In an article written for Motherboard, Cox detailed the attack steps and his usage of a free service called ElevenLabs, an AI-voice company.
I played a sound file from my computer. “My voice is my password,” the voice said. The bank's security system spent a few seconds authenticating the voice.
“Thank you,” the bank said. I was in.
I couldn’t believe it—it had worked.
Cox stated that he performed the security test on a Lloyds bank account. At the time of publishing, their website states that Voice ID is safe.
Cox discussed the matter with a Lloyds spokesperson who stated:
“Voice ID is an optional security measure, however we are confident that it provides higher levels of security than traditional knowledge-based authentication methods, and that our layered approach to security and fraud prevention continues to provide the right level of protection for customers' accounts, while still making them easy to access when needed.”
Cyberbullies have used ElevenLabs to create synthetic voices of people by using clips of them talking online. Celebrities, politicians, CEOs, journalists and more could be at risk of this type of attack, given that there will be hours of available recordings to feed into ElevenLabs' tool.
Julien Laurent, Anti-Fraud Lead at Singaporean cybersecurity firm Group-IB told TEARLINE:
Unfortunately, in today’s world, your voice is a very easy thing to sample covertly, via social engineering or from OSINT. Group-IB first observed this kind of attack in 2019, and based on our own experiences in Fraud protection, we recommend a multi-layer approach as demanded by the PSD2 regulation.
Lloyds said that they have not observed successful fraud attempts utilising synthetic voice applications.
Cox used ElevenLabs to build the synthetic voice and trained it using roughly five minutes of speech. Ironically, he read sections of Europe’s GDPR data protection regulation to the tool.
Microsoft's VALL-E voice synthesis project claims to be able to create "high-quality personalized speech with only a 3-second enrolled recording". The cyber threat landscape is undoubtedly heating up with the rapid development of cutting-edge artificial intelligence tools.
Updated on 28th Feb 2023 to include comment from Group-IB.
