“My voice is my password.” This innocuous phrase is actually the key to many bank accounts. In the United States, as in Europe, banks let their customers identify themselves and manage their money simply by speaking during a phone call. A journalist from the American media outlet Vice put this procedure to the test using artificial intelligence, running an experiment with his own bank, Lloyds Bank.
Using software from the startup ElevenLabs, the journalist generated a synthetic copy of his voice. Like Microsoft, the company allows you to reproduce your own voice or that of a celebrity from just a few sound samples. It is then enough to type a text to make anyone say almost anything. This feature was quickly abused: actress Emma Watson’s voice was notably used to utter racist slurs.
A supposedly infallible device
To limit abuse, ElevenLabs has revised its terms of use. The service now charges for imitating the voice of someone other than yourself, but reproducing your own voice is still free. This is the option the Vice journalist used to test the effectiveness of his bank’s voice-based protection system.
While institutions that offer voice identification are supposed to have a foolproof mechanism, the experiment unfortunately showed otherwise, at least with the ElevenLabs solution. Tests were carried out with other voice generators, but that software had trouble correctly reproducing the journalist’s British accent.
ElevenLabs’ artificial intelligence was used to generate two audio files. The first was used to state his request: “check my balance”. The second was used to identify himself by pronouncing the phrase “my voice is my password”.
Countermeasures implemented
During his call, the reporter simply played the audio files instead of speaking. The only additional item requested was his date of birth, which he was able to enter manually. He thus gained access to his accounts, including his bank information, his balances, his latest transactions and his recent transfers.
Lloyds Bank has explained that it is aware of the risks that synthetic voices can pose. It says that it is deploying countermeasures and that so far no fraud has been observed among its customers.
However, contacted by Vice, social engineering specialist Rachel Tobac, director of SocialProof Security, recommended “all structures that use voice authentication to switch to a secure method of identity verification, such as two-factor authentication, as soon as possible.”
Source: BFM TV
