Johan Wevers:
> On 28-02-2015 15:09, Daniel Kahn Gillmor wrote:
>
>> We had this discussion recently over on messag...@moderncrypto.org.
>
> What is described there is a much more confined problem.
>
>> It's far from "trivial", but breaking voice-based authentication
>> (particularly in the already-noisy realm of mobile phone calls) with
>> high probability doesn't seem to be beyond serious researchers.
>
> Fooling a computer that a certain voice belongs to someone else, sure,
> I'm sure that is or will be possible. Fooling me that a short, fixed
> string is spoken by someone I know when in fact it is not, sure, that too.
>
> But fooling me that the person on the other end of the line is someone I
> know well by only technically impersonating his voice while having an
> actual conversation... I don't believe it very likely to happen in the
> near future. Perhaps it could work on someone I barely know, but pick
> only once the wrong person and I might become very suspicious. It
> requires not only changing the voice but also solving a problem much
> harder than the classic Turing test. For once, it requires much
> contextual knowledge about what both persons know of each other.

Apparently, it is very easy to fool people by voice on the telephone.
Just think about the "grandchild trick" ([0], unfortunately not in English), which is a method where the criminals phone (often elderly) people and tell them that they are a grandchild, nephew, or other remote relative and need some money for some reason (need a new car and the like).
According to the article, they often start the conversation with a question like "Guess who's calling?" and then the victims think for some time and seem to remember someone of their family and answer "Hi $Name", so the callers know a name of a relative they now can impersonate.

You'd think that people are very careful with regard to money, but the trick is a huge "success" and the criminals got more than CHF 50k _per case_ in 2013 in Switzerland.

This is because the telephone channel does not prove authenticity of the caller and thus cannot be secure.

~flapflap

[0] https://de.wikipedia.org/wiki/Enkeltrick
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users