As fraud prevention technology gets more sophisticated, account takeover (ATO) tactics are keeping pace. Between 2019 and 2021, ATO attacks increased by 307%, with monetary losses totaling $11.4 billion, and the loss of credibility and customer trust incalculable.
The massive data breaches that seem to happen daily — clever social engineering fueled by an assist from generative AI, phishing, and brute force attacks — give hackers access to personally identifiable information (PII), and then the consumer account takeovers begin. The financial losses hit consumers hard, but there’s also a very real psychological component, which directly impacts that customer’s relationship with the company that didn’t protect their data.
“There’s a helplessness in realizing that your account has been compromised and your personal information is now in the hands of someone else,” said Juan Rivera, senior solutions engineer at Telesign during a recent VB Spotlight. “It’s detrimental both on a short-term basis, as well as long-term.”
Rivera spoke with Joni Brennan, president of the Digital ID & Authentication Council of Canada (DIACC), about how current threats are evolving in the AI world, how to mitigate risk and more.
“The internet was not invented with an identity verification layer,” Brennan said. “We’re filling a space that didn’t exist. We have a lot more work to do as a community of professionals and practitioners in this space, and we’ll continue to do that work.”
How generative AI is stirring the pot
The traditional methods of fraud are still out there — phishing and dumpster diving are as popular as ever. But AI has enabled some dramatic new areas of attack, both in ATO and credential stuffing.
For instance, a data breach offers a treasure trove of usernames and passwords, and then bots use that data to conduct brute force attacks against accounts. With AI’s ability to process large amounts of information, that process is stunningly fast. And with AI, attackers can create candidate passwords based on PII as well. For example, a password leaked from one site can guide guesses at the passwords you chose across other sites.
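The defender's view of the pattern described above is a detection rule: a single source failing logins against many different accounts in a short window, an account receiving failures from many sources, and a success from a source already behaving that way. The following is an added example, not code from the article or from Telesign or DIACC; the log format, the thresholds, the window and all addresses and usernames are constructed for illustration.

```python
"""Added example (not from the article): flagging credential-stuffing patterns
in authentication logs. The log format, thresholds and IP/user names below are
constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)    # assumed sliding window for counting failures
IP_DISTINCT_ACCOUNTS = 5         # assumed: one source failing against 5+ accounts
ACCOUNT_DISTINCT_SOURCES = 3     # assumed: one account failing from 3+ sources

# Constructed log lines: "<ISO timestamp> <source ip> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 alice FAIL
2024-05-01T10:00:01 203.0.113.5 bob FAIL
2024-05-01T10:00:02 203.0.113.5 carol FAIL
2024-05-01T10:00:03 203.0.113.5 dave FAIL
2024-05-01T10:00:04 203.0.113.5 erin FAIL
2024-05-01T10:00:05 203.0.113.5 erin OK
2024-05-01T10:02:00 198.51.100.1 victim FAIL
2024-05-01T10:02:10 198.51.100.2 victim FAIL
2024-05-01T10:02:20 198.51.100.3 victim FAIL
2024-05-01T10:05:00 192.0.2.7 frank FAIL
2024-05-01T10:05:05 192.0.2.7 frank FAIL
2024-05-01T10:05:10 192.0.2.7 frank OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def _prune(window, now):
    """Drop entries older than WINDOW from the left of a time-ordered deque."""
    while window and now - window[0][0] > WINDOW:
        window.popleft()


def detect_credential_stuffing(log_text):
    """Return suspected stuffing sources, targeted accounts and likely takeovers.

    A takeover is a successful login from a source that had already been
    flagged for spraying failures across many accounts."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e[0],
    )
    fails_by_ip = defaultdict(deque)    # ip -> (time, username) failures in window
    fails_by_user = defaultdict(deque)  # username -> (time, ip) failures in window
    sources, accounts, takeovers = set(), set(), set()
    for ts, ip, user, result in events:
        if result == "OK":
            if ip in sources:
                takeovers.add((ip, user))
            continue
        fails_by_ip[ip].append((ts, user))
        _prune(fails_by_ip[ip], ts)
        if len({u for _, u in fails_by_ip[ip]}) >= IP_DISTINCT_ACCOUNTS:
            sources.add(ip)
        fails_by_user[user].append((ts, ip))
        _prune(fails_by_user[user], ts)
        if len({i for _, i in fails_by_user[user]}) >= ACCOUNT_DISTINCT_SOURCES:
            accounts.add(user)
    return {
        "stuffing_sources": sorted(sources),
        "targeted_accounts": sorted(accounts),
        "likely_takeovers": sorted(takeovers),
    }


if __name__ == "__main__":
    for key, value in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, the one source that fails against five accounts is flagged, its subsequent success on the fifth account is reported as a likely takeover, the account hit from three separate sources is reported as targeted, and the user who mistypes twice before logging in from one address is left alone. In production the thresholds would be tuned against the site's real traffic, and the per-source signal is usually joined with device and network reputation rather than the bare address.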
Deepfakes are no fairy tale either. Recently, a woman was blackmailed by criminals claiming they had kidnapped her daughter; they used voice samples from the daughter to build a convincing simulation with AI. And in February 2023, a journalist was able to break past the authentication scheme of a major financial institution in the U.K. by using deepfake technology.
“The cost of using generative AI for something like a deep fake voice has increased the ability to get access to those capabilities,” Rivera said. “Generative AI is already starting to break authentication methods we have today, and it will continue to break more.”
But on the other side, there’s opportunity to leverage generative AI internally, to automate the monitoring of suspicious behaviors.
“I think we’ll see generative AI, just as with any security ecosystem, play out on both sides of the fence, for attackers as well as defenders,” he added. “It really is going to be a matter of who can get to the technology first. As security experts get hold of technology, so do the fraudsters.”
Building defenses against cyberthreats
There is a lot of work to be done in the digital identification and verification space, Brennan said.
Awareness of the threat — its level and its potential for harm — is the first step. Taking it seriously means investing in the technology you need to lock down the PII you’re responsible for, especially multifactor authentication.
“Both in your personal life and if you’re operating a business, if you’re in the IT department, you have to insist on at least two-factor authentication, if not multi-factor,” Brennan said. “Whether that’s using different channels that you have available through mobile, through email, or even better, using hard token — tokens that are out there for one-time passwords, and things of that nature.”
Unfortunately, that’s a level of friction too far for many users, so they need to, at the very least, create a strong username and password, and make sure it’s unique on every site. Password generators today are secure, easy to use, and, with the cloud, generally available across devices. Password vaults are another useful tool, similarly secure and simple to use, and they mean that a customer doesn’t have to remember any of the extremely complex passwords they’ve generated.
Why education and awareness are foundational
“Businesses have a lot to lose by not educating their employees,” Rivera explained. “They’re going to constantly send out test emails to make sure you don’t fall into those traps. But the average consumer doesn’t have the luxury of that. If they’re not aware of what fraudsters are doing, they’re going to take advantage of that. That’s why we’re seeing an increase in ATO every year.”
Consumers should be educated on the ways they can proactively implement a multi-layered approach to detect and prevent suspicious behavior, to reduce the risk of accounts becoming compromised to begin with. “Organizations have a responsibility to put in place the flows that help to, step-by-step, lead the customer through the process of putting in that layered effect through different authenticators, and different methodologies,” Brennan said.
That includes teaching them to stay aware of a website’s credentials, whether browsing, buying or interacting. It also means monitoring suspicious emails and messages, never clicking on a link in them, and instead going directly to the purported source of the message (whether that’s your bank or a shopping site) and verifying with that source.
“As we go forward, we’re seeing the opportunities for paradigm shifts through distributed networks, distributed ecosystems, and things like verifiable credentials; ways that we can present data, minimize information, using cryptography to verify,” Brennan added. “We have lots of great tools today and we’ll see more evolutions, trusted networks for information-sharing in this space, because folks like Juan and many others are working on this every day to help improve the experience.”