2018: the year of the AI-powered cyberattack

From WannaCry to Equifax and Uber, the major data breaches that plagued 2017 were a wake-up call for corporations where security systems were lax. This past year has seen a rise in automated bot attacks and bore witness to the first AI-powered cyberattack detected in India, where machine learning was used to study patterns of normal user behavior within a company’s network.

If these developments are any indication, it’s that 2018 will not only be a worse year for data breaches, but the year of AI-powered cyberattacks, which makes prevention more difficult. In order to successfully combat these attacks and prevent larger-scale breaches, here are some trends we can expect to see take shape in 2018.

1. Reliance on centralized systems will drive the need for decentralized AI

AI platforms that hoard millions of users’ private information are experiencing data breaches due to the reliance on unsecure centralized servers, which act as easy targets for hackers to access sensitive information in bulk.  Recently, the AI.type keyboard app that learns users’ writing styles to create a personalized messaging experience suffered a leak that exposed 31 million Android users. Hackers were able to gain access to their server containing user’s names, emails and exact location, along with how long the app had been installed on their device.

Right now, AI platforms help to concentrate power in the hands of those few organizations which are able to source, process and store large amounts of data. As a result, developers and security teams will need to shift to a decentralized approach where AI can digest large amounts of information and then distribute that data to multiple devices as opposed to a single database or entity. 

2. Continuous KYC (Know Your Customer) will be more important than ever

Today, banks and financial apps use knowledge-based authentication (KBA) to verify a user accessing the service based on static data (i.e. security questions, date of birth) and dynamic data (compiled from public and private data pulled from marketing data, credit reports and transaction history). This method of authentication is outdated as these knowledge-based questions are easy to guess or already breached via social media or central servers. These questions are also a burdensome and time-consuming experience for users. 

In countries like Mexico, where the government mandated that all banks onboard their new clients digitally in 2018, there is now a huge push to ensure every aspect of the banking process is transitioned to laptops and other digital devices.

In India, the government is implementing a unified ID program called Aadhaar, forcing every citizen to shift to mobile. In both scenarios, not everyone is tech savvy, meaning that governments, financial institutions and even organizations in other industries will need to adopt a KYC mentality from the beginning to understand what their consumers need in order to make processes as seamless as possible, while adhering to government regulations.

For instance, the mobile banking app Monzo will ask clients to send a photo of their ID along with a self-video for authentication rather than requiring they bring a passport to a physical location. KYC needs to be an ongoing process that begins when you sign up for your online account and continues throughout the course of that customer relationship.

3. Humans versus bots: automated bot attacks will continue to make a splash

The rise of ecommerce and the shift to a mobile-first society plays a significant role in the state of cybersecurity. Fraudsters are moving their attacks to other vectors on a daily basis, making it almost impossible for security teams to model attacks and attack behaviors.

With the rise of AI, AI is teaching bots to be more human-like. Mobile bot farms where bots are implemented on many thousands of devices to appear more human-like are just one example – making it more difficult to differentiate between real users and non-users, and humans versus bots.

Another method is card-not-present fraud, where a payment is made using a credit card number online without the need for a card to be physically presented by the cardholder at the time of the transaction. In either case, once a fraudulent account or device is blacklisted, the individual behind it will simply create another account and change the behavior, leveraging the clear gaps in the system.

Traditional machine learning approaches currently used to combat fraud are ineffective. Such approaches only focus on known fraudulent behaviors, rather than continuously adapting and learning as fraudsters change their attack patterns. The future of authentication lies in building personalized user models that detect any deviation from normal, or “good” behavior in a manner that will be virtually invisible to the end user. Otherwise, automated bot attacks will only increase in 2018 not just from a desktop perspective, but also from a mobile one.