August 23, 2017

Technologically advanced phone scams

Security Threats

Readers of this blog will already be familiar with phone scams — you’ve probably even received a shady call or two. But you don’t accept offers from strangers or give up personal info when speaking to them, so you’ll be fine, right?

It turns out that the answer is no, not really. Not long ago, the Federal Communications Commission (FCC) issued a warning about an unusual phone scam. Fraudsters call their victims up and ask a seemingly innocent question: “Can you hear me?” The answer “Yes” is all they need. Replaying a recorded affirmative response lets them subscribe their victims to paid services, which will be included in the victims’ phone bill.

The type of scam where additional services are included in the bill of a subscriber without his or her consent (for example, daily messages with horoscopes or news) is called cramming.

Consider several alarming points about this type of scam. How is it that cramming is even possible? Why can’t law enforcement officials do something about it? Is it really possible to use a voice recording to subscribe someone to additional services?

Technically, cramming is possible because phone companies allow the inclusion of third-party services in subscribers’ bills.

The ruse itself is not that new: 800Notes.com, a website that lists suspicious telephone numbers, informed people about it as far back as 2008. Back then, the trick was used for imposing services on organizations. According to those who have taken the bait, the audio recordings were edited in such a way as to make it seem that victims agreed to adding paid services.

Authorities are trying to combat cramming; thus, in 2015, the FCC obliged telecom giants Verizon and Sprint to pay $158 million to settle the claims of customers who’d had services foisted on them. Still, fraud techniques like cramming may instead grow with the development of modern technologies.

Voice banking

With growing popularity of voice authentication, in the very near future something similar to cramming may become a problem in the banking sector. For example, one of the largest banks in the United Kingdom, Barclays, introduced voice authentication for all of its private customers in 2016.

Global finance corporation HSBC also lets its clients take advantage of voice authentication instead of using a password. Clients have to call up the bank, authenticate themselves using a code word, and say aloud, “My voice is my password.”

HBSC claims the system is protected against attempts to bypass it with voice recordings of customers. Purportedly, the Voice Biometrics technology creates a voiceprint that recognizes physical and behavioral nuances of one’s speech.

Besides, phone scammers will have to find a way to get a bank client to say the entire secret phrase. It hardly seems possible; however, they can attempt to get the client talking and tease out the words they need one by one over several phone calls.

Whenever someone invents a way to trick people, someone else will look for a way to avoid being tricked. For example, Pindrop created technology that takes a variety of factors — including location — into account when evaluating the authenticity of a remote person. A call from the wrong side of the planet will alert the system, for example. Banks use this type of technology for antifraud purposes as well.

Another sign — although not a sure sign — is the chosen communication channel. According to Pindrop’s statistics, scammers use VoIP in 53% of cases, whereas for genuine clients the proportion is quite different, with only 7% using VoIP to contact their banks. For that reason the system automatically notes VoIP calls.

Naturally, fraudsters take countermeasures — for example, by simulating a low-quality connection, which theoretically makes it harder for the system to identify the caller. Evidently, phone scammers will expand their arsenals with new and powerful tools soon.

Say nothing

Project VoCo, outright called “Photoshop-for-voice,” was demonstrated at the Adobe MAX conference in 2016.

After analyzing a speech fragment, the system generates a sample of that person’s voice, including spoken words that were not in the source recording. The invention, according to BBC reports, has caused concern among information security experts. VoCo, just like its graphical ancestor, may become a tool for compromising people, or a method for bypassing speech-authentication systems.

Adobe’s not the only one. Google announced its own project for realistic speech synthesis in 2016, and a Canada-based start-up called Lyrebird announced its technology for speech generation in April 2017. A 1-minute speech recording is sufficient for training the system to say random phrases with the voice of a person who has been recorded (you can listen to a synthesized discussion between American politicians here). Even the developers have admitted that the capability to synthesize speech is potentially dangerous, especially for players in the political arena.

Lyrebird’s founders have settled their technology’s ethical problem with the following statement: “We hope that everyone will soon be aware that such technology exists and that copying the voice of someone else is possible.”

How to deal with all of this

  1. The specifics of the attack in which a victim is coaxed into saying just one word (“yes”) calls for a radical solution. The FCC recommends not answering calls from unknown numbers at all. If someone really wants to contact you, he or she will leave a message.
  2. Do not reveal personal data at all.
  3. Always check all invoices and bills for unexpected items.
  4. An individual method that offers some protection against some phone spam is listing your contact information on the national registry of numbers that telemarketers have to exclude from their lists. Of course, that’s an option only for countries that have such registries — the United States, for example. In the European Union it’s a bit trickier: there’s no All-European registry, although there are national do-not-call lists.