Stealing Voice Prints

This article feels like hyperbole:

The scam has arrived in Australia after being used in the United States and Britain.

The scammer may ask several times "can you hear me?", to which people would usually reply "yes."

The scammer is then believed to record the "yes" response and end the call.

That recording of the victim's voice can then be used to authorise payments or charges in the victim's name through voice recognition.

Are there really banking systems that use voice recognition of the word "yes" to authenticate? I have never heard of that.

Posted on May 12, 2017 at 6:00 AM • 82 Comments

Comments

TSMay 12, 2017 6:15 AM

Not banking per say,. but there's several other services, such as your ISP who uses phone confirmations where you are informed to agree/disagree and the conversation is recorded. This is then used as a verbal contract.

Same with the power company here, you can request a service, and they record and follow a script to which you are required to agree,. which is then saved for future reference - in case you claim you never agreed to requesting such a service.

In this case the scammer could claim it wasn't them - or request a service for their home, to which your voice agreed to pay for it,. i guess?

SuleviMay 12, 2017 6:15 AM

In Finland, this was in news couple of weeks ago. The scam was reported to happen, that caller asks "Can you hear me?" and if you respond "yes", caller modifies the recording of call to sound like he/she is selling you something and you respond yes.

http://www.hs.fi/ura/art-2000005178615.html
Article is in Finnish, but google translate will probably give you the gist.

Rop GonggrijpMay 12, 2017 6:15 AM

I think a number of binding contracts in the world of telecoms/energy/telemarketing are done this way. I had a gas company person in Berlin ask a friend that I made the call for whether she wanted to change to them, and the callcenter person told me to have her respond with 'ja' to a sentence they read which they had to record to make sure that they could "prove that she authorised switching providers."

I could easily imagine a fraud where some shady broker gets paid for contracts they fraudulently flip to new providers in this way.

Clive RobinsonMay 12, 2017 6:48 AM

@ Bruce,

Do you remember "The power line factor" where mains hum gets into the audio at both ends, and can be tied back to national records to give a time stamp accurat to a couple of hundredths of a second or better?

Thus it would be very difficult to use a single "yes" from a short conversation.

JohnMay 12, 2017 6:53 AM

My bank tried very hard to sign me up to voiceprint authentication the other day. Seems like a no-brainer to refuse, but I'd be surprised if a binding contract could be established with a simple "yes" recording. I was assuming they would have some pre-defined list of words they would ask you to say which would change for every session. "If you assent to this transaction, please say Orangutan Mary Archangel Transit" or something.

mattMay 12, 2017 7:02 AM

Someone tried this out on me several years ago. They kept asking me "can you hear me?" and I kept answering "I can hear you". I could tell something was fishy, so I hung up on them.

Now I let any caller ID I don't know go to voicemail.

Ollie JonesMay 12, 2017 7:04 AM

I don't know about the misuse of the "Yes" recording. I do know that I've been asked to "say your name and then Yes" when I approved of something or other on the phone.

I do know that robocallers in the US are using this kind of technique at the beginning of their automated pitches. I usually answer "can you hear me?" The robocalls just wait for a voice. They don't seem to care what the answering party actually says.

(It's surprising the phone companies aren't cracking down on all this stuff. SPAM-infested voice phone systems are compromising the value of their legacy product, the one invented by A. G. Bell.)

More to the ScamMay 12, 2017 7:04 AM

The word "yes" is spliced into a fabricated audio recording which is then introduced as evidence in court if the victim contests the charges.

Snarki, child of LokiMay 12, 2017 7:07 AM

"please say Orangutan Mary Archangel Transit"

I will now be answering all phone calls with "Orangutan Mary Archangel Transit"

It should cut down on repeat callers, I hope.

WayneMay 12, 2017 7:55 AM

Banks are getting into Alexa so people can tell it what bank transactions to do for them. Wait for that fun to start.

keinerMay 12, 2017 8:28 AM

@Sulevi

Same in Germany, they send people afterwards funny invoices and contracts they "ordered" by saying YES on the phone and if you don't wanna pay they come with a lawyer and their fabricated phone call tapes...

