Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
AI Crime Technology

Fraudsters Used AI to Mimic CEO's Voice in Unusual Cybercrime Case (wsj.com) 47

Criminals used artificial intelligence-based software to impersonate a chief executive's voice and demand a fraudulent transfer of $243,000 in March in what cybercrime experts described as an unusual case of artificial intelligence being used in hacking. From a report: The CEO of a U.K.-based energy firm thought he was speaking on the phone with his boss, the chief executive of the firm's German parent company, who asked him to send the funds to a Hungarian supplier. The caller said the request was urgent, directing the executive to pay within an hour, according to the company's insurance firm, Euler Hermes Group. Law enforcement authorities and AI experts have predicted that criminals would use AI to automate cyberattacks. Whoever was behind this incident appears to have used AI-based software to successfully mimic the German executive's voice by phone. The U.K. CEO recognized his boss' slight German accent and the melody of his voice on the phone, said Rudiger Kirsch, a fraud expert at Euler Hermes, a subsidiary of Munich-based financial services company Allianz.
This discussion has been archived. No new comments can be posted.

Fraudsters Used AI to Mimic CEO's Voice in Unusual Cybercrime Case

Comments Filter:
  • by fat man's underwear ( 5713342 ) <tardeaulardeau@protonmail.com> on Tuesday September 03, 2019 @01:11PM (#59152744)

    the boss was in on it and blamed AI

    • by rmdingler ( 1955220 ) on Tuesday September 03, 2019 @02:28PM (#59153248) Journal

      An inside job seems plausible, but a share of $243K seems beneath the threshold necessary to corrupt a company's CEO. That amount might be enough to entice the underpaid security personnel.

      Soon: "We'll need 2 factor authentication for that transfer, sir. A cornea scan will do nicely."

      • This sort of attack though is relatively common with spoofing of email. Sometimes the attacker may be an insider but often all that's needed is some minor details about internal operations (names of people, suppliers, procedures).

        • Yep. One of the hardest thing to deal with is when an individual's email is hacked, and all previous conversations are read. Then criminals can then call/email the unsuspecting dupe with an 'urgent' request, dropping details of previous conversations. One of the most cunning had obtained a cell number that transposed the local office portion (the Nxx- part), with a request to call with any questions. The dupe dutifully called - heck, the number *seemed* familiar - talked to what he thought was the CFO,

          • by jabuzz ( 182671 )

            However in my university unless there is an invoice in the ERP then you simply cannot and should not pay. Someone rings up and demands a payment even the boss it has to be in the ERP already because the only way to pay is through the ERP and then only if an invoice exists. This includes large payments for capital purchases like the new HPC system I was involved in last year.

            Everyone bitches about ERP systems but honestly I have worked in universities with them and without them. Im my experience not having t

    • by Tablizer ( 95088 )

      the boss was in on it and blamed AI

      Imagine the chaos if say a leader of a country started using such excuses; claiming everything is faked, rigged, and/or bugged. Pray it doesn't happen here, even if you are an atheist, just in case.

  • by myth24601 ( 893486 ) on Tuesday September 03, 2019 @01:20PM (#59152790)

    The AI angle is simply the reporters pushing copy.

    • by Tablizer ( 95088 )

      I indeed wonder how they verified it was a bot. Maybe somebody's cousin Vinny happened to have a similar voice. (Article is pay-walled, so I haven't seen the details.)

  • by sconeu ( 64226 ) on Tuesday September 03, 2019 @01:22PM (#59152814) Homepage Journal

    Setec Astronomy

  • "My voice is my passport, grant me access." Wait, people thought that voice was a good way to ensure authenticity instead of a signed cert? LOL!
    • "My voice is my passport, grant me access."
      Wait, people thought that voice was a good way to ensure authenticity instead of a signed cert? LOL!

      At one point it probably was a decent form of authentication, but technology caught up with it.

    • by dissy ( 172727 )

      "My voice is my passport, grant me access."

      Ouch. Should have gone with the "My voice is my passport, verify me" quote :P

  • And that's why (Score:5, Interesting)

    by JustAnotherOldGuy ( 4145623 ) on Tuesday September 03, 2019 @02:09PM (#59153110) Journal

    And that's why biometric "passwords" are a bad idea in general, and especially so if not combined with another form of authentication (human interlock, 2FA, etc).

    Fingerprints, vein scanners, voice prints, fingerprints, facial recognition, etc- so far they've all been shown to be spoofable, sometimes trivially so.

    After your voice or fingerprints or facial geometry (to give a few examples) have been copied, you can never get them back or change them.

    • Re:And that's why (Score:4, Interesting)

      by Falos ( 2905315 ) on Tuesday September 03, 2019 @02:27PM (#59153240)

      heard security guys like "something you know, something you have"
      bios were chosen for convenience, "always have"
      and, supposedly, "only you have"
      which has been shown to be a pretty weak claim, yes
      and they go from Mostly Useless to utterly useless once compromised, as they're indeed immutable

      they're good enough for casual authentication, but let's stop pretending they're Secure

      The extra-uphill detail here is that we're not actually using the voice as a technical credential, we're simply doing our human social brain thing and matching up to an identity. Soc engineering can already be powerful, and this pushes it over.

      Saw this coming years ago, "soon you'll not only get a call from your wife's phone number, but you'll hear her voice saying she forgot the bank PIN or garage code etc"

      It's targeted actors for now, but reaching the scamkiddies-automation-mass scale-indiachina phone slaves scene of my example is merely a matter of time, proliferation of the tech, refinement

      • by Falos ( 2905315 )

        "and need to ask her what her favorite color is"

        -- the idiot who forgot he suggests that new world's response could be a Challenge Question or such, "something she knows".

