IS DEEPFAKE TECHNOLOGY SHIFTING THE GOLD STANDARD OF AUTHENTICATION? 

  • Gaelan Woolham
  • Published: 16 November 2023

 

Fraud has long plagued the financial services sector, and deepfakes have emerged as a threat to secure customer experience.

As interactions with customers are becoming more digital, financial institutions rely on three key pillars of authentication to verify users’ identities:

  1. Something you have (example: SMS push to a trusted number or device) 
  2. Something you know (example: security challenge questions)
  3. Something you are (example: fingerprint, facial or voice recognition)


However, these pillars vary in robustness. “Something you have” can be compromised if your devices are stolen. “Something you know” can be found online using social media and similar resources. This makes “Something you are” - verified via biometrics - the gold standard for fraud prevention, especially in contact centre platforms. 

The advantages of biometrics are not only their resilience to current technology-based attacks, but also their minimal user friction. Think Face ID versus remembering and typing multiple, complex usernames and passwords. In the contact centre context, voice biometrics have become a popular and secure alternative to PINs, passcodes, and challenge questions. As the technology has matured, sometimes as little as three seconds of talking can be sufficient to verify the user’s identity.1

Capco’s extensive experience in Assisted Digital, together with partnering with multiple clients to upgrade their assisted and self-service channels, has allowed us to work with numerous authentication technologies. We believe voice biometrics has marked a phase shift in security, seamlessly incorporating robust authentication while improving customer experience and reducing both the frustration of passcodes and PINs and the operational effort of manual authentication.

THE EMERGENCE OF DEEPFAKES IN SOPHISTICATED CYBERCRIME

In recent years we have seen the emergence of deep learning techniques within artificial intelligence. Early examples included impressive image recognition technology, which quickly progressed to generating deepfakes, i.e. simulated images on demand, and will soon be able to generate real-time video.

While current deepfake images and videos are impressive, they still give the uncanny feeling that something is off. The rapid rate of advancement will surely make these media indistinguishable from reality to the average viewer faster than our ability to learn and anticipate. 

Another application of these techniques is the ability to mimic individual voices. Using minimal input, such as a voicemail message or a social media post, systems can be trained to mimic human voices with remarkable fidelity, even achieving conversational interactions when combined with technologies like ChatGPT. If systems can mimic an individual’s voice including tone, word choice, and cadence, should we be concerned about the future of voice biometrics security?

DEEPFAKES AND THE ABILITY TO OVERCOME EXISTING AUTHENTICATION

Deepfake scams within financial services include fraudulent claims, account opening fraud, and synthetic identity fraud.1 Financial services institutions need to consider how deep learning technology has the potential to defeat current voice authentication systems.2 

A recent study at the University of Waterloo showed that voice biometric authentication systems, including those of industry leaders such as Amazon and Microsoft (Nuance), can be bypassed by deepfake technology in only six attempts.3 

As deepfake technology advances and becomes more widely available and democratized, agile financial institutions need to improve the certainty rate of user authentication to prevent breaches. To achieve this, they must ensure that their voice biometric tools are actively tested against deepfake audio samples. Given the fast pace of these advancements, incumbent Infosec players4 and emerging startups5 are already refining their tools to improve the efficacy rates of differentiating synthetic voices from real ones. 

AN ARTIFICIAL INTELLIGENCE ARMS RACE?

Advancements in countermeasures, including the use of machine learning for detection, are leading to authentication systems that produce a probability score. Leading biometric security products are being consistently updated to identify and prevent deepfakes. This includes priority approaches to separating real and synthetic voices using factors too subtle for the human ear, as well as combining these with other session metadata such as behavioral patterns, device data, number spoofing, and liveness detection.6 

Once a session score is assigned, it can be processed by additional controls and authentication checkpoints, tuned to an organization’s risk tolerance, either to grant access or to trigger additional actions such as session termination or step-up authentication. Furthermore, user activity can be monitored for higher risk actions, such as initiating large transactions or changing authentication preferences. A low confidence session combined with suspicious activity could be used to trigger additional security checks, or to trigger alerts for further investigation. The pace of progress in deep learning for both detection and evasion has resulted in a continuous ‘arms race’ between information security teams, authentication service providers and fraudulent actors.

The key to successfully implementing step-up authentication in response to deepfake fraud potential is to understand organizational data and risk indicators and to tune the responses properly.
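The score-then-respond flow described above, as an added example (not code from Capco or any vendor): the signal fields, penalty weights, thresholds and action names are assumptions chosen for illustration, and the sessions are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"        # ask for a second factor
    TERMINATE = "terminate"    # end the session

@dataclass(frozen=True)
class Session:                 # signals named in the text; field names are hypothetical
    voice_match: float         # 0..1 speaker-verification score
    synthetic_prob: float      # 0..1 detector estimate that the audio is synthetic
    number_spoofed: bool
    known_device: bool
    liveness_passed: bool

@dataclass(frozen=True)
class Policy:                  # encodes the organization's risk tolerance
    allow_at: float            # confidence needed for a frictionless session
    terminate_below: float     # below this the session is ended
    high_risk_bump: float      # extra confidence demanded for high-risk actions

HIGH_RISK_ACTIONS = {"large_transfer", "change_auth_preferences"}

def session_confidence(s: Session) -> float:
    """Fold voice score and session metadata into one 0..1 score (assumed weights)."""
    score = s.voice_match * (1.0 - s.synthetic_prob)
    for hit, weight in ((s.number_spoofed, 0.5), (not s.known_device, 0.8),
                        (not s.liveness_passed, 0.6)):
        if hit:
            score *= weight
    return round(score, 3)

def decide(s: Session, action: str, p: Policy) -> tuple[Decision, bool]:
    """Return (decision, raise_alert) for one requested action."""
    conf = session_confidence(s)
    high_risk = action in HIGH_RISK_ACTIONS
    if conf < p.terminate_below:
        return Decision.TERMINATE, True
    required = p.allow_at + (p.high_risk_bump if high_risk else 0.0)
    if conf < required:
        # Low confidence combined with a risky action is also sent for investigation.
        return Decision.STEP_UP, high_risk
    return Decision.ALLOW, False

# Constructed sample data: two tolerance settings and two callers.
BALANCED = Policy(allow_at=0.75, terminate_below=0.30, high_risk_bump=0.15)
STRICT = Policy(allow_at=0.85, terminate_below=0.40, high_risk_bump=0.10)
BORDERLINE = Session(0.90, 0.15, False, True, True)
SUSPECT = Session(0.93, 0.55, False, False, True)
```

With this data the borderline caller gets a frictionless balance inquiry under `BALANCED` but is stepped up under `STRICT`, and the same caller requesting a large transfer is stepped up with an alert.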

CONCLUSION

Given that voice biometric authentication is now adopted widely, trusted by clients, and has high efficacy rates, banks face the challenge of maintaining security without resorting to older, more intrusive techniques for authentication. Introducing multi-factor authentication (MFA) by default, especially on the voice channel, can negatively impact the customer experience. 

We believe a layered approach to fraud detection, leveraging step-up multi-factor authentication, tuned against other customer and session metadata, as well as robust behavioral analytics, provides a pathway forward that protects the customer experience while maximizing fraud prevention.

Capco’s experience in cyber risk, as well as our data science and analytics expertise, has allowed us to identify risk indicators and incorporate those data points into fraud risk modeling. Working with client experience teams and understanding organizational risk tolerance enables us to properly tune the response to potential fraud, which will trigger step-up authentication or block activity according to the threat level.


References 

1 https://www.fintechfutures.com/2022/01/from-viral-fun-to-financial-fraud-how-deepfake-technology-is-threatening-financial-services/
2 https://www.ftc.gov/business-guidance/blog/2023/03/chatbots-deepfakes-voice-clones-ai-deception-sale
3 https://uwaterloo.ca/news/media/how-secure-are-voice-authentication-systems-really
4 https://www.pindrop.com/blog/exposing-the-truth-about-zero-day-deepfake-attacks-metas-voicebox-case-study
5 https://www.biometricupdate.com/202306/generative-speech-firm-elevenlabs-raises-19m-launches-tool-to-snuff-out-deepfakes
6 https://www.incognia.com/the-authentication-reference/what-is-step-up-authentication-and-how-does-it-work and https://www.pindrop.com/blog/exposing-the-truth-about-zero-day-deepfake-attacks-metas-voicebox-case-study

 
© Capco 2024, A Wipro Company