Banks, ISPs Increasingly Embrace 'Voice Print' Authentication Despite Growing Security Risk

from the this-probably-won't-go-well dept

While it’s certainly possible to sometimes do biometrics well, a long line of companies frequently… don’t. Voice print authentication is particularly shaky, especially given the rise of inexpensive voice deepfake technology. But, much like the continued use of text-message two-factor authentication (which is increasingly shown to not be secure), it apparently doesn’t matter to a long list of companies.

Banks and telecom giants alike have started embracing voice authentication tech at significant scale despite the added threat to user privacy and security. And they’re increasingly collecting user “voice print” data without any way to opt out:

“despite multiple high-profile cases of scammers successfully stealing money by impersonating people via deepfake audio, big banks and ISPs are rolling out voice-based authentication at scale. The worst offender that I could find is Chase. There is no ?opt in?. There doesn?t even appear to be a formal way to ?opt out?! There is literally no way for me to call my bank without my voice being ?fingerprinted? without my consent.”

The U.S. has generally been extremely lax on privacy and security legislation and oversight, generally opting for baseline requirements that companies at least be transparent about their security and privacy practices, and provide users with working opt out tools. But time and time again neither are really adhered to. Eventually our lack of any meaningful privacy rules for the internet era will culminate in a privacy scandal that makes past scandals look like a grade school picnic. And with companies increasingly prioritizing convenience and simplicity over security and common sense, that day could arrive sooner than we think.

The rush toward voice authentication tech is particularly problematic given the quick rise of automated deepfake systems and the growing trove of user voice data available online. With parades of online creators, and smart televisions and other gadgets hoovering up voice data (and frequently failing to secure or encrypt it), availability of this data is ballooning. As are examples where faking a user’s voice has been used for significant thefts. What happens when voice print authentication is adopted at scale, and exploitation of that trend becomes automated by robocall scammers already running amok? Nothing good.

Using voice authentication to secure your finances (or much of anything notable) is, at its base, already very much a hit or miss proposition:

If you figure voice deepfake tech will only get cheaper and better over time, you can also figure replacing passwords and pins with voice authentication isn’t a great idea in a country already drowning in robocall scams. Yet we’re apparently doing it anyway:

“Again, society must adjust to the following reality: It?s become easy for anyone to spoof the voices of others who have public recordings of them talking (very common). Therefore, companies (especially banks) should not be using this as a @#%!ing way to log into accounts! You would think this is SIMPLE-enough for corporate America to understand, but alas, here we are.”

At the very least informed users should have the ability to opt out of voice data collection, yet in many cases they can’t even do that. It’s yet another example of why the nation needs at least some kind of baseline privacy rules that at an extreme minimum mandates that both data collection and security options should be transparent, and users should always retain opt out control. Baseline privacy legislation should also include meaningful penalties and accountability for the very long line of companies that view consumer privacy and security as an annoying afterthought.

Given this would cost a large number of politically powerful industries money we’re not going to do any of that. Instead, we’re going to continue to embrace the current paradigm: a few badly crafted state privacy proposals and a generalized apathy on the federal level. Surely that will work out well, right?

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Banks, ISPs Increasingly Embrace 'Voice Print' Authentication Despite Growing Security Risk”

Subscribe: RSS Leave a comment
34 Comments
Anonymous Coward says:

At the very least informed users should have the ability to opt out of voice data collection, yet in many cases they can’t even do that.

"Very least" indeed, because the alternate authentication methods are usually complete crap. Date of birth, maybe a social security number, or some other things that have leaked many times. I’ve got two smartcards from my bank, and can’t use their chips (or PIN) for authenticating to their callcenters or web apps or for online purchases. Instead, the webapp sometimes sends an SMS code; and for authorizing online purchases, they datamine my life and check whether a purchase meets their predictions of my behavior.

It’s a good example of why the "security vs. convenience" argument is often bullshit. It’d be quicker and easier, and more secure, to tap a card to my phone or computer than to answer the agent’s questions or enter my card number, expiration date, etc.

PaulT (profile) says:

Re: Re:

""Very least" indeed, because the alternate authentication methods are usually complete crap."

True, but there’s levels of badness.

"Date of birth, maybe a social security number, or some other things that have leaked many times"

Anyone designing a security system that accepts those as proof of identity should probably be taken as far from that job as possible, as quickly as possible.

"I’ve got two smartcards from my bank, and can’t use their chips (or PIN) for authenticating to their callcenters or web apps or for online purchases"

I’d assume that the problem is that if they did enforce that it would remove the ability to make mobile purchases.

