As published on ACM News June 11, 2020
Artificial intelligence (AI) has made great strides in catching attempted credit-card fraud—most of us have received communications from our credit-card issuers to confirm attempted purchases made by cybercriminals. Using machine learning (ML) to compile “synthetic identities” that display the usual behavior patterns of their credit holders, financial institutions can spot anomalous behaviors in real time. Unfortunately, cybercriminals likewise are using AI to create their own synthetic identities, producing results realistic enough to fool the AI that spots anomalous behaviors.
This battle of the AIs—pitting fraudster against cybersecurity—is also being fought in the trenches of fake news, fake videos, and fake audio. Thus the arms race has begun: AI versus AI.
Juniper Research’s Steffen Sorrell says synthetic identities are the “low-hanging fruit” of credit card fraud. According to Juniper Research’s latest Online Payment Fraud report, synthetic identities are driving online payment fraud toward $200 billion in losses to the bad guys by 2024. For the good guys, it is also driving the fraud-detection market to reach $10 billion over the same period, up from $8.5 billion this year.
“Online fraud takes place in a highly-developed ecosystem with division of labor,” said Josh Johnston, director of AI Science at Boise, ID-based fraud prevention enterprise Kount Inc. Johnston said cybercriminals specialize in different types of crimes ranging from manually “skimming cards” to creating synthetic identities with AI. “Others test stolen card numbers and credentials against soft targets like charities and digital goods merchants to make sure they haven’t been cancelled,” said Johnston, who claims high-limit credit card numbers with accurate name, address, and CVV (card verification value) can be purchased for less than a dollar in Internet black markets on the dark web.
“A fraudster can buy a list of these verified cards and monetize them through any number of online schemes,” said Johnston. “AI is used heavily by these criminals, who also share software tools and tips on Internet forums just like legitimate developers.”
These high-volume fakes use all types of AI and other automation techniques, ranging from small programs that generate and register realistic email addresses by combining real first and last names followed by random numbers, to large ML programs that create synthetic identities by combining bits of information from multiple real people to create a composite, according to Johnston. If a fraud detector checks on a synthetic identity, it often finds a fake email account, Facebook page, and other Internet presences showing that details of the synthetic identity have been recorded by the fraudster.
Thus the fraud-detection skills of cybersecurity programmers are pitted against the fraud-creation skills of the Black Hats.
These fraud-creation skills are not just used in credit-card scams, but extend into the fields of image and speech recognition, where the tools are being used in reverse to create fake news, fake videos, and fake audio. In fact, money transfer fraud, in which fake audio is used, is growing faster than online payment fraud, according to Nick Maynard at Juniper Research, who said losses in this arena are predicted to grow by 130% through 2024.