So Much for Security: Some Bank Accounts Can Be Hacked with AI Voice Generation

Participant hold their laptops in front of an illuminated wall at the annual Chaos Compute
Patrick Lux/Getty
Alana Mastrangelo

Bank accounts that use voice authentication can be broken into using AI technology, according to a Vice Media writer who hacked into his own bank account using the technique.

Vice’s Joseph Cox has written that he successfully used an AI-generated voice to break into his own bank account, which uses voice ID as a secure way for him to log into his account.

In this Friday, Oct. 21, 2016 photo, the Ares, a humanoid bipedal robot designed by Chinese college students with fundings from a Shanghai investment company, is displayed during the World Robot Conference in Beijing. China is showcasing its burgeoning robot industry as it seeks to promote use of more advanced technologies in Chinese factories and create high-end products that redefine the meaning of “Made in China.” The Ares is a human-sized robot they designed with exposed metal arms and hands and a wide range of uses in mind, from the military to performing basic tasks in a home. (AP Photo/Ng Han Guan, File)

(AP Photo/Ng Han Guan, File)

“I proved it’s possible to trick such systems with free or cheap AI-generated voices,” Cox said. “The bank thought it was talking to me; the AI-generated voice certainly sounded the same.”

Cox explained that he called his bank’s automated service line, and then played “a synthetic clone” of his voice that he had made using “readily available artificial intelligence technology.”

The bank asked the AI-generated voice to say “my voice is my password” in order to access the account. Cox then played a clip of the synthetic voice saying “my voice is my password,” and was granted access to his account — without ever having to speak.

“I had used an AI-powered replica of a voice to break into a bank account,” Cox said. “After that, I had access to the account information, including balances and a list of recent transactions and transfers.”

The Vice writer further disclosed that he had used free voice creation service from the AI-voice company ElevenLabs.

Cox added that he also performed the same experiment with an account at Lloyds Bank in the UK.

While he couldn’t break in right away, he eventually got the bank to authenticate the AI-generated voice “after making some tweaks on ElevenLabs, such as having it read a longer body of text to make cadences sound more natural.”

“I recommend all organizations leveraging voice ‘authentication’ switch to a secure method of identity verification, like multi-factor authentication, ASAP,” Rachel Tobac, CEO of social engineering focused firm SocialProof Security, told Motherboard.

Tobac added that this type of voice replication can be “completed without ever needing to interact with the person in real life.”

 

You can follow Alana Mastrangelo on Facebook and Twitter at @ARmastrangelo, and on Instagram.

COMMENTS

Please let us know if you're having issues with commenting.