Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
AI Privacy Security

'I Broke Into a Bank Account With an AI-Generated Voice' (vice.com) 46

An anonymous reader quotes a report from Motherboard, written by Joseph Cox: On Wednesday, I phoned my bank's automated service line. To start, the bank asked me to say in my own words why I was calling. Rather than speak out loud, I clicked a file on my nearby laptop to play a sound clip: "check my balance," my voice said. But this wasn't actually my voice. It was a synthetic clone I had made using readily available artificial intelligence technology. "Okay," the bank replied. It then asked me to enter or say my date of birth as the first piece of authentication. After typing that in, the bank said "please say, 'my voice is my password.'" Again, I played a sound file from my computer. "My voice is my password," the voice said. The bank's security system spent a few seconds authenticating the voice. "Thank you," the bank said. I was in.

I couldn't believe it -- it had worked. I had used an AI-powered replica of a voice to break into a bank account. After that, I had access to the account information, including balances and a list of recent transactions and transfers. Banks across the U.S. and Europe use this sort of voice verification to let customers log into their account over the phone. Some banks tout voice identification as equivalent to a fingerprint, a secure and convenient way for users to interact with their bank. But this experiment shatters the idea that voice-based biometric security provides foolproof protection in a world where anyone can now generate synthetic voices for cheap or sometimes at no cost. I used a free voice creation service from ElevenLabs, an AI-voice company. Now, abuse of AI-voices can extend to fraud and hacking. Some experts I spoke to after doing this experiment are now calling for banks to ditch voice authentication altogether, although real-world abuse at this time could be rare.
A Lloyds Bank spokesperson said in a statement that "Voice ID is an optional security measure, however we are confident that it provides higher levels of security than traditional knowledge-based authentication methods, and that our layered approach to security and fraud prevention continues to provide the right level of protection for customers' accounts, while still making them easy to access when needed."

The Consumer Financial Protection Bureau, one of the U.S. agencies that regulates the financial industry, said: "The CFPB is concerned with data security, and companies are on notice that they'll be held accountable for shoddy practices. We expect that any firm follow the law, regardless of technology used."
This discussion has been archived. No new comments can be posted.

'I Broke Into a Bank Account With an AI-Generated Voice'

Comments Filter:
  • by El_Muerte_TDS ( 592157 ) on Friday February 24, 2023 @05:05PM (#63321158) Homepage

    That's some 30 year old hack.

    • Thank you! And by the way, you have a pretty nice voice, for a human.

    • What kind of f-ed up bank has so much nostalgia, they'd use a voice as some sort of authentication token? LOL! I want a bank that says: "f-off. Use HTTPS only."
      Snail mail them a "signature" that anyone can easily forge? I want them to say the same thing. "f-off. That's not trustable."

      • by UpnAtom ( 551727 )

        UK banks are responsible for pretty much all unauthorised access to your account. You have to have done something remarkably stupid like not report your card missing for days in order that you don't get refunded.

        As such, I'd expect Lloyds to phase voice identification out asap.

        I also suspect that they check the number you're calling on and while that can be faked, it's an extra layer of security.
        They also routinely insist on holding up any large unusual transfers until one of their staff personally verify

      • What annoys me most is that, when confronted with this hack, the continue to claim that this method provides higher levels of security than traditional methods. Well, if you compare it to "what's your date of birth", sure. But a password is definitely a lot safer. Sure, you can steal someone's password by looking over their shoulder. But if a public figure uses voice authentication (and date of birth), I can use AI and youTube videos to get into their account without ever having been near them!

    • Well, if the OP did it "properly", by having the AI listen to unrelated words to build a voice profile from just those, and then generated the voice commands from text, then that would be a fair hack.

      Banks have been trying to push voice print identification [wikipedia.org] on me for several years, offering it as extra security. And they've done it in their annoying voice menu system while I wait to reach a human, and even the human pushes it. To me, it's less security, because they never offer to disable any of the other

    • by Burz ( 138833 )

      Yep, Brad Carter did this with a tape recorder. I think it was in the late 90s.

      Cactus Cactus!

  • by sinij ( 911942 ) on Friday February 24, 2023 @05:09PM (#63321164)
    You can have ease of access or security, pretending that you can have both leads to preventable disasters like this.
    • So, is the telephone completely out in general? If a co-worker calls to have a normal business discussion how would you know if it's them?
  • although real-world abuse at this time could be rare
    Just call the mark to get them on the phone and record your talk with them. Heck you could possibly trick them into saying the passphrase!
  • Bank of Karabraxos [fandom.com].

    The Bank of Karabraxos was a financial institution used by the ultra-wealthy of the galaxy. It was the most secure bank in the galaxy: no one stepped foot on the planet without protocols, all movement was monitored, air consumption was regulated and DNA was required at every stage.

    And that was just for starters.

  • Sounds like he broke into his own account? Am I reading the summary incorrectly?
    • Sounds like he broke into his own account? Am I reading the summary incorrectly?

      Yes, he broke into his own account using an AI clone of his voice, which he presumably made using his voice as input into the AI. This is not very surprising, as all the AI would have to do is duplicate its input. I guess, if someone had a sufficiently large amount recorded of someone else speaking, it would be possible to do this to them. I think that using your voice as a password is probably a poor idea, but I do not think that his actually demonstrates anything real.

