124 comments

[ 2.9 ms ] story [ 210 ms ] thread
> My voice is my password

No, your voice (like your fingerprint, iris, SSN, passport number, or any other relatively immutable thing) might be your identification or "a thing that you have".

Password is something you choose, you change when you want, and that you shouldn't reveal to anyone.

My Voice Is My Passport, Verify Me - https://www.youtube.com/watch?v=-zVgWpVXb64
This was the first thing I thought of when I read that. I was like, "Is this the author being cheeky and not really saying what the phrase is, or did someone who works for the bank think they were being clever re-using this line that a 30 year old movie shows is super-easy to spoof?"
> 30 year old movie

It may be a shock but that movie will actually turn 41 this summer.

It seems the author has shown that a replicant can trick a bank.

This is bad and insecure. Look at this: https://m.youtube.com/watch?v=rERApU26PcA

Same thing with “pay with your face” they tried in China. They all are susceptible to replay attacks. It is garbage!

The only secure way to authorize actions is to have a device in your possession which you unlock with your password and/or biometrics — and use THAT device to sign interactive challenges or ZK-SNARKS.

The device could stores keys in a secure enclave, but regardless, the keys should never leave the device. The ability to export private keys (as with ethereum and bitcoin wallets) is insecure, too.

Look how 1password does it: local key plus master password. Far better than LastPass (master password only).

Also you should have notifications whenever a new device authenticates, or when you are trying to establish new recurring payments at a great rate than you would allow otherwise. Then you need to confirm from other devices.

That is the scheme that works universally and the further you depart from that, the more ridiculous hacks you get.

> which you unlock with your password and/or biometrics

Does this kind of devices really comes in biometric versions ? As someone else mention, unlocking an ATM (or anything else) with a device and your fingerprint is very vulnerable to “steal device and cut finger”.

Sure. Your iPhone unlocks using your fingerprint or face. But the point is that YOUR iPhone is what’s being unlocked with it — not a machine operated by someone else.
agreed with first two sentences.

but, "..which you unlock with your password and/or biometrics"?

unlocking with biometrics is actually the problem, regardless of where the unlocking takes place.

relying on a third-party device that you can't even verify is in the custody of its user as "the only secure way to authorize actions" is highly problematic for similar reasons.

and confirming "from other devices" rapidly turns into a user nightmare.

the irony in all this is that lengthy, strong, non-reused passwords are actually pretty secure, and they don't require any specialized technology or rely on possessing a device that you just forgot on the airplane seat pocket and is now winging its way toward another country.

Not necessarily. As long as the device is YOURS, you can unlock it with your face, thumbprint etc. That is how iPhones and Android security has been managed for a long time.

Perhaps to unlock even more valuable transactions, you’d want to bring an external key, like a Yubikey or Ledger Nano wallet etc.

Lengthy passwords that you enter are not very secure. Anyone can capture your keystrokes, look over your shoulder with a camera, or even look at heat signatures on your phone after you left to the bathroom and locked it: https://www.zdnet.com/google-amp/article/this-thermal-attack...

> Same thing with “pay with your face” they tried in China. They all are susceptible to replay attacks. It is garbage!

That's such a naive take on security. Reminds me of "salt shaker vulnerability": https://www.linkedin.com/pulse/hacker-restaurant-alexander-s...

Today, almost any time you use your credit card online in the US, you are susceptible to replay attack. Even PCI-compliant merchant can simply save your payment method for future uses (neither SCA, nor VISA's VAU is being enforced).

What exactly is the attack vector for face payments, if they are not used for P2P payments, only happen in public places with plenty of cameras, and are capped?

Just because it's "possible", doesn't mean it introduces risks that are not acceptable. Sure, you can risk prison time and get a bag of groceries for free. But stealing groceries old-fashioned way is less risky.

The same as for the credit card payments you just mentioned (which ARE insecure and naively rely on store clerks not copying your 3 digit number etc).

ANY biometrics you use to pay can be easily replayed. Whatever function you derive from these biometrics can be executed when you’re not there.