TSMay 12, 2017 8:41 AM

This kind of scam would easily be destroyed by making verbal agreements across the phone not binding by law.

SpaniardMay 12, 2017 8:44 AM

I don't know of any Spanish bank which lets you contact anything by phone. They may call you selling something, but if you agree they'll ask you to come to the banking office to sign all the papers.

However, as others have pointed out, recorded phone calls *are* used for utilities contracts, as most of these companies only have physical offices on very few cities so it's highly inconvenient to do anything with them in person.

I must admit I've never thought of this scam, and I'm truly scared as electric companies here are really prone to any kind of dirty trick to get customers. A few months ago a salesman for an electric company was arrested after he was found with electric bills apparenty stolen from mail boxes. This is bad because the data contained on these electric bill was enough to allow him to issue new contracts.

K.S.May 12, 2017 8:46 AM

"The word "yes" is spliced into a fabricated audio recording which is then introduced as evidence in court if the victim contests the charges."

This is all kinds of stupid move by scammers. First, you submit evidence of scam into official court record. Second, you identify yourself to courts. Third, you perjure yourself. Persecutors dream case.

keinerMay 12, 2017 8:57 AM

"Mr. Orangeman, can you hear me?"
"Yes"
"By this you actually resigned. Have a nice golf weekend!"

Sometimes the solution can be sooooo easy....

grantMay 12, 2017 9:22 AM

@keiner

> "Yes"
> "By this you actually plead guilty to tax fraud, conspiracy, treason. Have a nice golf weekend!"

If you're going to shoot for a fictional moon, then go ahead and really shoot that moon.

Notion #9May 12, 2017 9:27 AM

While we're on the subject of possible phone scams, I'd like to pick the brains of the good folks here...

I've been getting calls from unrecognized numbers, both at work and at my cell no. There are several variations:

1- There's only silence on the line. (I assume calls like that are robocalls waiting for me to speak first. I never found out what would happen if I spoke.)

2- One ring and it stops. (The apparent number of the caller is in the continental US, so tricking me to call an expensive international number seems not the motive.)

3- A recent one went like this:

(Desk phone rings. I pick up.)
Me: Hello.
Caller: Michel?
Me: Who's calling? (My tone sort of confirms to the caller that he reached the right person.)
(Caller hangs up immediately.)

My question is, what are the callers up to, especially in the last one?

keinerMay 12, 2017 9:39 AM

@Notion 9
What would you think if someone rings your doorbell ans asks for your name? Just close the door...

On the phone: checking validity of phone numbers from some (stolen) phonebook, may be from a device (phone...) or database from Amazon etc...

JimMay 12, 2017 9:40 AM

Me: "Hello?"
Caller: "Can you hear me?"
Me: "Hello?"
Caller: "Can you hear me?"
Me: "Hello?"

In short, I don't give them ANYTHING, not even an acknowledgement that I can hear them, if I am not sure of who I'm speaking with.

blablablagingerMay 12, 2017 9:42 AM

My bank uses a voiceprint of the recitation of my telephone number as the primary authentication for phone banking. To me this is unacceptable because I routinely recite my phone number to people and this could easily be recorded. I have resisted signing up for this method of authentication.

Moshe YMay 12, 2017 9:52 AM

Hi, this touches on my areas of expertise: speech technology and voice user interface design.

It's my opinion that the goal of the "yes" is to engage you in the programmed script -- that is, to distract you from the fact that you're talking to a recording. At this point many people have the reflex to hang up immediately on recorded phone spam, and a conversational segment cancels that reflex.

As for other speculations:

* No one uses a single "yes" as biometric authentication.

* Using the pre-recorded "yes" to purchase a service would be an interesting scam, but would fail on any detailed analysis of the audio. As an aside, and this is outside my area of expertise, the idea of a scam makes little sense: a widespread attempt gather hundreds of thousands of "yes" responses and then use those to purchase services? The logistics of trying to use these recordings to extract money from some third-party service provider (a brokerage firm?) would be... interesting.

