As deepfakes redraw cybersecurity battlelines, banks must change their approach

When deepfakes charged into the public consciousness, the cybersecurity landscape immediately underwent a seismic shift. The battle lines were instantly redrawn, and conventional cybersecurity assumptions and rules were undermined overnight.

Banking and financial services institutions are on the front lines of this new arms race – and currently, some are on the back foot. Malicious actors armed with generative artificial intelligence (gen AI), deepfakes, and machine learning have already caused havoc, siphoning off millions in cash and stealing reams of highly sensitive financial data.

The banking industry takes fraud and security extremely seriously. The very notion of a bank is built on perceived impermeability. When this perception shatters, banks can unravel rapidly, as the history of bank runs shows from the 16th century right up to Silicon Valley Bank last year.

So, understandably, banks spend millions and hire thousands to specialize in security, part of broader efforts to limit “risk.” But these efforts are, right now, being made redundant. Deepfakes have radically altered what security and risk mean for financial institutions.

You can have robust network segregation, rigorous code signing, and regular patch management. But one deepfake can negate all of these. Just ask the CIO at U.K. engineering firm Arup, which had an employee send $25.5 million to hackers after a deepfake executive requested the transfer on a video call (The Guardian).

Low cost, high payout (for the bad actors)

Even more concerning is the ease with which hackers can produce deepfakes. One reporter produced a deepfake audio recording in six minutes (The Times). Any individual sitting in their bedroom at home could easily pump out hundreds of deepfakes a week.

The pressure is even more acute for financial institutions – they are the most lucrative targets, with large volumes of cash to transfer and sensitive financial data that fetches a high price on the dark web.

The high potential rewards, combined with the low costs of producing AI-generated material, mean that banks are now facing a tsunami of deepfakes. Presentation or liveness attacks have surged 40% this year as malicious actors attempt to undermine video-based Know Your Customer (KYC) procedures (Fortune). This means that synthetic identity fraud is now the fastest-growing category of financial crime in the U.S. – and it costs banks to the tune of $6 billion, by some measures (KPMG).

The potential financial cost is eye-watering, and the ensuing reputational damage is potentially critical. But one under-the-radar threat is litigation. With outdated data storage systems, the highly sensitive customer data that floods onto the black market will likely lead to a barrage of lawsuits as customers seek compensation for the breach of their privacy.

Banks can handle losing $20 million in a one-off scam, and their PR departments can manage the reputational fallout. But a raft of high-profile, multi-million-dollar lawsuits has the potential to squeeze the banks’ finances and irreparably damage consumer confidence.

With litigation in mind, ‘outside the bank’ thinking

So far, too many financial institutions have been reluctant to face down the new threat and go back to the drawing board on their cybersecurity systems. One immediate change that banks should make is on the data handling front.

Banks have long seen themselves as the custodians of their customers’ data, as well as their finances. But there’s no inherent reason why these two must be linked. Banks can relinquish control of KYC data and use decentralized storage providers. Custody of the data then remains in the hands of the individuals who use these third-party providers, and banks won’t be opening themselves up to a stream of litigation or exposing their customers to fraud. Alternatively, the data can be held by the owner of the data – the customer.

To get to this point, there needs to be a mindset change. The remit of a conventional bank has been continuously expanding, to the point where they’ve become the one-stop shop, holding highly sensitive, but also, arguably, unnecessary data. In cybersecurity, sealed-off silos are a good thing – they prevent breaches in one area from leaking into another. Banks are the opposite of this.

I argue that banks must hand over control of this customer data to other providers, separating cash from data, the financial from the personal. It will then be exponentially harder for malicious actors armed with deepfakes to make breaches that compromise the banks so fundamentally.

This will take an admission that right now, banks, without change, may not be best equipped to safeguard customers given the pace with which fraud technology changes. It’s a tough admission, but likely far less harmful than a flood of lawsuits.

Michael Marcotte is founder and CEO of artius.iD.