You already have the answers to resolve one of the newest threats – AI Voice Impersonation
Bill Guyer, CISSP, PMP, ITIL
Award Winning IT Executive with a focus on Security and Compliance.
We are seeing an increasing demand for a tool to mark the threat of AI voice impersonation solved. Why hasn’t one been delivered? Because you already have it.
First, let’s discuss the concern. In May 2023, McAfee published a white paper titled “Beware the Artificial Impostor”. They published an excellent summary in their blog post by Amy Bunn, where she quotes that 70% of people in their survey said they “weren’t confident they could tell the difference between a cloned voice and the real thing.”
How does this impact our businesses, very few of which have invested in expensive voice recognition software or have key business data under voice lock? I posit three scenarios and will allow your imagination to relate this to your company.
Scenario 1:
A member of accounting contacts the helpline stating that they are locked out of their laptop due to a recent password change. They were in a hurry to get off-site and can’t remember the new password. They would like their new password set to ThisCrazyLongPassword. Most helpline members are trained not to do this from an email, and to speak with the person before making such a change. The requirement has been met.
Scenario 2:
A salesperson contacts marketing. They are unable to get access to their computer but need that presentation for the big fish to present in fifteen minutes. Can they please send it to their personal email address, [email protected].
Scenario 3:
A company officer is travelling and calls a member of accounting. They have lost their credit card and need the number texted to their personal phone number, which they are happy to provide.
I’m sure while reading these, it became obvious that these don’t impact our business because we have other protections in place. A password change without an MFA solution will only go so far, for example. However, one of the key layers of defense is all too often a verbal confirmation, and we are now finding that layer under suspicion. Now combine this ability to remove voice confirmation with mobile phone cloning or personal email address compromise, and we find that the threat landscape has gotten more complicated. We must accept that we are living in an age where we can no longer accept our ears as positive identification of a person.
The answer, of course, is to extend the complexity of the procedures we use for a person to be identified by another person, in the same way we have already required a computer to check for more than one factor before granting access.
Examples:
Scenario 1 might have the help line person verify that the caller is locked out. They may be required to send an MFA response prior to making the change. Perhaps they require approval from the person’s manager, which the help line person must get. Above all, they should be required to document the change and alert the person’s manager to it.
Scenario 2 could require that the presentation be shared in a location the salesperson has access to, ideally protected by an existing authentication that includes MFA. Again, the request should be documented and the requestor’s manager should be informed.
Scenario 3 is the hardest one. This requires the accounting department to work with the company officers and train a correct process for sharing of credit card information. It requires that we all recognize that something as seemingly ridiculous as asking for a credit card number through text is something that we can’t pretend won’t happen in our companies under specific circumstances. And again, I will say this should be documented even though none of us would wish to write it down.
Malicious threat actors capitalize on our sense of urgency and our desire to make business easy for those responsible for getting the work done. They also rely on our inability to conceive of, much less prepare for, the crazy requests we are going to encounter.
We must stop feeling silly and document these and other threats into our Risk Matrix. We must plan for anything we can imagine a salesperson would ask for, and we must be willing to find a way to make these things happen securely through process. We must also be willing to either document the exceptions or refuse them.