Reply to: Finance worker pays out $25 million after video call with deepfake CFO

You know its going to be the minion's fault. Until the insurance is invalid then stuff all will change.

I agree with having a process in place so that the directors need to log in and authorise the big transaction. And at that point you might as well enable MFA. However, MFA itself wasn't the issue here, i.e. it was a spoken conversation where the big boss said "do it" and the minion said "Yes sir".

I wonder whether this will affect discussions about people working in the office vs working from home. I.e. if someone is standing in front of you (after swiping their pass to get into the building) then you can be pretty confident that they're the real deal, whereas you don't know who's on the other end of a Teams meeting.

This is actually very easy to use.
https://www.microsoft.com/en-gb/secu...henticator-app

This is something I've seen suggested a lot recently - have a word or phrase agreed within the family that proves it's you.

It doesn't work very well if you've got elderly parents with memory issues, of course.

Back when we used cheques you needed 2 directors to co sign for over £10k. Seems reasonable for over a million to ask for 2+ directors to verify via MFA.

In this case, I don't see how that would help. The person who transferred the money didn't have their credentials stolen (e.g. nobody guessed their password). If the system had prompted them for MFA, they would have typed in the code from their app, because they thought that the transfer was legitimate. The problem was that they were tricked by someone impersonating their boss.

There's a fairly common scam where people get text messages saying "Hi Mum, I've lost my phone, please can you send me some cash." There's a targeted version where the child's voice can be faked (e.g. if they've done podcasts or YouTube videos for the AI to learn from), which would then make it more convincing.

You could have a password to prove that this person isn't an imposter, but people aren't good at remembering passwords. Or you could have a "tell me something that only the real Fred would know" conversation.

20+ years ago I had MFA as standard for remote access. Why not have a similar protection for large transfers. people are stupid.

It is surprising when you talk to people how many companies still don't have an authorisation process for transactions.

They presume that people dipping their hands in the till will do it for small amounts not a few thousand at a time.

seems security isn't. You would assume they would have some sort of authorisation process for significant amounts.