There are other forms of ID that are better, but far from perfect. One of my accounts confirms online purchases via SMS. The others have phone apps that ask me to go into the app and accept the purchase via some affirmative action. If I need to call them, they take me to an automated system that asks me to enter my PIN or the agent asks me for individual randomly selected characters from my password. These can be compromised, but they seem better than some of the ones you’re describing.

But, the basic problem with using voice or other biometrics is that they’re immutable. If someone compromises your voice, there’s nothing you can do to change it. You can always get a new phone, change your number, change your password, etc., but one a biometric avenue is compromised you can do nothing about it.

Anonymous Coward says:

Re: Re: Re:

One of my accounts confirms online purchases via SMS. The others have phone apps that ask me to go into the app and accept the purchase via some affirmative action. If I need to call them, they take me to an automated system that asks me to enter my PIN or the agent asks me for individual randomly selected characters from my password.

Tell them you’ve lost your cellphone, and you might find all that’s just theater. Sure, we’ll put your new number in, just give us your date of birth and SSN. (Better to never give such information in the first place, but it’s not always possible. Plus, they may obtain it from elsewhere anyway.)

Anonymous Coward says:

Re: Re: Re: Re:

As opposed to the card method, since nobody could ever lose their card…

No, I’m much happier knowing that somebody obtaining my card can only make some purchases, rather than having full control over all of my accounts. "Something I have" can be a reasonable means of validating my identity… but only if I don’t also need to carry it around everywhere and wave it at a half dozen payment terminals while I’m at it.

I can’t imagine the chaos if ducktaping a phone to the bottom of a card reader was sufficient to log into someone’s bank account.

Anonymous Coward says:

Re: Re: Re:2 Re:

As opposed to the card method, since nobody could ever lose their card…

When I lost my bank card, they wanted me to go into a physical branch and show photo ID matching the account. It’s reasonably secure (when people are not required to cover their faces…), and somewhat difficult for a scammer to scale up or automate.

I can’t imagine the chaos if ducktaping a phone to the bottom of a card reader was sufficient to log into someone’s bank account.

That’s why we have multi-factor authentication. We shouldn’t get rid of the password or PIN for "important" operations (like large transfers or purchases).

I think there’s real value in making the "usual" authentication methods quick and easy. And then when someone calls in with an unusual case—like a lost card or phone, a name change, or a large transfer to Nigeria—they can afford to put the best-trained people on it and give it extra scrutiny.

PaulT (profile) says:

Re: Re: Re: Re:

"Tell them you’ve lost your cellphone, and you might find all that’s just theater"

I actually did lose my phone a few weeks ago, weirdly, but didn’t have to speak to anyone to get things set back up. With one bank, I logged into the app with my username/password, they verified the number through SMS and I got multiple notifications through email and SMS to inform me that it was logged into another device. Not 100% infallibly secure, but the likelihood of someone getting access to my phone, account login and email all at the same time is fairly low. In my experience with this particular bank I would have to go into the branch if further ID was needed, IIRC, although I understand that option is not available to everyone.

With the other bank I use on a regular basis, after logging in they requested a selfie to verify it was me logging in. I’ve seen other places use a system where you have to have a video call with someone and they verify your ID with you holding it up in a certain way so that it can be scanned with you in the same frame. A bit weird, but certainly better than a voice on a phone.

If your bank is asking for publicly verifiable information to confirm your identity, then the problem is with your bank and not the concept of online security.

Anonymous Coward says:

Re: Re: Re:2 Re:

I actually did lose my phone a few weeks ago, weirdly, but didn’t have to speak to anyone to get things set back up.

That you didn’t encounter an insecure process doesn’t mean you’re not vulnerable to one. When you say "they verified the number through SMS", presumably that means you still had your phone number. But an attacker might say they’re still waiting on the new SIM, or someone stole their number, or whatever. It’s good that your bank asks you to go in; these days, I suppose an attacker would use COVID as an excuse why they can’t do that (they’re in quarantine, or think they might have been exposed, or are afraid of getting it due to some health condition).

Social engineering never really stopped working.

If your bank is asking for publicly verifiable information to confirm your identity, then the problem is with your bank

Agreed, but I’ve never phoned any company and had a "security verification" process that went much better than that. They might ask for an approximate account balance or something, or maybe a security I’m holding (I keep my checking account near the minimum balance, hold only super-common index funds in the associated brokerage account… and the last time I dealt with them on the phone they suggested I sign up for voiceprint).

