The latest innovations in consumer technology for the home are starting to resemble pets. New devices like the Amazon Echo and Google Home, among others, can recognize their owner’s voices and respond to commands like well-programmed show dogs.
While these high-tech companions can be trained to respond only to the voices of their masters — also known as “authorized device users” — it turns out fraudsters can already fool voice recognition software.
In a recent interview with PYMNTS, Kang G. Shin, professor of electrical engineering and computer science and the Kevin and Nancy O’Connor Professor of Computer Science at the University of Michigan, explained that while talking to electronics is essential to many facets of modern life, those communication channels are far from foolproof. As voice recognition is increasingly used for everything from sending texts to making purchases or even accessing bank accounts, hackers and impersonators are finding it easier than ever to trick the software and gain unauthorized access to consumer accounts.
“Increasingly, voice is being used as a security feature, but it actually has huge holes in it,” Shin said. “If a system is using only your voice signature, it can be very dangerous. You really need to have a second channel or factor of authentication if you want to authenticate the owner of that voice.”
Shin and his team at the University of Michigan have been working to build that second factor of authentication to help secure voice recognition. The result, called VAuth, is a small device using other biological indicators — in this case, the vibrations of vocal chords made against a person’s skin when they speak — to ensure only the accountholders are accessing their accounts. The device is currently being tested and presented to the academic community.
Voice recognition security isn’t the only thing on which Shin and his team are working. They are also designing backup authentication for other forms of biometric security technology, including fingerprint scanners and facial recognition software. The idea is that multifactor authentication, even if it’s more than one form of biometric authentication, is a better defense than any one type of authentication by itself.
Fighting Off Vocal Fraud
As biometric authentication technology like voice recognition has begun to replace legacy systems, fraudsters are setting their sights on beating the new technology. Scammers are flooding consumers’ phones with robo-calls, hoping to get a vocal response that can be used to gain access to voice recognition-protected accounts. In fact, such scams are on the rise, according to the Federal Communications Commission (FCC).
These scams need only a few recordings of a user’s voice to gain access to certain accounts. Some rely on the collection of single words like “yes” or “no” to fool voice recognition software. What’s more, to beat less sophisticated voice recognition systems, sometimes just a mediocre impression will do the trick, Shin explained.
“Sometimes it’s just a short recording they get of your voice from a phone call or from somewhere else, which is then obviously used to fool the voice recognition,” he said. “But, even if someone fakes your voice, that can fool these devices. And, unfortunately, if fraudsters did somehow record your voice or were able to mimic your voice, then they can get access to all of those things your voice can access.”
To take these fraudsters out at the knees, Shin’s team at the University of Michigan designed VAuth to deliver a second factor of authentication through a biometric indicator that cannot easily be faked. The device continuously registers speech-induced vibrations on a user’s skin, paired with the sound of that person’s voice, to create a unique and secure signature.
The device, which currently functions best as a necklace, earbud or eyeglass attachment, can be worn constantly by a user or only when he or she expects to interact with voice recognition software. It uses an accelerometer to detect vibrations on the skin of a person’s face, throat or chest and matches the timing of those signals against the timing of a voice recognition access attempt.
If the two match, access is granted. If not, a fraudster has potentially been denied.
Shin’s team is currently presenting findings for tests conducted using VAuth — a study which included 18 different users and 30 voice commands — at various academic and industry conferences. Those conferences included MobiCom 2017, an international conference on mobile computing, which was held in Utah earlier this month.
The device delivered a 97 percent fraudulent voice detection rate, according to the findings, while allowing unauthorized access via false-positives just 0.1 percent of the time. Shin and his team hope to bring the product to market down the road, with a survey of 952 people indicating that 70 percent of consumers were willing to wear a cybersecurity token like VAuth, while roughly 50 percent were willing to pay for it.
Backing Up Other Biometrics
Voice recognition is far from the only biometric in wide use today, of course. Biometric indicators such as fingerprint and facial scanning also often fall prey to similar fraud attempts. Fingerprint scanners have reportedly been beat by “master fingerprints,” which can be used to unlock hundreds of accounts. Similarly, Shin recalled that hackers in Germany were able to beat iris recognition software — which relies on detecting fluids to determine real eyes from photographs — with a combination of photos of users’ eyes and fluids.
To fight off fraud attempts like these, Shin said he and his team at the University of Michigan are working to build other cybersecurity devices, similar to VAuth, that can protect iris and fingerprint biometrics.
Because, he noted, as mobile devices are used by more people to access financial and other services, fingerprint and iris-based authentication technology is also being used to safeguard their applications and accounts.
It seems even biometrics can benefit from backup before they can truly become man’s best friend in the fight against fraud.
To download the October edition of the Digital Identity Tracker™, powered by Socure, please fill out the form below.
The PYMNTS.com Digital Identity Tracker™, powered by Socure, is a forum for framing and addressing key issues and trends facing the entities charged with efficiently and securely identifying and granting permission to individuals to access, purchase, transact or otherwise confirm their identity.