Credit unions have a new cybersecurity risk to monitor: deepfakes.
A form of synthetic media using artificial inteligence to manipulate a person’s image into a doctored photo or video, deepfakes appear to present individuals as saying or doing things they didn’t actually do. Some well-known examples include a 2019 altered video that made it appear House Speaker Nancy Pelosi was slurring her words during public remarks or a clip in which Facebook founder Mark Zuckerberg appears to say the app’s purpose is merely to “manipulate” users.
The threat for credit unions comes in the possibility for deepfakes to infiltrate banking. CUs and other financial institutions are already waging war against fraud in a variety of fashions, but the rise of deepfake technology creates a new layer of trouble, since it makes it more difficult to tell whether fraud is even happening.
Because technology makes these videos appear authentic, they can impact credit union employees and members. Stephen Ritter, chief technology officer at ID verification firm Mitek, suggested cybercriminals could use the technology to impersonate a member during an identification verification process to gain entry to a member’s bank account. Another example is if a fraudster targets a credit union executive and impersonates them, which could lead a credit union employee to transfer or send funds from the credit union’s business account.
That “can lead to serious repercussions for the entire business,” he said.
The new threat is also on the minds of leaders at Credit Union of America in Wichita, Kan.
“The list of things that users can’t trust is continuing to grow and as the technology gets better, you may not be able to trust a loved one’s voice if someone calls asking for money,” said IT Security Manager Blake Penner. “And so it just widens the scope of what really can’t establish trust for you.”
The costs financial institutions will face incurred from deepfake scams are projected to exceed $250 million in 2020, according to data from Forrester Research. That’s another concern credit unions will need to add to their checklist along with their checkbooks, as Gartner projects worldwide cybersecurity spending to touch $133.7 billion by 2022.
It's difficult to pinpoint when deepfakes first emerged. Academic research published in 1997 shows the technology in a premature form in the “Video Rewrite Program,” which involved modifying video footage of a speaking subject to depict them mouthing words to a different audio track. While deepfakes were circulated during the 2016 presidential election, the term itself was coined by Reddit users one year later.
Though deepfake technology has been around for a while, the effects have yet to be measured. Researchers from Cornell University published a paper in October 2019 on adversarial learning of deepfakes in accounting, noting in the paper’s summary that, "the research of such developments and their potential impact on the finance and accounting domain is still in its early stage.”
But that doesn’t mean that credit unions are unable to get ahead of the curve now.
To protect themselves against this emergent technology, Mitek’s Ritter recommended credit unions consider adopting liveness detection into their cybersecurity regimens, which is viewed as one of the most effective methods for not only detecting deepfakes, but also preventing them. The system first requires a user to blink or move in real-time to take a photo, which would prevent fraudsters from using a printed image to impersonate someone. Ritter said the technology also analyzes light and texture from a submitted image or video which could expose a deepfake threat.
“As access to deepfake technologies expands, we’re seeing more financial institutions integrate liveness detection capabilities into their apps to protect their users,” he said.
Ritter added that it’s equally important to incorporate liveness detection into web browsers in order to protect members who access their accounts through the web via a desktop or laptop computer.
Dave Excell, founder of Featurespace, which works with banks and CUs to combat financial crime, said that as with most cybersecurity measures, credit unions are advised to utilize a multi-faceted approach. Along with liveness detection, he recommended CUs require challenging information unlikely to be known to fraudsters before gaining entry to an account, such as recent transaction histories, secret questions and more.
“Credit unions should look at the context of what a [member] has done before and the future transactions [a member] is asking to make,” Excell said.
The good news is that credit unions need not change their tactics all that much, so long as they have cybersecurity protocol in place today. As Credit Union of America’s Penner sees it, it’s an additional layer to social engineering, so a lot of existing training is still applicable today.
That said, these attacks are continuing to evolve each day and credit unions will need to continue advancing their approaches.
“We’ve definitely been paying attention to deepfakes,” Penner. “I think as it becomes more accessible and easier for people to pull off, we’ll probably see a lot more of it layered into existing social engineering attacks so that’s something worth watching.”
