How can businesses protect themselves against deepfakes? In this episode, hear how a key player in the banking industry is taking steps to securely verify its user identity amidst AI-generated deepfakes.
How can businesses protect themselves against deepfakes? In this episode, Simon is joined by Ahron Geminder, Global Head of Digital Identity, Wealth & Personal Banking at HSBC, to discuss fraud detection and prevention in the banking industry. They dive into how AI is changing the landscape, the imminent challenges presented by deepfakes, and how to take a black mirror approach when thinking about potential issues.
---------
“If you want zero fraud, then you have zero customers.”
“Deep fakes are going to become the norm. I think it's going to become a lot more prolific than we have right now. I think prevention for deep fakes is probably going to be one of the biggest challenges that most companies are going to face.”
---------
Time stamps:
(01:15) How is the fraud landscape changing?
(05:03) The impact of bias and familiarity
(06:22) Finding the balance between prevention and user experience
(12:58) Organized fraudsters versus lone wolves
(17:46) Challenges across the industry from generative AI / deep fakes
(21:34) The Black Mirror Approach
(23:50) What does Ahron see coming next?
---------
Ahron Geminder on LinkedIn
Simon Horswell on LinkedIn
Onfido’s Identity Fraud Report
[Subscribe to the Podcast]
On Apple Podcasts
Simon Horswell: [00:00:00] In this episode I'm joined by Aaron Geminder, Global Head of Digital Identity, Wealth and Personal Banking at HSBC. For those who may not know, HSBC Group is a financial institution that serves over 40 million customers, ranging from individual savers and investors to some of the world's biggest companies and governments.
Their network covers 64 countries and territories. As Global Head of Digital Identity, Wealth and Personal Banking, Aaron is responsible for creating products and processes that prevent fraud, meet compliance requirements, and meet the expectations of their customers. He does all that while focusing on leveraging capabilities from leading third party vendors.
for HSBC's Wealth and Personal Banking business. But first, a word from our sponsor.
Narrator: Inside the Fraud Lab is brought to you by Onfido. Onfido's [00:01:00] real identity platform is trusted by thousands of businesses to stop fraud and know their customers. Their AI powered identity verification means businesses can securely and seamlessly onboard customers anytime, anywhere.
Simon Horswell: Hello and welcome to the show. I'm Simon Halswell. Aaron, thank you for being here with us today.
Ahron Geminder: Absolute pleasure.
Simon Horswell: I've been meaning to get you on for ages. Um, so let's just dive right in. The kind of thing I'm interested in is how is the KYC and fraud prevention environment, well, you've been in this business for a while, how have you seen it change at HSBC?
Ahron Geminder: The landscape is changing a little bit in terms of the introduction and, not even introduction, but drive towards digital and doing things more from a digital perspective. I mean, it, it, it goes without saying, you know, banks are closing branches around the world [00:02:00] because customers are choosing to interact with us more digitally.
With that digital interaction comes a greater risk of, of how we manage that, that, that digital interaction. Yeah, the fraud landscape is changing a little bit in the sense of, of, of the access to technology that people have, that they never have before, our dependence as a business on that technology and how that can then be exploited.
I think what's also interesting that we're seeing is. The type of technology that people have access to today is very different to what they would have had five, 10 years ago. So the ability to, to do things, um, in a slightly easier and cheaper way that maybe wasn't available in the past has now become a lot more easily and a lot more accessible to a lot of people.
Simon Horswell: Yeah, I think one of the biggest things obviously is that introduction, that onboarding process. So previously you would have to go down to a bank in person with your documents, have someone down there vet you, [00:03:00] and now we're looking at remote introductions, remote onboarding, where you have access to the bank to join up 24 7 and there's no limit to the number of people that can squeeze into that time period.
Ahron Geminder: Absolutely, but I think what we need to remember is that the technology is also helping here. So the example I use quite a bit is, you still have the ability to go to an HSBC bank branch in whatever country you live in where we operate, and you can go in and open up an account. And the person behind the counter is going to get Your ID documents, and they're going to have to verify that ID document themselves based on some prompts and some information that are given to them, but it's a little bit harder, whereas now we're able to use technology in such a way that we can verify that document to a much greater degree of certainty that that ability for you as a person to have to depend on training and knowledge.
