Banks are continuously coming up with new ways to verify customers’ identities. Before biometrics allowed people to access their accounts from home, banks required customers to show their driver’s licenses or sign a paper or digital pad to compare the signature with the one on file. Now most of us can access our balances, make transfers, and complete other virtual banking tasks with a quick Face ID scan, a fingerprint scan, or by speaking a specific phrase out loud.
One little problem: The latter option is easy to exploit. Vice Motherboard’s Joseph Cox successfully “broke into” his own bank account this week using a readily available AI voice generator, which mimicked Cox’s voice well enough that the bank’s voice-based biometric security system didn’t raise a red flag.
Cox started with a free voice creation service from Eleven Labs, an AI company founded by a former Googler focusing on “realistic and versatile” speech. He recorded five minutes of his own speech and uploaded it to Eleven Labs’ software, which used the recordings to create a synthetic voice. Cox could type in whatever he wanted the synthetic voice to say, then download those snippets as audio files. Among the phrases he procured were “Check my balance” and “My voice is my password.”
Cox called his bank—Lloyds Bank in the United Kingdom—and played the files corresponding with these phrases as the automated teller walked him through its security checks. To Cox’s disbelief, the system perceived the synthetic voice as his own and allowed him access to his balance, recent transfers, and other information.
Lloyds Bank is far from the only bank to use voice verification. (Image: Nick Sarvari/Unsplash)
“Some banks tout voice identification as equivalent to a fingerprint, a secure and convenient way for users to interact with their bank,” Cox writes in his description of the hack. “But this experiment shatters the idea that voice-based biometric security provides foolproof protection in a world where anyone can now generate synthetic voices for cheap or sometimes at no cost.”
A glaring vulnerability like this doesn’t just spell danger for unsuspecting randoms; it also presents real risks for victims of financial abuse, who’d otherwise keep balances and transactions private from toxic partners. Cox notes that while bad actors would need a victim’s date of birth to break into an account (he had to type his own into his phone), such information is readily available online, thanks to social media, data breaches, and data brokers.
Between Wells Fargo’s “Voice Verification” system and Chase’s “Voice ID,” large banks tend to assure their customers that voice-based security systems are secure and effective. When Cox informed his bank that he’d been able to access his account with a synthetic voice, a spokesperson responded that Lloyds Bank’s system provided “higher levels of security than traditional knowledge-based authentication methods.” Wells Fargo and Chase didn’t respond to related inquiries.
At that point, there’s only one small comfort: Voice verification is usually an option that can be disabled, much like Face ID. With the proliferation of AI-based imitation technology as of late, it might be best to turn that feature off.
- Russian Propagandists Are Using Paid Twitter Blue Checks to Spread Disinformation
- LastPass Owner GoTo Confirms It Was Also Hit By November 2022 Hack
- Microsoft, Adobe Announce Edge Browser Will Soon Use Acrobat to Open PDFs