My electric company won’t let me remove my date of birth from the account unless I provide a driver’s license number, which (a) I don’t have and (b) would include my date of birth as the last 6 digits. They say it’s needed "for security".

PaulT (profile) says:

Re: Re: Re:3 Re:

"That you didn’t encounter an insecure process doesn’t mean you’re not vulnerable to one."

I didn’t say I was invulnerable, I said that I went through a process vastly more secure than asking for publicly available data like you were claiming. Now that I have gone through the process, any purchase or transaction I make online is way more secure than the processes you were describing.

"When you say "they verified the number through SMS", presumably that means you still had your phone number"

Yes, I went to my phone provider and showed them my ID to get a replacement SIM. As I mentioned above, it’s not out of the question that an attacker could also get one, but it’s astoundingly unlikely that they would be able to get my number, get my phone (or my account login to change the phone the account is attached to) and get access to the other avenues through which notification is sent that the login has changed. If they didn’t have all that, I would have been immediately aware that my account was under attack, even if the attack was successful. If someone is deliberately targeting me to the degree that they have all of that compromised, I have way more problems than simply whether or not SMS is secure as 2FA.

"Agreed, but I’ve never phoned any company and had a "security verification" process that went much better than that."

Well, unless there is a really lax set of standards where you live and everyone is taking advantage of them, it seems like you need to change who you do business with. I can’t remember the last time I phoned a company that didn’t require a more secure set of responses, although I will admit that it’s been very rare for me to phone a company in the last decade or so, as I prefer to do business either through more secure channels or through channels where there’s some auditable trail if something goes wrong.

"unless I provide a driver’s license number, which (a) I don’t have and (b) would include my date of birth as the last 6 digits"

Well, that seems like really stupid design on the part of whoever provides you with your licence, which is another very good reason not to use a date of birth for identity verification.

Scary Devil Monastery (profile) says:

Re: Re: Re:

"True, but there’s levels of badness."

…which only need to be applied because the banks are competitively desperate to gain more users of their services and as a result increasingly on convenient and cheap while sacrificing security. The golden rule of the security triangle still applies and customer-centric businesses have always opted to expose their customers to greater risk as a result.

This just reminds me of the old credit card scandal in the 90’s, when anyone could apply for a credit card and the banks would simply send one to the address provided. As a result of which scammers sent in hundreds of applications and then followed the mailman through the neighborhoods, lifting the envelope with the fresh card from the mailbox before the home owner whose name was on the card could do anything about it.

The only thing we learn from history is that we don’t learn from history, and all that.

That Anonymous Coward (profile) says:

The solution is simple…

Don’t let the bank stick the consumer with the bill to fix it.
It is easy enough to show that the customer did not make the call so they didn’t authorize it so the bank can eat returning the money.

You’d be shocked, just shocked, how fast banks would end this stupid idea if they have to bear the costs for their failure to not do stupid shit.

We force innocent people to fight corporations when their identity is stolen, despite the corporations enabling id theft.

Consumers have to fight stupid systems aligned against them like they were the back actors to cover the financial losses of a corporation who didn’t do any due diligence before handing out thousands.

These systems are not secure but because those creating the systems never have to pay the bill for the fuckups they enabled, they keep doing it.

Stop making us pay the costs for CEOs stupid ideas.

PaulT (profile) says:

Re: Re:

"It is easy enough to show that the customer did not make the call"

No, it’s not. You can’t completely prove a negative. You might be able to show that you didn’t, say, make a call to the bank from your mobile at a specific time by showing phone records. But, you can’t absolutely prove that you didn’t make the call from a different phone.

Anonymous Coward says:

Re: Re:

We force innocent people to fight corporations when their identity is stolen, despite the corporations enabling id theft.

You’re enabling them when you talk about one’s "identity being stolen". That’s some impossible sci-fi shit, and what’s actually happening is that the bank was the victim of identity fraud, and they improperly gave away the wrong person’s money. There are already laws against them doing so, and it’s their responsibility to show a customer authorized any transfers.

That Anonymous Coward (profile) says:

Re: Re: Re:

"We force innocent people to fight corporations when their identity is stolen, despite the corporations enabling id theft."

When is the last time a lender had to pay when someone told them they never applied for that loan? That the loan was obtained with fake documents & information that was leaked by a corporation.

Anonymous Coward says:

Re: Re: Re: Re:

When is the last time a lender had to pay when someone told them they never applied for that loan?