As an HSBC staff member can be [00:04:00] replaced by technology that is trained really, really well to determine not only if the document that the person is handing to is genuine, but it's something, you know, the example I give, you are a, you know, you're in a bank branch in California and someone walks in with a Florida driver's license.
How do we know that you've ever seen a Florida driver's license? And how were you ever to then know, not only have I never seen it before, how are you supposed to know that this is absolutely genuine and not. A fraud. Um, whereas there are systems out there now that can do that. Yeah,
Simon Horswell: it's um, access to that wider range, that encyclopedic knowledge of documents that you don't tend to get at a local level or an in person level.
I think, yeah, that's definitely one of the advantages of the system that's coming to play now.
Ahron Geminder: I think the other bit that we also forget is bias as well. Yeah. So we know that human beings are inherently bad at recognizing human beings they don't know. And That moment of say, you know, not only do you look [00:05:00] like, again, you walk in, you hand in a document that might be, you know, 9, 10 years old, or a photo that might be 15, 20 years old, and say to somebody you've never met before, Is this me?
And that person has to go to a high degree of certainty that yes, I believe this is the person in the photo or not. That's, that can be hard.
Simon Horswell: Yeah. Well, this is, I think, kind of my time in border control. It highlighted how difficult some of these things could prove to be. And then you're asking someone who works on the front desk at a bank to do that, they don't have the same experience, and again, drawing from, um, my time in immigration, um, what you would always find, kind of across the board internationally, was the highest detected fraud document for any country would be their own national documents, because it was the ones they were most familiar with, so those were the highest pickups.
Yeah. And I think, you know, what you're talking about there is the same kind of thing. You get very used to your local documents because you're familiar with them, you probably [00:06:00] have one. Um, but when someone presents you with something that's, you know, further away from the beaten track, then, yeah, it can present, um, those particular challenges.
Moving on from this idea, if we're in this remote environment now, but as you say, sort of, we've got to find this kind of balance as well. We want the prevention of fraud. And this is a very, as you say, a different environment. We do have some pluses. We do have some minuses as well, though. But I think kind of one of the things I like to talk with people about is the finding that kind of balance between fraud prevention, but also at the same time, a good customer experience.
Now, how have
Ahron Geminder: you found that? It's a very complicated tightrope to walk, if I'm being honest. Yeah. I think, um. We talk a lot internally about the concept of necessary friction. It's about ensuring that you are minimizing the friction for the good guys, you're maximizing the friction for the bad guys, and you're always going to have to try and get that balance right.
So it doesn't necessarily [00:07:00] mean that if you're a good guy. You're not going to get any friction, but it's about making sure that the friction is there at the right time in the right place. So, for example, if you're going and you're logging into your bank account to check your balance, minimal friction, if you are adding a new beneficiary, maybe a little bit more friction, but then if you are logging into your bank account at a time when you've never done so before, um, you're now adding in a new beneficiary and you're transferring your entire life savings to that beneficiary, that is something that needs to come with a.
And that is ultimately to ensure that you are safe, your money is safe, you know, someone is not trying to impersonate you, someone hasn't got control of your account for some reason, and it's just trying to find that right balance. I think you and I have a very similar mantra that we've spoken about before, which is if you want zero fraud.
Then you have zero customers. The sheer acts of opening up a service at a bank to [00:08:00] customers means you are opening yourself up to fraud. And it's finding the right balance of how much you're prepared to accept versus how much you need to lock down and how much you need to shut down. And that's a constant balancing game for us.
Simon Horswell: One of the things I always find interesting is where people tend to draw the line in terms of what's necessary friction. Because I think that there does come a point where, certainly as a consumer, you want some friction to give you that sense of security that, oh, that's good, I wouldn't get swindled, or the bank in this case is actually looking in my best interest and trying to protect me, right?
