…
My voice was cloned by the same expert that did James Nesbitt’s - his was for an awareness-raising campaign by Starling Bank. Mine was easily generated using an interview I had done on the radio.
While we had fun typing in different phrases for my clone to say back, the serious issue was finding out how convincing it really was.
Colleagues in the You and Yours office struggled to tell the difference between the two voices.
But rather than seeing if an AI voice could dupe people into believing they were listening to the voice of a real person, I wanted to see how it fared against a piece of tech.
Could it get past my bank account’s voice ID system?
Several banks use a system called voice ID or ‘my voice is my password’ for their phone banking.
The phrase allows the bank to automatically confirm an account holder’s identity without the need to remember a security number.
So that was what I asked my cloned voice to say.
Armed with a recording of an AI version of me saying “my voice is my password” I called up my bank, Santander.
“Thanks for calling Santander,” came the automated response. “I can see you’re calling from your registered phone number. Let’s quickly confirm your identity with your voice.”
I pressed play.
“My voice is my password,” said an AI version of me.
After a very brief pause, the bank replied: “Thank you for using your voice as your password.”
Then it asked the reason for my call.
I was in. Or at least, this AI cloned version of my voice was in.
I then tried the same trick with my other bank, Halifax, and it resulted in another successful hack by the AI clone.
I should point out that those initial logins were done in the office, using BBC studio speakers to play my cloned voice down the phone.
So later, a my kitchen table at home on Merseyside, I did it again using a basic iPad speaker. And it worked, which suggested there was no need for top-quality sound.
Wait, wait, what the fuck?
Are they using a voice ID system over a fucking phone system?
A phone system that reduces the quality of sound transmitted over it?
Thus reducing entropy to verify?
I have been using tokens to access my bank for almost twenty years, a mobile app token for almost a decade, why are they reinventing the wheel?
Stop being stupid!
My bank and my phone service have both been trying me to agree to voice verification for years. I always tell them no, and they always ask again the next time.
I know, right? Every time I call my bank they try to automatically enroll me in the service and I have to opt-out. Its more nonsense info to give to the bank and if anything if makes my account less secure.
A security system is only as secure as it’s weakest point.
Here in Sweden we have BankID to access banks and government services.
To logon you either need to launch BankID on the same device as the browser/app, or you get a QR code to scan with the app.
Once you are in the app and have scanned the QR code, you authenticate the login attempt and get logged in.
In the past the service worked slightly differently, you would enter your personal number on the webpage/app and a login prompt would appear in your BankID app.
That was quickly exploited by scammers, who scammed elderly people out of their savings.