The lenders wouldn’t have to pay unless they violated some law. They’d just have to eat the cost.

I did find a story about a debt collector having to pay:

The Minnesota Department of Commerce brought down the hammer on a local debt collector recently, stripping First Financial Services and its owner of their collection licenses and levying $100,000 in fines for violations of the Fair Debt Collection Practices Act.

(Among other things, the FDCPA says a person can demand verification of any alleged debt, and can’t be bothered again—except via a lawsuit—until proof is provided. The above story isn’t a great example but does show the potential for enforcement.)

I’m not really sure what you’re getting at. The person whose information was used still has their identity (which is more than a name and SSN and whatever other data gets leaked), and they’re not victims of the fraudster but of the bank or collector. It still sucks for them, but we shouldn’t use language that makes the banks seem uninvolved.

That Anonymous Coward (profile) says:

Re: Re: Re:2 Re:

People are paying Lifelock tons of cash to provide lawyers & experts to help them undo the issues when an lender hands out cash to a random person who knew the name of your first pet.
The system always requires the victims to prove they didn’t get the loan/credit card & spend a lot of time cleaning up a mess created by a system that relies on some of the most exfiltrated data that is rarely secured.
The system is rigged against consumers.
If a bank decided that voiceprint was the way to go & then got scammed it would be nice if the bank had to clean up the mess rather than forcing a consumer who never opted into this stupidity to be the one to prove they didn’t call in to make this happen.

PaulT (profile) says:

Re: Re: Re: The very model of Irony

Now, I’ll admit I’m no expert on this, but I believe that voiceprints can account for a lot of those types of attempts, as even if a voice sounds the same to a human ear there are elements that make it clear that it’s not the same person talking. But, if you’re assembling stock responses from a recording of the actual person, or creating a deepfake version that can say anything with the same exact voice pattern, those checks go out the window.

Lily May says:

Hollywood insecurity systems made real

For decades, biometrics have been the go-to trope for spy/science fiction authors in need of of "security" systems that sound plausible enough for an audience that doesn’t think too hard about it, but that can be broken in all kinds of interesting ways every time the plot demands it. Now the people who still aren’t thinking too hard about it want to make those systems real.

PaulT (profile) says:

Re: Hollywood insecurity systems made real

Most of the ways biometrics are broken in movies involve a level of violence or effort that the average thief doesn’t want to do, or isn’t able to do. After all, safes are broken into all the time in movies, that doesn’t stop people using safes.

The problem as I’ve mentioned before is that biometrics as immutable. You can’t grow different fingerprints or a different eyeball if the ones you current have are compromised. It’s this problem that make biometrics undesirable in practice as a primary identifier for anything other than convenience.

flooryourhomeuk says:

Banks, ISPs Increasingly Embrace 'Voice Print' Authentication De

despite multiple high-profile cases of scammers successfully stealing money by impersonating people via deepfake audio, big banks and ISPs are rolling out voice-based authentication at scale.
The worst offender that I could find is Chase.
There is no “opt in”.
There doesn’t even appear to be a formal way to “opt out”.
There is literally no way for me to call my bank without my voice being “fingerprinted” without my consent.

https://www.floor-your-home.co.uk/

Anonymous Coward says:

Fortunately in the UK, the banks security is considered a vital defence against fraud.

if someone uses telephone banking with deepfake audio, the bank will be on the hook for any stolen money, NOT the customer.

"banks are expected to have reasonable security, and failure to implement this puts the onus onto the financial corporation itself rather than the end customer".

Anonymous Coward says:

Re: Re:

In reality, UK banks give people trouble:

Noted banking security expert Ross Anderson was forced to threaten action in the small claims court before his bank agreed to refund a disputed transaction.
Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, who has often appeared as an expert witness for plaintiffs in so-called "phantom withdrawal" cases, found himself arguing on his own behalf over a disputed £126.51 transaction [in June 2009].

A related quote from Anderson’s book "Security Engineering" (2nd ed. §2.4):

I write ‘identity theft’ in quotes as it’s a propaganda term for the old-fashioned offence of impersonation. In the old days, if someone went to a bank, pretended to be me, borrowed money from them and vanished, then that was the bank’s problem, not mine. In the USA and the UK, banks have recently taken to claiming that it’s my identity that’s been stolen rather than their money, and that this somehow makes me liable. So I also parenthesise ‘victims’ — the banks are the real victims, except insofar as they commit secondary fraud against the customer.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...