Not to mention that the biometrics themselves can be emulated by a device (eg voice recording) as you see in sci-movies like Minority Report (fake eyes) or that star trek clip.

Sure, for smaller amounts and using copious amounts of “seller beware” chargeback protections, the system can work. And those chargebacks can be good for many things, so that is how our financial system works now.

But if you want to secure thing that are valuable, like elections and many others, then what I described is the optimal solution.

Your voice is a thing that you “are”, up to a certain extent. People can be trained to sound like other people.

Physical things other than the body is something you “have”.

(comment deleted)
It's "a thing that you are", as opposed to:

"a thing that you have": a key, an ID card, security fob, official uniform, etc.

"a thing that you know": a password, PIN, the answer to a secret question, secret handshake, etc.

Try that at the DMV!

It’s almost like if the DMV issued IDs with public key cryptography support and maintained a public certificate authority that we would have a much more reliable form of identification… a bank has customers they aim to please. The DMV does not aim to please anyone!

I feel like a broken record, but in the near future we are going to switch to a public key authentication object for everything social we do. Payment has already moved to it: tap payments use public key cryptography.

Yet, at the same time, whenever it is brought up people love to engage in contrarian rambles about how it is simply too hard, people will lose their dongles, etc etc. Most phones support NFC communications these days, it's a tap against a phone or reader for verification and so couldn't be easier.

Within 10 years people are going to wonder how we ever lived _without_ this.

> Most phones support NFC communications these days

There are signs of a trend of people getting rid of their smartphones in favor of dumbphones. (Disclaimer -- I will be doing this when my smartphone dies.) So using them for payment may not, in fact, become ubiquitous.

Even now, just watching people at stores and coffee shops in my area, it seems that only about 10-20% of them use their phones for payment.

Yes, I phrased this badly. I meant that instead of using the phone's NFC for verification, we can use a small NFC device that we tap to the phone and which the phone reads via NFC to verify our identities. Just like we tap our cards to payment terminals.
There is no reason why simple non-smart phones should not support NFC.

> watching people at stores and coffee shops in my area, it seems that only about 10-20% of them use their phones for payment.

It seem more like 50% here in central Norway, perhaps more.

But doesn't the phone need to interact with a backend service to be used for payment? Maybe it doesn't -- I don't know how these services actually work in this regard -- but typically you need to use an app and register your accounts in order to be able to do payments, correct?

A dumb phone wouldn't do any of that stuff.

It doesn't necessarily need to be online for that kind of payment workflow. It could just directly emulate a payment card, which those definitely do not have internet connectivity. It would probably take some kind of app to add/remove payment cards, but theoretically this could just be something built-in to the device instead of being some kind of app you'd get from an app store.

Dumb phones still run applications, they're not mechanical devices, at least anymore.

> this could just be something built-in to the device instead of being some kind of app you'd get from an app store.

Yes, I wasn't asking about where the app came from. Preinstalled or user-installed doesn't matter.

So what I hear you saying is that the app doesn't need to communicate with anything, either to add/drop accounts or to make payments. Is that correct?

Ah ok, I think I get what you're talking about -- you're talking about the initial provisioning. I do imagine that would need some kind of communication. But it might not necessarily be some kind of internet connection on the device itself. It could be logging into your bank's website from your computer and putting in some kind of fixed identifier of the device or like a smart card transaction with the website by a USB cable, or registering the device at some physical bank branch, putting in some kind of SIM-card like device, etc.

There would probably have to be some way of pairing the device to your account, but there's probably many potential ways it could be done with some theoretical "dumb phone".

Yes, I understand better now. I don't use these sorts of things, so I've never needed to really know how they work practically. I do understand the cryptographic underpinnings.

So, a feature phone could be used for this. Good to know!

Theoretically, yes. In practice, I don't know any.
No both Google Pay and Apple Pay directly work with the payment terminal as if they were cards. You need to add your card to the app so that your bank sends the necessary keys to your phone secure enclave but then it works perfectly fine offline. You just have to tap twice on a physical button and pass the biometric auth to pay.
> your bank sends the necessary keys to your phone

Ah, that clarifies things. Thank you.

