Staying cyber-secure in the age of misdirection

Yubico is a Business Reporter client.

The use of artificial intelligence (AI) and machine learning (ML) is infiltrating many aspects of our lives. While much of this will be with the best of intentions, AI is raising concerns about jobs and the use of data, and has significantly added to the armoury of tools that can be deployed by cyber criminals.

Today, as businesses operate with geographically distributed workforces, AI tools enable advanced techniques to execute social engineering attacks like phishing. Authentication methods that were previously difficult to circumvent, such as voice verification to prove identity when resetting a password, will become obsolete.

There are a number of ways in which AI and ML can be used to facilitate social engineering attacks, including:

As adoption of AI and ML-based tools such as ChatGPT continues to grow, it will be important to focus on how we can circumvent the risks associated with them. There are various ways individuals can protect themselves against these threats, and businesses should also look to conduct employee training to ensure their valuable data is not compromised. Keeping social media profiles private can help restrict the information readily available online, although with the potential for posts to be shared, this is far from foolproof. Having a secret codeword among family members could also help to determine if a voice is genuine or an AI-generated impersonation.

As it becomes less possible to rely on elements we have traditionally subconsciously used to verify someone’s identity, such as knowing their voice or recognising their face, we require new ways to guarantee authentic interactions. Machine learning itself can be part of the solution here, too, learning to identify AI-based attacks and flag them as suspicious before any damage can be done.

To protect our online lives, the use of phishing-resistant multi-factor authentication (MFA), such as physical security keys, becomes essential. The YubiKey, for instance, requires a user to prove their physical presence by touching the key, guarding against remote attacks. An individual’s credentials are tied with a particular site, which prevents people inadvertently dealing with hackers rather than a genuine site. “It prevents attackers from preying on our human inability to spot nefarious websites that look exactly like the real ones,” says Treece. “When the efficacy of identity measures that companies have trusted for decades such as voice verification and video verification erodes, strongly linked authentication mechanisms are even more important.”

With the YubiKey, credentials are securely stored in hardware, which prevents those credentials from being transferred to another system without the user’s knowledge. “The use of FIDO2 authenticators, such as the YubiKey, greatly reduces the efficacy of social engineering through phishing as users cannot be tricked into sending a one-time-password to an attacker, or have SMS authentication codes stolen directly through a SIM swapping attack,” he adds.

With around 90 per cent of all cyber-attacks originating from phishing, according to the US government’s Cybersecurity & Infrastructure Agency, it’s important that individuals and businesses act now to ensure they are able to stay secure. With AI and ML attacks growing in capability and number each day, being prepared is far better than being wise after the event.

To find out more about Yubico and how the YubiKey can protect your online accounts, please visit yubico.com.