Ahron Geminder: Yeah, absolutely. I think where it also becomes complicated, though, is What that acceptable level of friction might be different for different people. Yes. So you have the average person and you know, the interesting thing is you look at the amounts of money that is the cap on when you want to. Use a tap and pay system [00:09:00] of a hundred pounds.
You do some research and you'll find that a lot of people find that that might be too much. Some people find it's too little. So for us, we're looking at what is the right level? For example, if you want to do a transfer to a new beneficiary, what is the number that we need to think about of when we need to trigger that higher friction?
Is it standard for everybody? Is it bespoke depending on your own customer profile? And your, your baby, your customer balance, but at the same time, then who says that somebody with a very high balance is not going to be very nervous about 50 going out of their bank account. Yeah. It's, it, that's where the trickiness starts to come into it is that we know that the friction has to be necessary and we know it has to be present.
But how much, and for who, then becomes really complicated. So,
Simon Horswell: I mean, that does present quite a big challenge, it's, it requires you to have a much more kind of personal [00:10:00] understanding of how each of your clients is, how they operate, or how they work. Um, or I think what you touched upon earlier, I think is probably one of the more salient points as well, is the context.
So, you know, if I'm swapping money between my and my spouse's accounts, I, I might do that quite regularly, so that's not a big surprise. But certainly, you know, when you transfer to a new beneficiary, yes, that's definitely a point where you want that reassurance. But again, that could, that can be inconvenient in certain circumstances depending on how many checks there are.
So, I mean, we, What would you say are sort of some of the harder decisions when it comes to that, and what are the consequences?
Ahron Geminder: So I think the decisions are, are always going to be complicated in terms of, of, of how much, I think, for me personally, the decision you need to figure out is how much to put on versus how little.
And The true consequence is somebody who feels that their money is safe now suddenly feels their money is not safe. So, you know, we've [00:11:00] got, we've got guarantees in place and, you know, if you are a true victim of fraud, your money will, will, you know, more than likely be reimbursed. But even then, it feels like something has been taken, like that little bit of confidence has been, has been robbed from you more than anything else.
You know, you go and you talk to people that have suffered a burglary at home and they'll say to you openly that all my things are going to be replaced. But I suddenly don't feel safe in my own home. It's that, it's that kind of belief that we, that we're always worrying about now that, yes, someone may, may steal some money from you and you'll get that money back, but you still feel rattled and still feel shaken and that's the bit we need to try and, and, and preserve.
Yeah. At the same time, I'm the first one to admit, I've had examples where I've had a payment declined through, for no fault of my own, and it was, Because of fraud prevention, there was something that happened that triggered a system somewhere along the line, and I got quite irritated about it, because I'm going, well, obviously it's me, what's going on?
Immediately in the heat of the moment, all you're going is, this thing I [00:12:00] want, I've now had some kind of issue. The concept of a payment being declined is embarrassing. And at no stage do we think, it might have been for my own protections. Um, so yeah, trying to find that balance becomes really, really
complicated.
Simon Horswell: So, you and I both have a keen interest in fraud, in fraud prevention, in the detection of fraud. And I think one of the things that we've spoken about before is the fact that you've got your Let's call it your more organized fraudsters as opposed to your lone wolves, your individuals. How have things changed in your perception of the sphere that we're working at the moment?
Do you think there are more fraud rings operating at the moment or more individuals? What
Ahron Geminder: are you seeing? Unfortunately, I think there's been probably an increase in both, if I'm being honest. I think the increase in professional fraud rings is one that's always been, been a major, major concern. But I think probably since the pandemic.
You know, the lone wolf fraudsters, the guy who's trying something on his [00:13:00] own, has started to rise up a little bit more, but bizarrely, once everyone started going back to work at the end of the pandemic, fraudsters and professional fraud rings started going back to work as well. You just have to watch, you know, certain documentaries and certain shows.
I mean, the BBC does a great show with, with fraud interception and you're seeing the kind of outfits that are out there in the world, geared entirely towards exploiting people's, you You know, vulnerabilities, exploiting someone's, you know, sense of security or sense of perceived security, and it's all geared towards a job.