We microchip our pets. Let me walk into the DMV and get microchipped.

Then I can force-wave to pay for goods, go through security checkpoints, etc. People will freak the fuck out about it... but personally I'm 100% for it.

I'm all for this. I've had a chip in my hand since 2014
Did you do it yourself or use a service? What do you use it for?
I had a local body mod artist implant it. He ordered it from dangerousthings.com

I just have my contact card on it so when I meet people I can have them scan my hand with their phone to give them my number.

If you have to own a specific device to exist administratively, I'd rather use something that:

- doesn't cost hundred of dollars

- doesn't live track me every seconds

- isn't holding also the rest of my entire life

- isn't a good target for stealing, ceasing or hacking

The wonderful thing about the payment card is that it's just that: a payment card.

It's small, cheap to replace, doesn't require a battery, doesn't share my GPS position at every second, can't show me ads, and if it gets stolen, I don't also lose my entire list of contacts and my browser favorites.

I can easily have many in my pocket, and only use one when I want. If I lose it, I can cancel it quickly, it doesn't affect anything else, and it's swiftly replaced.

It's also super simple to use, yet not that easy to abuse.

The phone is already too many things at once. Too many eggs on the same baskets.

Yes, a government or corporate issued device like a Yubikey with NFC is my ideal. Just tap to the phone to verify. Payment cards got it right, everyone else is just catching up.
We used to have a little key ring fob that would display a number that would change from time to time. That +password was all we needed.

If my phone breaks, I can’t get onto my work network now…

Contrarian opinion: I’m never going back to using a card now that I’m used to paying with my phone. I always have my phone with me anyway. Paying with it is perfect. I don’t even carry a wallet anymore. Plus, things are frictionless. Changing card is easy. It’s fast and doesn’t require a pin most of the time.

I have been moving more and more things to my smartphone as time goes on. It’s already my 2FA anyway so it will be a major hassle if it’s stolen (but stealing modern smartphone is useless as they can’t be reactivated anyway).

The main problem is, PKI is hard and banks and DMV aren’t known for their appreciation of technical complexity.

we have highly technical CAs for https that have wild problems. A well functioning PKI system for banking, identity might work - but it needs to actually be well functioning and transparent.

You're assuming the post-2001 security state assumptions remain the same or don't ease. Which is probably true, but a lot of us would rather ditch them.
Banks are using voice ID for important authentication?? That's bordering on insanity.
Wow. I just finished reading all of those, and the amount of nonsense and unsupported assertions in them is truly mind-boggling.

I'd love to see what, if any, evidence they have to back up the claims they're making.

Forget AI-generated voices for a second. How are these tools trustworthy for defending against simple low-tech hacking like recording somebody's voice and editing it together in the right pattern?

These old comical soundboards of celebrity voices are imperfect as the audio often has different volume levels and subtle background noise, but illustrates the general principle. With an intense enough effort, you can record enough audio from a person to put together a natural conversation. It takes some effort, but is not outside of the technical capabilities for even a smart 14 year old to set this up.

https://www.101soundboards.com/boards/10716-arnold-schwarzen...

Unless these financial security systems have a way to look for very subtle, unnatural gaps in the audio or the consistency of the audio quality, the voice pattern that exists could be a perfect match with this kind of tactic.

The handful of times I've had to contact Fidelity, their customer service has been exceptionally professional. The only annoying part of the process is trying to insert a long password via the phone dialpad to verify my identity. I've been given the suggestion to setup their MyVoice feature, but have resisted setting that up because it seems like there's a possibility it could be bypassed.

