The need to protect users and their digital identities has grown in recent times, as large-scale breaches within the Asia Pacific region have exposed the information of a vast majority of users.
While targeted phishing attacks against specific individuals are less common, broad-based phishing attacks that steal login credentials through channels like emails and texts are not only frequent but also growing increasingly sophisticated.
The recent release of artificial intelligence (AI) tools, such as ChatGPT, in the business world has numerous benefits for cost savings and productivity. However, it has also raised concerns about the use of AI in cybersecurity attacks and whether it could make attacks easier for hackers and increase their success rates. AI-based attacks pose a challenge because they lower the bar for adversaries to convincingly and successfully execute cyberattacks like phishing and ransomware by reducing their cost and complexity. AI tools bring technology closer to the edge of what our normal human senses can detect by manufacturing convincing text, video, and audio that could exploit our trusted senses of sight and hearing, making it difficult to detect malicious activity.
In today’s remotely connected environment, AI tools enable increasingly credible methods to execute successful social engineering attacks. Traditional controls like voice verification for identity on a password reset may become obsolete. While ChatGPT may not yet produce convincing spear phishing outputs, it could be used to fix the base-level quality issues of most phishing campaigns, such as poor grammar and inaccurate information.
Mitigating the risks of AI-based attacks with phishing-resistant MFA
As the adoption of AI tools continues to grow, there needs to be both a regional and global focus on ways to mitigate the associated risk. When traditional identity measures such as voice and video verification become less effective, it becomes even more important to establish strongly linked electronic identities.
Digital identity hygiene, partnered with phishing-resistant MFA tools like security keys, is becoming essential to protecting what we value, in both a personal and a business context. Hardware-backed security keys that leverage the FIDO2 open authentication standard are purpose-built to protect users from mistakenly authenticating to a fake website. Security keys enable the replacement of weak username/password credentials with strong cryptographic key pair credentials that are securely stored in hardware, preventing unauthorised transfer to another system without the user’s knowledge. These credentials are not shared across services and are resistant to phishing and replay attacks – stopping hackers in their tracks even if they do obtain stolen login credentials.
FIDO2 authenticators also significantly reduce the efficacy of social engineering attacks through phishing, as users cannot be tricked into providing a one-time password to an attacker or have SMS authentication codes stolen through SIM swapping attacks.
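The phishing and replay resistance described above comes from checks the relying party runs on every FIDO2 (WebAuthn) assertion. The sketch below is an added example, not code from the original article or any vendor: the host names, the `build_sample` helper and the sample data are constructed assumptions, and the signature check over `authenticatorData || SHA-256(clientDataJSON)` is omitted because it needs a crypto library.

```python
import base64, hashlib, hmac, json, struct

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes, expected_origin: str,
                    rp_id: str) -> list:
    """Return the list of failed binding checks (empty list = all passed)."""
    errors = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        errors.append("type")
    # Replay resistance: the challenge must be the one issued for this login.
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")),
                               expected_challenge):
        errors.append("challenge")
    # Phishing resistance: the browser, not the user, reports the origin.
    if cd.get("origin") != expected_origin:
        errors.append("origin")
    if len(authenticator_data) < 37:  # 32-byte hash + flags + 4-byte counter
        errors.append("authData")
        return errors
    # The authenticator scopes the credential to SHA-256 of the RP ID.
    if not hmac.compare_digest(authenticator_data[:32],
                               hashlib.sha256(rp_id.encode()).digest()):
        errors.append("rpIdHash")
    if not authenticator_data[32] & 0x01:  # User Present flag
        errors.append("userPresence")
    return errors

def build_sample(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what a browser and authenticator would emit."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x01]) + struct.pack(">I", 1))
    return client_data, auth_data

if __name__ == "__main__":
    issued = b"constructed-challenge-0001"
    real = ("https://login.example.com", "example.com")
    genuine = build_sample(*real, issued)
    lookalike = build_sample("https://login.example.com.lookalike.test",
                             "lookalike.test", issued)
    print("genuine:  ", check_assertion(*genuine, issued, *real))
    print("lookalike:", check_assertion(*lookalike, issued, *real))
    print("replayed: ", check_assertion(*genuine, b"fresh-challenge-0002", *real))
```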
Regulating the use of ChatGPT and balancing the future of AI with strong security
In response to security and privacy concerns around AI tools, some countries have taken a stand against their use. For example, Italy initially banned the use of ChatGPT due to privacy concerns, which were later addressed through changes implemented by OpenAI. However, there have been concerns from several other countries regarding the use of AI tools.
As tools such as AI continue to evolve, businesses must adapt their security strategies to counter the associated evolving threats. MFA continues to play a pivotal role in safeguarding sensitive data and assets. Hardware-based security keys offer robust protection against many modern attacks including several methods that may become more prevalent with advances in AI models. Embracing technologies like FIDO2 security keys represents a proactive approach to mitigating the risks associated with AI and ensuring the security of increasingly connected systems.