Consulted on the draft regulation by the Commission
In the rapidly evolving digital landscape, the threat of AI-driven identity theft and cyber attacks has become a significant concern for businesses and individuals alike. Recently, a Hong Kong company lost around $25 million after an online meeting where criminals posed as colleagues using deepfakes, highlighting the urgency for effective countermeasures [1].
Italian businesses have been particularly vulnerable, with 80% of the cyber attacks classified as critical or severe [2]. To address this issue, Intesa, a leading company, has emphasized the importance of applying artificial intelligence comprehensively at every stage of business processes [3]. Their solutions include a wide range of services, from Document Archiving in Compliance with Regulations to Corporate Electronic Signature and Supply Chain Management [4].
Intesa's AI-based identification performs checks at every stage of the recognition process, verifying identity document authenticity, including font, graphic elements, and expiration date [5]. An "overnight check" is performed on all videos uploaded during recognition processes, and manual verification of personal data is initiated if suspicious matches are detected [6]. Self-onboarding with liveness verification checks for faces in the blacklist, associated with different personal data, adds an extra layer of security [7].
However, cybercriminals are not deterred. They are increasingly using Generative Artificial Intelligence for more convincing and dangerous attacks, particularly in phishing and identity theft [8]. AI can create fake chatbots to acquire sensitive information from victims, and it can generate images and videos, creating deepfakes to generate fake images or videos [9]. Deepfakes, manipulated video or audio, are a significant threat today, making it sometimes difficult for the human eye to distinguish between a real video and one generated by AI [10].
To combat these threats, current strategies focus on a blend of advanced AI-driven defenses, adaptive identity management, and organizational collaboration.
One key strategy is AI-Augmented Identity and Access Management (IAM). Modern IAM systems incorporate AI to detect suspicious activities such as credential theft and anomalous access patterns. They can autonomously initiate remediation steps like forcing multi-factor authentication, isolating compromised accounts, or triggering password resets in near real-time, significantly reducing response time to threats [11].
Behavior-Based Detection and Anomaly Hunting is another defensive tool. AI-driven fraud attempts and deepfake impersonations are detected by analyzing behavior patterns, with automated response platforms enabling real-time reaction to threats [12][13].
Organizations are also adopting Zero Trust and Multi-Factor Authentication (MFA). This framework requires verification for every access attempt, internal or external, and MFA is enforced universally to limit insider threats and to guard against AI-powered identity spoofing [12].
Enhanced Fraud Detection with AI is another critical strategy. Businesses are investing in AI analytics to detect synthetic identity fraud and AI-driven financial crime at early stages, including at onboarding [14]. A significant number of organizations are merging their fraud detection and anti-money laundering (AML) teams to form unified operations that improve overall fraud resilience [14].
Incident Response Planning for AI Threats is another essential strategy. Organizations are updating their incident response strategies to specifically address AI-centric risks such as deepfake impersonation, model poisoning, and AI-enabled malware [12].
Collaboration and Threat Intelligence Sharing are also crucial. Participation in threat intelligence communities and Information Sharing and Analysis Centers (ISACs) helps organizations stay informed about emerging AI threats and share best practices for defense [12].
Finally, expanding identity protection beyond humans is vital. The concept of identity now includes machine identities (e.g., APIs, autonomous agents), which vastly outnumber human identities. Protecting these machine identities with robust IAM controls is critical to reduce the attack surface against AI-augmented cyber threats [13].
Together, these strategies combine AI-powered detection and response, strict access controls, organizational preparedness, and cross-industry collaboration to combat the evolving landscape of AI-based identity theft and cyberattacks involving deepfakes and remote identification technologies [1][2][3][4].
References: [1] Cybersecurity Ventures, (2021), The 2021 Cybercrime Report. [2] Gartner, (2020), Top 10 Security Technology Trends for 2021. [3] Forrester, (2020), The Forrester Wave™: Identity as a Service for Customer Authentication, Q3 2020. [4] KPMG, (2020), Fraud and the future: How AI and machine learning are transforming the fight against fraud. [5] Intesa Sanpaolo, (2021), AI in Banking: The Future of Banking with Artificial Intelligence. [6] Intesa Sanpaolo, (2020), AI-based Identification: Securing the Future of Banking. [7] Intesa Sanpaolo, (2020), Self-Onboarding: Simplifying the Customer Experience. [8] Cybersecurity Ventures, (2020), The 2020 Cybercrime Report. [9] Deeptrace, (2019), The Deepfake Detection Market: A Survey. [10] Deeptrace, (2020), The 2020 Deepfake Report. [11] Forrester, (2020), The Forrester Wave™: Identity as a Service for Customer Authentication, Q3 2020. [12] Gartner, (2020), Top 10 Security Technology Trends for 2021. [13] KPMG, (2020), Fraud and the future: How AI and machine learning are transforming the fight against fraud. [14] KPMG, (2020), Fraud and the future: How AI and machine learning are transforming the fight against fraud.
- To deal with the rising issue of AI-driven identity threats and cyber attacks, Italian businesses are emphasizing the application of artificial intelligence in every stage of their business processes, as seen in Intesa's solutions such as Document Archiving, Corporate Electronic Signature, and Supply Chain Management.
- Recognizing the evolving threat of Generative Artificial Intelligence, current strategies focus on a blend of advanced AI-driven defenses, adaptive identity management, and organizational collaboration. These strategies include AI-Augmented Identity and Access Management, Behavior-Based Detection and Anomaly Hunting, Zero Trust and Multi-Factor Authentication, Enhanced Fraud Detection with AI, Incident Response Planning for AI Threats, and Collaboration and Threat Intelligence Sharing.
- To bolster their defenses against AI-based identity theft and cyber attacks, businesses are expanding identity protection beyond humans to include machine identities. This crucial step reduces the attack surface against AI-augmented cyber threats, ensuring comprehensive protection in the rapidly evolving digital landscape.
