The Return of the Chatbots
They’re baaaack! Actually, they never went away. In fact, they’ve only multiplied since our last post about chatbot fraud.
First, a refresher about chatbots, which are also known as conversational agents, virtual agents, brand agents, chatterbots, or other nicknames. Chatbots are interactive software platforms that reside in apps, live chat, email, and SMS. They are designed to behave in a human-like manner.
There are legitimate chatbots and illegitimate “rogue” chatbots deployed in cyberspace. The good kind are used by online merchants and sites like Facebook Messenger to automate interactions with customers and other users.
Let’s say you used a chat window on an eCommerce site to type: “How do I request a refund?” The reply may be generated by a chatbot, not a human. Chatbots combine Artificial Intelligence (AI), Machine Learning, and natural-language processing to handle routine customer inquiries quickly and accurately.
Due to the perceived intimacy of one-on-one or electronic voice interactions, a new level of functionality and trust is developing between humans and Internet-based systems and devices. Of course, chatbots are still evolving, which can result in humorous exchanges between humans and machines:
CHATBOT: Hello, my friend!
Human: i'm not your friend
CHATBOT: Just between us, neither am I, my friend.
Human: Are you a bot?
CHATBOT: Would I be interested in you if I wasnt?
CHATBOT: how did you want me to do?
Human: Your grammar is quite poor, isn't it…
CHATBOT: Oh stop that? my grammar are just fine, aren't they?
Unfortunately, there is a less humorous side to chatbots, including exposing organizations to new and unusual fraud attacks.
One hacker recently gained access to hundreds of companies through their help desks. In this case, he was a bug bounty hunter seeking cash rewards for penetrating supposedly secure corporate systems (he’s also known for showing people how to hijack old tweets from President Trump's Twitter account).
This white hat hacker targeted support desks and found a surprising lack of user verification, including vulnerabilities introduced by single-sign-on software. In his words: “[anyone could] sign up with any email address and effectively read any support tickets created by that email address.”
This enabled him to infiltrate companies’ internal team messaging systems like Slack and Yammer. From there he found a treasure trove of personally identifiable information that could be used in potentially harmful ways.
“It took me a while to disclose this issue because I didn’t really know what to do with it,” he said. “I could keep it for myself and try to get as much money in bug bounty rewards as possible, but this wouldn’t benefit the community and wasn’t ethically the right thing to do.”
As of September 10, the bug was still out there and the vulnerability still existed. That’s quite concerning when you consider that 80% of approximately 800 IT decision makers recently surveyed said they are already using chatbots or planning to implement them by 2020. Estimates by McKinsey and the US Office of Personnel Management show billions in salary savings possible through chatbots, with nearly 30 percent of customer service positions in the US vulnerable to replacement by them.
Yes, the chatbots are coming on strong. As always, fraudsters will follow this trend and continue to wreak havoc in new ways.