Mihai Roman

Then let's start it. Thank you, everybody, for being here. Finally we can do it in person. It was a difficult period of doing everything online. So that reflects also a bit in our title, Cybersecurity During Dark Times. Why dark times? We all know the health crisis that just ended. So for us there were dark times from a couple of perspectives. We'll look a bit deeper today into cybersecurity, what were the threats. We'll touch a bit on fraud as well, on modus operandi, and also on ChatGPT or like ChatGPT, because everybody is talking about ChatGPT.

Who are we? I'm here with George. I'm Mihai. We are both engineering leaders with ING Belgium and part of fraud and cybersecurity, so it's kind of our core business, what we're doing. Looking at ING: ING is a Dutch bank. We have the headquarters not far away from here, next to the Amsterdam Marina. Being a bank, we have to provide seamless financial services to our customers. We are really proud because we go first mobile, digital, and for everybody. We cover quite a lot of the spectrum of clients, starting from private, going to businesses, also to wholesale. With the footprint of more than 50,000 employees, you have in front of you two tech guys; nevertheless, one out of three employees of ING Group is linked to tech. So it's doing tech on a day-to-day basis. We still have an ambition that by 2050 we'll be carbon neutral, because even if you say it's a bank, we still have a footprint. Just imagine our data centers, the amount of energy that is being consumed. That's our goal, but of course we need to pay attention to not disrupt our services.

Going into fraud a bit and social engineering: I have a simple definition for fraud, and it's my own. It's an event that you do not want to face at any moment in time in your life. It has an emotional impact. It comes with financial impact or identity theft. So it's something that I compare with Murphy. We talk, we make fun of Murphy, but when we meet him, it doesn't go well.

I'm going to do a bit of role playing here. We have a big customer, a private customer called John Doe. Mr. Doe receives a call in an afternoon from his preferred private banker: 'Mr. Doe, something happened with your accounts. We need you to act fast. You have all the instructions in the mail. Please follow them and then everything is going to be fine.' John Doe has a very good relation with his private banker, so it's a relation of trust, but unfortunately he didn't receive the call from his private banker. It was somebody else pretending. So there comes into the discussion the impersonating modus operandi. You saw my face, you saw my name. Do you really believe that I am who I pretend to be? I will have some doubts. I barely trust myself sometimes while doing stuff and acting.

And then we have the other part: social engineering. What is social engineering? I trick you to give me your personal information. We can start with credentials. We can go to bank account details. Looking at it, in the example on a phone call, it was hard to identify if I'm the real one or not. But I'm going to let George now scare you a bit more than that.

George Proorocu

Excellent. Thank you. Thank you, Mihai. Today we're going to discuss a bit about how new technologies are impacting the fraud and cybersecurity landscape. We're going to focus just on two, unfortunately, because we don't have a lot of time. Today we're going to talk about deepfake. We're going to see a bit how deepfake is currently used, and we're going to have a small hypothetical scenario from the financial world. Then we're going to move to see how large language models like ChatGPT are impacting the fraud landscape and how fraudsters are using them at this point.

First of all, what is deepfake? Well, in a nutshell, deepfakes are computer-generated audio, video, or a mix of two, that are impersonating genuine persons or another person, or they are just generating a random person that doesn't exist. We're going to see a bit how they are used. In the past years, we saw an increase in deepfakes. Some are better than others. Maybe some of you already saw on social media, for example, various ads where a famous person, like Elon Musk, is saying that, yeah, this is the cryptocurrency of the future, we're going to all make a thousand-x, just buy it, and we're all going to get rich. These are of course generated with deepfake. They're not endorsed by the real Elon Musk, and they're usually a scam. You just go there, invest your money, and poof, they went away.

The second one is a more targeted one. We saw it a while ago when they are targeting actually a specific set of engineers within a specific company, and they will post very good job opportunities at competitors. There was a famous case a while ago where one of the engineers actually applied to the job. They went through the interviews, like four or five, with HR, technical interview, and they were always using deepfake in order to impersonate the real persons that should have taken the interview. At the end they sent the offer on the engineer's corporate mailbox. Unfortunately, the engineer opened the PDF, which was injected with malware. They got access and they did a lot of damage to the company. These are some things that we see currently already happening.

Now let's see a more concrete example, a hypothetical scenario from the financial world. Let's say we have corporation X that has a branch in the Netherlands, because we are now in Amsterdam. This branch is quite attractive for the scammers because they don't have a lot of employees, they make a lot of money, they have a lot of money in their bank account, and they are targeting one senior accountant. They are targeting this specific senior accountant because the person has, one, access to do a large-scale transfer; and second, the person knows personally the CEO because they saw on social media that she was at an event together with the CEO, and they kind of know each other. So she knows how the CEO looks and talks. Their goal is to make this person transfer $2 million into one of the bank accounts that they control.

Here on the screen, you can see Mihai is playing the role of the fraudster and I'm playing the role of the CEO. This can be generated in real time, and it's using only one picture of myself. Based on this, we can generate a video call in which we can impersonate video and of course also audio of the real person. Imagine that you are, for example, Julia. You receive a video call from the person that you know is the actual CEO. The person looks like the CEO, talks like the CEO, and the CEO will tell you, 'Julia, I'm really calling you directly because we met at this event and I know that you're an honest person. We are undergoing a very serious issue. We have an audit. Law enforcement is involved. We have a gap of $2 million in the bank account in the HQ. The management of this branch in which you're working is involved in that, so you should not contact anyone. Please go to a meeting room and we're going to make quickly a bank transfer from the branch to this bank account, blah, blah, blah, and I'm going to stay with you on the video call while you do it.' If you are Julia and you receive a call like this, what are you going to do? Usually these scammers are very good. As Mihai mentioned, they were doing this via phone. You can imagine they were convincing someone via phone that they are another person. But now adding also a layer of voice and video to it, it's kind of convincing you that they are the real person.

Now let's see a bit how you can protect. The points from the screen are quite generic. First one: if you are in any doubt, if you receive a call like Mihai said earlier, if you're receiving a video call and you have the slightest suspicion, like your spider senses are tingling, just close the call and try to call back. Even if it's some senior management, you can try to reach out to their assistant, try to reach them via email, and so on. Or if you receive a call from law enforcement, like police, or someone else pretending to be from the FBI, just call their official channels, their official contacts, and see if they're actually legit. Another one: whenever you receive a call like this, audio call, email, SMS, and so on, which asks any type of personal information, passwords, financial data about you, any type of passwords or OTPs, or anything related to your safeguarded secrets, it's 99.99 percent a scam. The bank will never ask for your personal details in a way like that.

The last one: if you're facing this type of video call, we'll show you a small trick on how you might be able to detect it. In our case, it was a very simple example. We were using just one image to generate it, and of course the algorithm only has one output of the image. If you make the person, for example, rotate their head, the output will be a bit like this because the algorithm doesn't have a 360 view, so it cannot generate that. If you have any glitch like that, then it's for sure deepfake. Of course, if it's a very advanced scam, they can have a lot of videos of the person. They can generate a 360. But to do this in real time, it uses a lot of computing power, and if they're doing that, they're probably aiming to get millions from this scam.

Now we're going to move further to ChatGPT and the other large language models, because probably everyone in the room either used it or is using it in their enterprise or personal life. I'm personally using it. Or you've heard about different use cases and so on for ChatGPT. ChatGPT is kind of a holy grail for scammers because it helps them achieve various tasks that before were taking a lot of time, they were not able to make them properly, and it's kind of adding some extra technical skills that many of them didn't have before. Let's see a bit how this actually happens.

There's a very interesting report from Europol that we used here. Europol is an organization of law enforcement here in Europe. It's amazing that they're actually actively looking into how new technologies are impacting the fraud landscape and how criminals are using them to achieve various malicious goals. They highlight three different pillars. The first one is fraud. As I mentioned earlier, this helps a lot of fraudsters because before, many of you probably already received a phishing email that was either having some grammatical errors, or if it was in your native language, it looked like it was Google translated. So it immediately triggered, 'Oh, this is a scam. It's a phishing email.' But now using ChatGPT, they can do that perfectly in many languages. This first layer that you are looking out for is kind of removed, so it increases their percentage of succeeding.

