AI phishing and its implications for authentication.
By Tim Nodar, CyberWire senior staff writer
Oct 19, 2023

AI-enabled social engineering will require new approaches to authentication.

A study by the FIDO Alliance looks at the current state of online authentication, finding an increased demand for biometric authentication: “When asked what authentication method people consider most secure and the method they most prefer using, biometrics ranked as favourite in both categories, rising around 5% in popularity since last year. This suggests that consumers want to use biometrics more but don't currently have the opportunity.”

Generative AI is increasingly important in social engineering.

The report also observed an increase in convincing social engineering attacks, likely fueled by generative AI tools:

“54% of people have noticed an increase in suspicious messages and scams online, while 52% believe these have become more sophisticated. Threats are seen to be active across several channels, but primarily email, SMS messages, social media, and fake phone or voicemails. The increased accessibility of generative AI tools is a likely driver of this rise in scams and phishing threats. Tools like FraudGPT and WormGPT, which have been created and shared on the dark web explicitly for use in cybercrime, have made crafting compelling social engineering attacks far simpler, more sophisticated, and easier to do at scale.”

Implications of AI-enabled social engineering.

Ted Miracco, CEO of Approov, argues for stronger authentication methods. “AI-driven cybercrime certainly highlights the need for stronger authentication methods beyond traditional passwords,” Miracco wrote in emailed comments. But not all such methods are equally efficacious. “However, even passkeys and multi-factor authentication (MFA) are not immune to all types of attacks. While they provide better security compared to passwords alone, they may still be vulnerable to certain types of attacks, including the increasingly common man-in-the-middle (MITM) attacks. If the communication channel between the user and the authentication system is compromised, an attacker can intercept or manipulate the passkey or MFA during transmission and can effectively impersonate the user or gain unauthorized access. To mitigate the risk of MITM attacks, use secure communication protocols such as HTTPS to encrypt the data transmission between the user and the authentication system.”

Miracco added, “Users should ensure they are using attested mobile devices and trusted networks for authentication. Avoiding public or unsecured Wi-Fi networks reduces the risk of MITM attacks. Lastly, by using out-of-band verification methods, such as receiving authentication codes through a separate communication channel (e.g., SMS codes sent to a registered phone number), users can add an extra layer of security by making it more difficult for an attacker to intercept both the authentication code and the login session.”

Emily Phelps, Director at Cyware, also commented on the insufficiency of passwords against such emerging threats. “Passwords alone are not enough to secure accounts and sensitive data,” Phelps wrote. “Phishing remains so popular because there is a low barrier to entry and it remains effective. As AI technologies become more commonplace and sophisticated, adopting better security practices will be even more critical than it is today. The reality is no single authentication method is foolproof. Organizations and individuals must adopt multifactor solutions to reduce the risks of phishing attacks. It's encouraging to see an increase in consumer awareness, but awareness alone does not reduce risk. Multifactor authentication is the minimum we should be requiring to defend against social engineering tactics.”