And I think it's something that people tend to forget, and it's really important for us to all remember that all of us, you know, most of us will go out every day, and you have a job to do, and you are good at it, that's why you have that job, and it's, you know, you practice it, and you hone that craft, and, and, You know, it's something that, that you apply a lot of skill, a lot of time to improve upon for somebody who is a professional fraudster.
That is their job. Their job is to beat the systems we're creating. Their job is to [00:14:00] conceive and deceive people. And we need to remember that. That's who we are ultimately up against, and as somebody who is doing this as a job, just as you and I are doing our jobs on a day to day basis, it becomes quite scary.
Simon Horswell: If there is a distinction, which one do you think you're more worried about of the two, the organized rings or the lone wolf? I
Ahron Geminder: think worried for different reasons. So I think the organized crime rings, you always have to be worried about the scale, the complexity that they bring to this, to this environment, the ability that they have to, to learn about your own preventions at a mass rate.
But at the same time, you know, someone said to me the other, someone asked me the question the other day of what is more concerning, a person who has come in and committed fraud or tried to commit fraud and no fraud losses are made, or somebody [00:15:00] who has come in, tried to commit fraud or tried to beat some of our systems and fraud losses are made.
And I said, the lone individual with fraud losses, you can, you can kind of gear up for that. The individual person, and in my head I'm going, the, the guy who wants to try and crack a system. To create some form of personal credibility, to then post that on the dark web, share with everybody what they've been able to do, that terrifies me even more, because that's somebody that then, you figured out one thing, not for money, you figured out for, you know, a, Longer ranging credibility, and yeah, you'll sell that, and then everyone else comes in, and then the flood follows after that.
That's the bit
Simon Horswell: that's quite scary. See, for me, I think they're both dangerous. I agree. I think the, the, the lone wolf operation is very agile. There is that kind of, there's a different motivation, um, but then at the same time, if you're talking about an organized ring, then potentially you're [00:16:00] talking about a different level of investment, and sometimes that level of investment can be the key to cracking certain locks.
But of course, you know, one of the things you, that previously we would have said about the organized ring is the ability to scale up, and your loan operator doesn't have that. But obviously the changes we've seen. Certainly with generative AI and other elements in technology have meant, certainly over the last 12 18 months or so, we've seen the lone individual is now able to operate at scale as well, which presents a much more dangerous proposition.
But that kind of leads me on to the next topic I wanted to talk to you about as well, and this is the challenges that We are now facing, across the industry, from generative AI. What are your feelings on that? What have you noticed? What have you experienced? What are you
Ahron Geminder: hearing? I think it's, we are at the very edge of a, of a precipice.
And I think it's going to, to become, like, [00:17:00] someone said to me the other day, do you believe that That we will ever face, you know, issues with deepfake. So I'm like, it's not an if, it's a when. They are part of our day to day world now. I think they're going to become a lot more prolific. I think if I take myself just slightly outside of banking for a moment, and I look at the wider world, I think we're about to have numerous elections this year.
Simon Horswell: The most elections I think we've seen in any one year
Ahron Geminder: this year. And it's, it coincides with also a year where suddenly the creation of deepfakes, and deepfakes easy, but deepfakes to a high fidelity, also quite easy, and I think as a society, we're going to learn very quickly how to manage that, and suddenly that moment of going, I'm having, I mean, for a while You know, we've known that you have a voice conversation with somebody and you aren't really sure if that's the person you're talking to.
Now, the next step up is you're going to have a video conversation with somebody and you won't really be sure that [00:18:00] that's the person you're talking to. I mean, for me personally, with my loved ones, um, especially the ones I don't see very often. We have just that little bit of a moment of going, listen, just when I give you a call.
And if I, you know, start saying things that seem a bit weird, or something is a bit strange, just have a verification question. Just,
Simon Horswell: yeah, I was going to say the verification question. I think other, other families have got things, uh, one of the suggestions being a code word, something similar like that, that you can just drop in.
