Banks, ISPs Increasingly Embrace 'Voice Print' Authentication Despite Growing Security Risk
from the this-probably-won't-go-well dept
While it's certainly possible to sometimes do biometrics well, a long line of companies frequently... don't. Voice print authentication is particularly shaky, especially given the rise of inexpensive voice deepfake technology. But, much like the continued use of text-message two-factor authentication (which is increasingly shown to not be secure), it apparently doesn't matter to a long list of companies.
Banks and telecom giants alike have started embracing voice authentication tech at significant scale despite the added threat to user privacy and security. And they're increasingly collecting user "voice print" data without any way to opt out:
"despite multiple high-profile cases of scammers successfully stealing money by impersonating people via deepfake audio, big banks and ISPs are rolling out voice-based authentication at scale. The worst offender that I could find is Chase. There is no “opt in”. There doesn’t even appear to be a formal way to “opt out”! There is literally no way for me to call my bank without my voice being “fingerprinted” without my consent."
The U.S. has generally been extremely lax on privacy and security legislation and oversight, generally opting for baseline requirements that companies at least be transparent about their security and privacy practices, and provide users with working opt out tools. But time and time again neither are really adhered to. Eventually our lack of any meaningful privacy rules for the internet era will culminate in a privacy scandal that makes past scandals look like a grade school picnic. And with companies increasingly prioritizing convenience and simplicity over security and common sense, that day could arrive sooner than we think.
The rush toward voice authentication tech is particularly problematic given the quick rise of automated deepfake systems and the growing trove of user voice data available online. With parades of online creators, and smart televisions and other gadgets hoovering up voice data (and frequently failing to secure or encrypt it), availability of this data is ballooning. As are examples where faking a user's voice has been used for significant thefts. What happens when voice print authentication is adopted at scale, and exploitation of that trend becomes automated by robocall scammers already running amok? Nothing good.
Using voice authentication to secure your finances (or much of anything notable) is, at its base, already very much a hit or miss proposition:
The problem here isn't "deep voice" tech. This is a laughably poor security protocol that allows money to be moved with a phone call. https://t.co/ClzzxILOz7
— Anthony DeRosa (@Anthony) October 14, 2021
If you figure voice deepfake tech will only get cheaper and better over time, you can also figure replacing passwords and pins with voice authentication isn't a great idea in a country already drowning in robocall scams. Yet we're apparently doing it anyway:
"Again, society must adjust to the following reality: It’s become easy for anyone to spoof the voices of others who have public recordings of them talking (very common). Therefore, companies (especially banks) should not be using this as a @#%!ing way to log into accounts! You would think this is SIMPLE-enough for corporate America to understand, but alas, here we are."
At the very least informed users should have the ability to opt out of voice data collection, yet in many cases they can't even do that. It's yet another example of why the nation needs at least some kind of baseline privacy rules that at an extreme minimum mandates that both data collection and security options should be transparent, and users should always retain opt out control. Baseline privacy legislation should also include meaningful penalties and accountability for the very long line of companies that view consumer privacy and security as an annoying afterthought.
Given this would cost a large number of politically powerful industries money we're not going to do any of that. Instead, we're going to continue to embrace the current paradigm: a few badly crafted state privacy proposals and a generalized apathy on the federal level. Surely that will work out well, right?
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: banks, security, voice authentication
Reader Comments
Subscribe: RSS
View by: Time | Thread
And what of scammers who preempt the voiceprint fingerprinting by calling the bank with a generic synthesized voice ... which then locks the actual customer out of their account?
[ link to this | view in chronology ]
Link? source?
Who are the sources being quoted in this article?
Just curious....
Keep hammering for privacy and competition Karl!!
[ link to this | view in chronology ]
What are the odds of any of the executives making this decision being in on these very lucrative transactions just like with junk mortgages not all that long ago?
[ link to this | view in chronology ]
"Very least" indeed, because the alternate authentication methods are usually complete crap. Date of birth, maybe a social security number, or some other things that have leaked many times. I've got two smartcards from my bank, and can't use their chips (or PIN) for authenticating to their callcenters or web apps or for online purchases. Instead, the webapp sometimes sends an SMS code; and for authorizing online purchases, they datamine my life and check whether a purchase meets their predictions of my behavior.