      • Just FYI, "sufficiently large" is down to 3 seconds.

        There is a reported scam of calling relatives of someone with a faked voice saying you are in trouble and need them to wire money. Some families have been taken for over $20,000 this way.

        You really should make up a call/recognition sign with your family before it matters.

      • by Askmum ( 1038780 )
        There are many people out there giving public speeches that you can use to use this method on. Until he succesfully demonstrates that he got into Donald Trump's account, I see this as a hobby project.

        Having said that, using only voice recognition as a password is very poor security.

  • Faces(?) and voices can be mimicked. What's next, fingerprint or Iris? Can you accurately 3D print a fake hand or eyeball with a biometric?
    https://www.youtube.com/watch?... [youtube.com]

    • by Anonymous Coward

      In terms of biometric security, yes basic fingerprints were out years ago - hasn't stopped mobile phone manufacturers continuing to use them, though. I don't think people realize how weak fingerprints are for security purposes. If somebody could get a fingerprint of yours off any surface (or from photograph or still frame of a high resolution video) it was relatively trivial for them to make a mockup. Or even artifically generated "master fingerprints" that aren't based on any living person's fingerprint.

      • 2
  • Nothing is secure by communications.

    I must literally walk in, sigh a temporary letter, present an ID, the signature has to be reasonably close, and then after I'm done, it's all locked up again.

    I keep a small amount in one bank that isn't secure.

    • by Bert64 ( 520050 )

      A signature provides no level of authentication either.
      ID can be faked and commonly is. Do the bank just look at it, or do they actually have the mechanisms for checking the common forms of id like passports?
      Only if the bank staff actually know you would it be reasonably secure.

      For typical users however the bank is more convenient than secure, and there are usually laws to protect account holders from losses unless they themselves were negligent. The bank itself has to weigh up the inconvenience of added se

      • It's a helluva lot more secure than anything online. I've never been breached.

        • by Bert64 ( 520050 )

          It's not secure in the slightest, the only difference is the chance of the perpetrator being caught if they're physically present to make a fraudulent transaction.

  • by Caro Cogitatus ( 7226002 ) on Friday February 24, 2023 @07:02PM (#63321370)
    The only thing I say into the "tell me in a few words..." prompt is "Operator" seventeen times until they send me to a person.

    I know you have a limited number of departments to forward me to. Just list them for me and let me press a gods-damned number.
    • I also use this tactic. I found adding curse words to the mix can speed things up too.

    • If I ran a company where someone suggested we go to that kind of system for CS, I would should them in the meeting and fire them later.
  • And when I tell people I don't want to talk on social media and thus give those my voice imprint, they think I am paranoid.
    I am neither that nor prescient.
    My voice characteristics are simply part of my privacy, and I value the latter.

    TeamSpeak is there for gaming, Skype for family. No need for speaking in Discord et al.

  • So how do I get into my bank account if I have a cold, or just a stuffy nose?

  • If you actually do this, and knowingly or unknowingly access a system across state lines, you are on the wrong side of the Computer Fraud and Abuse Act - https://www.nacdl.org/Landing/... [nacdl.org]
    You're literally risking making some FBI champ cream their jeans, because, if they find you, they're going to come at you hard.

    But hey, thanks for sharing. Good luck dude!

    • Given that it was Lloyds Bank is in the UK, the last thought of the FBI agents as their van sinks beneath the waves will likely be: I wish I paid more attention in geography class...

      • by Arethan ( 223197 )

        Yea.. that makes sense on the surface. But also, we have extradition treaties with many countries, including the UK.
        https://en.wikipedia.org/wiki/... [wikipedia.org]

        So, yea. Nice try, but, no. This is an obvious hacking crime (benign intention or not), that someone within some federal-level investigation team is going to spot as an employment advancement opportunity.

        If they wanted to play by the white-hat rules, they would have broken into their OWN account. At least that way, there is no standing left for any agency to br

        • Given that the author and the bank were both in the UK, I feel strangely comforted that Team America World Police would get involved. Protip: The UK does have state borders but they are quite different to US ones. You also may be shocked to hear that the UK has a distinct legal system to the US. Intolerable! Maybe the US should bomb them into democracy?

  • One financial institution's automated system also looks at the originating phone number and adjusts the number of authenticators. If I call from my registered phone number, I get fewer prompts plus voice ID; conversely, if I call from someone else's phone, I get many more prompts in addition to voice ID. And the ruse is up anyway if you have to talk to a live person.

  • Every Dr. Who fan has known since 1978 that there is nothing more useless than a lock with a voiceprint.
  • If there is nothing artificial about it, due to the fact that it is entirely human created, why are people still calling it "artificial"? It isn't even intelligent.
  • I have repeatedly refused requests by a certain bank to use my voice for biometric authentication. Regardless of what academic papers may say on the subject, voice seems like a very poor biometric. In fact, my voice varies day by day and by social situation. It varies with my speaking volume. It gets garbled by poor internet or voice data connections.

    My laymanâ(TM)s understanding of a biometric is that it is a unique and relatively constant unique signature that is intrinsic to my body. My voice regula

  • And why could you not believe it? What's so unbelievable?

Dinosaurs aren't extinct. They've just learned to hide in the trees.

Working...