Key information
- Voice cloning technology has reached a high level of sophistication, making it possible to create convincing synthetic voices.
- Using an AI-generated voice clone, the perpetrator managed to gain access to their bank accounts by bypassing voice ID security measures.
- The vulnerability can be exploited in real-world scenarios, but requires physical access to the registered phone number.
Voice cloning technology has advanced significantly in recent years, now making it possible to create incredibly realistic synthetic voices. Celebrities such as Martin Lewis and James Nesbitt have already been victims of fraudsters who imitated their voices, highlighting the dangers of the technology. To test the limits of voice cloning, Shari Vahl, an investigative journalist at the BBC, decided to call on an expert to recreate her voice from a past radio interview.
The resulting voice cloning was surprisingly convincing; even his colleagues at the office had difficulty hearing the difference with his real voice. The goal of the experiment was not only to demonstrate the clone’s accuracy, but also to examine whether the clone was capable of bypassing security measures. The focus was on testing the effectiveness of voice identification systems used by banks for telephone banking services.
Bank security measures
Several banks use voice recognition technology, allowing customers to verify their identity using their unique voice, rather than using traditional passwords or PINs. Using an AI-generated recording of her voice saying the phrase “my voice is my password”, Shari Vahl managed to gain access to her Santander and Halifax accounts.
Exploitation of the vulnerability
Initial testing was carried out in a controlled environment within the BBC studios, using high quality loudspeakers. To further test the concept, Shari Vahl repeated the experiment from her own kitchen, using a simple iPad speaker. This demonstrated that you do not need sophisticated audio equipment to exploit this vulnerability.
Consequences and reactions
It is important to note that the first successful connection attempts were linked to the call made from the registered phone number. This means that a criminal would have to physically steal the phone and it must not be locked to carry out this attack. Although not simple, a quick theft of the phone (or “snatch”) could provide access.
Expert reaction and other discussions
Information accessible after bypassing the voice identification system during a telephone banking session can be extremely valuable to criminals. Fraudsters can gain victims’ trust by displaying detailed knowledge of account information.
When Shari Vahl shared her findings with the banks, Santander emphasized its confidence in the security of the voice identification system. They claimed the technology offered better protection than traditional verification methods and was part of a multi-layered approach to preventing fraud. Halifax described Voice ID as an optional security measure, highlighting the improved protection over knowledge-based methods, as well as their commitment to protecting customer accounts.
Saj Huq, a cybersecurity expert and member of the British government’s National Cyber Advisory Board, expressed surprise and concern that Shari Vahl was able to access his bank account using a cloned voice. He stressed that this incident illustrates the risks associated with the rapid evolution of AI technology.
If you want access to all articles, subscribe here!
