strength of voice authentication [was: Re: German ct magazine postulates death of pgp encryption]
flapflap at riseup.net
Sun Mar 1 22:01:20 CET 2015
> On 28-02-2015 15:09, Daniel Kahn Gillmor wrote:
>> We had this discussion recently over on messaging at moderncrypto.org.
> What is described there is a much more confined problem.
>> It's far from "trivial", but breaking voice-based authentication
>> (particularly in the already-noisy realm of mobile phone calls) with
>> high probability doesn't seem to be beyond serious researchers.
> Fooling a computer that a certain voice belongs to someone else, sure,
> I'm sure that is or will be possible. Fooling me that a short, fixed
> string is spoken by someone I know when in fact it is not, sure, that too.
> But fooling me that the person on the other end of the line is someone I
> know well by only technically impersonating his voice while having an
> actual conversation... I don't believe it very likely to happen in the
> near future. Perhaps it could work on someone I barely know, but pick
> only once the wrong person and I might become very suspicious. It
> requires not only changing the voice but also solving a problem much
> harder than the classic Turing test. For once, it requires much
> contextual knowledge about what both persons know of each other.
Apparently, it is very easy to fool people by voice on the telephone.
Just think about the "grandchild trick" (, unfortunately not in
English) which is a method where the criminals phone (often elderly)
people and tell them that they are a grandchild, nephew, or other remote
relative and need some money for some reason (need a new car and the like).
According to the article, they often start the conversation with a
question like "Guess who's calling?" and then the victims think some
time and seem to remember someone of their family and answer "Hi $Name"
so the callers know a name of a relative they now can impersonate.
You'd think that people are very careful with regard to money, but the
trick is a huge "success" and the criminals got more than CHF 50k _per
case_ in 2013 in Switzerland.
This is because the telephone channel does not prove authenticity of the
caller and thus cannot be secure.