How To Fight Scattered Spider Impersonating Calls to The IT Help Desk


Imagine you worked for years on building your cyber defense. You built all the systems you need, all the policies are in place, and you are humming along.

When the proverbial “cyber walls” became too high, the cyber gangs decided to try something new. Instead of breaking your cyber walls, cracking them, jumping over them, or tunneling underneath them… what if they decided to go around them?

If you operate an IT Help Desk, or use a vendor or MSSP to run one, you will now experience this issue.

Let’s say hackers attempt to reset a password or get privileged access, and your current process requires MFA. The hackers will attempt to socially engineer the IT help desk and/or the targeted user to gain access. Obviously, the IT Help Desk agent is a great target for social engineering, since they are the single point of failure that can open the door and allow hackers to come through the gate.

“That isn’t new; social engineering attacks have been around since…” – you might be saying that to yourself. You are right, almost.

What changed in the last eighteen months that could make social engineering more potent and accessible for the attackers?

ChatGPT was launched on November 30, 2022.

Use this date to delineate between the good old days of cyber security and our present state into the future.

Why?

We now see that to mimic a user or an identity, you can simply ask GenAI tools to help you. You can create excellent deepfakes with free tools available to anyone online.

See this image from an article cited below:

Source: https://www.404media.co/inside-the-underground-site-where-ai-neural-networks-churns-out-fake-ids-onlyfake/?utm_source=frankonfraud.beehiiv.com&utm_medium=newsletter&utm_campaign=neural-networks-can-churn-out-20-000-fake-id-s-a-day

Can you tell if this is a real image of a California driver license, or a deepfake made by GenAI?

Yeah, I know – it’s hard to tell.

In the world before GenAI, you could use standard tools to verify the caller to the IT Help Desk. Now you simply cannot.

The caller can use AI tools to mask their voice or video and create any image of a credential to masquerade as an employee of your company.

See this video as an example: https://www.youtube.com/watch?v=nb3R30b-uhc

I started this article by describing the cyber defense walls you built over the years and how, now, cyber gangs can simply walk around them. They are effectively turning them into a “turnstile in the middle of the desert,” as one wise risk manager once told me.

How?

The hackers would call your IT Help Desk and when the agent asks for any of the tools you provided the employee: MFA, hardware FIDO key, [fill in the blank], the caller will simply say, “I don’t have it.”

Deal with it.

You see, if you build a zero trust environment and expect to verify the identity every time, the hackers can also say that their work bag with their PC and gizmos has been stolen. So now you are “forced” to downgrade your bar and rely on other authentication methods.

However, my point is that once you stop using the authentication methods you set up, it is no longer an authentication issue. It has now become an identity verification issue.

Who is on the other end of the call?

I wish what I am writing was fictional, yet with cases like MGM, this is now the crisis of the day.

“A phone call to the helpdesk was likely all it took to hack MGM.”

Source: https://arstechnica.com/security/2023/09/a-phone-call-to-helpdesk-was-likely-all-it-took-to-hack-mgm/

What can you do about it?

Upgrade your IT Help Desk process and tooling when the caller CANNOT use the tools you gave them. Do not rely on identity verification methods that predate the GenAI revolution, as they are being foiled like a hot knife through butter.

Do not let your agents say, “I know the voice of our CEO, so I know it was them talking to me…”

Those days are over, and a simple public Facebook video can be used to train an AI model on the voice of anyone.

Defenders should use identity verification tools that actually check with authoritative sources to ensure that government-issued IDs are real. Otherwise, you are left to guess with fraud detection algorithms, which do not thwart what the attackers are doing.
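The failure mode described above (the caller says “I don’t have it,” the agent downgrades to voice recognition, personal details or a photo of an ID) can be written down as a policy so that it cannot be bypassed in the moment. The following is an added example, not code from the author or from Trusona: it classifies the evidence a help-desk agent collected, refuses to treat spoofable evidence as proof, requires independent fallback channels (authoritative ID check, callback to the number on file, manager approval) when the issued factor is claimed lost, and emits alerts for the SOC whenever the lost-device story appears. The evidence categories, the “two channels for sensitive actions” rule and the sample tickets are assumptions chosen to illustrate the policy.

```python
"""Help-desk verification policy that refuses to "downgrade the bar".

Added example for this article, not code from the author or from Trusona.
The evidence types, the two-channel rule for sensitive actions, and the
constructed sample tickets are assumptions chosen to illustrate the policy.
"""
from dataclasses import dataclass, field
from enum import Enum


class Evidence(Enum):
    # Strong: proves possession of the factor the company issued.
    MFA_PUSH_APPROVED = "mfa_push"        # caller approved a push on the enrolled device
    FIDO_ASSERTION = "fido"               # hardware key assertion through the self-service portal
    # Fallback: independent channels the caller cannot fabricate with GenAI alone.
    ID_DOC_AUTHORITATIVE = "id_doc_auth"  # government ID validated against the issuing authority
    CALLBACK_NUMBER_ON_FILE = "callback"  # agent hangs up and calls the number in the HR record
    MANAGER_APPROVED = "manager"          # manager confirms from their own authenticated session
    # Worthless post-GenAI: voice, personal details and eyeballed ID images are all spoofable.
    VOICE_RECOGNISED = "voice"
    KNOWS_PERSONAL_DETAILS = "kba"
    ID_DOC_VISUAL = "id_doc_visual"


STRONG = {Evidence.MFA_PUSH_APPROVED, Evidence.FIDO_ASSERTION}
FALLBACK = {Evidence.ID_DOC_AUTHORITATIVE, Evidence.CALLBACK_NUMBER_ON_FILE,
            Evidence.MANAGER_APPROVED}
WORTHLESS = {Evidence.VOICE_RECOGNISED, Evidence.KNOWS_PERSONAL_DETAILS,
             Evidence.ID_DOC_VISUAL}

# Assumption: actions that grant lasting access need two independent fallback
# channels; a plain password reset (still gated by MFA afterwards) needs one.
CHANNELS_REQUIRED = {"password_reset": 1, "mfa_reset": 2, "privilege_grant": 2}


@dataclass
class ResetRequest:
    employee: str
    action: str                 # one of CHANNELS_REQUIRED
    claims_factor_lost: bool    # "I don't have it" / "my bag was stolen"
    evidence: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str
    alerts: list = field(default_factory=list)


def evaluate(req: ResetRequest) -> Decision:
    """Apply the policy to one ticket and return the decision plus SOC alerts."""
    alerts = []
    if req.claims_factor_lost:
        # The lost-device story is the pivot of the attack; always make it visible.
        alerts.append(f"{req.employee}: caller reports issued factor unavailable "
                      f"during {req.action}; routed to secondary verification")
    if req.evidence & WORTHLESS and not req.evidence - WORTHLESS:
        alerts.append(f"{req.employee}: agent collected only spoofable evidence "
                      f"({', '.join(sorted(e.value for e in req.evidence))})")
    if req.evidence & STRONG:
        return Decision(True, "possession of issued factor proven", alerts)
    channels = req.evidence & FALLBACK
    needed = CHANNELS_REQUIRED[req.action]
    if len(channels) >= needed:
        return Decision(True, f"{len(channels)} independent fallback channel(s)", alerts)
    return Decision(False, f"{len(channels)} of {needed} fallback channel(s); "
                           "voice, personal details and ID images do not count", alerts)


def triage(tickets):
    """Run a batch of tickets; return (allowed ticket ids, all alerts) for SOC review."""
    allowed, alerts = [], []
    for ticket_id, req in tickets.items():
        decision = evaluate(req)
        if decision.allowed:
            allowed.append(ticket_id)
        alerts.extend(f"{ticket_id} {a}" for a in decision.alerts)
    return allowed, alerts


# Constructed sample tickets (not real incidents).
SAMPLE_TICKETS = {
    "T1": ResetRequest("alice", "password_reset", False, {Evidence.MFA_PUSH_APPROVED}),
    # The scenario from the article: lost bag, familiar voice, a photo of an ID.
    "T2": ResetRequest("bob", "mfa_reset", True,
                       {Evidence.VOICE_RECOGNISED, Evidence.ID_DOC_VISUAL}),
    "T3": ResetRequest("bob", "mfa_reset", True, {Evidence.ID_DOC_AUTHORITATIVE}),
    "T4": ResetRequest("bob", "mfa_reset", True,
                       {Evidence.ID_DOC_AUTHORITATIVE, Evidence.CALLBACK_NUMBER_ON_FILE}),
}

if __name__ == "__main__":
    ok, flagged = triage(SAMPLE_TICKETS)
    print("allowed:", ok)
    for line in flagged:
        print("ALERT", line)
```

The point of the design is that the agent never has a “downgrade” branch to choose: either the issued factor is proven, or enough channels the caller does not control agree, and a familiar voice or a convincing ID image contributes nothing to the count. Every “I don’t have it” claim becomes an alert, so a cluster of such tickets against one account or in one day is visible to the SOC whether or not any of them succeeded.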

About the Author

Ori Eisen is the Founder & CEO of Trusona, Inc. He has spent the last two decades fighting online crime, and is respected for his business knowledge and leadership.

Prior to founding Trusona, Mr. Eisen founded 41st Parameter – the leading online fraud prevention and detection solution for financial institutions and e-commerce. 41st Parameter was acquired by Experian in 2013.

Prior to 41st Parameter, Mr. Eisen served as the Worldwide Fraud Director for American Express focusing on Internet and counterfeit fraud. During his tenure, he championed the project to enhance the authorization request to include Internet specific parameters.

Prior to American Express, Mr. Eisen was the Director of Fraud Prevention for VeriSign/Network Solutions. By developing new and innovative technologies, he skillfully reduced fraud losses by over 85 percent in just three months.

Mr. Eisen is often quoted by industry insiders, and receives numerous invitations to keynote industry events and conferences. Mr. Eisen holds a Bachelor of Science degree in business administration from Montclair State University and he holds over two dozen cybersecurity patents.

In his free time, Mr. Eisen volunteers with Thorn, the digital defenders of children. He founded Ball to All, a charity that donates free soccer balls around the world to children who have never had one. He is a founding member of Security Canyon – Arizona’s Cyber Security Coalition. He resides in Scottsdale and is married with two children.

Mr. Eisen has dedicated his life to fighting online crime.

Ori can be reached online at linkedin.com/in/orieisen, on X @orieisen and at our company website https://trusona.com