Is the alternative of them verifying your identify by sending a code to your phone or you telling them to call you at your phone number better (referring to SIM swapping)? Which commonly used verification method is the lesser of all evils?
Push notification to a banking app or generating a code in the app or the website are secure alternatives I’m familiar with.
Then why not just use the app to do your banking at that point?
In this article, the bank used both voice ID and date of birth to verify identity before a balance check. That seems like a reasonable level of security to me.
Not to me. DOB is publicly available information, and I wouldn't even consider using voice as an authentication method. But perhaps that's because I have a fair bit of experience in those voice techs.
For a balance check? Seems like it's a relatively innocuous piece of information. They aren't transferring money, it's pretty much the same amount of information they would get looking over your shoulder at the ATM.
I consider my bank balance to be very sensitive information.
My point is that they have different levels of authentication required for different levels of access, and the voice id thing seems more reasonable in light of that.
DOB???? How can that possibly be considered a useful factor for authentication?
Yeah, but they use the exact same two forms of auth to send the whole contents of the account overseas... Or to take out a huge loan...
DOB is easy to find and voices are often easy to copy, even without technology. Comedic impressionists have done this for entertainment since about 5 minutes after humans learned to talk.
Yeah sure, and if mine should accidentally leak, I'll just change it. No problem there.
Sure, as long as you've never had a birthday party in a public place. Or never spoken at it.
Date of birth is nothing. It's public on your Facebook profile.

And even ignoring that voice ID is insecure, I still think for the amount of complexity going into voice ID, there are much simpler systems that would be just as easy to use. The difficulty of getting someone to enroll their voice into a database can't possibly be lower than the difficulty of getting them to read a code off the back of their card, or to set up a passcode, or to read off an OTP from an app.

Maybe balance checks are trivial enough where someone doesn't care if they get hacked, but it's still weird because there should be a secure login method over the phone that gets used for everything. That there are separate login methods for different operations is weird and probably not good security. Why bisect it?

If the normal login methods are too cumbersome or hard, well... that's another situation that's worth questioning. There are easy login methods for services that are much more secure, why isn't the normal phone authentication using those? Why is it using a method that's so cumbersome that they need a different login method to check bank balance?

The USA seems to live in a different world. While Europe embraced smart cards and PIN, they stuck with ink signature for years. And now that smart banks are moving to hard two factor tokens, the USA doubles down on craziness like voiceprints. All in the name of convenience. So weird.
> All in the name of convenience.

The lower friction afforded by the convenience is believed to translate to more dollars, and that’s the primary consideration for them.

Biometrics work (in their limited way) only if you control the hardware and the physical environment. You can measure something unique and check that it's as expected, but that's only valid if there's proper custody on the measurement and resulting data.

It's a pretty simple concept, but people perennially can't figure it out. Or don't care.

So, if you're going to use biometrics, a retina scan on a bank vault might be reasonable, but a web site that does facial recognition with the user's camera is not.

In principle, your are correct and one should act accordingly.

In practice, it's an arms race. Plug some more sensors and hardware enclave on the next smartphone generation and flame up the zero-trust hype and it'll be a while until you can covertly unlock your spouse's phone or steal your flatmates custodied crypto even as a well-funded hacker.

The colletaral damage of individual autonomy as end-user devices, apps, and services are dragged along and slowly becoming the only gateways into the financial system and large parts of the private and public social room is rather quite unfortunate.

Well, now you get into DRM and its kin. Which is really a conflict of values.

If party A (the owner/user) has control of the hardware, there are certain things it enables, like doing what you want with the hardware you paid for.

If party B (the vendor/manufacturer) has control of the hardware, it enables other things like participating in games with stronger anti-cheat mechanisms or quicker authentication when doing a payment.

Some of these things have value to only one party, and some of them might have value to both. You're never going to make everybody happy when values conflict. Plus it gets extra complicated because values vary. Maybe one end user cares less about control and more about convenience, and another end user is the opposite.

Yup. Remote biometrics? Forget about it.

Another big problem with biometrics is that if they're "stolen" then you can't revoke them. That said, if you control the hardware and physical environment where the biometrics are used then it's hard to use the stolen biometrics.

I could see a case for going to an office that was approved by the government to verify your biometrics. That way the hardware and physical environment would be controlled. The office could have people verifying that you don't, for example, have fake fingerprints over your real ones.

Then that office could act like a certificate authority and generate a certificate that links your identity to a newly generated public key. Then all authentication would be done using the private key and certificate instead of using the biometrics directly.

In such a case, stolen biometric data wouldn't be useful since it'd be hard to get past physical inspection.

Here's a question I have - how easy is it to fool the detector?

