The digital economy is unforgivingly fast-evolving, and organizations often find themselves moving at a pace that makes it extremely difficult to overcome novel security challenges and threats.
As we approach the midpoint of 2024, the themes of change and innovation are pushed into overdrive in response to new technologies like artificial intelligence (AI) and the metaverse, which are turning identity into the new battleground for security.
Identity fraud is a growing problem for organizations today. According to a recent Ping Identity survey, only 10% of consumers have full trust in the organizations that manage their identity data, with the most trust in banks (61%) and healthcare services (51%).
Whether fraudsters are stealing credentials or otherwise compromising the accounts of existing customers, organizations need a way to keep cybercriminals out without bogging the user experience down with excessive and frustrating security steps.
CybersecAsia discussed this increasingly critical cybersecurity battlefield in the age of AI and deepfakes with Johan Fantenberg, Principal Solutions Architect – APAC, Ping Identity.
Identity has always been a gatekeeper of authenticity and security. What are your observations on how identity fraud has been impacting organizations today?
Fantenberg: Fraud is rampant, and current solutions are causing poor user experience – losses due to identity theft totaling over $635 billion in 2023 and account takeover attacks up 354% year-over-year. But fraud prevention measures can result in frustrated prospects abandoning account registration, or existing customers moving on to a competitor in search of a more convenient experience.
Whether fraudsters are compromising the accounts of existing customers or creating new accounts using stolen or synthetic identity information, organizations need a way to keep cybercriminals out while offering customers an enjoyable digital experience.
Moreover, threat actors are increasingly sophisticated at posing as figures of authority, including but not limited to a trusted executive, a bank or someone from the government. This requires organizations to adopt a ‘verify more – trust less’ approach, rethinking how and to whom access is granted as well as constantly verifying identities.
It is vital that organizations incorporate fraud prevention methods that prioritize both security and experience, including dynamic fraud detection, real-time risk scoring and centralized decisioning.
Forward-looking organizations will also consider ways to prove their own authenticity in interactions with customers, e.g. for contact center interactions when a customer is talking to a customer service representative. Verifiable credentials standards and solutions can play a strong role in such use cases.
How does AI come into the picture?
Fantenberg: Fraudsters are using AI to generate sophisticated phishing emails that look nearly identical to a legitimate email one would receive. AI is being used to create video and voice impersonations – not just of public figures, but of CEOs, CFOs and those whom you would genuinely trust.
People can no longer implicitly trust the things they see, hear, read or receive digitally, whether it’s the contents of an email, the content of an SMS message, a voice call, or even a video-conferencing interaction.
What happens when you can’t trust what you hear or see? When AI can mimic our voice across unauthenticated channels, how will we know who we’re listening to? This poses a massive societal challenge.
Identity and access management can help reduce the risk, but you need the right partner with you on the journey. It needs to be seamless and friction-free, yet strong and integrated. This is where identity orchestration plays a major role across the digital ecosystem.
What can organizations do to support their employees to adopt better cyber hygiene?
Fantenberg: Enforcing multifactor authentication (MFA) and offering passwordless authentication methods, including passkeys, biometrics, and device identifiers, can significantly reduce the risk of account takeovers (ATOs) and data breaches brought on by stolen credentials.
Traditional passwords not only hamper the employee experience with the burden of remembering a range of unique passwords, or time wasted resetting forgotten ones, but also decrease their productivity.
Organizations must also enforce device trust strategies that ensure only employees can access enterprise networks. Implementing device fingerprinting, for example, allows cybersecurity teams to identify trusted devices and block malicious ones.
Besides that, cybersecurity teams should also incorporate profiling solutions to assess devices’ compliance with security policies. This includes identifying operating system versions, the safeguards in place, and malicious software. Even if the device has met the cybersecurity requirements, teams must conduct frequent verification so they can stay on top of changes in the device’s status and behavior.
It is also important to note that an increasing number of risk signals need to be processed in real time, requiring authentication, authorization and MFA services to be fast and predictable so that the user experience is not negatively impacted.
Finally, promoting a security-aware culture where the protection of digital identity data is encouraged and valued will help decrease the threat of human errors. This means conducting regular training sessions on the latest measures to counter phishing attempts and keep data secure. Simultaneously, cybersecurity teams should also communicate the latest attacks and scam tactics so that employees know how to spot them before threat actors make their moves.
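As an added illustration, not code from the interview or from Ping Identity's products, the following Python shows how the device-trust, profiling and re-verification signals described above can feed one fast, centralized decision (allow, step-up MFA, or block). The trusted-fingerprint set, version baseline, re-verification window and score weights are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed policy values for this example (assumptions, not vendor defaults).
MIN_OS_VERSION = (14, 0)          # minimum compliant OS version (major, minor)
REVERIFY_AFTER_SECS = 15 * 60     # posture older than this must be re-checked
TRUSTED_FINGERPRINTS = {"fp-a1b2c3"}  # constructed sample of known-good devices


@dataclass
class DeviceSignals:
    fingerprint: str        # device fingerprint presented at login
    os_version: tuple       # (major, minor) reported by the profiling agent
    disk_encrypted: bool    # one of the "safeguards in place" checks
    malware_detected: bool  # endpoint reported malicious software
    last_verified: float    # epoch seconds of the last posture verification


def score_device(sig: DeviceSignals, now: float):
    """Return (risk_score, reasons). Higher means riskier; 0 is a clean trusted device."""
    score, reasons = 0, []
    if sig.malware_detected:
        score += 100
        reasons.append("malicious software detected")
    if sig.fingerprint not in TRUSTED_FINGERPRINTS:
        score += 40
        reasons.append("unknown device fingerprint")
    if sig.os_version < MIN_OS_VERSION:
        score += 30
        reasons.append("OS version below baseline")
    if not sig.disk_encrypted:
        score += 20
        reasons.append("disk not encrypted")
    if now - sig.last_verified > REVERIFY_AFTER_SECS:
        score += 30
        reasons.append("posture check stale; re-verify device")
    return score, reasons


def decide(score: int) -> str:
    """Centralized decision: a single threshold table every service consults."""
    if score >= 100:
        return "block"
    if score >= 30:
        return "step_up_mfa"
    return "allow"


def evaluate(sig: DeviceSignals, now: float) -> str:
    """Convenience wrapper: score the signals and return the decision."""
    return decide(score_device(sig, now)[0])
```

Because the scoring is a handful of comparisons with no network calls, it stays fast and predictable under load, which is the property the answer above asks of real-time authentication and MFA services.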
What are some of the latest attack innovations that organizations must take note of?
Fantenberg: Account takeover fraud (ATO) attacks are on the rise, jumping an eye-popping 354% year-over-year. ATO is a form of identity theft where fraudsters overtake an online account and pose as real users. Typical means for ATO include compromised credentials, session-hijacking, social engineering, and device takeover.
Checkout fraud is another new attack variant that needs to be on organizations’ radars. This involves threat actors clicking on the “Guest Checkout” feature to bypass identity verification checks. From there, the threat actor uses bots to enter stolen credit card information and discount codes for different websites.
Organizations also need to watch out for authorized push payment (APP) fraud, where the threat actor poses as a merchant selling fake products and offers exclusive discounts to customers who pay via mobile wallet apps. Because these payments are treated like cash, it is difficult to reverse them once the transaction has been approved.
There is also promo and bonus fraud, in which threat actors create different accounts to collect sign-up bonuses. This type of fraud commonly targets online gambling services, but it also appears in other businesses that offer similar incentives to customers who register for new accounts. With enough accounts, threat actors will be able to maximize their profits.