Researchers at the Cheriton School of Computer Science have discovered a method of attack that can successfully bypass voice authentication security systems with up to a 99% success rate after only six tries.
Voice authentication — which allows companies to verify the identity of their clients via a supposedly unique voiceprint — has increasingly been used in remote banking, call centres and other security-critical scenarios.
“When enrolling in voice authentication, you are asked to repeat a certain phrase in your own voice. The system then extracts a unique vocal signature — a voiceprint — from this provided phrase and stores it on a server,” said Andre Kassis, a PhD candidate in the Cryptography, Security, and Privacy research group and the lead author of a study detailing the research.
“For future authentication attempts, you are asked to repeat a different phrase and the features extracted from it are compared to the voiceprint you have saved in the system to determine whether access should be granted.”
After the concept of voiceprints was introduced, malicious actors quickly realized they could use machine learning-enabled “deepfake” software to generate convincing copies of a victim’s voice using as little as five minutes of recorded audio.
In response, developers introduced “spoofing countermeasures” — checks that could examine a speech sample and determine whether it was created by a human or a machine.
The research, Breaking Security-Critical Voice Authentication, by Andre Kassis and his advisor, Professor Urs Hengartner, was published in the Proceedings of the 44th IEEE Symposium on Security and Privacy.