Frankfurt. Nico Leidecker attacks banks, and the use of artificial intelligence (AI) makes his life easier. With ChatGPT and similar programs, he can better spy out weaknesses in financial institutions and send bank employees customized phishing e-mails. If just one employee clicks on a link or an attachment in such an e-mail, the hacker can penetrate the institution’s systems.
“It is becoming much more difficult for banks and their customers to recognize such phishing emails,” says Leidecker. “At the same time, it will be easier for attackers all over the world to attack German banks.” Thanks to ChatGPT, cybercriminals no longer need to be native speakers to write error-free emails.
Leidecker works for the IT security company Nviso in Frankfurt. Financial firms, industrial groups and even government agencies can commission him to attack them in order to identify and eliminate weaknesses in their own organization.
Banks are a particular focus of cyber attacks with AI, because there are significantly more attacks in the financial sector than in other sectors. After all, all actors need money, and the banks are where you can get the most of it. Successful attacks not only threaten financial institutions, but also pose risks to financial stability.
The Federal Office for Information Security (BSI) and the financial supervisory authority Bafin have long observed with concern that cyber attacks on banks are becoming more professional. Now there is a risk “that AI can significantly reduce the effort on the part of the perpetrators,” warns the Bafin. “Alongside cyber attacks, the spread of fake news can also be facilitated by AI.”
The BSI is concerned that AI will be used in future attempts at deception in which “fake voices or videos are used”. In addition, criminals could use the technology to program malware.
The German banking industry, an association of local banking associations, has so far had no information about “relevant attacks” in which AI was used. However, it also sees the danger that fraudsters will use the new technical possibilities to refine their attacks.
Attackers act with fake profiles
Nviso hacker Leidecker first uses AI before cyberattacks to collect publicly available information about potential attack targets, such as the names, email addresses, and phone numbers of bank employees. He also looks at which websites a financial institution operates and which partners it works with.
“For example, we can pretend to be a partner company in the attack on the bank and access the systems of the financial institutions unnoticed – through the back door, so to speak.” In the past, collecting information would often have taken several weeks. “Today, thanks to ChatGPT and similar programs, a few days are often enough.”
In addition, Leidecker uses AI to create false identities. For example, there are programs that can be used to create profile pictures of people who don’t even exist. Nviso has created several fake people with fake websites and LinkedIn profiles, and maintains them intensively.
The fake people network with experts in their supposed field on LinkedIn and occasionally share articles to appear credible. “If we then use these profiles to make contact, it is extremely difficult for our counterpart to identify them as fake,” says Leidecker.
Attacks go unnoticed
His colleague Désirée Sacher-Boldewin can confirm that. The 37-year-old is not responsible for attacks at Nviso, but advises companies on setting up cyber defense centers. Before moving to Nviso in May 2023, the Swiss native worked for almost five years for Finanzinformatik, the central IT service provider for the German savings banks and state banks.
“In the past few months, we have already observed many good phishing attempts in the German financial sector, in which attackers probably also used AI,” says Sacher-Boldewin. So far, nothing is known about successful attacks. “But that’s probably only because attacks by cybercriminals often go undetected for months.”
From her point of view, the IT defense systems of banks are better than those of companies in other sectors, but they are far from good enough. In many cases, financial institutions are still dependent on employees being able to tell for themselves whether an email is phishing or not.
“So a lot of responsibility is shifted to the employees,” criticizes Sacher-Boldewin. However, employees often do not have the capacity to research all external emails to determine whether the sender really exists or not.
From the Swiss native’s point of view, banks urgently need to strengthen their cyber defense systems – also with the help of AI. Many bank board members are aware of this, but there are often problems with implementation. “In practice, it sometimes takes several years before modern detection systems are introduced,” reports Sacher-Boldewin. This is not only due to the high costs, but also to the lack of skilled workers. “At many banks, the IT security teams are walking on their gums.”
Is financial supervision slowing down cyber defence?
It is not only the banks that are responsible for the deficits, however, but also their inspectors, says Sacher-Boldewin. For example, it is important to banking supervision that all decisions are transparent. “With AI-supported detection systems, however, in many cases it is not possible to understand exactly why certain emails were blocked and others not.”
BlackBerry IT security experts estimate that a large proportion of cyber attacks are now carried out using AI. In contrast, only ten to 20 percent of the defense systems of companies and authorities use artificial intelligence. Sacher-Boldewin therefore draws a worrying conclusion: “Cyber criminals currently have a perfect time window for attacks.”
The Deutsche Kreditwirtschaft (DK) rejects this representation. Banks are already doing a lot to ensure cyber security. In some cases, they are already using machine learning and AI.
Bafin does not see regulation as a “braking element” in the fight against cyber attacks. From the point of view of the financial supervisory authority, it is particularly important that banks calibrate their defense systems correctly. “Incorrectly trained systems detect attacks insufficiently or not at all,” warns the Bafin. Overtrained models, it says, produce too many false positives.
BSI takes a critical view of video identification procedures
Supervisors and bankers alike are concerned that completely new types of attacks are possible with AI. For example, criminals can forge voices and leave manipulated voice messages from a supposedly known phone number in the mailboxes of bank employees or customers. Passports, holograms and video recordings can also be forged.
AI is currently not able to imitate live conversations via audio or video, says Nviso hacker Leidecker. “But that could change in the future as the technology will advance rapidly.”
This creates additional dangers, for example for video identification processes that banks use when opening accounts. New customers have to hold their ID card up to the camera. Software or a person on the other side then checks whether the ID card and face match.
The DK is of the opinion that the video identification procedures used in Germany are “sufficiently secure” and have proven themselves in practice. Security experts and the BSI, on the other hand, judge the procedure more critically.
The BSI emphasizes that the use of AI and so-called deep fakes, in which voices and videos are faked, will continue to develop. This increases “the threat potential for this type of remote identification further”. In principle, video-based solutions could therefore “not achieve the same level of security as, for example, the online ID function of the ID card.”
Nviso expert Leidecker believes that in the future everyone will have to be more careful that they are dealing with the right person on the other side when texting or making phone calls before exchanging confidential things. “Most people are not yet aware of how great the danger is of being deceived with the help of AI.”
In the meantime, the 39-year-old has raised awareness among the people close to him and put in an additional safety net. “We have a code word in the family that we use when something seems strange during conversations on the phone and via video call.”