by jdee 3351 days ago
I've done a lot of work fixing up holes in bank telephone services over the years. I've got evidence of telephone banking customer service reps recording customers' voices and manually piecing together fragments in order to defeat biometric ID systems and the like. I've also seen "what is the 3rd letter of your secret word" type voice challenges being pieced together over time to reveal the full secret word. It's inevitable that all these vectors will be automated at some point.
5 comments

"My voice is my passport. Verify me."

The flaw of this authentication mechanism was detailed in popular culture many decades ago.

One of the great underrated films of all time: Sneakers.
That phrase is now the equivalent of "Password1!" for banks and registrars.
Can you explain a bit more of this? The service reps are using customers' voices to get into what? Is this a targeted attack against specific people?

The secret word thing over time sounds even stranger. A single rep would need to take (length of secret word) calls with that customer to get their password. Where are they storing it, and what are they doing with it (that they can't already do using their customer rep-level system access)?

Certainly activity is higher amongst teams that deal with higher-wealth individuals, so your question about specific people is broadly correct. To get into what? Bypass biometric ID systems that are common in telephone banking systems. Audio was recorded in high fidelity via smartphones from customers and then manually pieced together in an audio editor and played back down the phone to a biometric system in order to bypass detection. As an adjunct, certain banks in the U.K. have microphones hidden in the counters of physical branches that cross-reference your voice with known patterns, such is the prevalence of such systems. In regard to secret words, it was a team working within the bank that shared information to crack words. High-value CS teams are traditionally very small to keep "the personal touch". CS teams never get access to the full secret word. They get prompted with which questions to ask and what response to expect, so therefore gluing small answers together is the trick.
Wouldn't all these issues be solved by the customer reading a one time key over the phone?
Banks are nowhere near to being on this page yet. 99% haven't even committed to a primary authentication method. It's a jumble of mobile apps, PIN sentry devices, fobs, voice, logic engines, SS7 network scanning via back-door agreements with smaller telco network providers, location. It's a real mess.

Can someone bookmark this post where I say the first billion dollar external bank fraud success will happen within the next 18 months please.

I had something close to that with Bank Sabadell. They had 40 four-digit numbers on a card and you gave them one of the 40 which they chose. They've now moved to a fancier app-based system.
Guess who would have access to the software that generates and distributes the one time keys.
Why? Have a page with a QR code seed in the internet banking. Scan it with a phone app, no interaction with customer service (unless you lose the phone).

If a bitcoin exchange can do it, I don't see why a bank couldn't (banking is easier - you can cancel transactions).
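The QR-seed-plus-phone-app scheme suggested above, worked through as an added example (not code from any commenter): the bank's page embeds a seed in an otpauth:// QR code, the customer's app derives RFC 6238 time-based codes from it, and the customer reads the six digits to the rep, whose verifier checks them against the vaulted seed, tolerates one step of clock skew, and refuses a code that has already been accepted (so a recording of the call cannot be replayed). The issuer and account names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30    # seconds per TOTP window (RFC 6238 default)
DIGITS = 6   # what the customer reads out over the phone


def provisioning_uri(issuer: str, account: str, seed: bytes) -> str:
    """otpauth:// URI the internet-banking page would encode as the QR code."""
    b32 = base64.b32encode(seed).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")


def hotp(seed: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(seed: bytes, at: int) -> str:
    """RFC 6238: HOTP with the counter taken from the current time step."""
    return hotp(seed, at // STEP)


class PhoneVerifier:
    """Server-side check of the code a customer reads to the rep.
    The rep only types the digits; the seed stays in the bank's vault."""

    def __init__(self, seed: bytes, skew_steps: int = 1):
        self._seed = seed
        self._skew = skew_steps
        self._last_counter = -1   # highest step already accepted (replay guard)

    def verify(self, spoken: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        counter = now // STEP
        for delta in range(-self._skew, self._skew + 1):
            c = counter + delta
            if c <= self._last_counter:
                continue   # a code from this step was already used: reject replays
            if hmac.compare_digest(hotp(self._seed, c), spoken):
                self._last_counter = c
                return True
        return False
```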

Insurance companies are doing this to detect stress levels and other factors to figure out if you are committing insurance fraud when reporting an accident.

TLDR - purpose can be to detect lying

I remember reading somewhere years ago that certain militaries (I think Israel and the US were two of them) used speech synthesis technology to do things like give false commands over radio to enemy fighters.
Would be impressive considering the state of the art that I know of[1] would not be able to fool anyone. I find the truthfulness of this statement questionable, especially when they could have done it more easily by having someone issue the false orders. Or maybe they pieced together several real samples to issue a full command?

[1] https://news.ycombinator.com/item?id=13992454

Even without a mole on the inside, social engineering is my biggest concern of any company where I have a financial account.
Did anyone get charged?
Yes, arrests made. No idea of the outcome though. Plenty of people getting away with it though. Simple fraud still works. Identity theft etc. Very easy stuff. There's a great Vice documentary about fraud online somewhere where one of the fraudsters opens up his lockup to reveal 100+ garbage bags full of stolen bank statements, utility bills etc. that they use to piece together fake identity ammo.