Navigate AI banking risks by focusing on customer authentication, vendor management

In the digital age, artificial intelligence has become a cornerstone of innovation in the banking sector, offering unprecedented opportunities for efficiency and customer service. However, the integration of AI also introduces new risks, particularly in the realms of customer authentication and vendor management. Let’s explore these challenges and examine strategies for banks to navigate this complex landscape.

AI and customer authentication: A double-edged sword

The use of AI in customer authentication processes promises streamlined operations and enhanced user experiences.


Yet, it simultaneously opens the door to sophisticated forms of fraud. Security engineers at firms like Wipfli employ pretext calling to validate banks’ authentication procedures, creating dossiers on customers using publicly available information, including data from social media and the dark web. 

This practice, while time-consuming, is crucial for identifying potential vulnerabilities in a bank’s authentication system. When a caller uses known information about the customer, bank employees are more likely to be manipulated into bypassing authentication procedures in an effort to be helpful and provide good customer service.

Attackers’ adoption of AI and machine learning expedites this dossier creation through automation. Attackers can now comb through numerous data sources, including password data exposed in a breach, and combine it with personal information found on social media, arming themselves with the details needed to be more convincing.

Moreover, the emergence of “deep fakes” poses a significant threat, as they can mimic a customer’s voice with alarming accuracy, potentially bypassing voice identification systems and deceiving bank employees into believing they are interacting with a legitimate customer.

The dark side of AI in authentication

The risks extend beyond voice impersonation. Data breaches involving biometric information, such as fingerprints and facial recognition, have made headlines, revealing the vulnerabilities in relying solely on biometric data for multi-factor authentication (MFA). 

Instances like the India police department data breach of fingerprints and facial recognition data and the Outabox facial recognition breach underscore the potential for misuse of biometric data.  

SIM swapping is a common way for scammers to bypass MFA codes sent to mobile devices. Attackers use a weak or stolen password to log into the user’s mobile carrier account and swap the SIM so that MFA codes and other text messages are sent to the attacker’s device.

The amount of data available on the internet and dark web, including MFA information, combined with the velocity at which attackers can create dossiers using AI and ML, makes it imperative for banks to evaluate the sufficiency of their current authentication procedures.

Reinforcing authentication protocols

The amount of data available on the internet and dark web, combined with the velocity at which attackers can create dossiers using AI and ML, makes it necessary for banks to reassess their authentication policies.

While MFA is a step in the right direction, it may no longer suffice as the sole line of defense. Banks should consider implementing additional authentication methods, such as behavioral biometrics or anomaly detection systems, which can provide a more robust security framework.
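As an added example (not from the article or from Wipfli), a small step-up authentication policy in Python that applies the two points above: SMS one-time codes are discounted shortly after a carrier-reported SIM or number change, voice matching and knowledge questions are discounted on the phone channel, and an attempt outside the customer’s usual hours must present a third factor category. The thresholds, factor names and the AuthAttempt fields are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Policy threshold: constructed for this example, not taken from the article.
SIM_CHANGE_COOLDOWN = timedelta(days=7)  # distrust SMS codes this long after a SIM/number change

# Category of each factor (knowledge / possession / inherence); names are assumed.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "kba": "knowledge",          # knowledge-based questions; answerable from a dossier
    "sms_otp": "possession",
    "app_push": "possession",
    "hardware_token": "possession",
    "voice_match": "inherence",
    "behavioral": "inherence",   # typing/navigation pattern matches the customer's baseline
}

@dataclass
class AuthAttempt:
    customer_id: str
    channel: str                         # "web", "mobile" or "phone"
    factors: set                         # factors already satisfied in this session
    attempt_time: datetime
    sim_changed_at: Optional[datetime]   # last carrier-reported SIM/number change, if known
    usual_hours: range                   # customer's baseline login hours (behavioral signal)

def discounted_factors(a: AuthAttempt) -> set:
    """Factors that must not count as independent proof for this attempt."""
    discounted = set()
    if a.sim_changed_at and a.attempt_time - a.sim_changed_at < SIM_CHANGE_COOLDOWN:
        discounted.add("sms_otp")       # codes may be delivered to a swapped SIM
    if a.channel == "phone":
        discounted.add("voice_match")   # a cloned voice can satisfy the voice check
        discounted.add("kba")           # call-center questions are what pretext callers rehearse
    return discounted

def evaluate(a: AuthAttempt) -> str:
    """Return 'allow', 'step_up' (demand another factor category) or 'deny'."""
    usable = a.factors - discounted_factors(a)
    categories = {FACTOR_CATEGORY[f] for f in usable if f in FACTOR_CATEGORY}
    needed = 3 if a.attempt_time.hour not in a.usual_hours else 2
    if len(categories) >= needed:
        return "allow"
    if not categories and needed == 3:
        return "deny"  # anomalous time and nothing trustworthy left: refer to fraud review
    return "step_up"
```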

AI in vendor management: A call for diligence

The use of AI is not limited to customer-facing processes; it also permeates vendor management. Banks must exercise due diligence in understanding how their vendors utilize AI, particularly concerning the handling of bank and client data. It is essential for banks to verify that their vendors are not using sensitive data to train public large language models, which could lead to unintended data exposure.  

Banks should examine their current vendor risk assessment and management processes and include questions about their vendors’ use of AI and their protection of sensitive bank and client data.

Conclusion

The integration of AI in banking processes, while beneficial, brings forth a set of risks that must be carefully managed. Banks need to adopt a proactive approach in revising their authentication protocols and vendor management practices to safeguard against these emerging threats. By doing so, they can continue to harness the power of AI while ensuring the security and trust of their customers and stakeholders.

Jeff Olejnik leads the cyber team at Milwaukee-based business consulting and services firm Wipfli.