As deepfake technology advances and becomes more widely available and democratized, a challenge for financial institutions will be improving the certainty rate of user authentication to prevent breaches.
By Gaelan Woolham
Fraud has long plagued the financial services sector, and deepfakes have emerged as a threat to a secure customer experience.
As interactions with customers are becoming more digital, financial institutions rely on three key pillars of authentication to verify users’ identities:
- Something you have. (Example: SMS push to a trusted number or device.)
- Something you know. (Example: security challenge questions.)
- Something you are. (Example: fingerprint, facial or voice recognition.)
The advantages of biometrics are not only their resilience to current technology-based attacks, but also their minimal user friction. Think face ID versus remembering and typing multiple, complex usernames and passwords. In the contact center context, voice biometrics have become a popular and secure alternative to PINs, passcodes, and challenge questions. As the technology has matured, sometimes as little as three seconds of talking can be sufficient to verify the user’s identity.
The emergence of deepfakes in sophisticated cybercrime
In recent years we have seen the emergence of deep learning techniques within artificial intelligence. Early examples included impressive image recognition technology, that has quickly been enabled to generate deepfakes, i.e. simulated images on demand. And will soon be able to generate real-time video.
While current deepfake images and videos are impressive, they still give the uncanny feeling that something is off. The rapid rate of advancement will surely make these media indistinguishable from reality to the average viewer faster than our ability to learn and anticipate.
Another application of these techniques is the ability to mimic individual voices. Using minimal input, such as a voicemail message or a social media post, systems can be trained to mimic human voices with remarkable fidelity, even achieving conversational interactions when combined with technologies like ChatGPT. If systems can mimic an individual’s voice including tone, word choice, and cadence, should we be concerned about the future of voice biometrics security?
Deepfakes and the ability to overcome existing authentication
Deepfake scams within financial services include fraudulent claims, account opening fraud and synthetic identity fraud. Financial services institutions need to consider how deep learning technology has the potential to defeat current voice authentication systems.
A recent study at the University of Waterloo showed that voice biometric authentication including those of industry leaders such as Amazon and Microsoft (Nuance) authentication systems can be bypassed by deepfake technology in only six attempts.
As deepfake technology advances and becomes more widely available and democratized, a challenge for agile financial institutions will be improving the certainty rate of user authentication to prevent breaches. To achieve this, they must ensure that their voice biometric tools are actively tested against deepfake audio samples. Given the fast pace of these advancements, incumbent infosec players and emerging startups are already refining their tools to improve the efficacy rates of differentiating synthetic voices from real ones.
An artificial intelligence arms race?
Advancements in countermeasures, including the use of machine learning for detection, are leading to authentication systems that produce a probability score. Leading biometric security products are being consistently updated to identify and prevent deepfakes. This includes priority approaches to separating real and synthetic voices using factors too subtle for the human ear, as well as combining with other session metadata such as behavioural patterns, device data, number spoofing and liveness detection.
Once a session score is assigned, it can be processed by additional controls and authentication checkpoints, tuned to an organization’s risk tolerance, to grant access or to trigger additional actions such as session termination or step-up authentication. Further, user activity can be monitored for higher risk actions, such as initiating large transactions or changing authentication preferences. A low confidence session combined with suspicious activity could be used to trigger additional security checks, or to trigger alerts for further investigation. The pace of progress in deep learning for both detection and evasion has resulted in a continuous ‘arms race’ between information security teams, authentication service providers and fraudulent actors.
The key to successfully implementing step-up authentication in response to deepfake fraud potential is to understand organizational data and risk indicators and properly tuning the responses.
Given that voice biometric authentication is now adopted widely, is trusted by clients and has high efficacy rates, banks face the challenge of maintaining security without resorting to older, more intrusive techniques for authentication. Introducing multi-factor authentication by default, especially on the voice channel, could negatively impact the customer experience.
We believe a layered approach to fraud detection, such as step-up multi-factor authentication, tuned against other customer and session meta-data, as well as robust behavioral analytics, provides a pathway forward that protects the customer experience, while maximizing fraud prevention.
Gaelan Woolham is an executive director at Capco, a global technology and management consultancy specializing in driving digital transformation in the financial services industry.