* Again, outside my area of expertise: if this is a scam, I would expect it to be a short-term one -- at this point, with speculation running wild, any attempt to use these recordings would a) hit the news and b) trigger security measures by service providers.

At last month's conference of speech technology providers, held annually, there was no interest in the topic; anyone who does speech for a living had come to the same conclusion.

Karl LembkeMay 12, 2017 10:12 AM

@Moshe_Y: I suspect you're right.

This subject came up in a friend's Facebook post, and the consensus was that if it's a scam, then:
A) Someone could possibly splice copies of a "Yes" answer into a prerecorded sales script, and introduce it into court when the victim disputed the purchase.
B) It would likely fail to hold up if it ever went to court.

My take is that for a small enough amount, people will be disinclined to spend the time and money on a court case fighting it, and will instead pay the money to make the issue go away.

Further, in a civil matter, the victim is the one who hires the audio expert to show that the responses were pasted into the recording. Such a consultant may only charge $100 an hour, spend an hour determining that fraud occurred, and then a day testifying, including travel and waiting to be called as a witness. That sets a definite lower limit on how much money it's worth suing over.

On the gripping hand, how many cases exist where actual people have been actual victims of such a scam?

ShinobiMay 12, 2017 10:44 AM

"yes" exclusively, is used for verbal recordings in sales calls. sounds like a boiler room thing to do.

voice recognition is however used at banks as a form of authentication, if explicitly agreed on beforehand. This is not agreed on and used on the same call. It's not used for IVR applications, but for human to human dialog with a computer listening and saying "yeah this guy is who he says he is".

there was a video for Adobe VoCo, which looks like it at least entertains the idea that this authentication method will be torn to shreds. https://www.youtube.com/watch?v=I3l4XLZ59iw

Neil DonovanMay 12, 2017 10:48 AM

It appears that electric energy suppliers can switch you to them from your current supplier without your permission.

My mother (a senior citizen) found one day that she was suddenly using Just Energy as her electric supplier. When I asked her why she made the change (from using the electrical distributor as her supplier to Just Energy), she said, "I didn't!

I called Just Energy and complained. They told me that she had agreed to the change after they had called her. I objected and told them that she was quite elderly and I proposed they had misled her. They apologized and claimed they try to be clear when seeking new customers over the phone. Shortly later I called the electrical distributor and changed my mother's supplier back to them.

I found out later that Just Energy was being sued in Canada and the United States. In Massachusetts, Attorney General Maura Healey wrote in a Press Release on January 06, 2015, "Consumers were allegedly switched from their distribution company to Just Energy without their authorization."

LeeMay 12, 2017 10:51 AM

I received a phone call from someone claiming to be a Emergency Responder calling about a medical emergency and asking, "Can you hear me?". I didn't answer and just hung up the phone. It's scary though, because what if a loved one was really in trouble and I end up hanging up the phone thinking it's a scammer calling!

These scammers will sink to any low in order to record you saying 'Yes' over the telephone. There is definitely some sort of scam going on with these 'Can you hear me?' calls.

k15May 12, 2017 11:30 AM

When you have the sense, in your life, that strangers are trying to get you to speak particular lines of dialog, it's not entirely out of this world, for it to be real?

keinerMay 12, 2017 12:10 PM

@Neil D

That's exactly this "call center has something on tape that might sound like "Yes", you have a contract!" number. Call centers are outsourced, paid on number of new contracts. any further questions?

Lot's of trouble to get rid of that stuff...

