Attackers use AI as a weapon to rig elections, defraud stock markets and nations, and attack critical infrastructure.
These adversaries include state attackers and cybercrime gangs that depend on AI to develop and execute increasingly sophisticated identity attacks to fund their operations.
Weaponized AI attacks on identities are increasing
Attackers use generative AI to launch identity-based attacks that range from phishing and social engineering to stealing passwords and privileged credentials in order to develop and launch synthetic identity fraud attacks targeting financial institutions, retailers, and the worldwide base of e-commerce merchants.
With identity theft being their lifeline for revenue, state attackers are doubling down on AI to reinforce their efforts. This makes synthetic identity fraud one of the fastest-growing forms of fraud, with a 14.2% increase compared with the previous 12 months.
Financial institutions are facing $3.1 billion in suspected identity fraud involving U.S. auto loans, bank cards, retail bank cards and unsecured personal loans – the highest level ever. TransUnion found suspected digital fraud in nearly 14% of all newly opened global digital accounts in the last 12 months. Retail, travel, leisure and video gaming are the most affected industries.
Deepfakes are the spearhead of AI-driven identity attacks. There has been an estimated 3,000% increase in the use of deepfakes in the last 12 months alone. Deepfake incidents are expected to increase by 50-60% by 2024, reaching 140,000-150,000 cases worldwide.
In the last 12 months, deepfakes were found in almost 20% of synthetic identity fraud cases, making it the fastest-growing category of weaponized AI. Attackers are constantly improving their methods, leveraging the latest AI apps, video editing, and audio techniques. It is estimated that there will be 50,000 attempts at identity fraud involving deepfakes over the current 12 months.
Deepfakes have become so commonplace that the Department of Homeland Security has published the guide “Increasing threat from deepfake identities.”
Most corporations aren’t prepared for AI-driven identity attacks
Today, one in three organizations doesn’t have a documented strategy for managing the risks of AI. In Ivanti's State of Cybersecurity Report 2024, CISOs and IT leaders admit they’re unprepared for AI-driven identity attacks.
According to Ivanti's report, 74% of organizations are already experiencing the impact of AI-powered threats and 89% believe AI-powered threats are only just starting. 60% of CISOs, CIOs and IT leaders surveyed fear their organizations aren’t prepared to defend against AI-powered threats and attacks. Phishing, software vulnerabilities, ransomware attacks and API-related vulnerabilities are the top four threats that CISOs, CIOs and IT leaders expect to become more dangerous as attackers refine their tactics using next-generation AI.
Ping Identity's current report, “Fighting the following big digital threat: AI and protection against identity fraud are a priority,” reflects how unprepared most organizations are for the next wave of AI-powered identity attacks. “AI-powered cyber threats and identity attacks are set to blow up, and over 40% of organizations expect fraud to extend significantly in the following 12 months,” writes Jamie Smith, one of the report's authors and founder of Customer Futures. Ping Identity's report found that 95% of organizations are expanding their budgets to combat AI-based threats.
Despite the rapid rise of AI-powered identity attacks, organizations aren’t leveraging the latest technologies to counter threats. Just under half (49%) use one-time password authentication and 46% depend on issuing and verifying digital credentials. Only 45% use two-factor or multifactor authentication (MFA). CISOs told VentureBeat that MFA is a quick win, especially when it's part of a broader zero-trust framework strategy. In addition, 44% of security leaders use biometrics or behavioral biometrics.
The goal: to combat identity fraud while improving the user experience
The challenge for many organizations is to strengthen their identity and access management (IAM), privileged access management (PAM), and authentication systems without negatively impacting the user experience. CISOs have long told VentureBeat that the best cybersecurity defenses are those that are invisible to users.
The trend is to replace passwords with authentication technologies that resist AI-driven attacks, making it harder for attackers to steal credentials. Gartner predicts that within the next 12 months, 50% of the workforce and 20% of customer authentication transactions will be passwordless. APIs, biometrics, and passwordless technologies are all seen as strong replacements for traditional passwords.
Leading passwordless authentication providers include Microsoft Azure Active Directory (Azure AD), OneLogin Workforce Identity, Thales SafeNet Trusted Access, and Windows Hello for Business. Of these, Ivanti's Zero Sign-On (ZSO) leverages the company's Unified Endpoint Management (UEM) platform to integrate passwordless authentication while supporting customers' zero-trust frameworks to optimize the user experience. Ivanti's use of FIDO2 protocols eliminates passwords and supports biometrics such as Apple's Face ID, making compromised credentials harder to access through AI-based identity attacks. Passwordless authentication and mobile integration stop AI-driven identity threats.
Stopping AI-based identity attacks with application programming interfaces (APIs) that consolidate omnichannel verification traffic into a single API, which streamlines transactions, also reduces fraud. Telesign began working with customers early on AI-enabled APIs to consolidate verification channels. Their Verify API quickly evolved from a customer-driven idea in a matter of months. This latest omnichannel API integrates seven leading user verification channels: SMS, silent verification, push, email, WhatsApp, Viber, and RCS (rich communication services) into a unified API.
Telesign CEO Christophe Van de Weyer told VentureBeat in a recent interview, “With the growing threat of synthetic identity fraud, corporations view onboarding as essentially the most effective approach to prevent fraud by ensuring their customers are who they say they are when they enroll. Now more than ever, it has become critical for corporations to guard their customers' identities, credentials, and PII. Telesign's onboarding model delivers a risk rating that helps corporations block, flag, and detect synthetic identities while introducing an appropriate level of user friction.”
Telesign's Verify API integrates multiple verification channels using AI and machine learning (ML) to enhance security and reduce fraud. This method improves customer identity protection across platforms by detecting and assessing fraud in real time.
Van de Weyer added: “Customer verification is so vital because many forms of fraud have one thing in common: they’ll often be stopped on the 'doorstep', so to speak. Our recently launched Verify API solution takes an omnichannel approach that permits every company to seamlessly select the most recent, most secure and customer-friendly verification channels for their specific use cases. With a single integration, Verify API enables corporations to effortlessly integrate seven commonly preferred authentication channels with minimal development resources to simplify end-user verification and stabilize the worth of verification.”
Whoever controls the identities of an organization owns the company
Trading stolen credentials and creating synthetic identities using AI are just two of the many ways government and cybercrime organizations are turning stolen identities into money to fund their operations. As government attackers turn to deepfakes for ideological and financial goals, the threat landscape that organizations must deal with is changing rapidly. Organizations must consider where the gaps and weaknesses lie in managing identities, or their teams risk losing the AI war.