Phone lines are frequency limited and connections are sometimes poor. Apparently you can fool it with a recording of the target speaker, but what about an computer generated voice? And are the features it's detecting things you could correlate with information you could gather on a subject - age, gender, place of birth - to produce a good enough match for enough people to make automated targeted attacks possible.

It's not really that hard. You don't even need AI to do it. You do have to know what you're doing, though.
Seems interesting, may you share more details ?
This isn't really the right venue for such detail, but a wealth of information is a search away. Sorry to be evasive, but the security guy in me is much more comfortable being evasive about things that could be leveraged against people.
"My voice is my password" brings back memories of hacking banks, only in Uplink. What?!? How is this security? Even back in 2000 this is a bad idea. It's even worse today.
>Uplink

Woah. I haven't heard about this game in like a decade! Thanks for the nostalgia.

This game was so fun! It was one of the things that got me interested in software development, along with Learn to Program BASIC (a game about programming games)
My grey beard must be showing. I remember it like it was yesterday. The pure OpenGL graphics, the "slide in from the right" email "spam". The matrix-like tumbler of hex that would "crack" an encryption. It was a perfect game for a small studio.
I think many of us played that game a little too much when we were young. I remember always going back to it.
2000?! Never forget - "Sneakers". Get off my lawn.. ;)

https://m.youtube.com/watch?v=-zVgWpVXb64

Yeah that's where they got the "idea" from. I didn't know a bank would actually consider this "security".
I watched to again just a couple of nights ago. It still holds up! What a great cast.

When I watched the "voice is my passport" sequence, I still enjoyed it, but I immediately thought of our recent ability to mimic a voice speaking any sentence, just by supplying a few minutes of training data.

How long until people start recieving voicemails from scammers in their boss's voice? How long until we can filter voices in real time to convert anyone to sound like anyone else? Video is also not that far away. Will I be able to send my AI doppleganger to videocall standups?

On the plus side, it will help enable things like proper double blind interviews, to allow for gender bias free interviews. It will also help anonymity, or people with disabilities.

In an unrelated note, I had forgotten that President Roslin was in it and was such a fox (I'll probably say that about Battlestar in another twenty years after I have aged past her, like I have now caught up to her in Sneakers :-p

I went to a really interesting talk about biometrics from the guy who ran (runs?) the HUGE biometric ID program that India runs (Aadhaar). A point I remember him reiterating several times is that biometric ID is useful to uniquely identify human meat-bodies (my paraphrase), but that it's fairly weak if you're using biometrics for authentication.

His idea being that your biometric data is not really secret (i.e. in the case of fingerprints or face, it's attached to your body and easily observable), and also that it cannot be changed (easily, with today's technology). If someone gets their hands on your fingerprints or retina scan, you can't "change your password".

His point was that biometrics are really useful for stuff like KYC when you get a bank account (where bank employees can feel pretty sure that they are really scanning your eyeball and not a picture of your eyeball reproduced for the camera), but not such a good idea for stuff like "are you allowed to access this ATM machine?". Also, while identity theft sucks, getting your password stolen is painless, whereas someone chopping off your thumbs to squish them up to an ATM machine is a less pleasant experience.

Biometrics are an username, not a password.
Except on hundreds of millions of iPhones around the world. Apple has shown that the distinction is more nuanced. There are cases where biometric use is legitimate.

Signing into an account on a remote server? Probably not. To access the secure enclave on a device that is with you for 100% of your life? Probably fine.

In a sense it’s two factor authentication with the other factor being the phone itself
The only "nuance" here is that weak security is "probably fine" in many situations. It should still be acknowledged as weak security.

Most houses don't have locks appropriate for bank. Many people do get by with weak passwords in many situations.

But acknowledging the weakness of this sort of security is still important because a given person has to consider the threat they face (activists who may face repressive state should what good and what bad security is still) and because new exploit method can appear.

Most banks don't have locks appropriate for banks.
> To access the secure enclave on a device that is with you for 100% of your life? Probably fine.

The notion, however, that a device shall be with you for 100% of your life is not fine at all. It's totally dystopian.

