The journalist Vice Motherboard Joseph Cox hacked the bank account by imitating a voice with the help of AI, which proved that the voice ID used by banks in the USA and Europe is not a very safe way to enter the account.
The system managed to deceive with the help of the voice, synthesized by the Elevenlabs AI service.
Let me remind you that we also talked about the fact that Microsoft’s VALL-E AI is able to imitate a human voice in a Three-Second Pattern, and also that Russian Cybercriminals Seek Access to OpenAI ChatGPT.
The media also said that Attackers Use Voice Changing Software to Deceive Their Victims.
Cox says that banks in the USA and Europe are increasingly using voice verification so that customers can enter their accounts. Some banks even advertise voice identification as the equivalent of a fingerprint, saying that this is a safe and convenient way to interact with the bank.
However, the journalist experiment proves that voice biometrics are hardly reliable protection in the modern world, where anyone can generate a synthetic voice cheap or completely free.
For his experience, Cox used a free service to synthesize speech from ElevenLabs. It is noteworthy that Elevenlabs have previously used the trolls to create vocal diphes of the votes of Emma Watson, Joe Rogan and other celebrities, forcing AI to “pronounce” racist, insulting and cruel things (for example, with the voice of Emma Watson, 4Chan users “voiced” MEIN Kampf excerpts ). As a result, representatives of Elevenlabs promised to develop additional security measures for their platform.
The journalist put his experiment on the British Lloyds Bank. The website of the financial institution reports that the Voice ID program is absolutely safe.
At the same time, the researcher notes that other banks offer similar services, including Voiceprin in TD Bank, Voice ID in Chase, Voice Verification in Wells Fargo and so on. According to Koks, all these systems are also vulnerable to attacks using synthetic votes, and allow you to perform many actions by phone, including checking the history of transactions, residues in accounts and, in some cases, even transfer of funds.
It is also noted that for such an attack a fraudster will need to know the date of birth of the victim, however, thanks to many data leaks, this is unlikely to become a big problem.
However, at first, the entrance to the banking failed: the Lloyds Bank system reported that it could not authentify the voice. After making a number of changes to Elevenlabs, including reading a longer fragment of the text, the generated sound successfully bypassed the bank security system. Cox successfully reproduced the phrase “My Voice is my password” with the help of AI, and then the same AI asked to check the balance. As you can verify in the video below, an attempt was successful.
Representatives of ElevenLabs did not answer journalists to numerous comments. Earlier, the company assured that “new security measures quickly reduce cases of illegal use” of the platform.
In turn, representatives of Lloyds Bank said that “Voice ID is an additional security measure”, but the company is sure that it still provides a higher level of protection than traditional authentication methods.
Lloyds Bank explained that they know about the threat of synthetic votes, but so far, the financial institution has not encountered cases when such fakes were used for fraud regarding its customers. According to representatives of the bank, synthetic voices are not so attractive for attackers as simpler and more common methods of fraud, and voice identification has helped to significantly reduce the number of cases of fraud with telephone banking.