RachelMay 12, 2017 12:18 PM

'the scammer is believed to...'

which is an assumption, to start with.

a few ways to handle this. Firstly, answer a question with a question.
Never make statements. When someone calls you don't *personally* know, say 'who is speaking please?'
If someone calls, and says 'is that (your name]?' and you say YES, then you have socially enjoined, that is to say, contracted with them. Banks and repo crew know to do this on the phone. So if you are concerned about lawyers or debt collectors attempting to get you to contract [with their undisclosed terms and conditions] on the phone, this question is your golden rule you must NEVER deviate from. do NOT enter into conversation. You say 'That person is not here right now. Send all correspondence in writing, if you have the address. Good bye' [click]

however, if they don't know your name, you still pick up the phone with 'who is speaking, please?' and just keep repeating it.
Someone not dodgy will be more than pleased to identify themselves

another point. if you are presented with so called evidence of your voice saying yes to something. You don't refute it. You don't make statements or get into a situation you may incriminate yourself unwillingly. You simply ask questions. 'Can you prove this evidence is the same as my biological self and was not tampered with, and can you demonstrate you are not committing, amongst other things, the crime of fraud and impersonation, by making this claim and tendering this evidence?'
Can you prove I agreed to waive my unalienable rights by providing consent to the contract of which you speak?
If someone makes a claim the onus is on them too justify it. It is not on the defendant to justify their innocence.

and et cetera

I file this one under performance art

RegisMay 12, 2017 12:19 PM

I've seen similar warnings around for a few months - my local (Boston area) police department even passed one along on social media.

BenMay 12, 2017 12:33 PM

I answer every question posed to me by a telemarketer with "maybe."

It often causes an amusing interaction.

"Is this the head of household?"

"Maybe."

...


RoastbeefMay 12, 2017 12:48 PM

Regarding the calls with nobody there: I believe a lot of high-volume call center operations will call four or five numbers concurrently for just a single human pitch-man. This is on the theory that only 20% of the calls will result in somebody picking up the phone. Whichever call gets picked up connects to the human pitch-man, the other calls get dropped. If you happen to be picking up one of those calls just as someone else is picking up, you discover that you were being called with nobody there.

The latest on the calls I get are these huge elaborate spiels before getting down to what they're selling. Usually the minute someone starts to recite their pitch I just interject "What are you selling?" Usually by the time they say two or three words I'm saying "Not interested" as the phone is already moving back to the cradle.

Clive RobinsonMay 12, 2017 1:10 PM

@ Notion #9,

1, Probably a bot but could be a variation on 3 bellow.

2, I've read in the past that not all US looking numbers are as they appear and have been premium rate fraud in the past. You can cut-n-paste the number if it's a smart phone into a google search to see what it actually is (though be aware that some of the checking services just love to use JS to make money out of you).

3, A phone number has no value to sell unless it's valid and might be worth a fraction of a cent. However with a name it becomrs a lot more valuable. Older people have a habit of answering "Smith speaking"[1] on picking up younger people often fall for "is nancy there" and give their name instead such as "no it's lucy" or some such. Likewise if somebody had a fuller but older record they can be checking that it's still the same person, such records are often worth a lot more.

It can also be a debt collector, when you fill in paperwork for warranties on goods and such like your name, number, zip/postcode house number and purchase details etc get sold on. A debt collector may only have a persons name and a last known address. If your name matches the debtor and you purchased new "household goods" within a few months of the debt going bad they will assume you are probably the debtor to start chasing down for their bounty. Some buy up end of contract debts, such as those of the EE Phone Company that would illegaly try to force a disconnection fee etc. They then sold these at pennies of to dedt facilitators who would then put effort into establishibg who you are to then hit you with hundreds if not thousands of pounds of fees etc on threat of making you bankrupt and homeless. Obviously you only have to get lucky once in ten or twenty calls to start getting a large cash stream comming in. Often a tracker working from home would having got a contact sell it on for a reasonable sum to someone else more practiced at running up the fees who would then sell it on to a bunch of licenced thugs whilst the resale value might only be a few pounds the fees you face can be eye wateringly large.

Some people are waking up to the fact that the old advice of deal with debt agents quickly to negotiate nolonger works as they have no ibtention of negotiating only running up the fees as far as the local legislation alows. Thus with these sorts of people having no contact at all means they drop it or sell it on for pennies untill a statutory time limit is reached when it just gets binned.

Thus when you get the first sort of call just hang up or cough. The second type allways use the internet to check the number. With all other unknown numbers answer with very quiet "Sorry can you speak more clearly and say who's calling" and just repeat untill you get some kind of info on who they are or they give up.