I think op means with you, rather than someone else.
It doesn’t work like that.. you always need your password
this is the best one-line explanation I have come across.
All the people above you are going on and on about things that can't be captured in one line. lol.
To me, even that’s a poor comparison, since usernames can change per platform, multiple usernames can be created per user, etc.
I wish people would stop saying this because it is clearly wrong. Biometrics have different security properties to both usernames and passwords. They're another category. They aren't the same as usernames.

In some cases they are totally appropriate as passwords. For example fingerprints & face recognition for building access.

(And before you say "but someone could copy your fingerprint from a glass and wear a prosthetic mask that looks like you!" think about how you would break into "password" style building security - PINs and access cards.)

> [Biometrics are] another category. They aren't the same as usernames.

If one still finds themself disagreeing with this, consider the difference between what it means to choose a new username and what it means to choose a new face.

> For example fingerprints & face recognition for building access.

Huh, why is that fine for building access? Someone can enter your house by just having a copy of your fingerprints or face data?

I didn't say all buildings, but in any case someone can enter your house by smashing a window or copying your key or picking the lock or breaking the door or...

Don't imagine that all security has to be mathematically perfect, especially in the real world.

This 100%. I really wish this was more widely understood. Imagine having a password that you can not change? What happens when it is compromised? Biometrics should NEVER be used as passwords.
imo they shouldn't be used as usernames either. What if I have an accident and burn my fingertips off? Or even worse, I have a facial injury that ruins the username?
Hadn't thought of that to be honest, but it's a good point.
> Also, while identity theft sucks, getting your password stolen is painless, whereas someone chopping off your thumbs to squish them up to an ATM machine is a less pleasant experience.

This is not a real distinction if they are physically present and willing to use that level of violence. It reminds me of the password XKCD -- doesn't matter what your password is or how recently it's been changed if they're willing to beat it out of you with a wrench.

We might need to go back to physical authentication methods with advancements in Ai and considering the potential of quantum computing
We already know the limitation of physical authentication, which is why digital is so convenient but with advancements in Ai and considering the potential of quantum computing I wonder where we’ll turn to next… maybe there will actually be a use for the blockchain
> I had access to the account information, including balances and a list of recent transactions and transfers.

But could you make a transaction?

The title is a little sensationalist.

Vice is putting a lot of clickbait out there these days. Then, on the other hand, the HN post is nearly verbatim of the Vice headline, so not sure if that's enough for flagging. Personally, if I had posted this, I'd have removed the clickbait.
A theory I have had for a while (when I put on my tinfoil hat) is that all those robocalls are really looking to generate a voice print of the person associated with a number for future nefarious purposes. For example most people will answer and say "hello, hello, anyone there?" Or something to that effect. Or it will go to voicemail which can then capture their voice. Yet another reason I don't answer calls from people I don't know and use a generic computer generated voicemail message.
This is probably still not advisable, but whenever I get one those calls where I happen to be curious enough to answer, I wait for a beat to see if anyone says anything, and if they don't I start screeching, making monkey noises, farting sounds, and it always just hangs up as soon as I start.
I love when I call US financial institutes and are reminded that:

1. They insist on using voice menus that are only ever capable of servicing requests that I can already do online, or don't work because they're jammed up by the same backend issue that their website hits.

2. They try to auto-enroll me in Voice ID despite always going out of my way to demand that feature not be enabled.

3. Use TOTPs sent to SMS instead of any halfway reasonable TOTP/FIDO2 solution.

US Banks are a joke. So much so that I actively root for them to be hacked so a light can be shone on the fact that my god damn Xbox account is far more secure (first line security) than my Bank account (I do realize that Schwab will probably make me whole faster than Microsoft would in the case of some act of God compromise).

Also your personal data and financial details are being directly sold by them or stolen by tracking pixels.

Once you realize there are no banks at a consumer level who keep your information private in any way, the idea of privacy in the US becomes a complete joke.

At least you have some recourse and protection if something happens to your bank account, unlike an Xbox account where Microsoft can just deny access for any reason.

