In the United States as in Europe, bank customers use their voice to identify themselves and access their bank accounts. But the emergence of voice AIs is reshuffling the cards.
“My voice is my password.” This innocuous phrase is actually the key to accessing many bank accounts. In the United States, as in Europe, banks offer their customers to simply speak to identify themselves and manage their money, by means of a simple telephone call. An American media journalist Vice therefore challenged this procedure with the help of artificial intelligence, by carrying out a test with its bank, Lloyds Bank.
Using software from the startup EvenLabs, the journalist generated a synthetic copy of his voice. Like Microsoft, the company allows you to reproduce your own voice or that of a celebrity from a few sound samples. Then just write a text to say almost anything to anyone. This function quickly generated abuse: the voice of actress Emma Watson was notably used to utter racist insults.
A supposedly infallible device
In order to limit abuse, EvenLabs has revised its rules of use. Now, the service is paid to imitate the voice of someone other than yourself. But the reproduction of his own voice remains free. This is the option that the Vice journalist used to test the effectiveness of his bank’s sound protection system.
While establishments offering voice identification boast of an infallible device, experience has unfortunately proven the opposite. At least with the EvenLabs solution. Tests were carried out with other voice generators, but the software struggled to correctly reproduce the journalist’s British accent.
EvenLabs’ artificial intelligence generated two audio files. The first was used to formulate his request: “check my balance” (“check my balance”, in French). The second to identify himself by pronouncing the sentence “my voice is my password” (“my voice is my password”, in French).
Deployed countermeasures
During his call, the reporter simply played the audio files instead of speaking. Only his date of birth (which he was able to enter manually) was additionally requested. He thus had access to his accounts, including his banking information, his balances, his last transactions and his recent transfers.
Lloyds Bank has explained that it is aware of the risks that synthetic voices can represent. He assures that he is deploying countermeasures and that no fraud with his customers has so far been observed.
Contacted by Vice, social engineering specialist Rachel Tobac, head of SocialProof Security, nevertheless recommended “all structures that use voice authentication to switch to a secure method of identity verification. , such as two-factor authentication, as soon as possible”.
