediation and navigating a PR firestorm.

A storm with no calm

The worst part of an ATO breach is the aftermath. Per Javelin Research, customers pay an average of $290 for every successful ATO attack and spend 15–16 hours disentangling the wreckage. Not a fun time for customers — or customer support teams.

Many of the users affected by ATO are likely to flee and seek out other platforms. 85 percent of respondents from a recent CMO Council report indicated they dislike companies with identity verification issues; ostensibly, a breach resulting in ATO fraud bumps this number into the 90th percentile. And what will they do after jumping ship? Air their grievances, which — in aggregate — deals a hefty blow to a company’s brand image. It’s the polar opposite of a Trusted User Experience that encourages loyalty, and, depending on the degree of damage, can be difficult to come back from.

To protect against ATO and its residual impacts, companies need to adopt the data-driven, pre- and post-authentication security approach of a Deduce. Our real-time Identity Network comprises more than 450 million anonymized user profiles collected from 150,000 websites and apps, offering preemptive protection that tips off companies long before ATO can manifest.

Want to give Deduce a go? Try a free trial here.

Cloud breaches aren’t going away any time soon.

For today’s enterprise organizations, operating within the cloud is table stakes. It’s faster, more scalable and cost-effective than your grandma’s service oriented architecture (SOA).

However, companies new to the cloud, or those that’ve been there for a while, may not realize the floodgate of security risks that comes with the cloud’s increased flexibility. Like a tourist unknowingly venturing into a city’s most dangerous neighborhood, they don’t see the cybercriminals around the corner waiting to pounce on valuable company assets.

A new Report from IBM details how hackers are feasting on vulnerable cloud environments, and offers a troubling look at how these stolen resources are trafficked on the dark web. (Picture a farmer’s market, but replace the locally grown carrots and beets with login credentials and other sensitive information.) Here are some eye-opening insights gleaned from the data in the report, gathered from Q2 2020 to Q2 2021.

Unforced errors

More than two-thirds of cloud breaches were simply a case of companies leaving the door open. Specifically, attackers took advantage of misconfigured APIs and default security settings that rendered virtual machines and other cloud tools defenseless. Passwords proved troublesome as well: 100 percent of cloud environments studied had violated password and security policies.

Thank you for shopping at Dark Web Depot

According to IBM’s report, upwards of 30,000 account credentials were up for grabs on the dark web. Some were going for a few dollars, others for as much as $15,000. Many of the sellers operated like your average big-box retailer, offering 1–2 week refunds if buyers couldn’t access the cloud environment with the credentials they purchased.

Keeping up with the times

Cryptominers and ransomware were the most common types of malware used to attack cloud environments, comprising more than half of the breaches in the report. Penetration testing revealed that threat actors updated old malware to key in on Docker containers and developed new malware written in cross-platform programming languages.

It also doesn’t appear that cloud breaches are slowing down any time soon: publicly disclosed attacks of cloud applications have increased by more than 150 percent over the last five years.

Clearly, the latest wave of malware is all-in on cloud vulnerability. Is your company all-in on cloud security?

Deduce safeguards your customers from account takeover fraud. Activate your free trial here, and see how Deduce can bring cloud conspirators back down to earth.