But it will get in conversation. Yeah. Yeah. It gets quite espionage at that point. Nowhere, we all know the password.
Ahron Geminder: And I think the scary thing, though, is also that point of going, like, really? Is this what, what, what has become? And that point of, of, you know, a lot of times you think, well, we're creating this technology to help us.
Um, are we really that helpful?
Simon Horswell: Well, I, I, the, the thing I've been saying about this, because I feel that, um, Certainly in the press at the moment, there's a lot about generative [00:19:00] AI, and there's lots of conversations, particularly about deepfakes, and the two terms are kind of linked hand in hand when they're heading towards the headlines.
But I kind of feel that they demonize generative AI quite a lot, and that kind of, I draw the analogy of, generative AI is a tool, in the same way as, If there's a car accident, do I blame the car, or do I blame the driver? You know, if I've got a hammer, I can build something with a hammer, or I can destroy or injure someone with a hammer, and it's not the tool itself, it's the use that it's being put to.
And that's kind of the way I see generative AI. It does have It does present some very real challenges that we have to try and reel in quite quickly and find a way to cope with, but at the same time, it's potentially an incredibly powerful tool for the rest of our lives. I mean, I think a lot of people overlook the fact that in banking, you guys have been using AI for quite a long time behind the scenes anyway.
Yeah, absolutely. You know, it's not a new tool as [00:20:00] such, it's just, it's becoming more and more, uh, complex or, well, easy to use, but able to handle much more complex tasks at scale.
Ahron Geminder: Yeah. Completely agree. I think, I think it's interesting for me and I, and, and to touch on, on, on what you said now, I think people generally get nervous about what they don't know.
I think there are aspects of AI that have been positioned in a way to make people nervous already. And there was a great article I read a couple of months ago, where someone was talking about. New technology and the genuine fear for people that technology was going to come in and take people's jobs and Rob them of livelihoods and, and really threaten out a way of life.
At the end of the article, the person says, by the way, this was written in the 1980s. Talking about the advent of the personal computer.
Simon Horswell: I was going to say, talking about PCs. Yeah.
Ahron Geminder: And suddenly that moment where you go, no one has lost their job over a PC. If anything, more jobs have been created. Yes. And I think AI has that genuine ability.
[00:21:00] But again, there's a process that I do with my team. And we talk about the The, the black mirror approach and what it is when someone has an idea, we go, okay, you run through that idea and that's amazing. We'll have a separate session with everybody going, right. What we're now going to do is we're going to take this idea and we're going to put it up against the black mirror and go, right, how can this be used?
In a nefarious way, how can this be used in a way that none of us would have ever possibly imagined? And it's open season, you can go, for lack of a better wording, as dark as you possibly want to, because you need to realize that someone out there will come up with a way to turn this into something bad.
And there have been a lot of ideas we've had that you walk away going, and we say, if you can't think of anything, then you're not thinking hard enough. Correct. There has to be something. And at the end of the session, you then go, right, does the good outweigh the bad? And with a little bit of the bad we can come up with already, what can we do to minimize that and to try and mitigate that?
And that's had [00:22:00] an interesting approach. And even with AI, we're looking at the same thing of, yes, there are some remarkable things we can do with AI. But there are also things that can be done using AI for bad, as we can see with things like deepfakes.
Simon Horswell: Well, I find this idea of sitting down and having a Black Mirror session, I think everybody should be doing that.
I think it's a fascinating idea. Well, I mean, this brings me on nicely to the next topic, so We've talked about Gen AI and your idea about the black mirror, and to me the black mirror is kind of like looking to the future, how could this all play out? What I like to do towards the end of our conversations generally is ask people to chance their arm, put their name and reputation on the line.
No, um, no, no, but I'm wondering kind of what kind of things do you see happening? What do you see coming up next? What do you see happening over the next few
Ahron Geminder: years? So I think, as I mentioned, Deepfakes are going to become the norm. I think it's going to become a lot [00:23:00] more prolific than we have right now. I think prevention for deepfakes is probably going to be one of the biggest challenges that most companies are going to face.