        • Challenge questions are about the weakest link we have today in our password systems. Not only are most of them trivial to lift from social media (maiden name of mother, name of your dog, type of your first car...), quite a few of them are also trivial to guess (favorite color, favorite subject at school).

          If you're smart, your answer to your mom's maiden name is something along the lines of l2Kdjfwh90=nkZU. What, it's a cromulent name on Rigel IV, are you xenophobic or what's wrong with you?

        • "and need to ask her what her favorite color is"

          -- the idiot who forgot he suggests that new world's response could be a Challenge Question or such, "something she knows".

          blue, no, yellooooooooooooooooooooooooooooooooooooooooooooooooow

      • Biometry is the third part of that trinity: Something you are.

        It's fine to establish identity. It's utterly useless to establish authorization. In case of compromise, you can invalidate a password and force a change. You can invalidate a token and issue a new one. But how do you change a person's fingerprints?

        I'm asking for a friend...

        • Biometry is the third part of that trinity: Something you are.

          It's fine to establish identity. It's utterly useless to establish authorization. In case of compromise, you can invalidate a password and force a change. You can invalidate a token and issue a new one. But how do you change a person's fingerprints?

          I'm asking for a friend...

          If not now then quite soon I would imagine it would be possible to 3D print finger tip cover things with whoevers prints on you want (as long you have them to begin with I guess) stick them to your fingers and away you go. The thinner the pad and closer to your skin tone the better to decrease visibility. Can they print latex type stuff? I don't see why not. Probably not consumer grade stuff but almost definitely at the top end.

          • There are already fairly simple ways to fake fingerprints, at least good enough to fool electronic scanners. We didn't try to fool law enforcement yet, so far nobody paid us to do so...

    • Biometrics usually look spiffy but there's often a distinct lack of rigour behind the curtains. They probably should never be used for more than an secondary additional identification (ie, they can unlock your phone, but the primary security is that you possess your phone and if it is stolen you can deactivate it).

    • by Tablizer ( 95088 )

      Anything biological that is read and interpreted by a machine can be hacked and spoofed with fake input. There is no short-cut to authentication; it will probably always be a cat-and-mouse game.

      Multiple authentication/verification factors helps, but also costs time and money. You can audit the auditors of the auditors, but past a point multi-checking becomes more expensive than what's prevented. The debate about where the break-even point in resources stands is a tricky calculation subject to heated disput

    • Supposedly, our GI tract biome is unique. Soooooo, instead of fingerprints, poop in this. And give us a day or 3 to verify.
      • Supposedly, our GI tract biome is unique. Soooooo, instead of fingerprints, poop in this. And give us a day or 3 to verify.

        There are many sites that I've been tempted to send a sample of my shit to, so I'm okay with this.

  • I guess this was inevitable.

  • by Sam Snow ( 6211206 ) on Tuesday September 03, 2019 @02:30PM (#59153258)
  • That's an idea I'd been keeping in my back pocket, now the whole damn world knows...

  • by Pascoea ( 968200 ) on Tuesday September 03, 2019 @03:16PM (#59153580)
    There are reasons business controls are put into place. It's not that hard. Control 1: "Boss isn't allowed to request wire transfers by phone." Control 2: "Employee isn't allowed to transfer money based on a phone call." Done. Problem solved.
    • by khchung ( 462899 )

      "Rules for thee but not for me" is rule #1 for CxOs.

      You think any CEO would be willingly bound by their own rules all the time, rules that they can just bypass simply by throwing a tantrum?

      I have seen more than one CxO brag in front of all employees how they managed to complete some project in record time, like in 1/4 of the time it usually takes, by skipping all the processes and controls in place.

      • by Pascoea ( 968200 )
        Hard to argue with that, as I've also seen some pretty aggressive c-levels. But that's why you have control #2. And a workplace where my job is in jeopardy for following the established rules isn't a place I want to work.
    • So far the theory.

      This usually clashes with the egos of the average C-Level. Because it's taken as insubordination, as if the underling questions your order, if they DARE to ask for confirmation. This is what makes the whole shit possible. It's usually bosses that go by the creed of "me boss, you nothing" that get hit the easiest by these kinds of attacks, where their employees don't dare to ask for any kind of confirmation because they fear backlash if they DARE to "question" their boss.

  • I cannot imagine being in a position where I wouldn't question being asked to make a payment in under an hour to a supplier that was not previously set up in our system. Even if they used a real supplier's name, making a payment to a new account as "urgent" is way too fishy.

    At least for me, even if I was a lowly bean counter I'd still question the request.
    • There are businesses where it's not uncommon that things like this happen. Couple this with bosses that go by the practice of "do what I say or be fired for insubordination" and you know why this is possible in the first place.

      Yes, this can easily be thwarted by relevant security processes being established, trained and reviewed, but CxOs love to establish processes and regulations for their underlings while they themselves are above those laws. Else, this would be completely impossible.

  • So to train an AI like this you need a quite a bit of voice samples with various speaking, especially if you are to capture the accent in German.
    I'm curious as to where they got enough high quality voice, unless this guy did a lot of public speaking.

  • https://www.youtube.com/watch?... [youtube.com]

    BTW, that wasn't Patrick Stewart overdubbing, it was actually Brent Spiner doing his Patrick Stewart impression...

    https://www.youtube.com/watch?... [youtube.com]

  • by shess ( 31691 ) on Tuesday September 03, 2019 @07:35PM (#59154658) Homepage

    Back in the day, you could call someone and mutually understand each other. These days, the first bit of everyone's statements are cut off, or blocked entirely because you were talking, so conversations sound like "What was that?" "Oops, go ahead." "Come again?", etc.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...