COMMENTARY: Deepfakes have been wreaking havoc on individuals and businesses for nearly a decade. While these methods often require considerable effort and sophisticated techniques, they are well worth a cybercriminal’s time when targeting high-value victims.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Case in point: earlier this year, cybercriminals successfully targeted a British multinational design and engineering company. Using an elaborate deepfake scam, they tricked a Hong Kong-based employee into transferring $25 million. A few years prior, two fraudsters used facial images purchased on the black market to create synthetic identities, forming a shell company that issued fake tax invoices totaling over $75 million.
Physical threats meet digital authentication
Synthetic identities and deepfakes are just two examples of the growing challenges around identity fraud. Biometric authentication was once considered a silver bullet for identity verification, but if recent attacks have taught us anything, it’s that no single product is foolproof in cybersecurity. Despite the evolution of identity management to counter increasingly sophisticated threats like deepfakes and AI-powered attacks, vulnerabilities remain.
A new, less sophisticated, yet highly effective threat has recently emerged: physical attacks using silicone fingerprint replicas and hyper-realistic silicone masks. According to a study by the Institute of Electrical and Electronics Engineers, while face recognition systems are effective at detecting basic infiltration attempts, they are far less effective against presentation attacks involving custom silicone masks.
Back in 2017, researchers from a cybersecurity firm used a 3D-printed mask – created for just $150 – to fool iPhone X’s facial recognition system. Fast-forward to 2024, and silicone masks are now used globally to evade law enforcement. In one case in Shanghai, a 40-year-old thief burglarized an apartment complex wearing a hyper-realistic mask, tricking surveillance systems into capturing an image of an elderly man instead of his true identity. These masks – which can be customized for $400 to $4,000 in some regions – drastically reduce the efficacy of facial recognition systems and can even bypass biometric authentication in some cases, undermining what was once considered a highly secure method for protecting personal devices and services.
What’s old is new again: As digital advancements have historically posed threats to the physical world, physical materials are now facilitating digital attacks. Cybersecurity inherently runs in cycles, and while staying ahead of bad actors can seem overwhelming, there are foundational steps that can help prevent and mitigate identity-led attacks.
Cybercriminals pursue high-value targets based on potential gains. These targets are often individuals or organizations – malicious actors don’t discriminate. Stay vigilant, both at work and at home. Here’s how to protect against these threats:
At work:
At Home:
As cyber threats continue to evolve at an alarming rate, IT and business leaders must collaborate to enforce processes and adopt new technologies to defend against identity-related attacks. Meanwhile, consumers must stay vigilant to avoid falling victim to these attacks.
Criminals are constantly finding new ways to carry out attacks, with physical threats like silicone masks being just one of the latest trends. While the cybersecurity landscape has become increasingly complex, both individuals and businesses can stay ahead of cybercriminals by following basic, yet effective, security practices.
Darren Guccione, co-founder and CEO, Keeper Security
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.