But I'm also grateful my credit union has an online portal that has 2FA with authentication app support and the ability to disable SMS, phone call and email 2FA options.

I've called Spectrum a few times and they offer this tech too and I always wondered how secure it could be if it's running over regular telephone calls. Like the audio quality isn't great so how well can it differentiate voices and particular characteristics
I'm not really sure the addition of AI changes all that much here. It sounds like the bypass the author used would have been possible using conventional methods. But if AI draws attention to the horrendous practice of biometric authentication, I'm all for it and I hope that more reporters start asking similar questions about bank security.

This article focuses specifically on UK security, and I'm not sure what the situation is over there, but in the US digital security around banks is pretty awful. I looked around a while back trying to find an online consumer bank with good reviews that offered 2-factor authentication (real 2-factor authentication, not just SMS). I couldn't find a single one[0].

At best, a couple of banks mentioned that they had their own proprietary authentication apps that I could install. None of them had basic OTP support for something like AndOTP.

I had to fight with my bank for multiple days before I got them to allow me to set up a passcode that they would use to identify me when I called, rather than just relying on basic information that was all made public in the Equifax leak. To their credit, they do actually ask me, but I still wonder if someone tried to impersonate me, would they actually block access or would they bend as soon as the person made a fuss about not knowing the code?

That the response to this from the banks involved is immediately "well, it's just an extra layer, we're getting better and better" -- it's infuriating to read. It's an industry that is not just behind on security, it's actively hostile to people pointing out that it's behind on security.

I guess it should make me feel better that apparently it's not just a US-specific problem? I'm not sure it does though.

----

[0]: Sidenote, if anyone has any good suggestions here, I'd be all ears. I get regularly annoyed at how bad my bank is with notifications around payments, card usage, etc... and how it seems to be both antagonistic to actual security measures like 2FA and in love with security theater like blocking VPN access.

Right now, the only options are Charles Schwab with a workaround [1], and Wealthfront and Betterment with native OTP 2FA. These are actually pretty great accounts regardless of security, >4% interest on savings and no ATM fees ever. The only credit card I've been able to find with non-SMS 2FA and no SMS fallback is the Apple card.

[1] https://www.reddit.com/r/personalfinance/comments/hvvuwl/usi...

Your voice is indeed a form of authentication to other people that know you. How long until it becomes a valuable token which needs to be protected?

I can see various forms of 'man in the middle' attacks taking place with selective conversational interposing allowing an attacker to inject false data into a live conversation between two parties.

Imagine a simple example using caller ID spoofing: Attacker calls two parties and uses stolen voices to establish a reason for the call(as both people will know they did not instigate the conversation, both will need to be convinced that the other party did). Now the conversation is started and has context. Now the attacker can steer the conversation to various topics and selectively invert various factual exchanges or negotiations. Afterwards, both parties will be left with a valid memory of the interaction and, unless they confer on who instigated the call, may have little reason to suspect that sections of the exchange were manipulated.

This can be mitigated somewhat if both parties agree on a secret exchange in advance. I guess it's just a matter of time until parents all over will have challenge-response sheets next to the phone to prevent them from wiring money to their "son" who's been in a terrible accident.
Somewhat, but when the attacker controls the channel they can allow the challenge-response to complete before compromising the integrity of the channel.
How long until people start recieving voicemails from scammers in their boss's voice? How long until we can filter voices in real time to convert anyone to sound like anyone else?

Video is also not that far away. Will I be able to send my AI doppleganger to videocall standups?

It will be interesting to see if we have to take extra steps to verify we are on any non-physically present communications. Email is already suspect. Phone calls are next.

On the plus side, it will help enable things like proper double blind interviews, to allow for gender bias free interviews. It will also help anonymity, or people with disabilities.

Every time I've called my broker they've asked to enable Voice ID as their "most secure form of authentication!". Hard pass. The poor reps on the phone are always very confused.
I just don't understand how come this is so much of an oversight, neural networks today can synthesise voice, pictures. ALSO neural networks today can reliably detect if a picture or voice was generated by neural networks. How come someone skipping the latter in a security application? A BANK? I just don't understand.
(comment deleted)