Modern Security Newsletter #003 – June 2023
Welcome to the Modern Security Newsletter community newsletter. This newsletter provides members with a monthly summary of news, ideas, insight, and analysis in customer security based on my hours of reading and analysis so that you don’t have to. In this edition:
- Community News – Including new website, recent events
- In-Depth – Is the latest attack on Synthetic Speech Detection really 99% effective?
- In the News – My usual roundup of relevant and interesting news
- Just for fun – Because… why not?
- 📅 Upcoming Events – After ten live events, we’ve taken a bit of a break for the summer but have some exciting special editions in the works, which you’ll hear about shortly.
- 🏋️ Supporters – I am delighted that Smartnumbers and Nuance are now official supporters of the Modern Security Community, helping me continue to produce great quality and engaging content. Thank you.
- 🗣️ Voice Biometrics Series – I thoroughly enjoyed producing our recent Voice Biometrics in-depth series, which are all now available to watch on our website:
- 📽️ Beginner’s Guide to Voice Biometrics: Transforming Call Center Security and Customer Experience – An essential guide for anyone getting started with Voice Biometrics and even those who’ve been doing it for a while. It was great to be joined by Ian McGuire, who brought his immense real-world experience to some of the more difficult conceptual issues. Watch ->
- 📽️ Understanding and Mitigating Voice Biometrics Vulnerabilities – With all the media hype around deep fakes and synthetic voices, I thought it was essential that we take a look at the complete spectrum of vulnerabilities and threats to voice biometrics before going deeper. Watch ->
- 📽️ Battling Deepfakes and Synthetic Voices: Safeguarding Voice Biometrics Systems – Another fun session where Haydar Talib and I explored the threat in more depth, laid out practical mitigation strategies, and discussed how we expect the threat to evolve. Watch ->
- 👥 Community Roundtable – We held our first Modern Security Community Roundtable, where representatives from several Financial Services firms joined me to discuss best practices for Voice Biometrics Enrolment and how to communicate with stakeholders on the continued press hype around deep fakes and synthetic voice. More ->
🔎 Is the latest attack on Synthetic Speech Detection really 99% effective? – In-depth
A team at Waterloo University says it has produced a system that is 99% effective against synthetic speech detection countermeasures used to protect Voice Biometric authentication schemes. The headline is definitely eye-catching, but the truth behind the headline actually holds out some promise. Regardless, it’s still an important step in the evolution of this threat. More->
📰 In the news
- Deepfakes get better and better – Obviously, Meta (Facebook’s parent) couldn’t let Microsoft and Google beat them, so they had to create their own Synthetic Speech Tool, which is obviously better than everyone else’s, but, perhaps sensibly, they developed a detection tool in parallel and are keeping it private to ensure responsible usage. Read->
- Social engineering overtakes phishing – Verizon’s annual Data Breach Investigations Report makes interesting reading for those interested in cybersecurity in general. For those in customer service, the key takeaway is that pretexting (social engineering) type scams with some form of psychological manipulation and customisation for the victim are now more prevalent than the traditional spray-and-pray phishing scams. This will only increase further as generative AI tools get their hands on your personal data. Read->
- Do we need caller line identification (CLI) authentication? – OFCOM (UK Telecoms Regulator) published its consultation on implementing the same STIR/SHAKEN technology as the US. There is some interesting commentary on the US and Canadian schemes’ success (or otherwise). My takeaway is that it’s easy for telcos to kick the can down the road and say they are doing something (even if it’s unlikely to be effective) to prevent fraud rather than tackle some more fundamental issues. Read->
- Call centres miss customer expectations – BT and Cisco published their annual report on the customer’s changing service attitudes and behaviour. This is a well-researched report with more than 4,000 respondents in 8 countries. You really should read the whole thing, but the key takeaways for me were an increase in the volume of calls (77% expect to call up from 65%) and call centre service expectations that most organisations failed to meet (60% want to be answered within 5 mins but only 40% are). It also reinforces the “customer in crisis” role of the call centre. I look forward to this report every year because it usually has a focus on authentication, but this year they focused a lot on the experience of the victims of fraud, with 41% saying they had been a victim but 61% of those saying it was extremely difficult to get the support they needed. Read->
🤣 Just for fun
🤬 Password Game – Infuriating, frustrating, hilarious, tortuous, painful – These are just a few words summarising this brilliant demonstration of why passwords make for terrible security mechanisms. I finally threw my computer out the window at level 12. Play->