
Finance worker pays out $25 million after video call with deepfake CFO


#1
Deep fake has improved :-)

https://edition.cnn.com/2024/02/04/a...hnk/index.html

#2
Seems security isn't. You would assume they would have some sort of authorisation process for significant amounts.
Always forgive your enemies; nothing annoys them so much.


#3
Originally posted by vetran:
    You would assume they would have some sort of authorisation process for significant amounts.

It is surprising when you talk to people how many companies still don't have an authorisation process for transactions.

They presume that people dipping their hands in the till will do it for small amounts, not a few thousand at a time.
"You’re just a bad memory who doesn’t know when to go away" JR


#4
Originally posted by SueEllen:
    It is surprising when you talk to people how many companies still don't have an authorisation process for transactions.

    They presume that people dipping their hands in the till will do it for small amounts, not a few thousand at a time.

20+ years ago I had MFA as standard for remote access. Why not have a similar protection for large transfers? People are stupid.
Always forgive your enemies; nothing annoys them so much.


#5
Originally posted by vetran:
    20+ years ago I had MFA as standard for remote access. Why not have a similar protection for large transfers? People are stupid.

In this case, I don't see how that would help. The person who transferred the money didn't have their credentials stolen (e.g. nobody guessed their password). If the system had prompted them for MFA, they would have typed in the code from their app, because they thought that the transfer was legitimate. The problem was that they were tricked by someone impersonating their boss.

There's a fairly common scam where people get text messages saying "Hi Mum, I've lost my phone, please can you send me some cash." There's a targeted version where the child's voice can be faked (e.g. if they've done podcasts or YouTube videos for the AI to learn from), which would then make it more convincing.

You could have a password to prove that this person isn't an imposter, but people aren't good at remembering passwords. Or you could have a "tell me something that only the real Fred would know" conversation.


#6
Originally posted by hobnob:
    In this case, I don't see how that would help. The person who transferred the money didn't have their credentials stolen (e.g. nobody guessed their password). If the system had prompted them for MFA, they would have typed in the code from their app, because they thought that the transfer was legitimate. The problem was that they were tricked by someone impersonating their boss.

    There's a fairly common scam where people get text messages saying "Hi Mum, I've lost my phone, please can you send me some cash." There's a targeted version where the child's voice can be faked (e.g. if they've done podcasts or YouTube videos for the AI to learn from), which would then make it more convincing.

    You could have a password to prove that this person isn't an imposter, but people aren't good at remembering passwords. Or you could have a "tell me something that only the real Fred would know" conversation.

Back when we used cheques you needed 2 directors to co-sign for over £10k. Seems reasonable for over a million to ask for 2+ directors to verify via MFA.

Always forgive your enemies; nothing annoys them so much.


#7
Originally posted by hobnob:
    You could have a password to prove that this person isn't an imposter, but people aren't good at remembering passwords. Or you could have a "tell me something that only the real Fred would know" conversation.

This is something I've seen suggested a lot recently: have a word or phrase agreed within the family that proves it's you.

It doesn't work very well if you've got elderly parents with memory issues, of course.


#8
Originally posted by vetran:
    Back when we used cheques you needed 2 directors to co-sign for over £10k. Seems reasonable for over a million to ask for 2+ directors to verify via MFA.

This is actually very easy to use.
https://www.microsoft.com/en-gb/secu...henticator-app
Always forgive your enemies; nothing annoys them so much.


#9
Originally posted by vetran:
    Back when we used cheques you needed 2 directors to co-sign for over £10k. Seems reasonable for over a million to ask for 2+ directors to verify via MFA.

I agree with having a process in place so that the directors need to log in and authorise the big transaction. And at that point you might as well enable MFA. However, MFA itself wasn't the issue here, i.e. it was a spoken conversation where the big boss said "do it" and the minion said "Yes sir".

I wonder whether this will affect discussions about people working in the office vs working from home. I.e. if someone is standing in front of you (after swiping their pass to get into the building) then you can be pretty confident that they're the real deal, whereas you don't know who's on the other end of a Teams meeting.
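The control that posts #6 and #9 converge on (payments over a threshold are released only after two or more directors approve in their own logged-in, MFA-verified sessions, and a spoken "do it" on a call counts for nothing) can be written down as a release policy. The following is an added example by the editor, not code from the forum, the CNN article or any vendor's authenticator product. The threshold, the roles, the principals and the two scenarios are constructed for illustration; a real payment system would take them from its own configuration and session records.

```python
"""Dual-control release check for large outbound payments (added example).

Models the policy discussed in the thread: at or above a threshold a payment
is released only after REQUIRED_APPROVALS distinct directors approve in their
own authenticated sessions. Threshold, roles and sample data are constructed.
"""
from dataclasses import dataclass, field

DUAL_CONTROL_THRESHOLD = 1_000_000   # constructed: "over a million" from the thread
REQUIRED_APPROVALS = 2               # constructed: "2+ directors"


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str   # "clerk" or "director"


@dataclass(frozen=True)
class Approval:
    approver: Principal
    channel: str        # "portal": approver logged in and approved themselves
                        # "verbal": an instruction relayed in a call or meeting
    mfa_verified: bool  # the approver's own MFA challenge passed in that session


@dataclass
class PaymentRequest:
    request_id: str
    requester: Principal
    amount: int
    beneficiary: str
    approvals: list = field(default_factory=list)


def _reject_reason(req, approval, seen):
    """Why a recorded approval does not count, or None if it does."""
    who = approval.approver.user_id
    if who == req.requester.user_id:
        return f"{who}: requester may not approve their own payment"
    if approval.approver.role != "director":
        return f"{who}: only directors may approve above the threshold"
    if approval.channel != "portal":
        # A spoken "do it" on a call is not an approval: the speaker's identity is unverified.
        return f"{who}: verbal instruction recorded by someone else is not an approval"
    if not approval.mfa_verified:
        return f"{who}: approval session did not complete MFA"
    if who in seen:
        return f"{who}: duplicate approval from the same director"
    return None


def evaluate_release(req):
    """Return (released, reasons).

    Deliberately absent: the requester's own MFA status. A requester who
    believes the instruction is genuine passes their own MFA prompt, so it
    adds nothing against impersonation of the boss (hobnob's point in #5).
    """
    if req.amount < DUAL_CONTROL_THRESHOLD:
        return True, ["below dual-control threshold"]
    reasons, seen = [], set()
    for approval in req.approvals:
        reason = _reject_reason(req, approval, seen)
        if reason:
            reasons.append(reason)
        else:
            seen.add(approval.approver.user_id)
    if len(seen) >= REQUIRED_APPROVALS:
        return True, reasons + [f"{len(seen)} distinct director approvals on record"]
    reasons.append(f"need {REQUIRED_APPROVALS} distinct director approvals, have {len(seen)}")
    return False, reasons


# Constructed principals and scenarios (hypothetical identifiers)
CLERK = Principal("clerk-01", "clerk")
CFO = Principal("cfo", "director")
COO = Principal("coo", "director")


def impersonation_scenario():
    """Clerk is told 'do it' by someone appearing to be the CFO on a video call."""
    req = PaymentRequest("PAY-1", CLERK, 25_000_000, "BENEFICIARY-X")
    # The clerk records the instruction, but it was never entered in the CFO's own session.
    req.approvals.append(Approval(CFO, channel="verbal", mfa_verified=False))
    return evaluate_release(req)


def dual_control_scenario():
    """Same payment, but two directors approve in their own MFA-verified sessions."""
    req = PaymentRequest("PAY-2", CLERK, 25_000_000, "BENEFICIARY-X")
    req.approvals.append(Approval(CFO, channel="portal", mfa_verified=True))
    req.approvals.append(Approval(CFO, channel="portal", mfa_verified=True))  # same person twice
    req.approvals.append(Approval(COO, channel="portal", mfa_verified=True))
    return evaluate_release(req)


if __name__ == "__main__":
    for name, fn in (("impersonation", impersonation_scenario), ("dual control", dual_control_scenario)):
        released, reasons = fn()
        print(f"{name}: {'RELEASED' if released else 'BLOCKED'}")
        for r in reasons:
            print("  -", r)
```

The first scenario is blocked not because anyone's password or MFA failed, but because no director ever approved in a session of their own; the second is released only once two different directors have done so, and the duplicate approval from the same director is rejected rather than counted twice. That is the separation-of-duties control the thread is asking for, and it sits beside MFA rather than replacing it.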


#10
Originally posted by hobnob:
    I agree with having a process in place so that the directors need to log in and authorise the big transaction. And at that point you might as well enable MFA. However, MFA itself wasn't the issue here, i.e. it was a spoken conversation where the big boss said "do it" and the minion said "Yes sir".

    I wonder whether this will affect discussions about people working in the office vs working from home. I.e. if someone is standing in front of you (after swiping their pass to get into the building) then you can be pretty confident that they're the real deal, whereas you don't know who's on the other end of a Teams meeting.

You know it's going to be the minion's fault. Until the insurance is invalid, stuff all will change.
Always forgive your enemies; nothing annoys them so much.
