Validating Identity in a World of Deepfakes

Presented at CactusCon 12 (2024), Feb. 17, 2024, 9:30 a.m. (60 minutes).

In Sep. 2023, Retool published a post-mortem on a data breach they suffered that included this particularly interesting line (emphasis added): "After logging into the fake portal – which included a MFA form – the attacker called the employee. The caller claimed to be one of the members of the IT team, and **deepfaked our employee’s actual voice.**"

Through recent, rapid advancements in and availability of AI tools, the threat actor was able to undermine a key method that’s actively taught and used to validate a person’s identity. **This raises the question: How can we verify someone is who they say they are in a world where currently relied-on methods can no longer be trusted?**

For example, today a threat actor can spoof/steal the following:

* Voices (some services advertise only 5 seconds are needed, though the more the better)
* Pictures
* Body movements
* Phone numbers
* Email accounts
* Government IDs
* Passwords and MFA tokens (esp. non-hardware MFA)
* Other attributes, such as idiolect, DNA (via a hack of services like Ancestry), etc.

And in the near future, it’ll be possible to spoof videos in real time (e.g., impersonate an employee on a Zoom call).

This talk will discuss solutions to this new threat landscape in the context of organizational security and promote further industry discussions on this complicated issue. The solutions will incorporate important factors, such as ease-of-use, scalability, cost, employees’ level of access, etc.


  • Andrew Sanford - Sr. Security Engineer
    Andrew Sanford is a Sr. Security Engineer for a global SaaS company. Throughout his career, he's started and matured security programs at organizations ranging from startups to multinationals with complex, legacy systems and legal structures. In 2020, he was part of the team Zoom brought in to help improve their security posture. While for several years he focused primarily on GRC and leadership, in recent years he's been "hands-on-keyboard" and loves it. Andrew concurrently earned his BS and MS in Information Systems Management from Brigham Young University, an NSA/DHS designated National Center for Academic Excellence in Information Assurance Education (CAE/IAE) program, with emphases in Cybersecurity, PhD Prep, Data Analytics and Software Development. He has published academic articles on cybersecurity and financial fraud with Dr. Conan Albrecht, one of the world's leading academics on fraud.

    *My views are my own and do not represent those of my employer.

