AI voice cracks telephone banking voice recognition
Voice ID is slowly rolling out across various banks worldwide as a way to perform user authentication over the phone. However, questions remain about just how secure it is. Now that we have freely available artificial intelligence (AI) happily replicating people’s voices, could it be a security risk?
Some recent research suggests that it could.
Vice reporter Joseph Cox put it to the test, with surprising results. All it took was five minutes of recorded speech and a site that can learn to synthesise the voice in the recording.
At first the banking website refused to verify Cox’s synthesized voice as genuine. But with a few tweaks, it soon allowed Cox into his account.
From here, he had access to account information, recent transactions, transfers, and balances. You’ll note from the video below that an additional piece of information is required here in the form of date of birth.
Thankfully, you can’t just use the voice on its own and log straight in to this bank. However, while dates of birth are often use as a form of authentication they are not secret. If an attacker is determined enough to find or create five minutes of your voice recordings, they are unlikely to be deterred by the (probably much easier) task of finding out your birth date.
The bank used for the test claims that criminals would rather use other more common methods of attack than AI voice recordings, and that deploying voice ID has led to “a significant dip in fraud with phone banking”. This may well be true, but that dip presumably occurred before the wide availability of AI tools like ChatGPT.
The stunt is a useful reminder that unlike passwords, which are either right or wrong, all forms of biometric authentication are analogue. Voice, fingerprint, face, and iris recognition all rely on a judgement of similarity, which creates opportunities for enterprising criminals who can produce realistic facsimiles. It’s why your iPhone fingerprint recognition is backed up by a passcode, and why the bank in the test also included a birth date in its authentication process.
What’s next for voice AI?
The AI genie is most definitely out of the bottle, with AIs being used for all manner of good things, like additional voice lines in video game mods, and all sorts of bad things too.
If you’re deploying voice recognition as part of your business, it would be wise move to pay close attention to the rapidly improving area of voice synthesis. Don’t let the words “My voice is my password” come back to haunt you in the worst way imaginable.
Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.
https://blog.malwarebytes.com/feed/