British engineering giant Arup revealed as $25M deepfake scam victim (cnn.com)
126 points by gds44 6 months ago | 102 comments



> According to police, the worker had initially suspected he had received a phishing email from the company’s UK office, as it specified the need for a secret transaction to be carried out. However, the worker put aside his doubts after the video call because other people in attendance had looked and sounded just like colleagues he recognized.

Regardless of the sophistication of the deepfake, surely this rings huge alarm bells, right? I'm not even sure I'd be comfortable making secret transactions on instruction from my boss. Even if your boss is actually asking you to do this, how can you have the financial authority to transfer $25M and not the savvy to think that being asked to transfer huge amounts of money in secret isn't going to result in you getting thrown under the bus?


The scammers usually have a slightly unusual, but plausible (and urgent) story.

For example, that they've just closed a deal to buy a startup - a negotiation which was of course conducted in secrecy. It's a startup in another country, which is why we're all out of the office. Timezones are why you've received the request outside of normal working hours. And we've got to, um, close the deal so we can announce it outside of stock market opening hours, for both countries. To close the deal we've got to pay 10% of the 250M purchase price upfront. If you can't get this done within 2 hours the deal will fall through.


Secret doesn't mean illegal. Unless something is illegal, this guy doesn't have any input and it's up to the auditor to verify the legitimacy of the transactions.


Big transactions happen and it's some people's jobs to execute them.


"in secret" is the issue


I guess a scammer can sell it as "we're buying something significant [another company?], this will affect our share price if the info goes out, so you need to sign this NDA and keep this quiet, you're only 1 out of 10 people who knows this...".

They could also sell it as payment for an e.g. consulting firm for the above secret deal...


Secret doesn't mean they can't use internal authenticated communication channels, at the very least to send a redacted confirmation.


Most people historically would consider a video call with the person to be sufficiently authenticated. Yeah, that has changed obviously, but it has changed like today.


No, not today. This has already happened a few times. And even before it happened people warned about this predictable use of the technology. There has been enough time to update policies. Even $employer already did, and I consider their security policies so-so.


You can send out free zoom and Google meet links.

Idk if most people would tell the difference


Arup is a private company


"Confidentiality" is entirely normal; since many deals such as takeovers rely on your competitors not knowing until it's happened, it's not unusual for this information to be restricted within the company on some sort of need-to-know basis.

Authenticating transactions is going to be an increasing problem in the presence of deepfakes, though.


There are many secrets in business, especially in real estate.

Found out, from some "unnamed source", that there will be a new bus stop and a new Aldi store across the street from a building where some apartments are for sale? Don't mention it to anyone, secretly buy them, because their value will go up a lot, and do it discreetly, so other companies don't notice.


That should be classified as corruption/insider trading and punished as such.

In my country that's how politicians and their friends get filthy rich. They know ahead of time where a new highway will be planned so they buy up all the rural land in that area for cheap so that the government will have to buy it from them at inflated prices to build the highway. Then, if a new government comes to power before the highway starts construction and realize they don't have any land where the highway will be built, they cancel the project and re-plan it on another route so that this time they can be the ones getting a cut. So this keeps getting repeated and the country ends up with no highways, but at least some people get obscenely rich.


Insider trading is only when you're the insider. If you happen to walk past a geodetist (land surveyor?) on the street measuring something, ask him what'll be built there, and he tells you, you're still not the insider.

Otherwise I agree, but in my country they do it differently... the government needs a building for X, someone close to someone in the government buys it for e.g. 2mio eur, holds on to it for a year or two before a tender comes out (governments are slow), and 'coincidentally' that building is the best match and the government buys it for e.g. 7mio eur from that guy (and then they split the difference).


Insider trading is not even a crime (in the US). You can buy and sell stock for companies you have a relationship with, whether it's employer/employee or a contractual relationship.

The actual crime is using "Material Nonpublic Information" [1] and it does not matter how you obtained it. So, asking an employee what they're building and they ignore the confidentiality agreement to tell you - nonpublic. Stalking surveyors from public land to find the lots they're commonly around - public.

[1]: https://www.investopedia.com/terms/m/materialinsiderinformat....


Warning: random anonymous commenters on the internet will confidently make claims about all kinds of legal matters. Do not trust them.

> it does not matter how you obtained it

Yes, it does. It's just that it's more nuanced than the naive interpretation would lead you to believe.

> asking an employee what they're building and they ignore the confidentiality agreement to tell you

In the parent's description of this, it is almost certainly the case that you would have no duty of trust or confidence to the person that told you. In that case, it would be fine for you to trade on it (well, assuming you weren't otherwise restricted from such trading).

You can learn more here: https://www.law.cornell.edu/cfr/text/17/240.10b5-1


Did you read your own link? It literally doesn't matter how you obtained it.

> (b) Awareness of material nonpublic information. Subject to the affirmative defenses in paragraph (c) of this section, a purchase or sale of a security of an issuer is on the basis of material nonpublic information for purposes of Section 10(b) and Rule 10b-5 if the person making the purchase or sale was aware of the material nonpublic information when the person made the purchase or sale.

Not a single word describing "how". It's just: did you have nonpublic information?


I don't know what to tell you. You continue to pick out sentences from sources and either assume that there is no relevant context or just make up your own interpretation of it. You can't just read a line like that and make up your own meaning for it. You need to understand those in the context of the rules it's explaining (https://www.law.cornell.edu/cfr/text/17/240.10b-5).

Maybe the law is too dense. Here's another analysis of the law for you to consider: https://federal-lawyer.com/the-ultimate-guide-to-the-federal...

From there:

"federal courts have interpreted Rule 10b-5 to allow for enforcement action when the following four elements are satisfied:

Breach of a fiduciary duty or violation of a relationship of “trust and confidence” in connection with the purchase or sale of a corporate security;

Use or possession of material nonpublic information in connection with the purchase or sale of a corporate security;

Knowing or reckless use of the material nonpublic information when purchasing or selling the corporate security at issue; and,

Reaping a personal benefit as a result of the purchase or sale."

And again, whether there's a duty of trust or confidence to the source of the information is a key factor in whether it can be traded on legally.


The law is complicated, but basically if you're not an insider, information becomes public when you, a member of the public, notice it.

If you're at the airport near Google HQ and you see the CEO of a struggling AI startup arrive and hail a taxi to the Google offices, and you think an acquisition might be on the cards? You're free to trade on that information; anyone in the airport could have recognised that guy.

Some complexity arises because insiders aren't allowed to tip you off. If you're golf buddies with the CEO of a struggling AI startup, and he tells you he made a business trip yesterday and Moffett Field is a great airport? If you figure an acquisition is on the cards and trade on that, it's insider trading.


If your business is easily (commonly?) going to wire $25M across 15 transactions you should have a process in place. This is pretty much the whole point of multi-factor; although I'd argue you want the multi to really represent two people. The requester attests that "yes I want $25M" and the sender attests that "yes I am this person".

The wild west ways of the banking sector are finally catching up to them.


I co-own a lot smaller company, so it was more in the range of 4 figures (euros), but more than once I've been in a situation where I've just signed a deal for some business with some company, called one of the 'hardware guys' from the car (external companies that e.g. import hardware, are distributors for Lenovo/Dell, whatever), got an offer for a set of hardware that we needed (a few servers, etc.), forwarded the email to our CEO, called him (without a faked AI voice in my case... for now), told him "pay this today, so we can get them by the end of the month", and he did.

If someone knew I was negotiating some business that day, phished an email with whatever account number he wanted and AI-faked my voice, he'd get the money transferred.

So yeah... another thing to worry about.


It would be nice if the article had additional details.

Did the email come from within their own domain? A properly set-up domain isn't going to let you spoof their employees, so your emails to the CEO will be authoritative since they came from the correct domain (assuming your CEO checks it's ycombinator.com and not ycombimator.com).

At 4k though I suspect it's not that worthy of a target when you can do the same effort to net 25 million. Although I'm a bit surprised there isn't some internal page to add/remove the hardware requests so that it can be easily accounted for by accounting.


It's a bit surprising that Aldi (and other supermarket chains) generally don't invest in residential real estate.


Over half of Aldi's locations actually belong to them [1]. Keeps them safe from the usual landlord racket.

[1] https://www.lebensmittelzeitung.net/handel/nachrichten/immob...


I think OP meant more in a way where Aldi would buy apartments near their new store, since having an Aldi nearby raises real estate prices (in some specific cases of course).


Who knows, maybe they do :)


That really would be insider trading.


Does insider trading apply to real estate in the same way that it does to securities?

It doesn't seem so different to any mixed-use project where a developer might construct a tower that is partly residential, partly commercial. Pretty sure a lot of large companies purchase residential around any major new HQ they intend to open, too.


Doesn't SAP have a workflow for that?


Maybe high-up workers are asked to do secret/illegal stuff more often than we think.


> Regardless of the sophistication of the deepfake, surely this rings huge alarm bells, right?

It's a company with revenues of a couple of billion that probably subcontracts thousands of other companies on projects around the world. The finance department is probably sending similar payments regularly.

Most payments will be "secret" in that the amounts won't be made public to employees that don't need to know. The company may, for example, be repeating work that has already been done in house, so it doesn't want it known in house which companies are being paid.


I've heard this happening for a local company with about £9 million with a similar email scam. Supposedly, the person who transferred the money was competent and clever. With that amount of money, saying you don't need to ask questions, in part, is very convincing.


Yeah, this would at least cause me to email my boss and say "Can you just confirm, you want me to transfer $25 million to this account? I'll hold off until you give me confirmation in writing"

Hell, I do this if our tester hasn't managed to go over some aspect of our release. That way I get it in writing from the product owner that he has OK'd it, and if he sends me a Teams message I ask him to email me confirmation.


Reminds me of that old urban legend about the trader who ordered the coal futures that eventually showed up as actual coal. In that story there's always an element where the subordinates who have to carry out the transactions have been abused to the point of never questioning his decisions.


There is a very well written version of this from many years ago on the Daily WTF:

https://thedailywtf.com/articles/special-delivery

It is written well enough that I could just about convince myself this actually happened!


Yep sometimes I go so far as printing the email and sticking it in a meatspace folder on my desk. Just depends on how important that sign off really is and the consequences of not being able to produce it.


If you are a boomer company that does not know how online works, then you can also afford boomer-style business class flight tickets to do a secret $25M transaction face-to-face.


I said this over a year ago elsewhere:

Electronic engineers spent decades overcoming thermal noise floors so that humans could communicate over vast distances with small amounts of energy.

AI researchers, in a few short years, undid all that by making computer-generated chatter and images indistinguishable from messages sent by humans.

Until such a time as we live in a Bladerunner-like world of Replicants, being in-person will be the only reliable way to convey a message from human to human.

I'm long on travel and in-person meetings, short on VR and telecoms.


When I'm on a company video call, the people I'm meeting with are logged into their company accounts, through the fancy company authentication system. Large warnings are displayed if there are any external participants, and I wouldn't be surprised if it's possible to disable the ability to even have guests. Third-party video conference software is banned and blocked from installation on work computers.

I am not in the finance department, but in software engineering and operations, two-party controls are everywhere. I can't check in code without reviews. I can't access production systems or make changes without approval from another team member. I would think that similar processes could be put into place for transferring tens of millions of dollars.

In other words, there are ways to deal with this that don't come down to "mistrust all technology and revert to face-to-face meetings and handing cash to each other".


If I was the attacker, I'd use credential-stuffing or something to get access to some random employee's account. Doesn't have to be anyone important.

Then I'd set up a short-notice multi-way meeting between the target, the CEO and the hacked account. The deepfake 'CEO' then turns up with no alarms raised, except one wrong name - easily dismissed as a glitch, or an assistant having booked the meeting.


So your method assumes you can easily take over an employee account? Isn't that the hard part?


Employees are typically the weak point in corporate security.


$10k/week in crypto lets you easily 'hack' a random corporate account


But that CEO account would be marked as (guest/unverified) in Teams or Zoom.


Almost everywhere I've worked disallows external participants on Teams by default. We add exceptions when needed. I don't know if this is standard, but has been at the larger companies I've worked at.


I imagine the people at Arup who fell for the scam were confident in their systems protecting them too.


Isn't it also possible to scam people in in-person meetings by pretending to be someone you aren't? The new thing with deepfakes is that you can pretend to be someone that the victim knows.


Yes but the cost is much higher as is the risk of being caught and arrested.


When you say in-person in that sense, do you mean video call rather than DM?

I took the GP comment to mean truly in-person, like face-to-face across a table


Yes, you can also bludgeon someone to death with a rock, but that doesn't mean it's a good idea for everyone to have nukes.


Scaling up in-person fraud is also much, much harder.


What you said only applies to communication that requires authenticating a party. In most cases that doesn't matter. Voice or video communication used to be inherently unfakeable; now that it is fakeable, we'll just treat it like text comms, relying on secure channels, signing etc.


Human written text has been indistinguishable from machine written text for a very long time. We've still managed to maintain chains of trust to discern legitimate messages with decent success rates.


Or we’re really bad at detecting fraud.


> making computer-generated chatter and images indistinguishable from messages sent by humans.

That's a false dichotomy. "computer-generated chatter and images" ARE messages sent by humans. There are no cases of computers having agency known to me yet. The root of the problem is humans who lie and mislead. Now they merely have more avenues to do so. In the same vein, you could blame the electronic engineers for allowing people to lie quickly and over vast distances.


Not that it changes your point much, but AI research also took decades. It’s just that the last few years are when all these milestones were achieved


Guess what? Cryptography exists.


Cryptographically sign all the things!!!!! A L L T H E T H I N G S !!!!


We need a new ident protocol just for AI. I think that's part of Altman doing that orb thingy with the iris scanner. It's creepy though and I'll never touch those things.


What's wrong with good ol' private keys?


Same as with public transport. You can't have it because it's haram for some political position.


Nobody is anti-public-key crypto per se any more, the US government export control war ended long ago. It's just too much of a hassle to do the key management.


PKI is a pretty old idea. People were trying to deploy it in the 90s. It turns out that managing the issuing and authentication of keys, as well as keeping them secure and if necessary revoking them, is such a huge headache that few organizations have managed to do it properly. It might be possible to do better now with TPMs in laptops and phones; essentially this is why Apple Pay is now slightly more trusted than plastic cards.


The ability to make an infinite number of them.

And that most people have no idea how to verify any ID, so they need a system that turns any given form of ID into a nice and simple "yes" or "no".

I'm not at all clear what kind of ID is going to be genuinely useful for video calls, given we should only be trusting existing contacts anyway? But those things are why "private key" isn't sufficient in isolation.


What's wrong with making an infinite number? You just need to check it against one public key.



Why couldn't a mobile app that everyone uses work for this? The person who wants to verify who they are uses the app, does digital signing, and the other person gets a notification and the certification.


Sure, but that's basically the exact same value-add of Worldcoin, along with a bajillion other similar apps.


Just use a trusted channel?

I mean - we have authentication for bank accounts, why wouldn't that be demanded for transactions like this? Without proper authentication of the authorities there's no way that a transaction like this should be put through.


We're probably ~10 years away from replicants. In 20 years there's going to be millions of Tesla humanoid robots all over the place.


We’ve had millions of robotaxis since 2017


do you have actual numbers? thought it was a couple thousand


The whole point of Replicants is that they look exactly like humans in person. Even if we assume AI and robotics advance 100 times or more in the next 10 years to allow the technical part of this, we are not even close to any makeup and prosthetics tech that could make a robot even slightly resemble a human in-person.

And I have to mention, Tesla robots are way behind the competition, it's not even clear if their robot does anything really on its own, given how much they fake their videos of it with "creative" editing.


If only, you know, we had a simple and efficient way to authenticate messages and emails...


The tech has existed for decades but is clearly not simple.


I know it's a meme and all, but doesn't blockchain solve this? Ok, Mr. Guy who looks like my boss on Video Call, I can send those funds, just sign the transaction with your private key and it'll all be done.


Why do you need blockchain for signing with a private key?


Blockchain does not authenticate the receiver, so there are all sorts of attacks involving substituting the payment address, from dumb (stickers over QR codes) to sophisticated.


That’s a completely different thing though. The problem here is deepfakes where someone pretending to have the authority to send money tells you to send money.


That's just regular Crypto stuff not Cryptocurrency


What I find strange about this is you don't need it to be "deepfake".

Just an inside job.

If a large company allows a single employee to transfer millions to a new bank account/vendor that has no history, on "their belief" the instruction came from an approved person (i.e. their boss, CFO etc) - that company has major governance issues that are not related to deepfake.

Imagine the simpler scenario: an employee transfers millions, knowingly fraudulently, to some people they are working with. They then simply supply some "deep fake" pictures and a story about how it was an accident - and boom, you walk away with millions.

Checks and balances exist for many reasons - deepfake doesn't overcome those by itself. This company is just missing basic steps that would have protected it here.

edit: in fact, it's even more obviously some inside job; put the deepfake aside for a moment. How was the meeting even booked? Their PR person said "none of our internal systems were compromised". So this meeting magically appeared in someone's calendar? Using their internal video system (Skype or Teams or whatever). And the criminals knew to target this person, with enough knowledge of random office people to deepfake them? Come on...


It reminds me of this case of a hypnotised bank teller http://news.bbc.co.uk/1/hi/world/europe/7309947.stm


You're the only commenter using critical analysis, everyone else is just flapping their jaws.

I hate discussing deepfakes. I'm one of the original patent holders of automated actor replacement technology. I developed it for personalized advertising, after having been an actor replacement specialist in a bunch of VFX film you probably saw.

I spent from 2002 to '08 creating a VFX pipeline, with global patent protections, and an ethical guidance that included public education on this fundamentally new technology. Long story short, I needed financing, went to VCs and angels and they were perfectly willing to fund a porn company, but not what I'd planned: an ethical rollout of a sensitive and very powerful technology with many legs, few realize even today.

By '13 I was bankrupt, burned out, and one of my tech partners, a global leader in facial recognition hired me. That's a different story. Actor replacement technology is a fundamental capability with applications far more important than fraud and pornography. But our civilization is far far too immature to realize any of them.


> went to VCs and angels and they were perfectly willing to fund a porn company, but not what I'd planned: an ethical rollout of a sensitive and very powerful technology with many legs

Well, yes, that's kind of what the rest of us have come to expect from the industry. Ethical rollout is always going to take a back seat to raking in as much money as possible. I'm slightly surprised they were willing to touch porn though, not for "ethical" concerns but because it's treated as radioactive by payment services.


It was absurd. My refusals began when they would insist on a technology proof that was creating nude celebrities in an image with them as the 2nd person. It was really amazing. Always guys, unable to contain their glee being horny, and insisting, insisting the company make porn. This was every single VC; I met with all of them. Angel investor groups too. It darkened my view of humanity.


The real issue here is a lack of proper risk controls around business processes involving money. Regardless of whether it's £3 for a coffee or £25m for a secret acquisition, there should be an agreed process that everyone involved in business transactions is aware of, so that if they are suddenly privy to a deal they can navigate and validate the authenticity of their involvement.


This brings up an interesting "risk control" that one of my tech investors personally implemented with his family, in case an audio/video version of him ever asks to do anything crazy: secret passwords, agreed upon in person.


Technically Signal solves this problem with safety codes.

The UI really could stand to be more assertive about what they mean though.


I notice every time somebody gets a new phone because it says "Your safety number with x has changed" but whenever I've spoken about it with friends, they have no idea what it means. An additional sentence could help here, such as "You might want to double check that you're really talking to x" or the classic "It's possible someone is doing something nasty". Although I understand that this would definitely scare a lot of people, maybe even push them into thinking Signal is insecure.


With £25m there ought to be at least two people required to authorise the transfer.
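The two-person, identity-attested release that this comment, the earlier one about multi-factor really meaning two people, and the one about two-party controls in engineering all argue for, written out as an added example that is not from the thread or from any company it names. The directory, channels, threshold and phone numbers are all constructed; the call-back control follows the "call them back on the usual number" suggestion made elsewhere in the thread.

```python
"""Dual-control release check for an outbound payment (added example).

Encodes four controls: the instructing person's identity must come from an
authenticated channel, not from looking and sounding right on a video call;
above a threshold a second, distinct person must approve; both must attest
to the same amount and payee; and a new payee needs a call-back to the
number on file. Everything below is constructed/hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed directory of principals with the phone number on file. The
# call-back must go to this number, never to one supplied in the request.
DIRECTORY = {
    "cfo@example.com": {"phone_on_file": "+44 20 0000 0001"},
    "treasury.a@example.com": {"phone_on_file": "+44 20 0000 0002"},
    "treasury.b@example.com": {"phone_on_file": "+44 20 0000 0003"},
}

# Channels that carry an authenticated identity (SSO-backed), as opposed to
# ones that only carry a claim: a video call, a plain email, a voicemail.
AUTHENTICATED_CHANNELS = {"sso_portal", "signed_email"}

SINGLE_APPROVER_LIMIT = 50_000  # hypothetical threshold, in pounds


@dataclass
class Attestation:
    principal: str         # who claims to be attesting
    channel: str           # how the attestation reached us
    says_amount: int       # the amount this person attests to
    says_beneficiary: str  # the payee account this person attests to


@dataclass
class PaymentRequest:
    amount: int
    beneficiary: str
    beneficiary_is_new: bool
    requester: Attestation
    approver: Optional[Attestation] = None
    callback_confirmed_via: Optional[str] = None  # number actually dialled


def _authenticated(a: Attestation) -> bool:
    return a.channel in AUTHENTICATED_CHANNELS and a.principal in DIRECTORY


def release_decision(req: PaymentRequest) -> Tuple[bool, List[str]]:
    """Return (release?, reasons). All failed controls are listed, so the
    operator sees every gap rather than only the first one."""
    reasons: List[str] = []
    # Control 1: the requester's identity must be authenticated.
    if not _authenticated(req.requester):
        reasons.append(f"requester identity not authenticated ({req.requester.channel})")
    # Control 2: above the limit a second, different person must approve.
    if req.amount > SINGLE_APPROVER_LIMIT:
        if req.approver is None:
            reasons.append("amount exceeds single-approver limit; no second approver")
        else:
            if req.approver.principal == req.requester.principal:
                reasons.append("approver must be a different person from the requester")
            if not _authenticated(req.approver):
                reasons.append(f"approver identity not authenticated ({req.approver.channel})")
    # Control 3: what each party attested to must match the instruction itself.
    for role, a in (("requester", req.requester), ("approver", req.approver)):
        if a is not None and (a.says_amount, a.says_beneficiary) != (req.amount, req.beneficiary):
            reasons.append(f"{role} attested to a different amount or beneficiary")
    # Control 4: a new payee needs a call-back on the requester's number on file.
    if req.beneficiary_is_new:
        on_file = DIRECTORY.get(req.requester.principal, {}).get("phone_on_file")
        if req.callback_confirmed_via is None or req.callback_confirmed_via != on_file:
            reasons.append("new beneficiary not confirmed by call-back to the number on file")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed scenario shaped like the article: one worker, instruction
    # delivered on a video call, new payee, no second approver.
    video_call = PaymentRequest(
        amount=25_000_000, beneficiary="NEW-ACCT-01", beneficiary_is_new=True,
        requester=Attestation("cfo@example.com", "video_call", 25_000_000, "NEW-ACCT-01"),
    )
    print(release_decision(video_call))
```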


How cool is it that Zoom is capturing our data and using it to train their "AI" efforts? Perhaps nobody in the world is better positioned to completely disrupt nearly every tech-using company, by emulating our C-suites, and ordering us to drain everything. Imagine the Robin Hood shenanigans they could get up to! Or the evil supervillain shenanigans! Who cares, really. The future is so fun!


I think the underlying problem is cultural: people have been conditioned to expect others to authenticate them (give me the last 4 digits of your SSN, tell me the last two transactions on your account), BUT they haven't been told they need to authenticate others. They just aren't thinking "how do I know this is who I think it is? How do I know they haven't been kidnapped?".


My personal protocol with my bank when they ring me is for me to call them back.

The bank workers are normally quite understanding - except when it is someone from fraud detection (and yes, these are legitimate calls) and they tend to get oddly defensive that I won't hand out my personal information.


I think one way to verify legitimacy is by calling back. For example, "Ok boss, just protocol, but you wouldn't mind if I call you using your usual number?" (or just do it without informing in advance).

Ideally they screen-record (can you do that on Android/iPhone?), so at least if it's really a scam, they can say "but I followed protocol, here's the evidence".

Btw we once had a similar scam attempt. "The CEO" emailed Finance in great urgency to transfer money. Good thing the CEO was sitting next to the Finance lady. I was sitting next to them watching the horror turned comedy.


Learned recently my mid-sized company was also targeted. The CFO first received a (fake) call from a lawyer asking to confirm a transaction, then later a deepfaked voicemail from the co-founder mentioning that same transaction. It apparently all sounded very real. The attacks are becoming very targeted, customized and elaborate. Very far from the Nigerian prince emails written in poor English...


The article lacks details to discuss this particular incident. This could reasonably be a company with poor governance, insecure configuration and authentication - and then this is a non-story. OTOH, with the amount of money in question, a sophisticated attack is absolutely believable, and even 2FA and better process governance will help you out. Maybe a PKI does, but as always, it depends.


It's not Bitcoin, so the transaction has been reversed since then, right?


Previous discussion (from when it happened but before the victim company was named): https://news.ycombinator.com/item?id=39248649


[flagged]


Explain your reasoning for this. I work in the office, but the vast majority (98%) of my meetings are on Teams or Zoom. When you work in a company with multiple locations (and in different countries), working in our assigned office isn't going to help at all.


Half my colleagues are in a different office on the other side of the world. There is no one single "office".


Maybe just the people that can move $25 million should be in the same room, the rest of us can keep the 12 second commute down the hallway.