As I advise people who are having problems in their lives be they money, human or other, the best thing to do is treat a phone like a bugging device with hostile intent. Unless you 1, know the number 2, recognise the voice 3, recognise their normal way they speak treat with caution. The last point is important because it may be the equivalent of a wire tap where the other party is trying to get you to say something of importance to a third party. Most people can not disguise their intent when doing this so asking a simple "are you all right" will generally throw them and similar harmlesd questions will derail the intent of the call.

Clive RobinsonMay 12, 2017 2:21 PM

@ More to the scam,

For what it's worth: The evidence stood up in court. Snopes can't go against a court judgment.

Which court which case?

And any links?

We know legal cases produce funny results often because people are not properly represented. So if you have the details we can see where / why it went wrong and the judgment was issued.

albertMay 12, 2017 3:25 PM

@Clive,

I listen to music, mostly on youtube. Once I was listening to a tune, but had no video, comments, etc. to glean any information from.

I determined that it was not from the US. How did I do it?

. .. . .. --- ....

ab praeceptisMay 12, 2017 3:44 PM

Rachel

Actually I usually turn it around and drive them (or their system) insane, haha.

Like:

Caller: Am I speaking with ab praeceptis?
Me: I'm not allowed to tell you that.
C: Pardon me, can I speak with ab praeceptis?
M: I don't think so. a.p. has been abducted by aliens. At least that's what his cat is telling.
C: Pardon me, can I speak with ab praeceptis?
M: I'm under strict order to hand out some secret information, namely a.p.'s very secret preferred prime number, but only to a certain person. Are you a certain person?
...

Clive RobinsonMay 12, 2017 3:50 PM

@ Albert,

I determined that it was not from the US. How did I do it?

I don't know how good your ears are, but...

As a first guess the frequency and harmonics of the mains hum the US is 60hz Europe 50Hz other countries it depends. Some places it might even be 400Hz but they are vanishingly rare these days.

However if the original music was transmitted over TV or Radio before being recorded for U-Bloob un compressed and if you had young ears you might detect the pilot tone or aliased back sampling artifacts of it.

There are also other audio tell-tales that can be found with relatively simple test equipment. Even audio spectrum analysers are fairly easy these days when you consider it a spin-off of GNU-Radio SDR software, or you use Intels --at one time free-- FFT software library.

Freezing_in_BrazilMay 12, 2017 5:37 PM

That would depend on the language, I`d say. In Portuguese, for example, people answer that question differently. They employ the first person of the verb that the remote caller used in the question. Like* "Can you hear me?" Answer: "I can!" [without the "yes"]. It is very unusual to a Brazilian to respond "yes" ["sim" in pt_BR] on the phone. They will only reply with a flat YES [SIM] when they are mad.

Portuguese seems to be more `secure` in this respect. The other romance languages are more like English, and they would answer "Si", "Oui", etc. The question would have to be carefully crafted for the desired effect.

________________________________________

(*) "Pode me ouvir?" - Answer: "Posso!"

albertMay 12, 2017 5:37 PM

@Clive,

Obviously, The Clive cannot be easily fooled. I'm a musician but I don't have perfect pitch. Still, the hum sounded too low. Old timers are very familiar with mains hum. (and tape hiss) :)

G 40.090
G# 42.474
A 55.000
A# 58.270
B 61.735

The difference between any two notes is about 6%. The ratio is the 12th root of 2. 60Hz mains is badly out of tune, and 50Hz is horribly off. Even non-musicians can accurately determine small pitch differences.

I never heard of 400hz mains, but aircraft use 400Hz systems. 400Hz hum would be extremely annoying, especially in music.

Ears are remarkable organs.

I agree with anyone here who thinks voiceprints are a Really Stupid Idea (RSI) It's an acronym that applies to an awful lot of topics on this blog. Not faulting @Bruce in any way. It's the nature of the biz.

. .. . .. --- ....

SteveMay 12, 2017 6:29 PM

I've been seeing this story circulating for a couple of months and as of yet I've not seen a single confirmed incident where someone had an actual loss because of it.