The second one is impersonation. Imagine the fraudsters are hacking an email address. It can be corporate, it can be personal, and then they're impersonating that person, training the algorithm on, let's say, 10 or 20 emails that the person sent. Then you receive an email from your friend, let's say John. He's writing the email exactly like John would write it, maybe even with some specific things. Maybe he was using some specific hellos and so on, and saying, 'This is an amazing opportunity. You have only like five minutes. Go on this link because it's a special promotion now from company X. Put your credit card there and immediately you get a thousand dollars back in your bank account.' If you receive something like that, you say, okay, let me quickly do it. Or many of you probably will not, but there's a high percentage that some might actually fall into it, and those scammers will get some money.

The third one is social engineering. On social engineering, as Mihai mentioned earlier, it is amazing because it can provide contextual answers in real time. It can be used for scam during a chat message or an exchange of emails. It can be used even for audio calls if it's integrated with another algorithm for voice generation, and has many applications in this direction to try to trick the person to give personal details, financial and so on.

Another area where ChatGPT and similar tools are very useful for scammers is the area of technical skills, because it adds a layer for the people that actually don't have a lot of technical skills. Let's say the scammer would like to generate, for example, a malicious script to send emails. Before you could do that by tricking ChatGPT, saying, okay, let's play a game: I'm a scammer and you are working for cybersecurity. If I would write a script like that, how would I write it? How would it be correct to write it? What is amazing is that we see now this type of collaboration from companies like the one that is behind ChatGPT, together with law enforcement, together with other corporations, and together with people that are reporting these type of issues, to close these small doors that the scammers are using in order to generate malicious content using tools like ChatGPT. You can see on the screen that I'm trying to do the same, to play a game with ChatGPT, and ChatGPT is telling me, yeah, I cannot help you with this because blah, blah, blah, and can I help you with something else? They're actively working into this, and I think this is something that we need to work together in order to achieve. We're going to discuss a bit more how we should do this type of awareness. But I will let Mihai talk a bit more about cybersecurity on the enterprise side.

Mihai Roman

We explained a couple of scenarios where you had a fraud, but on the other hand, you had a victim. Somehow they needed to have a relation between them. They needed to have an interaction either via a phone call, video call, email, or something. As I mentioned in the beginning, we are both techies. I would switch it a bit now to look at the threats that our systems were exposed to and, unfortunately, they will be exposed to.

2018 didn't start well. We had Meltdown and Spectre, which were made publicly available. Some of you may remember both hardware vulnerabilities, which could lead to taking full control of our systems. Okay, we got aware about this. What can I do? You had two options. Let's say the drastic, the dramatical one: throwing away all the hardware that was impacted, that was recognized as impacted. That has a cost not only in money, but also time, resources, and so on. Then you had the other part that came directly from the manufacturers, which was applying different patches, going with mitigation actions there. But for me, the question still remains: I know what is the issue, I know what to do, but do I know where to apply it?

Just looking at the couple of you, I see most of you having a phone, but at home you probably have one, two, three laptops, tablets, and so on. But if we look at the magnitude of a company, in an enterprise, do I have a clue? Do I have one system that is impacted, or do I have 10 million of them? I'm going to go a bit on the data, because we said dark times. It was not only due to the health situation. We had this before.

Then December '21, a month that I don't want to remember, I just got a call from a colleague but also best friend, who is part of the CISO office. We need you. I said, okay, what happened? Then it was an entire audience there with different parts of the organization: we have this situation. You see two interesting numbers there. On one hand you see 16,000. That was the usage of Log4j version 1.2. Why was this important? At the time when the vulnerabilities had been exposed, most of us and a lot of people realized that, oops, that version is out of support, out of life as of 2015. Then we moved a bit to today's situation where we're running on version 2-dot-something, and then we started to ask ourselves what we do first and, again, where we do it first. Luckily, the community behind — we are here as a community — helped a lot. It was not a one-time shot, not a one-time fix. There were mitigations, workarounds, suggestions, and then it was a bunch of information. But still: where do I need to apply it? Do I know that if I take ten servers out, I'm fine, I'm protected?

