strength of voice authentication [was: Re: German ct magazine postulates death of pgp encryption]

flapflap flapflap at riseup.net
Sun Mar 1 22:01:20 CET 2015


Johan Wevers:
> On 28-02-2015 15:09, Daniel Kahn Gillmor wrote:
> 
>> We had this discussion recently over on messaging at moderncrypto.org.
> 
> What is described there is a much more confined problem.
> 
>> It's far from "trivial", but breaking voice-based authentication
>> (particularly in the already-noisy realm of mobile phone calls) with
>> high probability doesn't seem to be beyond serious researchers.
> 
> Fooling a computer that a certain voice belongs to someone else, sure,
> I'm sure that is or will be possible. Fooling me that a short, fixed
> string is spoken by someone I know when in fact it is not, sure, that too.
> 
> But fooling me that the person on the other end of the line is someone I
> know well by only technically impersonating his voice while having an
> actual conversation... I don't believe it very likely to happen in the
> near future. Perhaps it could work on someone I barely know, but pick
> only once the wrong person and I might become very suspicious. It
> requires not only changing the voice but also solving a problem much
> harder than the classic Turing test. For once, it requires much
> contextual knowledge about what both persons know of each other.
> 

Apparently, it is very easy to fool people by voice on the telephone.

Just think about the "grandchild trick" ([0], unfortunately not in
English), which is a method where the criminals phone (often elderly)
people and tell them that they are a grandchild, nephew, or other remote
relative and need some money for some reason (need a new car and the like).
According to the article, they often start the conversation with a
question like "Guess who's calling?" and then the victims think for some
time and seem to remember someone in their family and answer "Hi $Name",
so the callers know a name of a relative they now can impersonate.
You'd think that people are very careful with regard to money, but the
trick is a huge "success" and the criminals got more than CHF 50k _per
case_ in 2013 in Switzerland.

This is because the telephone channel does not prove authenticity of the
caller and thus cannot be secure.

~flapflap

[0] https://de.wikipedia.org/wiki/Enkeltrick
