The Researcher Hacked His Own Bank Account by Imitating a Voice with AI

The journalist Vice Motherboard Joseph Cox hacked the bank account by imitating a voice with the help of AI, which proved that the voice ID used by banks in the USA and Europe is not a very safe way to enter the account.

The system managed to deceive with the help of the voice, synthesized by the Elevenlabs AI service.

Let me remind you that we also talked about the fact that Microsoft’s VALL-E AI is able to imitate a human voice in a Three-Second Pattern, and also that Russian Cybercriminals Seek Access to OpenAI ChatGPT.

The media also said that Attackers Use Voice Changing Software to Deceive Their Victims.

Cox says that banks in the USA and Europe are increasingly using voice verification so that customers can enter their accounts. Some banks even advertise voice identification as the equivalent of a fingerprint, saying that this is a safe and convenient way to interact with the bank.

However, the journalist experiment proves that voice biometrics are hardly reliable protection in the modern world, where anyone can generate a synthetic voice cheap or completely free.

For his experience, Cox used a free service to synthesize speech from ElevenLabs. It is noteworthy that Elevenlabs have previously used the trolls to create vocal diphes of the votes of Emma Watson, Joe Rogan and other celebrities, forcing AI to “pronounce” racist, insulting and cruel things (for example, with the voice of Emma Watson, 4Chan users “voiced” MEIN Kampf excerpts ). As a result, representatives of Elevenlabs promised to develop additional security measures for their platform.

Potentially, any person, at least a few minutes of whose vote can be found open access (YouTube users, influensers on social networks, politicians, journalists) may be subject to this kind of voice cloning.Cox writes.

The journalist put his experiment on the British Lloyds Bank. The website of the financial institution reports that the Voice ID program is absolutely safe.

Your voice is like a fingerprint and it is unique. Voice ID analyzes more than 100 different characteristics of your voice, which, like your fingerprint, are unique. For example, how you use your mouth and vocal cords, your accent and how quickly you say. [Voice ID] recognizes you even if you have a cold or sore throat.the site says.

At the same time, the researcher notes that other banks offer similar services, including Voiceprin in TD Bank, Voice ID in Chase, Voice Verification in Wells Fargo and so on. According to Koks, all these systems are also vulnerable to attacks using synthetic votes, and allow you to perform many actions by phone, including checking the history of transactions, residues in accounts and, in some cases, even transfer of funds.

It is also noted that for such an attack a fraudster will need to know the date of birth of the victim, however, thanks to many data leaks, this is unlikely to become a big problem.

I tested several AI services to generate my voice. Most of them have restrictions or there were problems with the reconstruction of my British accent, which was necessary to access Lloyds Bank. In the end, I took advantage of the services of Elevenlabs, which coped well with an accent. To synthesize my voice, I recorded about five minutes of speech and loaded it to Elevenlabs (I read the sections of the European Data Protection Law). Soon, a synthetic voice was ready for use, and he pronounced any text entered on the Elevenlabs website.the journalist says.

imitating a voice with AI

However, at first, the entrance to the banking failed: the Lloyds Bank system reported that it could not authentify the voice. After making a number of changes to Elevenlabs, including reading a longer fragment of the text, the generated sound successfully bypassed the bank security system. Cox successfully reproduced the phrase “My Voice is my password” with the help of AI, and then the same AI asked to check the balance. As you can verify in the video below, an attempt was successful.

After problems with celebrities, Elevenlabs asked on Twitter what security measures should be used, for example, to request a complete identification of users or payment information. However, Motherboard was able to generate a voice without providing documents confirming the identity, or any payment information. Perhaps the fact is that [our] account was created before Elevenlabs introduced new security measures. As a result, the bypass of the bank’s voice protection was free.Cox sums up.

Representatives of ElevenLabs did not answer journalists to numerous comments. Earlier, the company assured that “new security measures quickly reduce cases of illegal use” of the platform.

In turn, representatives of Lloyds Bank said that “Voice ID is an additional security measure”, but the company is sure that it still provides a higher level of protection than traditional authentication methods.

Lloyds Bank explained that they know about the threat of synthetic votes, but so far, the financial institution has not encountered cases when such fakes were used for fraud regarding its customers. According to representatives of the bank, synthetic voices are not so attractive for attackers as simpler and more common methods of fraud, and voice identification has helped to significantly reduce the number of cases of fraud with telephone banking.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *