Can You Impersonate Me?
Voice and speaker recognition and text analysis have come a long way. I use voice-to-text transcription for writing some of my blogs. Call centers can use voice recognition technologies to identify customers. But are these technologies reliable for identification? Are there techniques that can use speech technologies to fraudulently impersonate me?
The Pindrop Report
I recently read Pindrop's "2018 Voice Intelligence Report,". The report reveals that the rate of voice fraud has increased 350% from 2013 to 2017 -- that is one out of 2,900 calls (2013) to one out of 638 calls (2018) are voice channel fraud. The graphics is this blog are from the Pindrop report.
Fraud Costs are High
U.S. data breach incidents investigated in 2017 hit a record high of 1,579 breaches, according to the 2017 Data Breach Year-End Review released by the Identity Theft Resource Center and CyberScout. This indicates an upturn of 44.7% increase over the figures reported for 2016. And according to an academic study, malicious actors in these breaches are "generating, spending, and reinvesting" $1.5 trillion worth of cybercrime profits.
Profits include $860 billion from online markets, $500 billion from intellectual property or trade secret theft, and $160 billion from data trading. Ransomware and cybercrime-as-a-service were less lucrative at $1 billion and $1.6 billion, respectively.
Fraud in the Omnichannel
Fraud perpetrators use all the channels available to them to complete their goals. As sophistication increases, perpetrators often start the fraud in one channel/media and then commit the actual fraudulent transaction in another channel/media. A perpetrator may use social media access to reset a password on a victim's account. The reset password can then be used to commit online fraud.
This example demonstrates the difficulty in identifying interactions that allow fraud to exist. Many cross-channel interactions will appear like a legitimate transaction and make fraud harder to detect. Pindrop's research of the voice channel reported that more than 60% of the confirmed fraud calls were the result of information collected by perpetrators to accomplish fraud in the online channel.
The sources for voice fraud calls include the PSTN, mobile phones, VoIP, and chat. Therefore the fraud detection methods have to cover multiple media. Do not forget that fraud can also be perpetrated through unmonitored IVR and chatbot programs.
Through the use of AI, synthetic voice is potentially the latest dangerous technology. An example is Google Duplex, whose goal is helping to automate tasks like booking a reservation using a synthetic voice based on a real person. This technology will evolve into uses of more complex actions.
The advent of synthetic voice produces privacy and security issues. Perpetrators will use this to their advantage and exploit synthetic
voice in their attacks. A hacked Google Assistant could engage in financial transactions with the victim's bank and credit card accounts.
Businesses already use machine learning for monitoring and matching a customer's device use, behavior, and voice. Machine learning can be used to create synthetic voices, spoof ANIs or CLI, and conduct massive robocalls that can work through an IVR to verify stolen account information.
Synthetic Voice Attacks
A perpetrator may try to impersonate a valid speaker to avoid positive identification. The perpetrator can record the customer's voice by calling them or listening to them via social media recordings. The quality of the voice can be quite good. Voice modification software can change the perpetrators voice so it matches the customer's voice through the use of electronic pitch control. Additionally, voice synthesis software can be used to produce a fake voice avatar.
Who Is Vulnerable?
Any person or any organization might be susceptible to voice attacks. But there are some segments that have seen significant increases in being targeted:
- Insurance companies -- It may take multiple calls, but to bad actors, it's worth it to gain access to pension plans, 401k, and life insurance policies. Insurance fraud has increased 248% since 2015.
- Banks -- Fraud calls for banks are generated from both domestic and international locations. About 80% of credit union fraud calls are domestic in origin. The fraud rate increased 269% from 2014 to 2017.
- Card issuers -- This segment saw a slower rate of increase, 24%, from 2014 to 2017.
- Brokerages -- This segment saw a 78% increase in fraud rate from 2013 to 2017.
- Retail -- This category has seen a 134% increase in fraud from 2014 to 2017. The use of the omnichannel contact center, as well as phone calls, is the source of fraud interactions.