How AI-driven identity attacks are defining the new threatscape

Attackers are weaponizing AI to misdirect elections, defraud present exchanges and nations of thousands and thousands and assault crucial infrastructure.

These adversaries embody nation-state attackers and cybercrime gangs that depend on AI to create and launch more and more refined id assaults to finance their operations.

Weaponized AI assaults on identities are rising 

Attackers’ tradecraft utilizing generative AI to launch identity-based assaults ranges from phishing and social engineering-based assaults to password and privileged entry credential takeover to create and launch artificial id fraud assaults geared toward monetary establishments, retailers and the worldwide base of e-commerce retailers. 

With id theft being their income lifeline, nation-state attackers are doubling down on AI to scale their efforts. That’s making artificial id fraud one of many fastest-growing varieties of fraud, posting a 14.2% year-over-year enhance. 

Monetary establishments face $3.1 billion in publicity to suspected artificial id fraud for U.S. auto loans, financial institution bank cards, retail bank cards and unsecured private loans, the best degree ever. TransUnion discovered suspected digital fraud in almost 14% of all newly created international digital accounts final yr. Retail, journey, leisure and video video games are the hardest-hit industries. 

Deepfakes are the chopping fringe of AI-driven id assaults. There was an estimated 3,000% increase in using deepfakes final yr alone. Deepfake incidents are anticipated to extend by 50 to 60% in 2024, reaching 140,000-150,000 instances globally. 

Final yr, deepfakes had been concerned in almost 20% of synthetic identity fraud cases, making it the fastest-growing class of weaponized AI. Attackers are relentless in enhancing their tradecraft, capitalizing on the newest AI apps, video enhancing and audio methods. Deepfake-related id fraud makes an attempt are projected to succeed in 50,000 this yr. 

Deepfakes have grow to be so commonplace that the Department of Homeland Security has issued the information Increasing Threats of Deepfake Identities.

Most enterprises aren’t prepared for AI-driven id assaults 

Right this moment, one in three organizations don’t have a documented technique to handle gen AI dangers, in line with Ivanti’s 2024 State of Cybersecurity Report. CISOs and IT leaders admit they’re not prepared for AI-driven id assaults. 

Ivanti’s report discovered that 74% of organizations are already seeing the affect of AI-powered threats​, and 89% consider that AI-powered threats are simply getting began. Of the vast majority of CISOs, CIOs and IT leaders interviewed, 60% worry their organizations will not be ready to defend in opposition to AI-powered threats and assaults​​. Phishing, software program vulnerabilities, ransomware assaults and API-related vulnerabilities are the 4 commonest threats CISO, CIOs and IT leaders anticipate to grow to be extra harmful as attackers fine-tune their tradecraft with gen AI.

Ping Identity’s current report, Fighting The Next Major Digital Threat: AI and Identity Fraud Protection Take Priority, displays how unprepared most organizations are for the subsequent wave of AI-powered id assaults. “AI-powered cyber threats and id assaults are about to blow up, with over 40% of companies saying they anticipate fraud to extend considerably subsequent yr,” writes Jamie Smith, one of many report’s authors and founding father of Buyer Futures. Ping Id’s report discovered that 95% of organizations are increasing their budgets to combat AI-based threats.

Regardless of AI-based the quick progress of id assaults, organizations aren’t making the most of the newest applied sciences to counter threats. Just below half (49%) are utilizing one-time passcode authentication, and 46% are counting on digital credential issuance and verification. Simply 45% are adopting two-factor or multifactor authentication (MFA). CISOs have instructed VentureBeat that MFA is a fast win, particularly when it’s a part of a broader zero-trust framework technique. Additional, 44% of safety leaders are utilizing biometrics or behavioral biometrics.   

The objective: Battle again in opposition to id fraud whereas enhancing person expertise

The problem for a lot of organizations is hardening their id and entry administration (IAM), privileged entry administration (PAM) and authentication programs with out negatively impacting person expertise. CISOs have lengthy instructed VentureBeat that one of the best cybersecurity safeguards are invisible to customers.

Momentum is shifting in favor of changing passwords with authentication applied sciences that resist AI-driven assaults, making it harder for attackers to steal credentials. Gartner predicts that by subsequent yr, 50% of the workforce and 20% of buyer authentication transactions will likely be passwordless. APIs, biometrics and passwordless applied sciences are all thought-about sturdy replacements for conventional passwords.

Main passwordless authentication suppliers embody Microsoft Azure Lively Listing (Azure AD), OneLogin Workforce Id, Thales SafeNet Trusted Entry and Home windows Good day for Enterprise. Of those, Ivanti’s Zero Signal-On (ZSO) makes use of the corporate’s unified endpoint administration platform (UEM) platform to mix passwordless authentication whereas additionally supporting prospects’ zero belief frameworks to streamline person experiences. Ivanti’s FIDO2 protocols get rid of passwords and help biometrics like Apple’s Face ID, making compromised credentials more durable to entry by way of AI-based id assaults. Passwordless authentication and cell integration are stopping AI-driven id threats.

Stopping AI-based id assaults through the use of software programming interfaces (APIs) that consolidate omnichannel verification visitors into one API that streamlines transactions can also be lowering fraud. Telesign began working with prospects on AI-enabled APIs to consolidate verification channels early on. Their Confirm API developed rapidly from a customer-driven concept inside a matter of months. This new omnichannel API integrates seven main person verification channels: SMS, silent verification, push, electronic mail, WhatsApp, Viber, and RCS (wealthy communication providers) right into a unified API.

Telesign CEO Christophe Van de Weyer instructed VentureBeat throughout a current interview that “with the rising risk of artificial id fraud, companies look to onboarding as the simplest place to cease fraud by guaranteeing their prospects are who they are saying they’re throughout registration. Greater than ever, it’s grow to be essential for corporations to guard the identities, credentials and PII of their prospects. Telesign’s onboarding mannequin delivers a threat evaluation rating to assist companies block, flag and detect artificial identities whereas introducing the suitable quantity of person friction.”

Telesign’s Confirm API integrates a number of verification channels utilizing AI and machine studying (ML) to enhance safety and scale back fraud. This technique improves buyer id safety throughout platforms by detecting and assessing fraud in real-time.

Van de Weyer added that, “verifying prospects is so necessary as a result of one factor that many sorts of fraud have in frequent is that they’ll usually be stopped on the ‘entrance door,’ so to talk. Our lately launched Confirm API answer takes an omnichannel strategy to empower each firm to seamlessly choose the latest, most safe and customer-friendly verification channels for his or her particular use instances. With a single integration, Confirm API permits companies to effortlessly combine seven generally most well-liked authentication channels with minimal improvement sources to make it simpler to confirm end-users and to stabilize the value for verification.”

Whoever controls the identities of an organization, owns the corporate

Trafficking in stolen credentials and creating artificial identities utilizing AI are simply two of the numerous methods nation-state and cybercrime organizations flip stolen identities into money to fund their operations. With nation-state attackers turning to deepfakes to realize their ideological and financial goals, the threatscape organizations should cope with is altering quick. Organizations want to think about the place the gaps and weaknesses are in how they handle identities or put their groups prone to shedding the AI struggle.