By security practitioners, for security practitioners

Strengthening Identity Proofing in the Age of AI Voice Generators

In the age of artificial intelligence, identity and trust are critical, but businesses must find the right balance between the risk they accept and the trust they extend.

Recently, AI voice clones impersonated Marco Rubio, the US Secretary of State. The incident illustrates that adversaries are growing more sophisticated and are learning new ways to gather intelligence.

While this news is currently making the rounds, Jim Gerken and Chris Barngrover, Directors of Identity Services at Novacoast, anticipated it at the 2024 Innovate Fall Summit in Scottsdale, AZ: lifelike AI-cloned voice quality is improving at an alarming rate and is already convincing enough to spoof real personas in social engineering attacks. The most reliable protection for businesses is identity proofing: verifying that a person is who they claim to be before credentials are issued or trusted.

What We Know

A series of AI-powered impersonation attempts occurred across various platforms, targeting several government officials, including a US congressman, three foreign ministers, and a US governor. At least one received a text message inviting them to continue the conversation on the Signal app. To create the faked audio, the threat actors needed only 15 to 20 seconds of publicly available recordings of the target's voice.

Voice clones have already proven to be a significant threat. In April, the FBI alerted the public to an ongoing campaign targeting US officials. The adversaries' goal appears to be access to private accounts.

AI cloning goes far beyond government officials. Knowing that the people who work on your team are who they say they are is vital: it prevents credential theft and, with it, unauthorized access to critical business data.

Why It’s Relevant Now

Some security organizations reported a 442% surge in the use of AI-powered voice cloning in 2024. With threat groups continuing to refine their tactics and techniques, AI voice cloning and deepfakes are a growing worry for CISOs and other security professionals.

Deciding where to apply the deepest protections, starting with the riskiest assets, should be a priority. Too much protection kills productivity; too little leaves assets exposed.

With the advances in artificial intelligence, identity proofing is something we all need to stay on top of to ensure assets are protected.

Proving Identities vs Proving Credentials

Establishing the identity behind a credential should come first, because access decisions are made on the data available at the time. When we do not trust the data we have, we need data we do trust, obtained through stronger and more trustworthy methods. Multifactor authentication (MFA) helps, but there is a range of methods within each factor, and some are much stronger than others: a one-time code delivered by SMS or by a voice call is far weaker than a hardware security key. Knowing when to choose an appropriate method and factor to protect what matters is vital.

This is in addition to the initial proofing and to reproofing when circumstances change or the proofing ages. If a very critical credential must be kept valid, it is optimal to reproof it every 90 days, and if something changes suddenly, your team should be able to reassess it on the fly.

Tools and Concepts

The level of scrutiny applied to identity data and documents varies with the role a person will have in the organization and the kind of sensitive assets they will access.

Inspecting an identity document and data from a scan may suffice when hiring a frontline employee. For an employee who will access critical sensitive data (the keys to the kingdom), call them into the security office to physically inspect their documents and verify their identity before granting access.

In addition, changes need to be revalidated. Phone number changes are a typical axis of attack: if a threat actor gets in and changes the phone number, SMS codes and push notifications go to the attacker's number rather than the real user's. So it is critical to validate these changes and to treat a contact-method change as a security event rather than a routine profile update.
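One way to enforce that, as an added example (not Novacoast's code or any product's logic): a phone-number change is accepted only when confirmed with a factor the account already had, the old number is told about it, and one-time codes keep going to the old number for a hold period so the real user can cancel. The `Account` shape, the factor names, and the 24-hour hold are assumptions for the example.

```python
"""Added example, not Novacoast's code: treating a phone-number change as a
security event rather than a profile edit.

Rules assumed for the example:
  * the request must be confirmed with an authenticator the account already
    had before the request, and never with an SMS code (the thing being
    replaced cannot vouch for its own replacement);
  * the old number is notified when the change is requested and when it
    takes effect;
  * one-time codes keep going to the old number for a hold period, so a
    victim who still controls it can cancel the change.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

HOLD_PERIOD = timedelta(hours=24)   # assumed; tune to your risk appetite


@dataclass
class Account:
    phone: str                       # number currently trusted for OTP delivery
    authenticators: Set[str]         # factors enrolled before any change request
    pending_phone: Optional[str] = None
    pending_since: Optional[datetime] = None
    # (destination, message) pairs; a real system would actually send them
    notices: List[Tuple[str, str]] = field(default_factory=list)


def request_phone_change(acct: Account, new_phone: str,
                         proof_factor: str, now: datetime) -> bool:
    """Start a change. Refused unless proved with a pre-existing non-SMS
    factor; otherwise a hijacked session plus a new number is enough."""
    if proof_factor == "sms" or proof_factor not in acct.authenticators:
        return False
    acct.pending_phone = new_phone
    acct.pending_since = now
    acct.notices.append((acct.phone,
                         f"Change to {new_phone} requested; reply to cancel"))
    return True


def cancel_phone_change(acct: Account) -> None:
    """The old number's owner (or the security team) backs the change out
    during the hold period."""
    acct.pending_phone = None
    acct.pending_since = None


def otp_destination(acct: Account, now: datetime) -> str:
    """Number that may receive a one-time code right now.

    The old number stays authoritative until the hold period elapses;
    only then is the pending number committed (and the old one told)."""
    if acct.pending_phone is not None and now - acct.pending_since >= HOLD_PERIOD:
        old = acct.phone
        acct.phone = acct.pending_phone
        cancel_phone_change(acct)
        acct.notices.append((old, f"Phone change to {acct.phone} completed"))
    return acct.phone
```

The same pattern applies to e-mail and recovery-question changes: the existing, still-trusted channel must be able to veto the new one before the new one can be used to authenticate.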

Keep these requirements in mind when choosing an identity proofing tool, because the tool's capabilities determine the Identity Assurance Level (IAL, the scale defined in NIST SP 800-63A) you can actually reach:

  • If your identity proofing tool allows registration via a form, regardless of whether the registrant is a contractor, consumer, or employee, that is Identity Assurance Level 1 (IAL1): the identity is self-asserted.
  • If the tool scans or photographs the driver's license and takes a selfie to match against it, that is what the speakers call Identity Assurance Level 1 ½.
  • If the tool also compares the driver's license against the issuing state's records to confirm that it is genuine and matches what a license from that state should look like, that is Identity Assurance Level 2 (IAL2).
  • If the person presents a matching driver's license in front of someone in your company, that is Identity Assurance Level 3 (IAL3): you know they are genuine and not a deepfake video.

Different tools provide different value; match the tool to the assurance level the role requires.
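The ladder above, the role-based scrutiny discussed earlier, and the 90-day reproofing window come together in a policy check. The following is an added example (not Novacoast's code or any proofing product's API): it maps the evidence a tool collected to a level, compares that with what the role needs, and refuses access when the proofing has aged out, which is also the check to re-run when a role changes. The role names, evidence fields, and all windows other than the 90 days are assumptions.

```python
"""Added example, not Novacoast's code: a policy check that maps the evidence
a proofing tool collected to an assurance level, compares it with what the
role requires, and forces reproofing when the proofing has aged out.

The ladder mirrors the article (form only; document plus selfie; document
checked with the issuer; in person) and the 90-day window for critical
credentials comes from the article; the role names, evidence fields and
the other windows are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Optional, Tuple


class Level(IntEnum):
    NONE = 0
    FORM_ONLY = 1          # self-asserted registration form (roughly IAL1)
    DOCUMENT_SELFIE = 2    # ID scan plus selfie match (the speakers' "1 1/2")
    DOCUMENT_VERIFIED = 3  # ID also confirmed against the issuer's records (roughly IAL2)
    IN_PERSON = 4          # documents inspected face to face (roughly IAL3)


@dataclass
class Evidence:
    form_submitted: bool = False
    document_scanned: bool = False
    selfie_matched: bool = False
    document_verified_with_issuer: bool = False
    in_person: bool = False
    proofed_on: Optional[date] = None


def achieved_level(ev: Evidence) -> Level:
    """Highest level the evidence supports. Each rung needs the ones below it,
    so a selfie without a document, or an issuer check without a scan,
    does not count."""
    if ev.in_person and ev.document_scanned:
        return Level.IN_PERSON
    if ev.document_scanned and ev.selfie_matched:
        if ev.document_verified_with_issuer:
            return Level.DOCUMENT_VERIFIED
        return Level.DOCUMENT_SELFIE
    if ev.form_submitted:
        return Level.FORM_ONLY
    return Level.NONE


# Required level and reproofing window per role (assumed, except the 90 days).
REQUIRED_LEVEL = {
    "contractor": Level.FORM_ONLY,
    "frontline": Level.DOCUMENT_SELFIE,
    "privileged": Level.IN_PERSON,
}
REPROOF_AFTER = {
    "contractor": None,               # no periodic reproofing in this example
    "frontline": timedelta(days=365),
    "privileged": timedelta(days=90),
}


def proofing_decision(role: str, ev: Evidence, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason). Re-run it whenever a role changes: a move
    into 'privileged' fails here until in-person proofing has been done."""
    required = REQUIRED_LEVEL[role]
    have = achieved_level(ev)
    if have < required:
        return False, f"needs {required.name}, has {have.name}"
    window = REPROOF_AFTER[role]
    if window is not None:
        if ev.proofed_on is None or today - ev.proofed_on > window:
            return False, f"proofing older than {window.days} days; reproof"
    return True, f"{have.name} satisfies {required.name}"
```

Because the levels are ordered, a tool that only reaches the "document plus selfie" rung can be used for frontline hiring while the same evidence is rejected for privileged roles, which is the distinction the speakers draw.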

Issuing and Maintaining Credentials

Assurance levels aside, the basics are still essential. A solid identity foundation is a must, along with a reasonably mature understanding of the enterprise risks involved.

It is vital to know what your risky assets are and who your risky user populations are, and to be mindful of where they overlap. In addition, the infrastructure and processes needed to verify identity to the appropriate level, both when a credential is generated and throughout its lifecycle, must be in place.

If you go far enough, identity proofing becomes a question of integration and interoperability. The foundation remains the same regardless of the integrations, or of whether you need to go that far.

Your organization's appetite for risk drives the response. Understanding and quantifying risk are essential, but somebody still needs to decide what is an acceptable loss.

Factors of Authentication

There are three factors of authentication that most security professionals know well.

If we break these down:

  • Something you know – a password or PIN.
  • Something you have – a smartphone, hardware token, or passkey.
  • Something you are – biometrics such as a fingerprint, face, or voice.

What some people may not realize is that these are the same three factors humans have used since nearly the dawn of time whenever they wanted to restrict access to something.

If we look back as far as WW2, soldiers on guard followed the same principles when someone approached them:

  1. What's the password? (something you know)
  2. Advance and be recognized. (something you are)
  3. Present your ID. (something you have)

So, these are not new concepts. We have been following them since time began; we’ve just adapted them to our digital lives.

Strengths and Weaknesses of Each Factor

Something you know is straightforward, but it depends on the user: anything known can be forgotten, and recovery is often not easy. Passwords are free to issue; the cost comes when they are forgotten, and the recovery process itself becomes a target for social engineering.

Something you have is stronger but requires an upfront investment, whether it is a smartphone, a passkey, or another device. It can also depend on connectivity, and there is risk if the device is lost. Just as anything you know can be forgotten, anything you have can be lost or stolen.

Something you are is very strong but also requires a significant investment, and depending on the biometric you choose, the costs can rise. For example, fingerprint readers can be impractical in some sectors, and some people cannot provide a usable fingerprint.

So, when making these decisions, assess your population, how the device will be used, and what is appropriate. Remember too that some of these factors can be spoofed: voice is a biometric, and in this new era of AI voice clones it can be faked from a few seconds of public audio, so it should not be the sole factor protecting high-risk access. Assessing the right factor for your risk is vital.
