(SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) facilities to those physical networks. Understanding that complexity, adopting a roadmap that reduces it, and removing the least secure parts (probably the old legacy systems) is one key to enhancing security, Thornton-Trump says. “If you know what ‘normal’ is, and what systems you need to protect, this would make anomaly detection far more effective.”
Bounty Hunters vs. Fraudsters
Still another way to defeat doppelgänger fraudsters is to harness the skills of crowdsourced ethical hackers, says Laurie Mercer, a security engineer with London-based HackerOne, a bug bounty firm that offers cash rewards to the more than 400,000 ethical hackers it has registered on its books. By probing corporate systems, they can help firms find the kind of vulnerabilities that let criminals plant their data-stealing bots.
“Online payment systems and e-commerce brands have sophisticated technology in place to prevent fraud, but humans can often outwit these technical controls. And, it takes a human to outwit a human,” Mercer says, suggesting his organization’s hacker army is the best way to unleash human intelligence against the fraudsters. He’s not alone: Goldman Sachs, the U.K. challenger bank Starling, and the Germany-based direct bank N26 are all financial organizations working with white-hat hackers to secure their digital assets. “Anyone who finds a security vulnerability on these companies’ assets can report them to the company, potentially earning a bounty,” Mercer says.
The human factor matters at another level, too, says Amanda Widdowson, cybersecurity champion at the Chartered Institute of Ergonomics & Human Factors in London, noting that the Genesis Store’s doppelgängers are more of a threat if they include login/password pairs, something people have the power to limit spilling to fraudsters.
“The temptation is to use the same, easy-to-remember and so easy-to-guess password for multiple applications. The danger is, if one application is compromised, our other applications are also at risk. What’s needed is more investment in alternative methods of user validation such as biometrics—face, iris, and fingerprint recognition—to reduce reliance on limited human memory capacity,” Widdowson says.
Kaspersky Lab agrees, urging that people use strong passwords, biometrics, and multi-factor authentication to keep the bots out. “People should be practicing safe cybersecurity habits, implementing the same methods they would to prevent any malware infection on their personal devices,” says Lozhkin.
Most importantly, he says, since the doppelgängers were constructed via botnets, “strong cooperation and quick information sharing between cybersecurity vendors and law enforcement agencies around the world will be key to a fast shutdown of such services.”
For the future, however, the banking and finance industry’s move to voice-based account management services—following on the success of voice assistants like Amazon’s Alexa, Google Home, and Apple’s Siri—may end up making those services vulnerable to attacks that use deepfake audio. That might add a voiceprint component to digital doppelgängers, with heavy ramifications for services that authenticate customers by voice.
Indeed, the threat that fake AI-generated voices pose to humans, rather than voice assistants, is already more than apparent. In September, it emerged that the CEO of a U.K.-based energy company had been convinced that he was talking on the phone to his boss in Germany, who asked him to make a $220,000 cash transfer to Hungary, which he did. However, his supposed superior was actually a criminal using very convincing voice synthesizer software that had been trained to mimic every aspect of the target’s voice, from his tonality to his German accent. The money is lost.
Such attacks will force changes on the payments industry. “Since the attack surface of deepfakes is primarily banking information and money transfer functions, I believe we will see mandatory holds for cash amounts over certain levels, with additional authorizations required to complete money transfers,” says Thornton-Trump. “Although this may impede business agility, the risk of being victimized by a multi-thousand- or multi-million-dollar fraud exceeds the inconvenience.”
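The kind of control Thornton-Trump describes can be sketched as a small transfer-authorization policy. The following Python is an added illustration written for this page, not code from any bank, from HackerOne, or from the article's sources; the thresholds, the beneficiary identifiers, the user names and the 24-hour hold are assumed values, and the scenario it replays is a constructed version of the phone-call fraud described above. It goes slightly beyond the quote by also treating a phone or email instruction, and a first payment to an unknown beneficiary, as conditions that need an independent check before release.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"   # release for settlement now
    HOLD = "hold"         # park the transfer until every listed gap is closed


@dataclass(frozen=True)
class Policy:
    """Threshold values are assumptions for this illustration, not any bank's rules."""
    hold_above: Decimal = Decimal("10000")        # above this: one independent approver
    dual_auth_above: Decimal = Decimal("100000")  # above this: two independent approvers
    hold_hours: int = 24                          # minimum delay while a transfer is held


@dataclass(frozen=True)
class TransferRequest:
    amount: Decimal
    beneficiary: str                    # destination account id (hypothetical format)
    requested_by: str                   # user who keyed in the instruction
    instructed_via: str                 # how the instruction arrived: "phone", "email", "web"
    approvals: frozenset = frozenset()  # users who signed off from their own sessions
    callback_verified: bool = False     # requester re-confirmed on a staff-directory number


@dataclass
class Outcome:
    decision: Decision
    reasons: list
    release_after_hours: int = 0


def evaluate(req: TransferRequest, policy: Policy, known_beneficiaries: set) -> Outcome:
    """Apply the policy and return the decision with the concrete gaps that block release."""
    reasons = []
    # Self-approval never counts: the person who took the call cannot clear it alone.
    independent = {u for u in req.approvals if u != req.requested_by}

    # A voice or email instruction is exactly what a cloned voice or a spoofed mailbox
    # produces, so it needs a callback to a directory number whatever the amount.
    if req.instructed_via in ("phone", "email") and not req.callback_verified:
        reasons.append(f"{req.instructed_via} instruction not confirmed by callback")

    # Amount tiers: the larger the transfer, the more independent sign-offs required.
    needed = 0
    if req.amount > policy.hold_above:
        needed = 1
    if req.amount > policy.dual_auth_above:
        needed = 2
    # A never-seen beneficiary always needs at least one other pair of eyes.
    if req.beneficiary not in known_beneficiaries:
        needed = max(needed, 1)
        if not independent:
            reasons.append("first payment to this beneficiary with no independent approver")
    if len(independent) < needed:
        reasons.append(f"needs {needed} independent approver(s), has {len(independent)}")

    if reasons:
        return Outcome(Decision.HOLD, reasons, policy.hold_hours)
    return Outcome(Decision.APPROVE, reasons)


def demo():
    """Constructed scenario modelled on the case in the text: a caller who sounds like
    the boss asks for 220,000 to go to a new account, and the executive keys it in alone."""
    policy = Policy()
    known = {"SUPPLIER-0001"}  # constructed list of previously paid beneficiaries
    first_attempt = TransferRequest(Decimal("220000"), "NEW-ACCT-HU", "ceo", "phone")
    blocked = evaluate(first_attempt, policy, known)
    # The same transfer once the callback was made and two other officers approved it.
    confirmed = TransferRequest(Decimal("220000"), "NEW-ACCT-HU", "ceo", "phone",
                                approvals=frozenset({"cfo", "treasurer"}),
                                callback_verified=True)
    released = evaluate(confirmed, policy, known)
    return blocked, released


if __name__ == "__main__":
    for outcome in demo():
        print(outcome.decision.value, outcome.reasons)
```

The point of returning the reasons rather than a bare yes/no is operational: the held transfer tells the second approver exactly what to check (call the requester back on a known number, confirm the new beneficiary), which is the step the victim in the case above never had the chance to take.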
Further Reading
Losses from Online Payment Fraud to More than Double by 2023, Reaching $48 Billion Annually, Juniper Research, Nov. 20, 2018, https://www.juniperresearch.com/press/press-releases/losses-from-online-payment-fraud
Digital Doppelgangers: Cybercriminals cash out money using stolen digital identities, Kaspersky Lab Securelist blog, April 9, 2019, https://securelist.com/digital-doppelgangers/90378/
Cimpanu, C. Cybercrime market selling full digital fingerprints of over 60,000 users, ZDNet, April 9, 2019, https://www.zdnet.com/article/cybercrime-market-selling-full-digital-fingerprints-of-over-60000-users/
Providing a unique behavioral analytics approach to prevent fraud attacks, Featurespace, 50 Smartest Companies of the Year 2017, The Silicon Review, http://bit.ly/2lcD8lE
Marks, P. Bounties Mount For Bugs, ACM News, August 23, 2018, https://cacm.acm.org/news/230582-bounties-mount-for-bugs/fulltext
Statt, N. Thieves are now using AI deepfakes to trick companies into sending them money, The Verge, Sept. 5, 2019, http://bit.ly/2mKoD8O
Paul Marks is a technology journalist, writer, and editor
based in London, U.K.
© 2020 ACM 0001-0782/20/2 $15.00