And I think it's not just Banks or financial institutions. It's not just companies that are doing remote ID verification. You're going to get, you know, those moments of is the person in the video call that I'm interviewing, the actual person I'm interviewing is the person I've hired, the actual person I've hired.
I mean, just think of that concept that you hire somebody, you, you, you're a fully remote company and you hire somebody and the information they've provided you from. beginning to end is entirely fake. What are the implications then for you as a business? So I
Simon Horswell: think there's even been reports of at least, I'm sure there's been one story that I'd read about where someone had actually used a deep fake to complete a job interview on behalf of somebody else.
Ahron Geminder: If that's what you're hearing now, that probably tells me about a hundred or a thousand are being done [00:24:00] that we haven't heard of, and that's the real nervousness for me, that we're going to be in a position where there are new things coming that we're going to need to figure out how to tackle very quickly, and it's all very much going to be around where AI is going to be influencing and impacting our lives.
Um So, from a, from a security perspective and from an ID verification perspective within the bank, that's one of the key things we're looking at. What can we do that is protecting ourselves against deepfakes, but at the same time not putting a whole raft of unnecessary friction in front of the customer.
And, the problem is at the same time, it's similar in my opinion to certain aspects of social media. The boat has sailed. You can't reign it back in. We're not in a position now where we can say, well, actually, we're going to get customers back to branch. It doesn't, it doesn't work that way. You're not, you're not able to do that.
The boat has sailed on, on remote verification and remote onboarding. Now it's down to how you make sure the boat doesn't sink and [00:25:00] how you make sure that you are strengthening yourself as much as possible with the attacks that you're going to be getting. And for me personally, what I would say to anybody is, if you haven't had a deepfake attack, Then, you
Simon Horswell: know, check, because you probably, because you
Ahron Geminder: probably have, um, and if you're not preparing yourself for it, then.
You, you better start, because you're probably already too late in preparing yourself for
Simon Horswell: it. So, I mean, is this what keeps you up at night? Is this the only thing that keeps you up at night?
Ahron Geminder: Oh, there's, there's plenty that keeps you up at night. But, um, that's probably one of the, yeah. But that's, that's probably one of the big ones.
The other one that we always have to be, be conscious of, which is not, we've been dealing with it for a very long time, is state sponsored action. In the space as well, you know, we talk about the professional fraud ring and we talk about the, the amateur fraudster, but at no stage are we thinking about.
Governments and, you know, large [00:26:00] institutions using this type of technology in a nefarious way. And that's the other bit that we're constantly thinking about, you know, the, the fraud ring with, with, you know, well resourced, but not infinitely resourced compared to, you know, something that's got government backing.
That becomes very scary. Sleep well, everybody.
Simon Horswell: If I wasn't thinking about that before, I certainly am now. Thanks, Aaron. Wonderful. And how could anyone reach out to you if they needed to, if they wanted to get in touch and talk to you about any of the topics we've discussed today?
Ahron Geminder: Yeah, feel free to reach out to me on LinkedIn. Follow me on LinkedIn, send me a message.
Um, I try to be quite responsive. But yeah, just feel free to reach out to me. I'm happy to, uh, to help answer questions that anyone may have.
Simon Horswell: Aaron, I've been looking forward to this. Thank you so much. You've been, uh, you've been wonderful today. Um, it was a pleasure talking to you and I hope We get you back on here again at some point.
Amazing.
Ahron Geminder: [00:27:00] Simon, thank you so much.
Simon Horswell: Thank you for joining us on this journey inside the Fraud Lab. If you'd like more insights into attack patterns and trends as we see them at Onfido, head to onfido. com or click the link in the show notes to access our annual identity fraud report. It's full of proprietary research into how fraudsters are attacking identity verification and how the world of prevention is changing.
It's full of insights, for example, financial services has seen a 23 percent increase in fraud versus last year and 46 percent of document fraud targets national ID cards. If you'd like to learn more, get your free copy by clicking the link in the show notes. Goodbye for now and I hope you join us again next time.