19 Jan 2023
by Campbell Cowie

FTX scam highlights the real and growing threat of Deepfakes (Guest blog by iProov)

Guest blog by Campbell Cowie, Head of Policy, Standards & Regulatory Affairs at iProov #NatSec2023

A deepfake video of former FTX CEO Sam Bankman-Fried recently circulated on Twitter. Fraudsters looking to steal funds from users of the collapsed crypto exchange lured viewers to a website where they could supposedly get compensated for their losses by sending in crypto tokens and receiving double in return.

The fraudsters, taking old interview footage of Bankman-Fried, used a voice emulator to capture his likeness. This is not the first time a deepfake has been used to scam those in the crypto industry. In July 2022, a sophisticated scam using deepfake technology managed to drain liquidity from Brazilian crypto exchange, BlueBenx, by impersonating the COO of Binance.

This high-profile deepfake is the tip of the iceberg. Criminals now have access to the technology and means to create incredibly realistic and convincing deepfakes. And they’re using these deepfakes to launch large-scale attacks at organizations and their users worldwide.

The global pandemic accelerated the transition from in-person to remote activities. Now that government agencies, banks, and many other organizations are communicating with colleagues, users, and job candidates remotely, criminals are using deepfakes to exploit this channel. In 2022, the FBI warned that deepfakes are also being used for fraudulent job applications for remote tech roles.

One way to combat deepfakes is with biometric face verification that enables users to verify their identity and gain access to an online service by scanning a government-issued ID and their face. They can then use their face every time they wish to authenticate and return to the service.

However, as the use of face verification has increased, bad actors have conceived new ways to circumvent these systems to gain unauthorized access to online services, either through presentation or digital injection attacks.

A presentation attack is the act of holding up an artifact to the user-facing camera to impersonate a legitimate customer and spoof the face authentication sequence. These artifacts can take the form of static images, videos, and high-quality masks.

Digital injection attacks are the more dangerous form of threat because they are more difficult to detect than presentation attacks and can be replicated quickly. They carry none of the clues that artifacts do when they are presented to the camera, making the more sophisticated attacks challenging for systems to distinguish and near impossible for humans. The process of creating a deepfake and presenting it to a camera can be effective, but it is limited in scope. The criminal can only do this one at a time.

Digital injection attacks, on the other hand, can be run from an attacker’s computer. Or they can be done using a thousand cloned devices in a data center operated by a criminal network.

As an additional level of security, liveness detection is incorporated into face verification and authentication systems to distinguish whether the individual asserting their identity is a real-life person and not a presented artifact. Liveness detection technology can detect a deepfake if it is used as part of a presentation attack. But as mentioned previously, criminals now have the capability to inject deepfakes directly into the data stream, bypassing the authentication system altogether.

For high-risk use cases, such as opening a new account or transferring a large sum of money, most liveness detection technology does not provide a high enough level of assurance. Deepfakes can emulate a person verifying themselves, which some liveness technology cannot spot. Advanced methods are needed to secure against advanced threat types.

Therefore, one-time biometrics that assure both liveness and that a user is a real, live person verifying in real time are essential in an organization’s defense strategy against deepfakes.


Authors

Campbell Cowie

Head of Policy, Standards & Regulatory Affairs, iProov

With more than 25 years’ experience in cyber policy and regulation, I am an economist and cyber policy specialist. I lead for iProov on government, regulatory and public policy engagement, supporting and shaping our commercial objectives in key markets. iProov is that rare thing of a British SME that is a world leader in our field, providing remote digital identity verification & authentication using advanced biometrics and artificial intelligence. Although UK-based, my role is global, reflecting our customer base, which includes governments and public bodies in the US, Europe and Asia, as well as banks and transportation organisations. We are also delighted to be a participant in the NOBID consortium, now in discussions with the European Commission for pilot funding under the EU Digital Wallet programme.

A former regulator (Director of Policy and Director of Internet Policy at Ofcom) and advisor to the UK Government on cyber issues, including security issues, trust and internet governance, I have also held senior international policy roles across media, telecoms, internet, energy and gaming industries. I specialise in tackling regulatory challenges and policy development where technology has driven significant market disruption.