It's classic "friend of a friend of a friend" urban legend fodder.

Snopes calls it "unproven."

Think of it this way: if the scammer has your credit card number or other information, why would they need a recording of you saying "yes?" Why not just run the card and be done with it?

I'm prepared to change my opinion if anyone actually documents a case but until then, I call BS.

JackMay 12, 2017 6:42 PM

Seriously, if I were running this scam would I be more likely to (A) Plead my case to a third party with a fabricated voice recording and perhaps risk getting caught or (2) Move on to the next potential victim. Which is the better use of my time? What does the risk/reward ratio look like?

More to the ScamMay 12, 2017 7:22 PM

@Jack

Seriously, if I were running this scam would I be more likely to (A) Plead my case to a third party with a fabricated voice recording and perhaps risk getting caught or (2) Move on to the next potential victim. Which is the better use of my time? What does the risk/reward ratio look like?

The mobster in charge of this type of scam makes a little "hint" or "suggestion" to the judge and/or attorneys involved that they'd better not impeach the veracity of the recording. Goodness no, they wouldn't directly threaten the jurors....

Notion #9May 12, 2017 7:42 PM

@Steve

if the scammer has your credit card number or other information, why would they need a recording of you saying "yes?"

It could be an ill-conceived scheme to fabricate evidence of consumer consent, e.g. to switching electric supplier.

When the scammer has a recording of someone saying "yes", he can create a fake recording like this:

SCAMMER: (Beep) Sir, thanks again for choosing XYZ Electric. We're almost done here. Before we can complete the transaction, I need to ask for your consent. (Beep) This part of our conversation is going to be recorded. Mr. Anderson, do I have your permission to switch your electric supplier to XYZ Electric?
VICTIM: Yes.

Maybe it's a littlle far-fetched, but it's not completely unbelievable.

DroneMay 13, 2017 6:21 AM

Are there really banking systems that use voice recognition of the word "yes" to authenticate?

"Yes"

Doh!

AndrewMay 13, 2017 6:29 AM

So hacking tools were released, noone cared. Why bother, those backdoors could still be useful.

Now that the shit hit the fan and people probably die in hospitals because of this, Microsoft is throwing patches after patches, even for unsupported versions of Windows.

I think I'm going to puke.


AnonMay 13, 2017 6:55 AM

I thought about this "yes" attack years ago. Unless you have a specific target in mind, it doesn't seem very useful. I considered it from the angle of recording someone with a digital recorder hidden away (easier to do in plain sight today as everyone holds their mobile phone).

O/T: I'm surprised there isn't any mention of the massive cyber attack. It's notable not just for its scale, but who has been hit.

Microsoft have been forced to patch an OS they said they wouldn't support (are they legally liable here? It's not like they didn't know major organizations and Governments rely on Windows XP).

What is also of note, is not so much that these systems "were asking for it by running an unsupported operating system", but that every other line of defense utterly failed, if it was present to begin with.

keinerMay 13, 2017 6:55 AM

...I guess IBM security is in big trouble this weekend, so no Squid this time...

Ergo SumMay 13, 2017 7:15 AM

@Anon...

Microsoft have been forced to patch an OS they said they wouldn't support (are they legally liable here? It's not like they didn't know major organizations and Governments rely on Windows XP).

O/T: That's a good question, albeit, I have my doubts MS would be liable...

I am somewhat surprised by the timeline of the XP patch release; WannaCry appeared out of nowhere yesterday and today MS has the patch for XP. That's the fastest MS has released a patch, at least to my recollection. It certainly seems like MS knew exactly what need to be changed. Alternatively, MS just released the repackaged MS17-010 patch for XP...

What is also of note, is not so much that these systems "were asking for it by running an unsupported operating system", but that every other line of defense utterly failed, if it was present to begin with

That's a big if to start with. The other aspect is that generally speaking, state sponsored malware designed for disabling all type of defenses, or at the very least exempt itself from being evaluated by these defenses.

keinerMay 13, 2017 8:30 AM

@Anon

ad 1+1... A vulnerability of "Equation Group" and MS has the patch in stock... ;-)

Roger WolffMay 13, 2017 8:34 AM

> My mother (a senior citizen) found one day that she was
> suddenly using Just Energy as her electric supplier. When
> I asked her why she made the change (from using the
> electrical distributor as her supplier to Just Energy),
> she said, "I didn't!