It's a good example of why the "security vs. convenience" argument is often bullshit. It'd be quicker and easier, and more secure, to tap a card to my phone or computer than to answer the agent's questions or enter my card number, expiration date, etc.
[ link to this | view in chronology ]
Re:
""Very least" indeed, because the alternate authentication methods are usually complete crap."
True, but there's levels of badness.
"Date of birth, maybe a social security number, or some other things that have leaked many times"
Anyone designing a security system that accepts those as proof of identity should probably be taken as far from that job as possible, as quickly as possible.
"I've got two smartcards from my bank, and can't use their chips (or PIN) for authenticating to their callcenters or web apps or for online purchases"
I'd assume that the problem is that if they did enforce that it would remove the ability to make mobile purchases.
There are other forms of ID that are better, but far from perfect. One of my accounts confirms online purchases via SMS. The others have phone apps that ask me to go into the app and accept the purchase via some affirmative action. If I need to call them, they take me to an automated system that asks me to enter my PIN or the agent asks me for individual randomly selected characters from my password. These can be compromised, but they seem better than some of the ones you're describing.
But, the basic problem with using voice or other biometrics is that they're immutable. If someone compromises your voice, there's nothing you can do to change it. You can always get a new phone, change your number, change your password, etc., but one a biometric avenue is compromised you can do nothing about it.
[ link to this | view in chronology ]
Re: Re:
Tell them you've lost your cellphone, and you might find all that's just theater. Sure, we'll put your new number in, just give us your date of birth and SSN. (Better to never give such information in the first place, but it's not always possible. Plus, they may obtain it from elsewhere anyway.)
[ link to this | view in chronology ]
Re: Re: Re:
As opposed to the card method, since nobody could ever lose their card...
No, I'm much happier knowing that somebody obtaining my card can only make some purchases, rather than having full control over all of my accounts. "Something I have" can be a reasonable means of validating my identity... but only if I don't also need to carry it around everywhere and wave it at a half dozen payment terminals while I'm at it.
I can't imagine the chaos if ducktaping a phone to the bottom of a card reader was sufficient to log into someone's bank account.
[ link to this | view in chronology ]
Re: Re: Re: Re:
When I lost my bank card, they wanted me to go into a physical branch and show photo ID matching the account. It's reasonably secure (when people are not required to cover their faces...), and somewhat difficult for a scammer to scale up or automate.
That's why we have multi-factor authentication. We shouldn't get rid of the password or PIN for "important" operations (like large transfers or purchases).
I think there's real value in making the "usual" authentication methods quick and easy. And then when someone calls in with an unusual case—like a lost card or phone, a name change, or a large transfer to Nigeria—they can afford to put the best-trained people on it and give it extra scrutiny.
[ link to this | view in chronology ]
Re: Re: Re:
"Tell them you've lost your cellphone, and you might find all that's just theater"
I actually did lose my phone a few weeks ago, weirdly, but didn't have to speak to anyone to get things set back up. With one bank, I logged into the app with my username/password, they verified the number through SMS and I got multiple notifications through email and SMS to inform me that it was logged into another device. Not 100% infallibly secure, but the likelihood of someone getting access to my phone, account login and email all at the same time is fairly low. In my experience with this particular bank I would have to go into the branch if further ID was needed, IIRC, although I understand that option is not available to everyone.
With the other bank I use on a regular basis, after logging in they requested a selfie to verify it was me logging in. I've seen other places use a system where you have to have a video call with someone and they verify your ID with you holding it up in a certain way so that it can be scanned with you in the same frame. A bit weird, but certainly better than a voice on a phone.
If your bank is asking for publicly verifiable information to confirm your identity, then the problem is with your bank and not the concept of online security.
[ link to this | view in chronology ]
Re: Re: Re: Re:
That you didn't encounter an insecure process doesn't mean you're not vulnerable to one. When you say "they verified the number through SMS", presumably that means you still had your phone number. But an attacker might say they're still waiting on the new SIM, or someone stole their number, or whatever. It's good that your bank asks you to go in; these days, I suppose an attacker would use COVID as an excuse why they can't do that (they're in quarantine, or think they might have been exposed, or are afraid of getting it due to some health condition).
Social engineering never really stopped working.
