“(In the) multi-person video conference, it turns out that everyone [he saw] was fake,”
This could be totally real, but could it also be one employee saying 'the CFO was on a call' and claiming deepfake to make an excuse?
I guess it was a matter of time before this occurred. How long before scammers do bulk video calls to parents/grandparent pretending to be the kids saying they are in trouble and need $$$ ASAP.
The even better question is how this can be stopped or reduced, and is there a new business there?
Seems like it can be stopped dead with standard crypto, smart cards and multifactor tokens, multiparty authorization etc. Ideally, issued by public authorities together with any other official ID, leveraging the strong security governments have already built around that process.
The generic type of vulnerability referenced in the latter part of the article has sprung up after fintech tried to emulate traditional offline auth and KYC with things like scanned images of ID documents, face recognition and liveness detection. Anyone in the know could see these attacks coming miles away.
Could you elucidate how exactly "standard crypto" would stop such a thing?
I think the poster meant the prior meaning of the word 'crypto' -- cryptography, in which the CFO could sign and encrypt some message and then the message's authenticity could be verified.
How does crypto add anything that just verifying email ID/phone number doesn't provide? If your solution is to whitelist some certificates or keys, you can as easily or even more easily whitelist email IDs/phone numbers.
Phone numbers are trivial to spoof or steal and there is currently no way to protect against that.
Care to explain how I can spoof someone else's phone number? Also, a phone is as hard to steal as any device where a key is stored. In fact, people will notice their phone is stolen much sooner than the USB key or laptop or anything else.
If you can get an SS7 link with a telco, in most cases it's trivial to spoof Caller ID signals, as those are essentially forwarded from the originating network. Getting a direct SS7 link isn't as hard as it sounds; it's IIRC a common thing if you want to run a VoIP provider.
Your telco's NOC can at best track what "port of entry" the call came from but can't force the Caller ID to be truthful.
I imagine it has changed, but 10-ish years ago I recall having a cheap VoIP account that just let me enter whatever phone number I wanted as the caller ID.
It's very much an "honor system". If the VoIP provider doesn't do due diligence, the other networks can't really check the value, especially since number porting became the norm.
For the first few dozen times sure, but after the hundredth or so report of a scam call associated with a spoofed number, the VoIP provider should be blocked by the telco. That is if they were allowed to do so.
"should" is doing a lot of heavy lifting in that statement :)
There is an authentication between your phone and your telco, but there is no authentication between your telco and others. Any telco in the world (and there are many) or someone who has bribed (or hacked) someone who works there can say "this phone is now roaming our network" and traffic gets routed there.
These things are usually discovered but not before a call or sms goes through. There are also other possibilities such as diverting calls available to someone with the right access to the signalling network. Anything that's unauthenticated and unencrypted should be regarded as insecure, really.
If it's authenticated how can one telco sign a call with the key of another telco?
There is (or was) no authentication within the core of the public switched telephone network, since it was designed at a time when that was impractical and physical infrastructure was assumed to be reasonably secure. So you don’t need to fake signing, you just say “Hey, +1-555-555-5555 roamed onto my network and is making a phone call” and the recipient takes this at face value. (“Blue boxing” to fake the phone system into giving you free long distance phone calls worked for similar reasons.) STIR/SHAKEN is supposed to fix this, though I don’t know how far along implementation has actually gotten.
What happened that made it insecure?
I've heard of STIR/SHAKEN, but I recall the FCC ordered it mandatory multiple years ago. Did that not happen?
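What STIR/SHAKEN actually adds to the "honor system" described above, as an added example written for this page (it is not code from the thread or from any carrier): the originating carrier signs a PASSporT over the calling and called numbers with its STI key, and the terminating carrier refuses to believe a Caller ID unless the signature checks against a signer it trusts. The claim names (attest, orig, dest, iat, origid) follow RFC 8225 and RFC 8588; the trust list, the x5u URLs, the phone numbers and the origid value are constructed stand-ins for the STI-CA certificate chain and a real call, and the 60-second freshness window is the one RFC 8224 recommends.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claim names follow RFC 8225 (PASSporT) and RFC 8588 (the SHAKEN profile).
type passportHeader struct {
	Alg string `json:"alg"`
	Ppt string `json:"ppt"`
	Typ string `json:"typ"`
	X5u string `json:"x5u"` // URL of the signing carrier's STI certificate
}

type passportPayload struct {
	Attest string              `json:"attest"` // "A": carrier vouches for both customer and number
	Dest   map[string][]string `json:"dest"`
	Iat    int64               `json:"iat"`
	Orig   map[string]string   `json:"orig"`
	OrigID string              `json:"origid"`
}

// signPassport is the originating carrier's step: it signs the calling number it
// assigned, so downstream networks no longer take the Caller ID on faith.
func signPassport(priv *ecdsa.PrivateKey, x5u, origTN, destTN, attest string, iat int64) (string, error) {
	hdr, _ := json.Marshal(passportHeader{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: x5u})
	pl, _ := json.Marshal(passportPayload{Attest: attest, Dest: map[string][]string{"tn": {destTN}},
		Iat: iat, Orig: map[string]string{"tn": origTN}, OrigID: "constructed-origid"}) // real carriers use a UUID
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 is raw R||S (32 bytes each), not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyPassport is the terminating carrier's step. trusted stands in for the STI-CA
// chain: only signers whose x5u is listed are accepted. claimedOrig and dest come
// from the SIP INVITE, so a token captured from some other call fails here.
func verifyPassport(token string, trusted map[string]*ecdsa.PublicKey, claimedOrig, dest string, now int64) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed PASSporT")
	}
	hb, e1 := b64.DecodeString(parts[0])
	pb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 {
		return "", errors.New("bad base64url encoding")
	}
	var hdr passportHeader
	var pl passportPayload
	if json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &pl) != nil || hdr.Alg != "ES256" || hdr.Ppt != "shaken" {
		return "", errors.New("bad header or payload")
	}
	pub, ok := trusted[hdr.X5u]
	if !ok {
		return "", errors.New("signer not in STI trust list: " + hdr.X5u)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature invalid")
	}
	if d := now - pl.Iat; d < -60 || d > 60 { // RFC 8224 recommends a 60 s freshness window
		return "", errors.New("token stale or from the future")
	}
	if pl.Orig["tn"] != claimedOrig || len(pl.Dest["tn"]) != 1 || pl.Dest["tn"][0] != dest {
		return "", errors.New("signed orig/dest do not match this call")
	}
	return pl.Attest, nil
}

func main() {
	carrier, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	trusted := map[string]*ecdsa.PublicKey{"https://carrier.example/sti.pem": &carrier.PublicKey}
	now := time.Now().Unix()
	// Legit call: the number's real carrier attests it. Spoof: an outside VoIP provider signs the same number.
	good, _ := signPassport(carrier, "https://carrier.example/sti.pem", "15555550100", "15555550199", "A", now)
	spoof, _ := signPassport(rogue, "https://rogue.example/sti.pem", "15555550100", "15555550199", "A", now)
	fmt.Println(verifyPassport(good, trusted, "15555550100", "15555550199", now))
	fmt.Println(verifyPassport(spoof, trusted, "15555550100", "15555550199", now))
}
```

The point of the example is the failure modes: the rogue provider can produce a perfectly well-formed, correctly signed token, and it is rejected anyway because its key is not in the trust list; a token from a real carrier is rejected if it is replayed against a different called number, presented with a different Caller ID, or is more than a minute old. None of this helps if the terminating carrier does not perform the check, which is the "honor system" part that a mandate has to cover.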
Except one can simply ask to call them back to verify.
Once you have lived through reporting to a telco that you have been dealing with fraud, you learn the procedures are in a scripted loop, everywhere. The answer will probably be "go to the store, get a new SIM", and people who do not investigate their situation will never reach the conclusion that it was swapped. I haven't dealt with SIM swapping, yet some pretty heinous organized crime now; the folks are nice, yet you will never walk away knowing the cause or source of an incident.
From what I gather it depends on the carrier. T-Mobile is supposedly the easiest and Verizon the most difficult. The Darknet Diaries (link below) recently did an episode on how the sim swapping thing works and how expensive it is to get it done.
https://www.youtube.com/watch?v=Cjy8-rVXO7o&t=2190s
Cryptography can and should be done on hardware tokens that should directly be reported as stolen. A video call with email/phone is easy to fake.
I work with people who all have hardware crypto, you are right that we do not have the organizational knowledge to verify everything with crypto. Even if the tech is 60% there.
Most companies only allow logging in to email on work devices, which are as easy to report stolen.
What other kind of verification are we talking about that standard email DKIM doesn't have?
I expect that most work emails are accessed from personally-owned phones.
Email means I got access to your device or something you’ve configured to be able to send email, which is probably a lot of servers, unless you have an entire domain dedicated to financial messages and everyone knows not to trust any other domains.
A message signature means I got you to do something like tap a Yubikey and enter a PIN, touch a fingerprint sensor, etc. That can still be socially engineered, of course, but it can’t happen by accident and you could add some safeguards against routine by having a dedicated “major transactions” key used only for that purpose to add a physical speed bump.
The problem is that “ignore my gmail, I lost my phone” will defeat that training more often than we’d like, so you really need to have process safeguards which make it a requirement, and management backing to say even the CEO will follow the lost device process rather than asking someone to bypass process, and that has to be so carefully enshrined that nobody questions whether their job is on the line if they tell the real CFO that they can’t bypass the process.
Banks certainly don't trust email, that's why instead they make you use those "encrypted messages" portals (...from hell).
This is a current, not prior, meaning of the word.
I think many people would expand the word crypto to cryptocurrency and not cryptography. We can argue on and on about which is the "correct" expansion but in my opinion a word's current meaning should be the most popular association people have of it.
Only on HN do I see people saying crypto actually means something like bitcoin or whatever. The rest of the technical world still knows crypto as cryptography.
Only on HN do I find people who actually know what cryptography is. Almost all the people I know have never heard of it, but all of them have heard of bitcoin, and most have heard the word crypto being used with reference to cryptocurrencies.
That's not to say that my experience somehow means more than yours or is more valid. But I personally think my experience is more representative of the average layperson. You're welcome to disagree.
Sure the non technical world is (sadly) more familiar with Bitcoin.
I specifically said the technical world. Most people I know are technical to some degree and almost all of them would assume cryptography when they hear the word "crypto".
phone beeps with SMS message from CEO
"Can you buy $1000 worth of egift cards and text me back with the redemption codes? Our jobs depend on this. I'm in a very important meeting, otherwise I'd do it myself; left my private key at the office and can't sign this message right now."
The human element remains the weakest link.
Hard to buy 25M worth of gift codes though.
"Challenge accepted!"
It's easy. We just generate our own key pairs, establish a web-of-trust by signing each others public keys at in-person meetups, and then use those signed keys to authenticate all the digital communication we do with each other.
You know, like we've been doing with our emails since PGP was developed in 1991. You can tell how simple the process is, by how ubiquitous it has become in a mere 30 years!
Who is this "we"? I know personally exactly one person with a web-of-trust keypair.
Publish it in your Twitter bio,
or as a Nostr note, for cool kids to share with other cool kids.
Defeatists get defeated!
You require that people sign messages cryptographically, including video calls, to validate their identity. You can't fake that.
Do any video call clients support this?
Everyone in the call has a cryptographic ID that can be authenticated with a trusted authority. Your device would just ask all the others for a one time token that it then submits to the ID server. The server tells you public identifier of the person associated with that token.
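The exchange the two comments above sketch (a one-time token each participant signs, checked against identities registered with a trusted authority, and, from the earlier comment, a dedicated “major transactions” key that is never used for anything else), as an added example written for this page and not code from the thread, from any video call client, or from any real ID server. The Directory type is a constructed stand-in for the authority's key registry; the person names, purposes, nonce format and the “videocall-auth/v1” domain-separation prefix are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Directory stands in for the trusted authority's registry (constructed, not a real
// service): for each person it holds the public keys they registered, one per
// purpose, so the key that approves a wire transfer is not the everyday sign-in key.
type Directory map[string]map[string]ed25519.PublicKey

// Challenger runs on the side of the call that wants proof of who it is talking to.
type Challenger struct {
	dir    Directory
	issued map[string]bool // nonces we handed out and are still willing to accept
}

func NewChallenger(dir Directory) *Challenger {
	return &Challenger{dir: dir, issued: map[string]bool{}}
}

// Challenge returns a fresh one-time nonce to send to a participant.
func (c *Challenger) Challenge() (string, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(n)
	c.issued[nonce] = true
	return nonce, nil
}

// message binds the answer to the purpose, the claimed identity and this nonce.
// Signing a bare nonce would let a signature obtained under some other pretext
// ("just tap your key to unlock the doc") be presented later as a wire approval.
func message(purpose, who, nonce string) []byte {
	return []byte("videocall-auth/v1|" + purpose + "|" + who + "|" + nonce)
}

// Answer is the participant's side: in practice the private key sits on a
// hardware token and this call is the "tap the key and enter the PIN" moment.
func Answer(priv ed25519.PrivateKey, purpose, who, nonce string) []byte {
	return ed25519.Sign(priv, message(purpose, who, nonce))
}

// Verify accepts the answer only if the nonce is one we issued and have not yet
// consumed, and the signature checks against the key registered for that person
// and that purpose.
func (c *Challenger) Verify(who, purpose, nonce string, sig []byte) error {
	if !c.issued[nonce] {
		return errors.New("nonce not issued by us, or already consumed")
	}
	pub, ok := c.dir[who][purpose]
	if !ok {
		return errors.New("no key registered for " + who + "/" + purpose)
	}
	if !ed25519.Verify(pub, message(purpose, who, nonce), sig) {
		return errors.New("signature does not verify for " + who)
	}
	delete(c.issued, nonce) // one-time: a captured answer cannot be replayed
	return nil
}

func main() {
	// Constructed keys: the CFO registered two, the attacker only has their own.
	wirePub, wirePriv, _ := ed25519.GenerateKey(rand.Reader)
	dailyPub, dailyPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	c := NewChallenger(Directory{"cfo": {"wire-approval": wirePub, "daily": dailyPub}})

	n, _ := c.Challenge()
	fmt.Println("real CFO, wire key:       ", c.Verify("cfo", "wire-approval", n, Answer(wirePriv, "wire-approval", "cfo", n)))
	fmt.Println("same answer replayed:     ", c.Verify("cfo", "wire-approval", n, Answer(wirePriv, "wire-approval", "cfo", n)))
	n, _ = c.Challenge()
	fmt.Println("deepfake, attacker's key: ", c.Verify("cfo", "wire-approval", n, Answer(attackerPriv, "wire-approval", "cfo", n)))
	n, _ = c.Challenge()
	fmt.Println("real CFO, everyday key:   ", c.Verify("cfo", "wire-approval", n, Answer(dailyPriv, "wire-approval", "cfo", n)))
}
```

A convincing face and voice buy the attacker nothing here: the deepfake cannot produce a signature under the key the directory holds for the CFO, and even a signature the real CFO was tricked into making earlier is rejected because its nonce was never issued for this call or has already been consumed. What the code cannot do is stop the CFO from tapping the wire-approval key on request, which is why the earlier comment pairs the dedicated key with a process that nobody is allowed to bypass.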
We already have infrastructure for bus and rail tickets, for logging in to banks, tax authorities, health services, etc. in Norway and other countries that could easily be extended to cover this use case.
By using it? This was a social engineering attack against an otherwise unprotected service, if you manage to trick the security guard, you are in.
I don't know. Based on how it is described in the article, you could detect it via the means you mentioned and raise them as warning flags to the user, but as a last instance there will still be users that ignore all the warning signs and be convinced by a good scam story.
...such as a person much higher up in the organization giving you a direct "urgent" order. It shouldn't be hard to find corporate employees who really fear their superiors.
Then it's the fault of those superiors for setting up a culture of fear and mindless subservience, instead of one of strong rules even they themselves are expected to follow.
Cryptography without strong social rules is just cargo-cult religion.
A culture of fear and mindless subservience has strong social rules. Would it work there?
Fear culture eats security for lunch. Good points.
The article mentions a pile of stolen ID cards used in another fraud.
Especially when a high percentage of people post their face and voice on social media. I find this especially crazy in the age of AI. I trained a Stable Diffusion LoRA with photos of a friend and showed it to them (with permission) and they were completely shocked. Showed it to one of their friends and they were fooled for at least a minute and took some careful looks to find discrepancies.
The reality is that if you speak at a conference there's a decent chance there's video of that on YouTube. If you have any sort of public presence as part of your job, your voice and likeness are probably out there whether you put it out yourself or not.
Keeping yourself anonymous isn't compatible with a lot of even moderately senior-level jobs out there.
I'd guess that approximately 0% of moderately senior level jobs involve ever speaking at a conference or other fairly public and recorded venue. Company-internal training videos or recorded meetings are more common, but that's a far narrower attack surface.
You actually don’t think that even mid-level execs much less lower-level people who want to advance in part by speaking at events don’t end up appearing on video? I know I’m on plenty of it.
People speaking at events obviously often end up appearing on video. Most people don't speak at events.
Go to the YouTube channels of companies like AWS, Azure, GCP: they publish 10 to 30 minute videos of various employees, from product managers to architects etc., doing explainers on various topics, products and services they offer.
More generally, the billions of hours (and growing) of audio and video on YouTube, TikTok, and other platforms is literally someone in real life (in most cases), likely some employee, who could be or become a middle manager somewhere.
1. Most companies don't do that.
2. AWS, for example, has what, 100k employees? What percentage of them are actually featured in those videos?
A vanishingly small percentage of that content is generated as part of that middle management job. Yes, many people choose to place themselves on publicly accessible video, but it mostly isn't part of a mid level office job, so not doing so isn't incompatible with holding such a position.
CFOs of public companies typically do quarterly earnings conference calls with Wall St. So there's potentially plenty of recordings of their voices using the same kinds of language that it would take to fake something like this.
You would think that executives would clone their own voices for the earnings call script readings like a lot of video essay YouTubers do now. But no, they still use terrible conference call systems for earnings calls rather than decent microphones that would be used in a podcast. That could actually be a silver lining here when it comes to creating quality training data.
One of the tradeoffs you make as you move up the ladder is that you increasingly can't be an anonymous person. That may be a good tradeoff or bad depending upon your perspective.
I once told my colleagues that I didn't think they could find a photo of me on the web.
5 minutes later, one of them came up with a pic: it was a group photo of the company staff, taken a few weeks earlier (with me skulking at the back; I never wanted to be in the photo). It was in an article on the company blog.
Volume and lack of metadata is effective anonymity for most people in most circumstances if they've avoided doing anything that creates a public presence. But most people probably have photos at least on the web even if they didn't put them there.
LockPickingLawyer manages.
I don't think it's "crazy".
There has been little issue for most people having photos of themselves online on social media.
If people want a photo of you they will find one.
It's a lose-lose situation.
If you refuse and it's an actual emergency with the real CFO, it might be a career limiting move, if you don't get fired.
If you accept, it might be a deepfake CFO and you might get sued.
This is really the crux of it: senior management needs to take the lead setting up policies which are efficient enough not encourage people to try to bypass them and the culture that everyone in the company should feel comfortable telling the CEO “I’m not allowed to do that”. This is possible but it has to be actively cultivated.
Good luck with that.
I've had a CFO that didn't talk to tech people except through a proxy have a "tell your mom to pass the potatoes" style meeting with his secretary as the medium. Yes, I stood there; he talked to his secretary and repeated what each of us said, 5 feet away from each other. This was a large bank.
I've had a general counsel yell with spittle at me because I suggested that it was probably a bad thing that the IT dept was effectively acting as power of attorney for the company by doing digital signing for him, and he should probably learn how to do it himself for legal reasons.
When you get to choose a potentially career limiting move by speaking to a CFO or a freedom limiting move by doing a potentially illegal thing they say... It may be a good idea to do the first one unless you're in really bad situation with work availability.
If they can throw you under a bus because you raise a valid issue, what are the chances they'll protect you when some fraud paperwork gets signed by the IT dept (so you).
Yes, that’s why I described it as a management responsibility. That kind of dominance culture is very common and it basically ensures this kind of stuff will keep happening, similar to how all of the phishing training in the world is largely cancelled out by not requiring partners and vendors to have better email practices. It might take that CFO featuring in a crime like this one to get their attitude to change.
It might not matter in the extreme case as there could always be a sufficiently serious emergency that will force their hand to bypass every policy. e.g. if they get a National Security Letter.
That’s not Joe CPA’s problem, though, beyond verifying that the men in black have valid government ID. If the FBI raids your office, you’re not the one in trouble for it.
Let’s not ascribe too much power to those, either: NSLs can compel release of certain types of information but they can’t force you to do things like transfer money or even disclose the contents of private messages.
Just as every major company now sends out fake phishing emails, we'll need to normalise sending out fake emergency emails from your boss saying that you need to transfer money somewhere.
The solution: Make it your boss's problem.
Unfortunately, this is why we need open access to some deepfake tech. The only way to convince people who are not immersed in tech how convincing deepfakes can be is to sit with them, and create their own deepfakes.
Then memorize and practice security protocols like verbal passwords.
The issue with people disregarding security protocols goes much deeper than them being unaware of what's possible. People just hope nothing will happen and avoid thinking about it. You're facing "Who's got time for that stuff? We have actual work to do!" and "What's so important about our data/access privileges/whathaveyou anyway? Nobody will bother stealing it."
Recently a group targeted expat/temp students and their families. They somehow coerced the kid to go camping and not pick up for anyone, and then they told the family the kid was with them. The family paid.
https://abcnews.go.com/US/utah-missing-foreign-exchange-stud...
Umm where have you been the last decade? The "Grandma help me I'm in a foreign prison and need you to buy iTunes gift cards" scam is extremely lucrative.
There was an old theory that you needed to be holding today's newspaper or mention current events to at least show that a recording was not prepared earlier, but this advice is out the window given enough dedication from the adversary.
I would assume the matter of time for it occurring elapsed a while ago, and now we are in the place where it's not only being detected but, further, actually revealed, regardless of how embarrassing that is.
That's already happening successfully without deepfakes. Scammer calls and says "grandma I'm in trouble, they are holding me in jail unless you buy gift cards"