The trouble with identity in an increasingly fake world

COMMENTARY: Deepfakes have been wreaking havoc on individuals and businesses for nearly a decade. While these methods often require considerable effort and sophisticated techniques, they are well worth a cybercriminal’s time when targeting high-value victims.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Case in point: earlier this year, cybercriminals successfully targeted a British multinational design and engineering company. Using an elaborate deepfake scam, they tricked a Hong Kong-based employee into transferring $25 million. A few years prior, two fraudsters used facial images purchased on the black market to create synthetic identities, forming a shell company that issued fake tax invoices totaling over $75 million.

Physical threats meet digital authentication

Synthetic identities and deepfakes are just two examples of the growing challenges around identity fraud. Biometric authentication was once considered a silver bullet for identity verification, but if recent attacks have taught us anything, it’s that no single product is foolproof in cybersecurity. Despite the evolution of identity management to counter increasingly sophisticated threats like deepfakes and AI-powered attacks, vulnerabilities remain.

A new, less sophisticated, yet highly effective threat has recently emerged: physical attacks using silicone fingerprint replicas and hyper-realistic silicone masks. According to a study by the Institute of Electrical and Electronics Engineers, while face recognition systems are effective at detecting basic infiltration attempts, they are far less effective against presentation attacks involving custom silicone masks.

Back in 2017, researchers from a cybersecurity firm used a 3D-printed mask – created for just $150 – to fool iPhone X’s facial recognition system. Fast-forward to 2024, and silicone masks are now used globally to evade law enforcement. In one case in Shanghai, a 40-year-old thief burglarized an apartment complex wearing a hyper-realistic mask, tricking surveillance systems into capturing an image of an elderly man instead of his true identity. These masks – which can be customized for $400 to $4,000 in some regions – drastically reduce the efficacy of facial recognition systems and can even bypass biometric authentication in some cases, undermining what was once considered a highly secure method for protecting personal devices and services.

What’s old is new again: As digital advancements have historically posed threats to the physical world, physical materials are now facilitating digital attacks. Cybersecurity inherently runs in cycles, and while staying ahead of bad actors can seem overwhelming, there are foundational steps that can help prevent and mitigate identity-led attacks.

Cybercriminals pursue high-value targets based on potential gains. These targets are often individuals or organizations – malicious actors don’t discriminate. Stay vigilant, both at work and at home. Here’s how to protect against these threats:

At work:

Limit access: Implement strong access controls and conduct regular security audits to mitigate both unintentional and malicious insider threats.

Enforce multi-factor authentication (MFA): MFA adds an extra layer of security, making it harder to compromise accounts. Despite its proven benefits, many organizations still fail to enforce MFA. For example, earlier this year, hackers breached Microsoft executives’ accounts, exploiting the absence of MFA on a “legacy” account.

Prioritize training: Business leaders must regularly train employees on cybersecurity best practices, including phishing awareness. The majority of breaches still involve human error, such as falling for social engineering attacks. By training employees to recognize and respond to phishing simulations, organizations empower their “frontline defenders” to question unusual requests and report suspicious activity promptly, strengthening their overall security posture.

At Home:

Share with care: Maximize privacy settings on all social media accounts. Set personal accounts to private or restrict visibility to trusted friends. Even with these settings, still avoid oversharing online to prevent identity theft.

Stay vigilant: Anyone with a pulse and a phone or computer is a potential target for identity-based attacks. If someone calls and claims they are a loved one and asks for money or sensitive personal information, be wary – it’s potentially a vishing attack using spear phishing tactics. With spear phishing, the bad actor may know specific details about a person or their loved one from publicly available information. To avoid falling victim, hang up and contact the loved one directly.

Don’t share sensitive information with unconfirmed parties: In social engineering attacks, cybercriminals may impersonate the authorities, IT staff or financial institutions to scam the victim out of money or extract personal data. Always verify the identity of the requester before sharing any sensitive information – it’s better to be safe than sorry.

As cyber threats continue to evolve at an alarming rate, IT and business leaders must collaborate to enforce processes and adopt new technologies to defend against identity-related attacks. Meanwhile, consumers must stay vigilant to avoid falling victim to these attacks.

Criminals are constantly finding new ways to carry out attacks, with physical threats like silicone masks being just one of the latest trends. While the cybersecurity landscape has become increasingly complex, both individuals and businesses can stay ahead of cybercriminals by following basic, yet effective, security practices.

Darren Guccione, co-founder and CEO, Keeper Security

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.