[HN Gopher] I Broke into a Bank Account with an AI-Generated Voice
___________________________________________________________________
I Broke into a Bank Account with an AI-Generated Voice
Author : atlasunshrugged
Score : 184 points
Date : 2023-02-23 17:08 UTC (5 hours ago)
(HTM) web link (www.vice.com)
(TXT) w3m dump (www.vice.com)
| sjkoelle wrote:
| https://www.forbes.com/sites/thomasbrewster/2021/10/14/huge-...
| zizee wrote:
| How long until people start receiving voicemails from scammers in
| their boss's voice? How long until we can filter voices in real
| time to convert anyone to sound like anyone else?
|
| Video is also not that far away. Will I be able to send my AI
| doppelganger to videocall standups?
|
| It will be interesting to see if we have to take extra steps to
| verify we are on any non-physically present communications. Email
| is already suspect. Phone calls are next.
|
| On the plus side, it will help enable things like proper double
| blind interviews, to allow for gender bias free interviews. It
| will also help anonymity, or people with disabilities.
| woliveirajr wrote:
| > My voice is my password
|
| No, your voice (like your fingerprint, iris, SSN, passport
| number, or any other relatively immutable thing) might be your
| identification or "a thing that you have".
|
| Password is something you choose, you change when you want, and
| that you shouldn't reveal to anyone.
| Manfred wrote:
| Your voice is a thing that you "are", up to a certain extent.
| People can be trained to sound like other people.
|
| Physical things other than the body is something you "have".
| [deleted]
| jbaczuk wrote:
| "biometrics"
| blitzar wrote:
| My Voice Is My Passport, Verify Me -
| https://www.youtube.com/watch?v=-zVgWpVXb64
| thewebcount wrote:
| This was the first thing I thought of when I read that. I was
| like, "Is this the author being cheeky and not really saying
| what the phrase is, or did someone who works for the bank
| think they were being clever re-using this line that a 30
| year old movie shows is super-easy to spoof?"
| vatys wrote:
| > 30 year old movie
|
| It may be a shock but that movie will actually turn 41 this
| summer.
|
| It seems the author has shown that a replicant can trick a
| bank.
| dingusdew wrote:
| [dead]
| EGreg wrote:
| This is bad and insecure. Look at this:
| https://m.youtube.com/watch?v=rERApU26PcA
|
| Same thing with "pay with your face" they tried in China.
| They all are susceptible to replay attacks. It is garbage!
|
| The _only_ secure way to authorize actions is to have a
| device _in your possession_ which you unlock with your
| password and /or biometrics -- and use THAT device to sign
| interactive challenges or ZK-SNARKS.
|
| The device could store keys in a secure enclave, but
| regardless, the keys should never leave the device. The
| ability to export private keys (as with ethereum and bitcoin
| wallets) is insecure, too.
|
| Look how 1password does it: local key plus master password.
| Far better than LastPass (master password only).
|
| Also you should have notifications whenever a new device
| authenticates, or when you are trying to establish new
| recurring payments at a greater rate than you would allow
| otherwise. Then you need to confirm from other devices.
|
| That is the scheme that works universally and the further you
| depart from that, the more ridiculous hacks you get.
| hbrn wrote:
| > Same thing with "pay with your face" they tried in China.
| They all are susceptible to replay attacks. It is garbage!
|
| That's such a naive take on security. Reminds me of "salt
| shaker vulnerability":
| https://www.linkedin.com/pulse/hacker-restaurant-
| alexander-s...
|
| Today, almost any time you use your credit card online in
| the US, you are susceptible to replay attack. Even a
| PCI-compliant merchant can simply save your payment method for
| future uses (neither SCA, nor VISA's VAU is being
| enforced).
|
| What exactly is the attack vector for face payments, if
| they are not used for P2P payments, only happen in public
| places with plenty of cameras, and are capped?
|
| Just because it's "possible", doesn't mean it introduces
| risks that are not acceptable. Sure, you can risk prison
| time and get a bag of groceries for free. But stealing
| groceries the old-fashioned way is less risky.
| EGreg wrote:
| The same as for the credit card payments you just
| mentioned (which ARE insecure and naively rely on store
| clerks not copying your 3 digit number etc).
|
| ANY biometrics you use to pay can be easily replayed.
| Whatever function you derive from these biometrics can be
| executed when you're not there.
|
| Not to mention that the biometrics themselves can be
| emulated by a device (eg voice recording) as you see in
| sci-fi movies like Minority Report (fake eyes) or that star
| trek clip.
|
| Sure, for smaller amounts and using copious amounts of
| "seller beware" chargeback protections, the system can
| work. And those chargebacks can be good for many things,
| so that is how our financial system works now.
|
| But if you want to secure things that are valuable, like
| elections and many others, then what I described is the
| optimal solution.
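Added here as an example, not code from the Vice article or from any commenter: a minimal version of the scheme EGreg sketches in the two comments above (a device in your possession signs interactive challenges with a key that never leaves it), written in Go against the standard library. The server hands out a single-use nonce, the device signs the nonce together with the action being authorized, and the server verifies the signature and consumes the nonce. Submitting the same captured answer a second time, or reusing a signature obtained for a harmless action under a harmful one, is rejected; that is exactly the property a replayed voice recording lacks. The device id "phone-1", the domain tag "bank-auth-v1" and the action strings are invented for the example; a real deployment would keep the key in a secure element and bind the signed message to an origin and amount as well.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server is the bank's side: enrolled device public keys plus the nonces it has
// handed out and not yet seen answered.
type Server struct {
	devices map[string]ed25519.PublicKey
	pending map[string]bool // hex(nonce) -> outstanding
}

func NewServer() *Server {
	return &Server{devices: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Enroll records a device's public key once; the private half never leaves the device.
func (s *Server) Enroll(deviceID string, pub ed25519.PublicKey) { s.devices[deviceID] = pub }

// Challenge hands out a fresh 256-bit nonce that is valid for exactly one answer.
func (s *Server) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.pending[hex.EncodeToString(nonce)] = true
	return nonce
}

// messageToSign binds the nonce to the action being authorized, so a signature
// obtained for "view balance" cannot be spent on a transfer. The domain tag
// "bank-auth-v1" is a label chosen for this example.
func messageToSign(nonce []byte, action string) []byte {
	h := sha256.New()
	h.Write([]byte("bank-auth-v1\x00"))
	h.Write(nonce)
	h.Write([]byte{0})
	h.Write([]byte(action))
	return h.Sum(nil)
}

// Authorize consumes the nonce before checking the signature, so a captured
// (nonce, signature) pair is worthless the second time it is presented; a
// recorded voice, by contrast, is accepted every time it is played back.
func (s *Server) Authorize(deviceID string, nonce []byte, action string, sig []byte) error {
	key := hex.EncodeToString(nonce)
	if !s.pending[key] {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.pending, key)
	pub, ok := s.devices[deviceID]
	if !ok {
		return errors.New("device not enrolled")
	}
	if !ed25519.Verify(pub, messageToSign(nonce, action), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// deviceSign stands in for the phone or hardware token: the key is used in place
// (think secure enclave) and never exported.
func deviceSign(priv ed25519.PrivateKey, nonce []byte, action string) []byte {
	return ed25519.Sign(priv, messageToSign(nonce, action))
}

// RunChallengeScenario plays out one honest authorization, then a replay of the
// captured response, then reuse of a signature under a different action.
func RunChallengeScenario() (legit, replay, swapped bool) {
	srv := NewServer()
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv.Enroll("phone-1", pub)

	n1 := srv.Challenge()
	sig1 := deviceSign(priv, n1, "transfer 10 EUR to ACME")
	legit = srv.Authorize("phone-1", n1, "transfer 10 EUR to ACME", sig1) == nil
	// Attacker recorded (n1, sig1) on the wire and sends it again.
	replay = srv.Authorize("phone-1", n1, "transfer 10 EUR to ACME", sig1) == nil
	// Attacker gets the user to sign something harmless for a new challenge and
	// submits that signature under a harmful action.
	n2 := srv.Challenge()
	sig2 := deviceSign(priv, n2, "view balance")
	swapped = srv.Authorize("phone-1", n2, "transfer 10000 EUR to ACME", sig2) == nil
	return
}

func main() {
	fmt.Println(RunChallengeScenario())
}
```

The nonce is deleted from the pending set before the signature is checked on purpose: a failed attempt burns the challenge too, so an attacker cannot keep guessing against one nonce. The notification and second-device confirmation the comment also asks for sit on top of this; they do not change the signing step.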
| aziaziazi wrote:
| > which you unlock with your password and/or biometrics
|
| Does this kind of device really come in biometric
| versions? As someone else mentioned, unlocking an ATM (or
| anything else) with a device and your fingerprint is very
| vulnerable to "steal device and cut finger".
| EGreg wrote:
| Sure. Your iPhone unlocks using your fingerprint or face.
| But the point is that YOUR iPhone is what's being
| unlocked with it -- not a machine operated by someone
| else.
| throwawayapples wrote:
| agreed with first two sentences.
|
| but, "..which you unlock with your password _and/or
| biometrics_"?
|
| unlocking with biometrics is actually the problem,
| regardless of where the unlocking takes place.
|
| relying on a third-party device that _you_ can't even
| verify is in the custody of its user as "the _only_ secure
| way to authorize actions" is highly problematic for
| similar reasons.
|
| and confirming "from other devices" rapidly turns into a
| user nightmare.
|
| the irony in all this is that lengthy, strong, non-reused
| passwords are actually pretty secure, and they don't
| require any specialized technology or rely on possessing a
| device that you just forgot on the airplane seat pocket and
| is now winging its way toward another country.
| EGreg wrote:
| Not necessarily. As long as the device is YOURS, you can
| unlock it with your face, thumbprint etc. That is how
| iPhones and Android security has been managed for a long
| time.
|
| Perhaps to unlock even more valuable transactions, you'd
| want to bring an external key, like a Yubikey or Ledger
| Nano wallet etc.
|
| Lengthy passwords that you enter are _not_ very secure.
| Anyone can capture your keystrokes, look over your
| shoulder with a camera, or even look at heat signatures
| on your phone after you left for the bathroom and locked
| it: https://www.zdnet.com/google-amp/article/this-
| thermal-attack...
| Blahah wrote:
| It's "a thing that you are", as opposed to:
|
| "a thing that you have": a key, an ID card, security fob,
| official uniform, etc.
|
| "a thing that you know": a password, PIN, the answer to a
| secret question, secret handshake, etc.
| hbcondo714 wrote:
| Yeah, Vanguard has been using this since 2014:
|
| [1] https://www.bogleheads.org/forum/viewtopic.php?t=137530
| mayormcmatt wrote:
| "My voice is my passport. Verify me."
| mcoliver wrote:
| A theory I have had for a while (when I put on my tinfoil hat) is
| that all those robocalls are really looking to generate a voice
| print of the person associated with a number for future nefarious
| purposes. For example most people will answer and say "hello,
| hello, anyone there?" Or something to that effect. Or it will go
| to voicemail which can then capture their voice. Yet another
| reason I don't answer calls from people I don't know and use a
| generic computer generated voicemail message.
| beepbooptheory wrote:
| This is probably still not advisable, but whenever I get one
| those calls where I happen to be curious enough to answer, I
| wait for a beat to see if anyone says anything, and if they
| don't I start screeching, making monkey noises, farting sounds,
| and it always just hangs up as soon as I start.
| williamcotton wrote:
| Try that at the DMV!
|
| It's almost like if the DMV issued IDs with public key
| cryptography support and maintained a public certificate
| authority that we would have a much more reliable form of
| identification... a bank has customers they aim to please. The
| DMV does not aim to please anyone!
| f38zf5vdt wrote:
| I feel like a broken record, but in the near future we are
| going to switch to a public key authentication object for
| everything social we do. Payment has already moved to it: tap
| payments use public key cryptography.
|
| Yet, at the same time, whenever it is brought up people love to
| engage in contrarian rambles about how it is simply too hard,
| people will lose their dongles, etc etc. Most phones support
| NFC communications these days, it's a tap against a phone or
| reader for verification and so couldn't be easier.
|
| Within 10 years people are going to wonder how we ever lived
| _without_ this.
| JohnFen wrote:
| > Most phones support NFC communications these days
|
| There are signs of a trend of people getting rid of their
| smartphones in favor of dumbphones. (Disclaimer -- I will be
| doing this when my smartphone dies.) So using them for
| payment may not, in fact, become ubiquitous.
|
| Even now, just watching people at stores and coffee shops in
| my area, it seems that only about 10-20% of them use their
| phones for payment.
| kwhitefoot wrote:
| There is no reason why simple non-smart phones should not
| support NFC.
|
| > watching people at stores and coffee shops in my area, it
| seems that only about 10-20% of them use their phones for
| payment.
|
| It seems more like 50% here in central Norway, perhaps more.
| JohnFen wrote:
| But doesn't the phone need to interact with a backend
| service to be used for payment? Maybe it doesn't -- I
| don't know how these services actually work in this
| regard -- but typically you need to use an app and
| register your accounts in order to be able to do
| payments, correct?
|
| A dumb phone wouldn't do any of that stuff.
| vel0city wrote:
| It doesn't necessarily need to be online for that kind of
| payment workflow. It could just directly emulate a
| payment card, which those definitely do not have internet
| connectivity. It would probably take some kind of app to
| add/remove payment cards, but theoretically this could
| just be something built-in to the device instead of being
| some kind of app you'd get from an app store.
|
| Dumb phones still run applications, they're not
| mechanical devices, at least anymore.
| JohnFen wrote:
| > this could just be something built-in to the device
| instead of being some kind of app you'd get from an app
| store.
|
| Yes, I wasn't asking about where the app came from.
| Preinstalled or user-installed doesn't matter.
|
| So what I hear you saying is that the app doesn't need to
| communicate with anything, either to add/drop accounts or
| to make payments. Is that correct?
| vel0city wrote:
| Ah ok, I think I get what you're talking about -- you're
| talking about the initial provisioning. I do imagine that
| would need _some_ kind of communication. But it might not
| necessarily be some kind of internet connection on the
| device itself. It could be logging into your bank's
| website from your computer and putting in some kind of
| fixed identifier of the device or like a smart card
| transaction with the website by a USB cable, or
| registering the device at some physical bank branch,
| putting in some kind of SIM-card like device, etc.
|
| There would probably have to be _some_ way of pairing the
| device to your account, but there are probably many
| potential ways it could be done with some theoretical
| "dumb phone".
| JohnFen wrote:
| Yes, I understand better now. I don't use these sorts of
| things, so I've never needed to really know how they work
| practically. I do understand the cryptographic
| underpinnings.
|
| So, a feature phone could be used for this. Good to know!
| WastingMyTime89 wrote:
| No both Google Pay and Apple Pay directly work with the
| payment terminal as if they were cards. You need to add
| your card to the app so that your bank sends the
| necessary keys to your phone secure enclave but then it
| works perfectly fine offline. You just have to tap twice
| on a physical button and pass the biometric auth to pay.
| JohnFen wrote:
| > your bank sends the necessary keys to your phone
|
| Ah, that clarifies things. Thank you.
| f38zf5vdt wrote:
| Yes, I phrased this badly. I meant that instead of using
| the phone's NFC for verification, we can use a small NFC
| device that we tap to the phone and which the phone reads
| via NFC to verify our identities. Just like we tap our
| cards to payment terminals.
| aaomidi wrote:
| The main problem is, PKI is hard and banks and DMV aren't
| known for their appreciation of technical complexity.
|
| we have highly technical CAs for https that have wild
| problems. A well functioning PKI system for banking, identity
| might work - but it needs to actually be well functioning and
| transparent.
| cheeselip420 wrote:
| We microchip our pets. Let me walk into the DMV and get
| microchipped.
|
| Then I can force-wave to pay for goods, go through security
| checkpoints, etc. People will freak the fuck out about it...
| but personally I'm 100% for it.
| zoklet-enjoyer wrote:
| I'm all for this. I've had a chip in my hand since 2014
| atlasunshrugged wrote:
| Did you do it yourself or use a service? What do you use
| it for?
| zoklet-enjoyer wrote:
| I had a local body mod artist implant it. He ordered it
| from dangerousthings.com
|
| I just have my contact card on it so when I meet people I
| can have them scan my hand with their phone to give them
| my number.
| BiteCode_dev wrote:
| If you have to own a specific device to exist
| administratively, I'd rather use something that:
|
| - doesn't cost hundreds of dollars
|
| - doesn't live track me every second
|
| - isn't also holding the rest of my entire life
|
| - isn't a good target for stealing, seizing or hacking
|
| The wonderful thing about the payment card is that it's just
| that: a payment card.
|
| It's small, cheap to replace, doesn't require a battery,
| doesn't share my GPS position at every second, can't show me
| ads, and if it gets stolen, I don't also lose my entire list
| of contacts and my browser favorites.
|
| I can easily have many in my pocket, and only use one when I
| want. If I lose it, I can cancel it quickly, it doesn't
| affect anything else, and it's swiftly replaced.
|
| It's also super simple to use, yet not that easy to abuse.
|
| The phone is already too many things at once. Too many eggs
| in the same basket.
| WastingMyTime89 wrote:
| Contrarian opinion: I'm never going back to using a card
| now that I'm used to paying with my phone. I always have my
| phone with me anyway. Paying with it is perfect. I don't
| even carry a wallet anymore. Plus, things are frictionless.
| Changing card is easy. It's fast and doesn't require a pin
| most of the time.
|
| I have been moving more and more things to my smartphone as
| time goes on. It's already my 2FA anyway so it will be a
| major hassle if it's stolen (but stealing a modern smartphone
| is useless as they can't be reactivated anyway).
| f38zf5vdt wrote:
| Yes, a government or corporate issued device like a Yubikey
| with NFC is my ideal. Just tap to the phone to verify.
| Payment cards got it right, everyone else is just catching
| up.
| acomjean wrote:
| We used to have a little key ring fob that would display a
| number that would change from time to time. That +password
| was all we needed.
|
| If my phone breaks, I can't get onto my work network now...
| jollyllama wrote:
| You're assuming the post-2001 security state assumptions
| remain the same or don't ease. Which is probably true, but a
| lot of us would rather ditch them.
| ofchnofc wrote:
| I love when I call US financial institutions and am reminded that:
|
| 1. They insist on using voice menus that are only ever capable of
| servicing requests _that I can already do online, or don't work
| because they're jammed up by the same backend issue that their
| website hits_.
|
| 2. They try to auto-enroll me in Voice ID despite always going
| out of my way to demand that feature not be enabled.
|
| 3. Use TOTPs sent to SMS instead of any halfway reasonable
| TOTP/FIDO2 solution.
|
| US Banks are a joke. So much so that I actively root for them to
| be hacked so a light can be shone on the fact that my god damn
| Xbox account is far more secure (first line security) than my
| Bank account (I do realize that Schwab will probably make me
| whole faster than Microsoft would in the case of some act of God
| compromise).
| jklinger410 wrote:
| Also your personal data and financial details are being
| directly sold by them or stolen by tracking pixels.
|
| Once you realize there are no banks at a consumer level who
| keep your information private in any way, the idea of privacy
| in the US becomes a complete joke.
| LetsGetTechnicl wrote:
| At least you have some recourse and protection if something
| happens to your bank account, unlike an Xbox account where
| Microsoft can just deny access for any reason.
|
| But I'm also grateful my credit union has an online portal that
| has 2FA with authentication app support and the ability to
| disable SMS, phone call and email 2FA options.
| adrianmonk wrote:
| Biometrics work (in their limited way) only if you control the
| hardware and the physical environment. You can measure something
| unique and check that it's as expected, but that's only valid if
| there's proper custody on the measurement and resulting data.
|
| It's a pretty simple concept, but people perennially can't figure
| it out. Or don't care.
|
| So, if you're going to use biometrics, a retina scan on a bank
| vault might be reasonable, but a web site that does facial
| recognition with the user's camera is not.
| 3np wrote:
| In principle, you are correct and one should act accordingly.
|
| In practice, it's an arms race. Plug some more sensors and
| hardware enclave on the next smartphone generation and flame up
| the zero-trust hype and it'll be a while until you can covertly
| unlock your spouse's phone or steal your flatmate's custodied
| crypto even as a well-funded hacker.
|
| The collateral damage to individual autonomy as end-user
| devices, apps, and services are dragged along and slowly
| becoming the only gateways into the financial system and large
| parts of the private and public social room is rather quite
| unfortunate.
| adrianmonk wrote:
| Well, now you get into DRM and its kin. Which is really a
| conflict of values.
|
| If party A (the owner/user) has control of the hardware,
| there are certain things it enables, like doing what you want
| with the hardware you paid for.
|
| If party B (the vendor/manufacturer) has control of the
| hardware, it enables other things like participating in games
| with stronger anti-cheat mechanisms or quicker authentication
| when doing a payment.
|
| Some of these things have value to only one party, and some
| of them might have value to both. You're never going to make
| everybody happy when values conflict. Plus it gets extra
| complicated because values vary. Maybe one end user cares
| less about control and more about convenience, and another
| end user is the opposite.
| justin_oaks wrote:
| Yup. Remote biometrics? Forget about it.
|
| Another big problem with biometrics is that if they're "stolen"
| then you can't revoke them. That said, if you control the
| hardware and physical environment where the biometrics are used
| then it's hard to use the stolen biometrics.
|
| I could see a case for going to an office that was approved by
| the government to verify your biometrics. That way the hardware
| and physical environment would be controlled. The office could
| have people verifying that you don't, for example, have fake
| fingerprints over your real ones.
|
| Then that office could act like a certificate authority and
| generate a certificate that links your identity to a newly
| generated public key. Then all authentication would be done
| using the private key and certificate instead of using the
| biometrics directly.
|
| In such a case, stolen biometric data wouldn't be useful since
| it'd be hard to get past physical inspection.
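As an added example (not code from the article or from the thread) of the enrollment-office-as-certificate-authority idea in the comment above, in Go using the standard library's crypto/x509: the office signs a certificate binding a verified name to a newly generated public key, and a bank authenticates by checking that the certificate chains to the office it trusts and by verifying a signature over a fresh challenge. The biometric inspection happens once, in the office, and nothing biometric is ever transmitted or stored in the certificate. The office and person names are invented, the leaf serial number is derived from the clock for brevity, and the office's own certificate is self-signed; a real authority would use random serials, keep its key in an HSM and publish revocations.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKey generates an Ed25519 pair; a subject's pair lives on the subject's own device.
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// mustParse turns CreateCertificate's (DER, error) result into a parsed certificate.
func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Authority is the enrollment office: after checking a person in a controlled room it
// signs a certificate binding the verified identity to a public key. No biometric goes in.
type Authority struct {
	Cert *x509.Certificate
	priv ed25519.PrivateKey
}

func NewAuthority(name string) *Authority {
	pub, priv := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return &Authority{Cert: mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)), priv: priv}
}

// Issue is called only once the in-person check has passed.
func (a *Authority) Issue(identity string, pub ed25519.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // example only; real issuers use random serials
		Subject:      pkix.Name{CommonName: identity},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(2 * 365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, a.Cert, pub, a.priv))
}

// Authenticate is the bank's check: the certificate must chain to the office the bank
// trusts, and the presenter must prove possession of the certified key over a fresh challenge.
func Authenticate(trusted, leaf *x509.Certificate, challenge, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	pub, ok := leaf.PublicKey.(ed25519.PublicKey)
	if !ok {
		return "", errors.New("unexpected key type")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return "", errors.New("challenge signature does not verify")
	}
	return leaf.Subject.CommonName, nil
}

// RunEnrollmentScenario: Alice is accepted; a cert naming "Alice" from an untrusted
// office is rejected; Alice's own cert presented without her private key is rejected.
func RunEnrollmentScenario() (name string, rogueErr, noKeyErr error) {
	office := NewAuthority("Example Enrollment Office")
	alicePub, alicePriv := newKey()
	aliceCert := office.Issue("Alice Example", alicePub)
	challenge := make([]byte, 32)
	rand.Read(challenge)
	name, _ = Authenticate(office.Cert, aliceCert, challenge, ed25519.Sign(alicePriv, challenge))

	rogue := NewAuthority("Rogue Office")
	malPub, malPriv := newKey()
	_, rogueErr = Authenticate(office.Cert, rogue.Issue("Alice Example", malPub), challenge, ed25519.Sign(malPriv, challenge))
	_, noKeyErr = Authenticate(office.Cert, aliceCert, challenge, ed25519.Sign(malPriv, challenge))
	return name, rogueErr, noKeyErr
}

func main() {
	fmt.Println(RunEnrollmentScenario())
}
```

The two rejection cases are the ones that matter for the comment's argument: a certificate is public, so stealing it gains nothing without the private key, and an attacker who sets up their own "office" cannot mint an identity the bank will accept because the bank pins the office it trusts.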
| hospadar wrote:
| I went to a really interesting talk about biometrics from the guy
| who ran (runs?) the HUGE biometric ID program that India runs
| (Aadhaar). A point I remember him reiterating several times is
| that biometric ID is useful to uniquely identify human meat-
| bodies (my paraphrase), but that it's fairly weak if you're using
| biometrics for authentication.
|
| His idea being that your biometric data is not really secret
| (i.e. in the case of fingerprints or face, it's attached to your
| body and easily observable), and also that it cannot be changed
| (easily, with today's technology). If someone gets their hands on
| your fingerprints or retina scan, you can't "change your
| password".
|
| His point was that biometrics are really useful for stuff like
| KYC when you get a bank account (where bank employees can feel
| pretty sure that they are really scanning your eyeball and not a
| picture of your eyeball reproduced for the camera), but not such
| a good idea for stuff like "are you allowed to access this ATM
| machine?". Also, while identity theft sucks, getting your
| password stolen is painless, whereas someone chopping off your
| thumbs to squish them up to an ATM machine is a less pleasant
| experience.
| nwiswell wrote:
| > Also, while identity theft sucks, getting your password
| stolen is painless, whereas someone chopping off your thumbs to
| squish them up to an ATM machine is a less pleasant experience.
|
| This is not a real distinction if they are physically present
| and willing to use that level of violence. It reminds me of the
| password XKCD -- doesn't matter what your password is or how
| recently it's been changed if they're willing to beat it out of
| you with a wrench.
| whataboutthizy wrote:
| [flagged]
| prettyStandard wrote:
| Biometrics are an username, not a password.
| acchow wrote:
| Except on hundreds of millions of iPhones around the world.
| Apple has shown that the distinction is more nuanced. There
| are cases where biometric use is legitimate.
|
| Signing into an account on a remote server? Probably not. To
| access the secure enclave on a device that is with you for
| 100% of your life? Probably fine.
| tinus_hn wrote:
| In a sense it's two factor authentication with the other
| factor being the phone itself
| TacticalCoder wrote:
| > To access the secure enclave on a device that is with you
| for 100% of your life? Probably fine.
|
| The notion, however, that a device shall be with you for
| 100% of your life is not fine at all. It's totally
| dystopian.
| a_subsystem wrote:
| I think op means with you, rather than someone else.
| joe_the_user wrote:
| The only "nuance" here is that weak security is "probably
| fine" in many situations. It should still be acknowledged
| as weak security.
|
| Most houses don't have locks appropriate for bank. Many
| people do get by with weak passwords in many situations.
|
| But acknowledging the weakness of this sort of security is
| still important because a given person has to consider the
| threat they face (activists who may face a repressive state
| should still know what good and what bad security is) and
| because new exploit methods can appear.
| guru4consulting wrote:
| this is the best one-line explanation I have come across.
| prettyStandard wrote:
| All the people above you are going on and on about things
| that can't be captured in one line. lol.
| O__________O wrote:
| To me, even that's a poor comparison, since usernames can
| change per platform, multiple usernames can be created per
| user, etc.
| IshKebab wrote:
| I wish people would stop saying this because it is clearly
| wrong. Biometrics have different security properties to both
| usernames and passwords. They're another category. They
| aren't the same as usernames.
|
| In some cases they are totally appropriate as passwords. For
| example fingerprints & face recognition for building access.
|
| (And before you say "but someone could copy your fingerprint
| from a glass and wear a prosthetic mask that looks like you!"
| think about how you would break into "password" style
| building security - PINs and access cards.)
| Aardwolf wrote:
| > For example fingerprints & face recognition for building
| access.
|
| Huh, why is that fine for building access? Someone can
| enter your house by just having a copy of your fingerprints
| or face data?
| IshKebab wrote:
| I didn't say _all_ buildings, but in any case someone can
| enter your house by smashing a window or copying your key
| or picking the lock or breaking the door or...
|
| Don't imagine that all security has to be mathematically
| perfect, especially in the real world.
| lcnPylGDnU4H9OF wrote:
| > [Biometrics are] another category. They aren't the same
| as usernames.
|
| If one still finds themself disagreeing with this, consider
| the difference between what it means to choose a new
| username and what it means to choose a new face.
| meepmorp wrote:
| Here's a question I have - how easy is it to fool the detector?
|
| Phone lines are frequency limited and connections are sometimes
| poor. Apparently you can fool it with a recording of the target
| speaker, but what about an computer generated voice? And are the
| features it's detecting things you could correlate with
| information you could gather on a subject - age, gender, place of
| birth - to produce a good enough match for enough people to make
| automated targeted attacks possible.
| JohnFen wrote:
| It's not really that hard. You don't even need AI to do it. You
| do have to know what you're doing, though.
| aziaziazi wrote:
| Seems interesting, may you share more details?
| JohnFen wrote:
| This isn't really the right venue for such detail, but a
| wealth of information is a search away. Sorry to be
| evasive, but the security guy in me is much more
| comfortable being evasive about things that could be
| leveraged against people.
| _ah wrote:
| Every time I've called my broker they've asked to enable Voice ID
| as their "most secure form of authentication!". Hard pass. The
| poor reps on the phone are always very confused.
| jacksnipe wrote:
| Wait isn't this the plot to the original Charlie's Angels movie?!
| acomjean wrote:
| "sneakers" https://en.wikipedia.org/wiki/Sneakers_(1992_film)
| foxandmouse wrote:
| We might need to go back to physical authentication methods with
| advancements in AI and considering the potential of quantum
| computing.
| gabereiser wrote:
| "My voice is my password" brings back memories of hacking banks,
| only in Uplink. What?!? How is this security? Even back in 2000
| this is a bad idea. It's even worse today.
| lightspot21 wrote:
| >Uplink
|
| Woah. I haven't heard about this game in like a decade! Thanks
| for the nostalgia.
| gabereiser wrote:
| My grey beard must be showing. I remember it like it was
| yesterday. The pure OpenGL graphics, the "slide in from the
| right" email "spam". The matrix-like tumbler of hex that
| would "crack" an encryption. It was a perfect game for a
| small studio.
| therein wrote:
| I think many of us played that game a little too much when we
| were young. I remember always going back to it.
| lukevp wrote:
| This game was so fun! It was one of the things that got me
| interested in software development, along with Learn to
| Program BASIC (a game about programming games)
| e12e wrote:
| 2000?! Never forget - "Sneakers". Get off my lawn.. ;)
|
| https://m.youtube.com/watch?v=-zVgWpVXb64
| gabereiser wrote:
| Yeah that's where they got the "idea" from. I didn't know a
| bank would actually consider this "security".
| zizee wrote:
| I watched it again just a couple of nights ago. It still
| holds up! What a great cast.
|
| When I watched the "voice is my passport" sequence, I still
| enjoyed it, but I immediately thought of our recent ability
| to mimic a voice speaking any sentence, just by supplying a
| few minutes of training data.
|
| How long until people start receiving voicemails from
| scammers in their boss's voice? How long until we can filter
| voices in real time to convert anyone to sound like anyone
| else? Video is also not that far away. Will I be able to send
| my AI doppelganger to videocall standups?
|
| On the plus side, it will help enable things like proper
| double blind interviews, to allow for gender bias free
| interviews. It will also help anonymity, or people with
| disabilities.
|
| On an unrelated note, I had forgotten that President Roslin
| was in it and was such a fox (I'll probably say that about
| Battlestar in another twenty years after I have aged past
| her, like I have now caught up to her in Sneakers :-p
| LetsGetTechnicl wrote:
| I've called Spectrum a few times and they offer this tech too and
| I always wondered how secure it could be if it's running over
| regular telephone calls. Like the audio quality isn't great so
| how well can it differentiate voices and particular
| characteristics
| danShumway wrote:
| I'm not really sure the addition of AI changes all that much
| here. It sounds like the bypass the author used would have been
| possible using conventional methods. But if AI draws attention to
| the horrendous practice of biometric authentication, I'm all for
| it and I hope that more reporters start asking similar questions
| about bank security.
|
| This article focuses specifically on UK security, and I'm not
| sure what the situation is over there, but in the US digital
| security around banks is pretty awful. I looked around a while
| back trying to find an online consumer bank with good reviews
| that offered 2-factor authentication (real 2-factor
| authentication, not just SMS). I couldn't find a single one[0].
|
| At best, a couple of banks mentioned that they had their own
| proprietary authentication apps that I could install. None of
| them had basic OTP support for something like AndOTP.
|
| I had to fight with my bank for multiple days before I got them
| to allow me to set up a passcode that they would use to identify
| me when I called, rather than just relying on basic information
| that was all made public in the Equifax leak. To their credit,
| they do actually ask me, but I still wonder if someone tried to
| impersonate me, would they actually block access or would they
| bend as soon as the person made a fuss about not knowing the
| code?
|
| That the response to this from the banks involved is immediately
| "well, it's just an extra layer, we're getting better and better"
| -- it's infuriating to read. It's an industry that is not just
| behind on security, it's actively hostile to people pointing out
| that it's behind on security.
|
| I guess it should make me feel better that apparently it's not
| just a US-specific problem? I'm not sure it does though.
|
| ----
|
| [0]: Sidenote, if anyone has any good suggestions here, I'd be
| all ears. I get regularly annoyed at how bad my bank is with
| notifications around payments, card usage, etc... and how it
| seems to be both antagonistic to actual security measures like
| 2FA and in love with security theater like blocking VPN access.
| PascLeRasc wrote:
| Right now, the only options are Charles Schwab with a
| workaround [1], and Wealthfront and Betterment with native OTP
| 2FA. These are actually pretty great accounts regardless of
| security, >4% interest on savings and no ATM fees ever. The
| only credit card I've been able to find with non-SMS 2FA and no
| SMS fallback is the Apple card.
|
| [1]
| https://www.reddit.com/r/personalfinance/comments/hvvuwl/usi...
| foxandmouse wrote:
| We already know the limitation of physical authentication, which
| is why digital is so convenient, but with advancements in AI and
| considering the potential of quantum computing I wonder where
| we'll turn to next... maybe there will actually be a use for the
| blockchain
| bmitc wrote:
| The title alone reminded me of the scenes in _Archer_ of Archer
| accessing the mainframe using the voice from a voicemail prompt.
|
| https://youtu.be/X1AjJVbQo7M
| 01100011 wrote:
| Your voice is indeed a form of authentication to other people
| that know you. How long until it becomes a valuable token which
| needs to be protected?
|
| I can see various forms of 'man in the middle' attacks taking
| place with selective conversational interposing allowing an
| attacker to inject false data into a live conversation between
| two parties.
|
| Imagine a simple example using caller ID spoofing: Attacker calls
| two parties and uses stolen voices to establish a reason for the
| call (as both people will know they did not instigate the
| conversation, both will need to be convinced that the other party
| did). Now the conversation is started and has context. Now the
| attacker can steer the conversation to various topics and
| selectively invert various factual exchanges or negotiations.
| Afterwards, both parties will be left with a valid memory of the
| interaction and, unless they confer on who instigated the call,
| may have little reason to suspect that sections of the exchange
| were manipulated.
| ulnarkressty wrote:
| This can be mitigated somewhat if both parties agree on a
| secret exchange in advance. I guess it's just a matter of time
| until parents all over will have challenge-response sheets next
| to the phone to prevent them from wiring money to their "son"
| who's been in a terrible accident.
| throwaway_13140 wrote:
| > I had access to the account information, including balances and
| a list of recent transactions and transfers.
|
| But could you make a transaction?
|
| The title is a little sensationalist.
| JohnFen wrote:
| Banks are using voice ID for important authentication?? That's
| bordering on insanity.
| toomuchtodo wrote:
| https://www.fidelity.com/security/fidelity-myvoice/overview
|
| https://investor.vanguard.com/trust-security/security-center
|
| https://www.schwab.com/voice-id
|
| https://www.morganstanley.com/what-we-do/wealth-management/o...
|
| https://www.bnymellon.com/us/en/insights/all-insights/five-d...
| JohnFen wrote:
| Wow. I just finished reading all of those, and the amount of
| nonsense and unsupported assertions in them is truly mind-
| boggling.
|
| I'd love to see what, if any, evidence they have to back up
| the claims they're making.
| scoobitydoobap wrote:
| Is the alternative of them verifying your identify by sending
| a code to your phone or you telling them to call you at your
| phone number better (referring to SIM swapping)? Which
| commonly used verification method is the lesser of all evils?
| toomuchtodo wrote:
| Push notification to a banking app or generating a code in
| the app or the website are secure alternatives I'm familiar
| with.
| logicalmonster wrote:
| Forget AI-generated voices for a second. How are these tools
| trustworthy for defending against simple low-tech hacking
| like recording somebody's voice and editing it together in
| the right pattern?
|
| These old comical soundboards of celebrity voices are
| imperfect as the audio often has different volume levels and
| subtle background noise, but illustrates the general
| principle. With an intense enough effort, you can record
| enough audio from a person to put together a natural
| conversation. It takes some effort, but is not outside of the
| technical capabilities for even a smart 14 year old to set
| this up.
|
| https://www.101soundboards.com/boards/10716-arnold-
| schwarzen...
|
| Unless these financial security systems have a way to look
| for very subtle, unnatural gaps in the audio or the
| consistency of the audio quality, the voice pattern that
| exists could be a perfect match with this kind of tactic.
|
| The handful of times I've had to contact Fidelity, their
| customer service has been exceptionally professional. The
| only annoying part of the process is trying to insert a long
| password via the phone dialpad to verify my identity. I've
| been given the suggestion to set up their MyVoice feature, but
| have resisted setting that up because it seems like there's a
| possibility it could be bypassed.
| elil17 wrote:
| In this article, the bank used both voice ID and date of birth
| to verify identity before a balance check. That seems like a
| reasonable level of security to me.
| londons_explore wrote:
| Yeah, but they use the exact same two forms of auth to send
| the whole contents of the account overseas... Or to take out
| a huge loan...
| anigbrowl wrote:
| DOB is easy to find and voices are often easy to copy, even
| without technology. Comedic impressionists have done this for
| entertainment since about 5 minutes after humans learned to
| talk.
| danShumway wrote:
| Date of birth is _nothing_. It's public on your Facebook
| profile.
|
| And even ignoring that voice ID is insecure, I still think
| for the amount of complexity going into voice ID, there are
| much simpler systems that would be just as easy to use. The
| difficulty of getting someone to enroll their _voice_ into a
| database can't possibly be lower than the difficulty of
| getting them to read a code off the back of their card, or to
| set up a passcode, or to read off an OTP from an app.
|
| Maybe balance checks are trivial enough where someone doesn't
| care if they get hacked, but it's still weird because there
| should be a secure login method over the phone that gets used
| for _everything_. That there are separate login methods for
| different operations is weird and probably not good security.
| Why bisect it?
|
| If the normal login methods are too cumbersome or hard,
| well... that's another situation that's worth questioning.
| There are easy login methods for services that are much more
| secure, why isn't the normal phone authentication using
| those? Why is it using a method that's so cumbersome that
| they need a different login method to check bank balance?
| olddustytrail wrote:
| Sure, as long as you've never had a birthday party in a
| public place. Or never spoken at it.
| JohnFen wrote:
| Not to me. DOB is publicly available information, and I
| wouldn't even consider using voice as an authentication
| method. But perhaps that's because I have a fair bit of
| experience in those voice techs.
| elil17 wrote:
| My point is that they have different levels of
| authentication required for different levels of access, and
| the voice id thing seems more reasonable in light of that.
| idiotsecant wrote:
| For a balance check? Seems like it's a relatively innocuous
| piece of information. They aren't transferring money, it's
| pretty much the same amount of information they would get
| looking over your shoulder at the ATM.
| ncallaway wrote:
| DOB???? How can that possibly be considered a useful factor
| for authentication?
| isoprophlex wrote:
| Yeah sure, and if mine should accidentally leak, I'll just
| change it. No problem there.
| michael1999 wrote:
| The USA seems to live in a different world. While Europe
| embraced smart cards and PIN, they stuck with ink signature for
| years. And now that smart banks are moving to hard two factor
| tokens, the USA doubles down on craziness like voiceprints. All
| in the name of convenience. So weird.
___________________________________________________________________
(page generated 2023-02-23 23:01 UTC)