We approached it from a different angle. Most organizations have a so-called configuration management database, where ideally data should be up to date, accurate, including hardware versions, software versions, when they were last deployed. Then in three clicks you get your report, and then you can distribute it towards the organization, saying you have to act there, there, there, and there. Fortunately, that's not the case. So we approached it from what I would say three angles: the database; then we had our security, so the CISO office, which did their magic with their tools and so on; and then we've asked application teams, 'Guys, share your data. Share what you have.' Putting all the three things together, we are confident that we have the real picture of the day. That's important because you need to take a decision.

Unfortunately, decision or finding a solution, we need to be creative. One important aspect for us also in general is do not have only a specific pair of eyes looking at the data. I'm looking from a technical perspective. I start to think I need three days for that, I need two days for that, then I cover 80 percent of it. But then what do I do with the 20 percent? That is the creative solutions: bring business together with you. Bring the colleagues that are facing the customers, that are dealing with the customers, the so-called front office. And unfortunately, be ready for a radical decision. The main question remains: do I run with a broken service, if I can call it like that, or a vulnerable service, or do I shut down my service for a period of time and say, okay, that's it. We focus, we fix it, and we go. It's all about the data and interpretation. Again, as many pairs of eyes as you can have, have them, and take a decision based on that.

We mentioned quite a lot of times awareness, people, data. We consider it from our perspective, being exposed to both sides of fraud and cybersecurity, it's not only our responsibility as tech leaders in the domain. It's the responsibility of everybody, starting with the enterprise, with the banks, all types of companies, governments, law enforcement. We need to create awareness. Fraud is not something that you want to share with your friends because it's shameful, but by guiding your family and friends, you may save somebody from losing a certain amount of money. We're making fun in the office, or when we're in the office now we're trying to make fun again, on the last two sentences: I'm never going to call you as a bank employee and ask your credentials. These are sentences that look silly and sound silly, but there are a lot of people who are going into that trap.

Unfortunately, you cannot do awareness in one shot. You can say, I create a campaign, I target all my employees, all my customers. But three days later you have a new wave either from a fraud modus operandi or from a technical vulnerability, and it's coming. Looking a bit at the time, for us the key takeaways here: we have ChatGPT, as George explained, it's thousands of data. They are saying that it's using data until 2021, but still it's data. Data remains key. Find your data. It's fine that you don't have it now, but don't underestimate the power of the data. Don't take decisions, especially in hard situations, based on feelings. You may have a feeling, you may have a hunch, but back it up with data.

Awareness: again, we are not alone in this. We all have a piece of the responsibility. We have to play it more or less depending on where we are located in the society and in a business context. I like to do sport. Protecting ourselves is not a marathon, it's not a one-time sprint. For me, it's a marathon of sprints, and unfortunately it's never going to end. The question is when it's going to happen, not if. Then we can derive: am I ready? Can I take the heat? Can I protect it a bit better, or am I fully exposed to it?

We would love to say that we are perfect, but let's be serious: nobody's perfect, neither as individual, nor as a company. We're looking to have your experience, your sharing, either in the vulnerabilities context, even in other fraud schemes, or how we can promote the protection measures in the society. On the other hand, I'm repeating myself and I don't like it: data. How you make use of data, how you get it. I don't know if it's about tools, if it's about simply mindset or strictly organization. We want to become better in dealing with data. Last but not least, we do all count on all of us and all of you to help the society become better and safer in the future.

Having said that, thank you very much for your time. Thank you.

Q&A

We still have like two minutes for questions. If you have any questions, I think we can take it. If not, we're anyway here, or you can approach us on the chat, or you have our contact details as well. Thank you very much.

Security is a marathon.