You are of course inclined to trust the elderly lady.

Your statement that they can just switch you over is basically correct. THEY provide a list of people whom they CLAIM have authorized them to do so. On the other hand, just switching a batch of people over without having any sort of authorization is kind of stupid. The shit would hit the fan quite quickly.

So, they probably call around, supply misleading information and get an OK even if the person on the other side is not agreeing.

Here in the netherlands, people who ask for something on paper they can study are pressed to agree to the contract, and told they can read it once they have agreed. And that if they want they can cancel the contract within XX time. Of course, the "cancel" happens less than if you'd ask them to return the signed contract.

I got a call from an energy company this week. They told me that I'd save 37% when I'd switch. So on a total of about $2000, there is about $55 that is eligible for the 37% rate reduction. I'd save about $20 per year.

Previous calls of the sort were more aggressive. I have the impression they got slapped on the wrist for unfair practices.

Clive RobinsonMay 13, 2017 8:41 AM

@ Anon,

Microsoft have been forced to patch an OS they said they wouldn't support (are they legally liable here? It's not like they didn't know major organizations and Governments rely on Windows XP).

I suspect thr "legal liability" is dependent on the jurisdiction and how the end user came to be using it. For instance hospital equipment and test and instruments often had not normal XP with reduced features etc issued under different licences, which in effect moved the OS from "software" free of most "fit for" legislation to actual "products" which have all sorts of end user protections.

But the legal liability is perhaps not the problem Micro$haft are worrying about. They tried to blackmail government agencies into paying vast sums of money for continued support of XP. Many in these times of austerity said "no can do". Micro$haft later tried to force issues with the auto update to Win10 which again failed.

Some cities have proved they don't have to go down the Micro$haft route and in some respects this is getting easier day by day.

Thus Micro$haft main argument has always been "cost of ownership" and "availability of support". Newspapers are already claiming this MS OS malware is going to kill people for various reasons. Thus the argument for Micro$haft as a solution suddenly changes, and when alligned with their realy shabby behaviour with trying to blackmail governments and forcing Win10 upgrades on people that did not want it because their hatdware could not support it Micro$haft have a real fear that the lucrative government agency money will disappear compleatly. But worse their image will get ravaged in national media which again will effect future revenue...

Thus for Public Relations a "quick reverse ferret" untill things blow over and they can get back to the bad old ways thay are infamous for.

@ ergo sum,

I am somewhat surprised by the timeline of the XP patch release; WannaCry appeared out of nowhere yesterday and today MS has the patch for XP.

I found out that Micro$haft had a patch for XP at the same time as more modern OSs back in march.

But it was only available to those paying a kings ransom ($300/year according to some sources) to get the continued XP support.

Thus the only thing Micro$haft has done is made it more generaly available, but I'm told "there are catches" involved, which I'm still trying to get to the bottom of.

@ Anon,

What is also of note, is not so much that these systems "were asking for it by running an unsupported operating system", but that every other line of defense utterly failed, if it was present to begin with.

Many people had no choice but to run XP in what is in effect a very insecure way. The reason "embedded" systems where the OS came built in to medical, technical, test, telecommunications equipment and thus could not be patched and still function correctly or at all.

As for the other defenses the attack vector is in the SMB/CIFS code that Micro$haft have been pushing on people since Win for Workgroups, NT3, Win98 (which I'm assuming are also vulnerable). Also Microsoft Windows Network and Active Directory, network printing and quite a number of other services. In effect Micro$haft have embedded SMB and some CIFS functions deeply into Windows of all flavours and many things can break if it's not disabled correctly.

In the past Micro$haft tried every trick it could to force SMB and CIFS on users to get the Novell, Wind River and other LAN systems business, and they had no care as to how they forced SMB onto people.