Agreed, but I've never phoned any company and had a "security verification" process that went much better than that. They might ask for an approximate account balance or something, or maybe a security I'm holding (I keep my checking account near the minimum balance, hold only super-common index funds in the associated brokerage account... and the last time I dealt with them on the phone they suggested I sign up for voiceprint).
My electric company won't let me remove my date of birth from the account unless I provide a driver's license number, which (a) I don't have and (b) would include my date of birth as the last 6 digits. They say it's needed "for security".
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
"That you didn't encounter an insecure process doesn't mean you're not vulnerable to one."
I didn't say I was invulnerable, I said that I went through a process vastly more secure than asking for publicly available data like you were claiming. Now that I have gone through the process, any purchase or transaction I make online is way more secure than the processes you were describing.
"When you say "they verified the number through SMS", presumably that means you still had your phone number"
Yes, I went to my phone provider and showed them my ID to get a replacement SIM. As I mentioned above, it's not out of the question that an attacker could also get one, but it's astoundingly unlikely that they would be able to get my number, get my phone (or my account login to change the phone the account is attached to) and get access to the other avenues through which notification is sent that the login has changed. If they didn't have all that, I would have been immediately aware that my account was under attack, even if the attack was successful. If someone is deliberately targeting me to the degree that they have all of that compromised, I have way more problems than simply whether or not SMS is secure as 2FA.
"Agreed, but I've never phoned any company and had a "security verification" process that went much better than that."
Well, unless there is a really lax set of standards where you live and everyone is taking advantage of them, it seems like you need to change who you do business with. I can't remember the last time I phoned a company that didn't require a more secure set of responses, although I will admit that it's been very rare for me to phone a company in the last decade or so, as I prefer to do business either through more secure channels or through channels where there's some auditable trail if something goes wrong.
"unless I provide a driver's license number, which (a) I don't have and (b) would include my date of birth as the last 6 digits"
Well, that seems like really stupid design on the part of whoever provides you with your licence, which is another very good reason not to use a date of birth for identity verification.
[ link to this | view in chronology ]
Re: Re:
"True, but there's levels of badness."
...which only need to be applied because the banks are competitively desperate to gain more users of their services and as a result increasingly on convenient and cheap while sacrificing security. The golden rule of the security triangle still applies and customer-centric businesses have always opted to expose their customers to greater risk as a result.
This just reminds me of the old credit card scandal in the 90's, when anyone could apply for a credit card and the banks would simply send one to the address provided. As a result of which scammers sent in hundreds of applications and then followed the mailman through the neighborhoods, lifting the envelope with the fresh card from the mailbox before the home owner whose name was on the card could do anything about it.
The only thing we learn from history is that we don't learn from history, and all that.
[ link to this | view in chronology ]
The solution is simple...
Don't let the bank stick the consumer with the bill to fix it.
It is easy enough to show that the customer did not make the call so they didn't authorize it so the bank can eat returning the money.
You'd be shocked, just shocked, how fast banks would end this stupid idea if they have to bear the costs for their failure to not do stupid shit.
We force innocent people to fight corporations when their identity is stolen, despite the corporations enabling id theft.
Consumers have to fight stupid systems aligned against them like they were the back actors to cover the financial losses of a corporation who didn't do any due diligence before handing out thousands.
These systems are not secure but because those creating the systems never have to pay the bill for the fuckups they enabled, they keep doing it.
Stop making us pay the costs for CEOs stupid ideas.
[ link to this | view in chronology ]
Re:
"It is easy enough to show that the customer did not make the call"
No, it's not. You can't completely prove a negative. You might be able to show that you didn't, say, make a call to the bank from your mobile at a specific time by showing phone records. But, you can't absolutely prove that you didn't make the call from a different phone.
[ link to this | view in chronology ]
Re:
You're enabling them when you talk about one's "identity being stolen". That's some impossible sci-fi shit, and what's actually happening is that the bank was the victim of identity fraud, and they improperly gave away the wrong person's money. There are already laws against them doing so, and it's their responsibility to show a customer authorized any transfers.
[ link to this | view in chronology ]
Re: Re:
"We force innocent people to fight corporations when their identity is stolen, despite the corporations enabling id theft."
When is the last time a lender had to pay when someone told them they never applied for that loan? That the loan was obtained with fake documents & information that was leaked by a corporation.
