I can remember, some years ago, watching a YouTube video that a guy had recorded while he was playing World of Warcraft, the massively multi-player online role playing (MMORG). As the game progressed, he gradually began to realise that he was the only human player and that all of the other avatars in the game were actually controlled by bots. Welcome to the future of financial services.
Bots And Money
The mounting incredulity in that player’s voice as he came to the conclusion—observing the behaviour of the various robo-orcs, bit-goblins, digital dragons and whatnot,—that he was the last person left in the game was fascinating to me. I showed this video at a few seminars and workshops and told people that I found it a more interesting vision of the future of banking than people queueing in a virtual branch in Second Life. The impact bots on that World of Warcraft economy is worth noting. For one thing, it was complicated. Some goods in the game became less valuable because bots were working round the clock to obtain them whereas others became more valuable because “bot mafias” cornered the market.
That poor chap playing alone came to mind when I read the widely reported case of a worker who was tricked into transferring some $25 million after fraudsters using deepfake technology posed as his company’s CFO in a video conference call with what the mark thought were several other members of staff. In fact he was the only human being and everyone else in the video call was a deepfake recreation.
(I’d like to think that if I was in a Zoom meeting with some board colleagues at one of the companies that I advise and the CEO asked me to transfer some money to an unknown third-party, then I might be sufficiently suspicious to Signal the CEO out-of-band and double check the instructions. But I suppose a great many people exist in more hierarchical and structured organisations where this reaction might be seen as expressing disloyalty or disagreement.)
Given the increasing quality of deepfakes, the ease of use of sophisticated voice cloning technology, and the tendency of too many people to turn off their cameras during Zoom meeting anyway, it is no surprise to me to see that enterprising criminals are launching such attacks. Synthetic identity fraud is already one of the fastest-growing cybersecurity threats, accounting for nearly 80% of all identity fraud in the U.S. (and is estimated to cost businesses close to $5 billion this year). With generative AI helping them to scale up their attacks, it is hardly hyperbolic to talk about the tsunami of fraud that it going to wash away trust not only in commerce but in politics and the media as well. We’ve already seen fake videos and phone calls featuring Joe Biden, for example, and are close to the point where we can no longer believe almost anything we see online.
(A recent report that analyzed billions of sessions across various industries and regions found that almost three-quarters of all web and app traffic was malicious, driven by bots and human fraud farms that launched a variety attacks via SMS, the web and mobile phones.)
Since we lack a working population-scale digital identity infrastructure, and appear to lack the will to assemble one, I suppose we’ll just have to get used to mass market mountebanks engaging in large-scale fraud, and just put up with it except in cases where there is a bank somewhere in the loop so that we can make it their problem and force bank shareholders to cough up under something like the Contingent Reimbursement Model (CRM) in place in our United Kingdom. Mind you, the extent of fraud is now so great that going without a practical strategy to attack seems like suicidal approach to a cancer spreading throughout the financial system. Fraud is already more than 40% of all reported crime in England and Wales, yet according to the National Crime Agency it is “largely underreported” with only around a sixth of all incidents being reported to the relevant authorities!
Given the scale of fraud, the billions and billions flowing from the UK (and the USA) straight into criminals’ pockets, it really shouldn’t be that hard to find a business case for a solution. It is not just about money through, a recent report from Visa looks at the the negative impact of authorised push payment (APP) fraud on UK consumers beyond the financial losses. Their research found that one in three of those surveyed reported that their mental health suffered as a result of the fraud and almost half feel at risk of falling for the scam again. Visa call for cross-industry collaboration to fight fraud, with an increased focus on prevention measures. That is, more effort directed towards stopping the money from leaving victims’ bank accounts rather than trying to find the criminals afterwards.
Time For Action
I agree, of course, but it makes me ask the question as to what kind of cross-industry collaboration this should this be. Were we to actually want to do anything about the problem then we should probably start with having some kind of financial services passport, a bank-issued digital identity that would take the place of payer and payee addresses in transactions. In other words we could amend the instant payment infrastructure to allow access to institutions only and give retail consumer and business customers access only via a request-to-pay (R2P) layer or a variable recurring payment (VRP) layer, both of which would deal with digital identities, and not branch, codes, routing numbers and other such relics from the dawn of bank automation.
While consumers would see this switch from sending money to branch XXYYZZ and account 00998877 to responding to a request from £dgwbirch as a matter of convenience and simplicity, under the hood it would be a world of identification, authentication and authorisation using the tried and tested cryptographic techniques. Central to this solution would be restoring trust, so that consumers know that if they send money to £dgwbirch or £tesco or £mancity then the money can only go to the intended recipient. How much would it cost to create this infrastructure compared to the cost of fraud already here, let alone the fraud to come!