46 votes

Deepfake scammer walks off with $25 million in first-of-its-kind AI heist

12 comments

  1. [11]
    feanne

    On Sunday, a report from the South China Morning Post revealed a significant financial loss suffered by a multinational company's Hong Kong office, amounting to HK$200 million (US$25.6 million), due to a sophisticated scam involving deepfake technology. The scam featured a digitally recreated version of the company's chief financial officer, along with other employees, who appeared in a video conference call instructing an employee to transfer funds.

    Wow, that's huge.

    The police have offered tips for verifying the authenticity of individuals in video calls, such as asking them to move their heads or answer questions that confirm their identity, especially when money transfer requests are involved.

    I wonder what are some other tips for dealing with this. And also wonder if this will make banking less convenient again (like they might start requiring more in-person steps again, to tighten security against online fraud).

    24 votes
    1. [7]
      first-must-burn

      Also from the article:

      Another potential solution to deepfake scams in corporate environments is to equip every employee with an encrypted key pair, establishing trust by signing public keys at in-person meetings. Later, in remote communications, those signed keys could be used to authenticate parties within the meeting.

      This made me laugh out loud. The idea that we have come full circle to PGP key signing parties is quite amusing.

      Since most people in a corporate setting can barely log in to their email, they'd probably need some kind of attestation token like the DOD's Common Access Card (CAC). But it would also require the bank and the company to establish some common root of trust, and then those become the points where people start attacking.

      Maybe they should just ask the meeting attendees if they can melt an egg

      31 votes
      1. [2]
        jackson

        It's not quite as infeasible as it sounds: equip every employee with a yubikey and require it to sign in to any corporate resources (ideally through your SSO provider). The video conf software should be locking usernames to the name on the employee profile, and should also be aggressively marking users outside the company as external.

        At that point you basically have what's described in the blurb, just abstracted out to something practical. The key here is employee training–your video conf software is almost certainly used with external users (partners, customers, etc) and employees need to be very aware of how to tell if someone on a call is not part of the company. If they don't know what external users look like, the external user indicator might as well not be there at all.

        17 votes
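The scheme quoted two comments up (each employee holds a key pair, the company signs public keys at an in-person meeting, and the signed keys later authenticate people in a remote call) and the practical version in this reply (a hardware key enrolled with the company's identity provider) come down to the same protocol: a trust anchor vouches for a key, and the key proves presence with a fresh challenge. The following Go program is an added example, not code from the article or from anyone in the thread. It assumes a single organization root key as the anchor, Ed25519 from Go's standard library, a per-meeting nonce as the challenge, and hypothetical names; the private key sits in memory here, whereas in the deployment the comment describes it would live on the hardware token.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Cert is the record the organization root signs at the in-person
// onboarding meeting: it binds an employee name to a public key.
type Cert struct {
	Name    string
	Pub     ed25519.PublicKey
	RootSig []byte // root signature over certBytes(Name, Pub)
}

// certBytes is the canonical, length-prefixed encoding that is signed,
// so that no two (name, key) pairs can produce the same bytes.
func certBytes(name string, pub ed25519.PublicKey) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, uint16(len(name)))
	b.WriteString(name)
	b.Write(pub)
	return b.Bytes()
}

// Enroll is the in-person step: the root signs the employee's key.
func Enroll(root ed25519.PrivateKey, name string, pub ed25519.PublicKey) Cert {
	return Cert{Name: name, Pub: pub, RootSig: ed25519.Sign(root, certBytes(name, pub))}
}

// Challenge is what the meeting host sends each participant; a fresh
// nonce per meeting means a recorded answer cannot be replayed later.
type Challenge struct {
	Nonce     []byte
	MeetingID string
}

func NewChallenge(meetingID string) Challenge {
	n := make([]byte, 32)
	rand.Read(n)
	return Challenge{Nonce: n, MeetingID: meetingID}
}

func challengeBytes(c Challenge) []byte {
	var b bytes.Buffer
	b.WriteString(c.MeetingID)
	b.WriteByte(0) // separator so meeting ID and nonce cannot run together
	b.Write(c.Nonce)
	return b.Bytes()
}

// Respond is the participant side: sign the challenge with the enrolled key.
func Respond(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, challengeBytes(c))
}

// Verify is the host side: the cert must chain to the organization root,
// carry the name the participant claims, and the participant must have
// signed this meeting's challenge with the certified key.
func Verify(rootPub ed25519.PublicKey, claimedName string, cert Cert, c Challenge, sig []byte) error {
	if cert.Name != claimedName {
		return errors.New("certificate name does not match participant")
	}
	if !ed25519.Verify(rootPub, certBytes(cert.Name, cert.Pub), cert.RootSig) {
		return errors.New("certificate not signed by the organization root")
	}
	if !ed25519.Verify(cert.Pub, challengeBytes(c), sig) {
		return errors.New("challenge signature invalid")
	}
	return nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	cfoPub, cfoPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := Enroll(rootPriv, "cfo@example.com", cfoPub) // hypothetical identity
	c := NewChallenge("board-call-1")
	fmt.Println("genuine CFO:", Verify(rootPub, "cfo@example.com", cert, c, Respond(cfoPriv, c)))

	// An impostor can fake the face and voice but not the root's signature:
	// a self-signed certificate for the same name is rejected.
	atkPub, atkPriv, _ := ed25519.GenerateKey(rand.Reader)
	fake := Enroll(atkPriv, "cfo@example.com", atkPub)
	fmt.Println("impostor:", Verify(rootPub, "cfo@example.com", fake, c, Respond(atkPriv, c)))
}
```

The two places an attacker would target are exactly the ones the comment above names: the enrollment step (who gets a root signature) and key recovery when a token is lost. Everything downstream of those is just signature checks.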
        1. first-must-burn
          I misread the article when I posted that and was thinking it was a bank employee on the conference call, but it was a finance employee within the same org. Establishing trust across multiple orgs...

          I misread the article when I posted that and was thinking it was a bank employee on the conference call, but it was a finance employee within the same org. Establishing trust across multiple orgs would be much harder.

          But yeah, in this case, you are right, a tight authentication policy around the videoconferencing system within the org would help.

          5 votes
      2. SteeeveTheSteve

        I'd be curious if the ai produces video of them actually melting an egg.

        1 vote
      3. [3]
        Oslypsis

        If they have the meeting leader text a code to everyone to log into the meeting room, that would work because you can't spoof someone else's phone number, right? So, as long as you have the person's name and number saved, you can easily verify it's them.

        1 vote
        1. first-must-burn
          (edited)

          SIM swapping attacks can be used to gain control of someone else's phone number. When you're talking about someone sophisticated enough to deepfake an entire video conference, they can bring that same level of sophistication to bear on the mobile provider (or just pay off an employee).

          The vulnerability of SIM swapping is why, when people set up 2FA/MFA authentication, an app with a preshared secret like Authy or Google Authenticator is considered more secure than texting codes via SMS. Hardware tokens (e.g. YubiKey or the CAC smart cards) are even better because the hardware key holds the secret securely offline.

          But even if you have hardware tokens, you need a trusted system to set up those keys to begin with or reset those keys when they are lost.

          Edited to add: within one organization, deploying hardware keys is pretty feasible. I misread the article when I posted that and was thinking it was a bank employee on the conference call, but it was a finance employee within the same org. Establishing trust across multiple orgs would be much harder.

          7 votes
        2. ebonGavia

          You can absolutely spoof a phone number. SMS is completely insecure. (Sorry for the late reply btw).

          3 votes
    2. [2]
      BitsMcBytes

      If dealing with a substantial amount of Other People's Money:

      • Require a quorum for any transaction (can have rules based on txn amount).
      • Always set up an allow list for transaction destinations before sending anything (again, approved by the quorum during initial setup).
      • If the infrastructure allows, disable the ability to send to non-allowlisted destinations.

      Sophisticated financial institutions are already doing this with crypto multisigs and MPCs.

      8 votes
      1. imperator

        I'm actually surprised the bank didn't hold the transaction. I work in corporate Treasury so would be the one who would approve these type of transactions.

        Their internal policy is definitely garbage, who else approved?

        But this would have gone to a new account and the bank should have flagged it as potential fraud. Lots of failures along the way for this to get out.

        Hell we get shit flagged for 200k if it's a recipient we've never sent funds to.

        9 votes
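The three controls listed two comments up (amount-based quorum, a destination allowlist approved by the same quorum, and a hard block on anything else) plus the bank-side "new recipient, hold it" flag described in the reply above are easy to state as a policy and worth seeing as one, because the order of the checks matters. The Go program below is an added example of such a policy engine, not code from the thread or from any treasury or custody product. Thresholds, account identifiers and approver names are hypothetical; amounts are in cents to avoid floating-point money.

```go
package main

import "fmt"

// Tier: transfers strictly above Above need Approvers distinct approvals.
type Tier struct {
	Above     int64
	Approvers int
}

// Policy is the control set: quorum by amount, destination allowlist,
// and whether unknown destinations are rejected or merely held.
type Policy struct {
	Tiers               []Tier          // ascending by Above
	Allowlist           map[string]bool // destinations approved at setup
	BlockNonAllowlisted bool            // false: hold for review instead of reject
}

type Transfer struct {
	Amount      int64
	Destination string
	Requester   string
	Approvers   []string
}

type Decision struct {
	Allowed bool
	Hold    bool // not allowed yet, parked for out-of-band verification
	Reason  string
}

// RequiredApprovals returns the quorum for an amount; at least one approver always.
func RequiredApprovals(p Policy, amount int64) int {
	need := 1
	for _, t := range p.Tiers {
		if amount > t.Above && t.Approvers > need {
			need = t.Approvers
		}
	}
	return need
}

// distinctApprovers drops duplicates and the requester, so one person
// (or one deepfaked instruction relayed by one clerk) cannot fill the quorum.
func distinctApprovers(requester string, approvers []string) int {
	seen := map[string]bool{}
	for _, a := range approvers {
		if a != requester {
			seen[a] = true
		}
	}
	return len(seen)
}

// Evaluate applies the controls in order: destination first, then quorum.
// A non-allowlisted destination never reaches the quorum check, so no
// number of approvals on a call can push money to an unknown account.
func Evaluate(p Policy, tx Transfer) Decision {
	if !p.Allowlist[tx.Destination] {
		if p.BlockNonAllowlisted {
			return Decision{Reason: "destination not on allowlist"}
		}
		return Decision{Hold: true, Reason: "first-time recipient, hold for manual verification"}
	}
	need := RequiredApprovals(p, tx.Amount)
	got := distinctApprovers(tx.Requester, tx.Approvers)
	if got < need {
		return Decision{Reason: fmt.Sprintf("quorum not met: %d of %d approvals", got, need)}
	}
	return Decision{Allowed: true, Reason: "allowlisted destination, quorum met"}
}

// AddDestination changes the allowlist only with the top-tier quorum, so
// adding a mule account is at least as hard as the largest transfer.
func AddDestination(p *Policy, dest, requester string, approvers []string) bool {
	top := 1
	for _, t := range p.Tiers {
		if t.Approvers > top {
			top = t.Approvers
		}
	}
	if distinctApprovers(requester, approvers) < top {
		return false
	}
	p.Allowlist[dest] = true
	return true
}

func examplePolicy() Policy {
	return Policy{
		Tiers:               []Tier{{Above: 1000000, Approvers: 2}, {Above: 10000000, Approvers: 3}}, // > $10k, > $100k
		Allowlist:           map[string]bool{"ACME-PAYROLL-001": true},
		BlockNonAllowlisted: true,
	}
}

func main() {
	p := examplePolicy()
	// Constructed scenario: a very large transfer to an account nobody has paid before.
	tx := Transfer{Amount: 2560000000, Destination: "HK-NEW-ACCT", Requester: "finance-clerk", Approvers: []string{"cfo"}}
	d := Evaluate(p, tx)
	fmt.Printf("allowed=%v hold=%v reason=%s\n", d.Allowed, d.Hold, d.Reason)
}
```

With `BlockNonAllowlisted` off, the engine behaves like the bank in the reply above: the transfer is not rejected but held, and the hold is what buys time for a phone call on a known number.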
    3. llehsadam

      I would assume there may be a protocol to reconnect through a trusted channel if finances are involved. Or simply just having a separate phone call or message on verified numbers as two-factor authentication.

  2. blindmikey

    This exact vulnerability was discussed at last year's defcon. Extremely informative talk; only five minutes of voice and shitty zoom footage and you have a convincing zoom-quality doppelganger.

    It's not ironclad, but would mitigate against 99% of these kinds of exploit attempts: after the video conference ends, call up that person on their phone and confirm the request is legit. An attacker would have to put in a hell of a lot more work to survive this simple mitigation technique.

    12 votes