[ link to this | view in chronology ]
Re: Re: Re:
The lenders wouldn't have to pay unless they violated some law. They'd just have to eat the cost.
I did find a story about a debt collector having to pay:
(Among other things, the FDCPA says a person can demand verification of any alleged debt, and can't be bothered again—except via a lawsuit—until proof is provided. The above story isn't a great example but does show the potential for enforcement.)
I'm not really sure what you're getting at. The person whose information was used still has their identity (which is more than a name and SSN and whatever other data gets leaked), and they're not victims of the fraudster but of the bank or collector. It still sucks for them, but we shouldn't use language that makes the banks seem uninvolved.
[ link to this | view in chronology ]
Re: Re: Re: Re:
People are paying Lifelock tons of cash to provide lawyers & experts to help them undo the issues when an lender hands out cash to a random person who knew the name of your first pet.
The system always requires the victims to prove they didn't get the loan/credit card & spend a lot of time cleaning up a mess created by a system that relies on some of the most exfiltrated data that is rarely secured.
The system is rigged against consumers.
If a bank decided that voiceprint was the way to go & then got scammed it would be nice if the bank had to clean up the mess rather than forcing a consumer who never opted into this stupidity to be the one to prove they didn't call in to make this happen.
[ link to this | view in chronology ]
The very model of Irony
Tom Baker said it best, in The Invasion of Time:
[ link to this | view in chronology ]
Re: The very model of Irony
There's a lot of sci-fi and heist movies that investigate the many methods by which such a lock can be compromised, and many of those were depending on technology that's far less sophisticated than what we have now.
[ link to this | view in chronology ]
Re: Re: The very model of Irony
There's also such a thing as "voice actors" and "impressionists". Those are decidedly low-tech options for compromising a voice-lock.
[ link to this | view in chronology ]
Re: Re: Re: The very model of Irony
Now, I'll admit I'm no expert on this, but I believe that voiceprints can account for a lot of those types of attempts, as even if a voice sounds the same to a human ear there are elements that make it clear that it's not the same person talking. But, if you're assembling stock responses from a recording of the actual person, or creating a deepfake version that can say anything with the same exact voice pattern, those checks go out the window.
[ link to this | view in chronology ]
Anyone?
Have a head cold, sinus problems?
YOU KNOW THE PROBLEM< dont you.
[ link to this | view in chronology ]
Countdown to banking voice database being exfiltrated . . .
[ link to this | view in chronology ]
My Name Is Werner Brandes.
My Voice is my Passport
Verify Me.
[ link to this | view in chronology ]
Hollywood insecurity systems made real
For decades, biometrics have been the go-to trope for spy/science fiction authors in need of of "security" systems that sound plausible enough for an audience that doesn't think too hard about it, but that can be broken in all kinds of interesting ways every time the plot demands it. Now the people who still aren't thinking too hard about it want to make those systems real.
[ link to this | view in chronology ]
Re: Hollywood insecurity systems made real
Most of the ways biometrics are broken in movies involve a level of violence or effort that the average thief doesn't want to do, or isn't able to do. After all, safes are broken into all the time in movies, that doesn't stop people using safes.
The problem as I've mentioned before is that biometrics as immutable. You can't grow different fingerprints or a different eyeball if the ones you current have are compromised. It's this problem that make biometrics undesirable in practice as a primary identifier for anything other than convenience.
[ link to this | view in chronology ]
no one watch Burn Notice?
[ link to this | view in chronology ]
Re:
It was Burn Notice that showed that this was a terrible idea?
I thouhht it was in a Hollywood movie...
[ link to this | view in chronology ]
Re: Re:
Sneakers predates Burn Notice
[ link to this | view in chronology ]
Somebody should do this to a few CEOs and some pols.
That might get some action going. Not saying it would be the action we want.
[ link to this | view in chronology ]
Fortunately in the UK, the banks security is considered a vital defence against fraud.
if someone uses telephone banking with deepfake audio, the bank will be on the hook for any stolen money, NOT the customer.
"banks are expected to have reasonable security, and failure to implement this puts the onus onto the financial corporation itself rather than the end customer".
[ link to this | view in chronology ]
Re:
In reality, UK banks give people trouble:
A related quote from Anderson's book "Security Engineering" (2nd ed. §2.4):
[ link to this | view in chronology ]