Jim BurrowsMay 13, 2017 10:03 AM

While all the speculation is interesting, I don't believe there is any evidence that this is actually a scam, per se. Rather, I suspect that it is a filter used by robodialers to winnow the humans from the answering machines, and select those people who are willing to engage to be handed to the next available spammer/operator/pest.

I looked, and could only find one reported incident anywhere of someone claiming to be scammed, and there was precious little to tie the $100 bogus credit card charge to the call other than they happened on the same day.

On the other hand, I checked with a friend whose job is supporting autodialers, and he says that this fits perfectly with the sort of filtering that is done on bulk autodial calls.

Lots of fun here, but not a lot of "here" here. SPAM, not SCAM, if you follow the distinction.

keinerMay 13, 2017 1:45 PM

@Jim B

Yepp, no evidence. Except some weeks and dozens of cases with the same trick in Europe over the last weeks. Some fun from counterfactual debate?

hermanMay 13, 2017 3:32 PM

@keiner - I think the squid got caught by ransomware. Bruce admitted in the past that he uses MS Windows. It would be too funny if he got rick rolled also.

AnonMay 13, 2017 5:01 PM

@Ergo Sum @Clive Robinson

Microsoft have a common codebase for their operating systems. When they fix an issue for one, they fix it for all in that component, *unless the component was deleted or added for the new version*, then it only applies from that build forward.

When MS build their updates, they use the same source for each version, but with different options. This is why the XP patch was already available though not released, because it was the same piece of code they fixed for later versions.

What is important to understand is since Windows 2000 Workstation, XP, Vista, 7, 8.x, and now 10, share the same core components. The UIs might have got an overhaul between major version releases and new additions "under the hood", but the core is otherwise the same.

Are we any closer to knowing what the purpose of this attack was beyond the obvious attempt at fraud? The choice of establishments to hit world-wide is interesting to say the least.

I thought the UK Government were slow to convene COBRA, too.

Anonymous CowardMay 13, 2017 6:53 PM

@Bruce Schneier

This article feels like hyperbole:

The scam has arrived in Australia after being used in the United States and Britain.

The scammer may ask several times "can you hear me?", to which people would usually reply "yes."

The scammer is then believed to record the "yes" response and end the call.

That recording of the victim's voice can then be used to authorise payments or charges in the victim's name through voice recognition.

Are there really banking systems that use voice recognition of the word "yes" to authenticate? I have never heard of that.

Wasn't this in a US newspaper last year, or very early this year?
They might not use "yes" but the principle stands since many do use some phrase that people could record you saying.
Isn't this where how the term "replay attack" was coined, back when cassette recorders were the most advanced technology of the time?
Of course recording and replaying isn't needed for this, as voice forgery was provided by Adobe over a year ago. Any watermarker in their proprietary binary that makes the forgery detectable can surely be removed by anyone familiar with IDE Pro or similar, it shouldn't be any harder than removing Sony's rootkit or Starforce, as countless random hackers have been doing since the invention of vacuum tubes.

Anonymous CowardMay 13, 2017 6:55 PM

@moderators
Blockquote on this website seems to malfunction when it encounters CRLF. Could one of you possibly edit my post above so what I'm quoting doesn't appear like I'm the one saying it?

Christopher R FroehlichMay 13, 2017 10:10 PM

per @Notion #9's comment, I have had a similar number of calls recently against my Google Voice account, which isn't publicly available.

I've responded in similar fashion to many other commenters. I recognize the FUD in the scam scare and the corresponding hysteria from those that have received similar calls, but I do wonder: what is the objective of these calls? I get a few dozen of these a week at this point, and--say what you will about the virtues of trusting a service like Google Voice, I can block each and every number that attempts these call originate from, which is part of the risk analysis one does when letting any third party privy to sensitive information. GV as a secure platform is a whole other question, so I don't want to dwell on that too much.

Still, I have causal concern and empirical evidence that calls of this nature are happening to me. I'm one datapoint in a few billion, so I don't know what that means or how to evaluate it--but it is at least interesting that the FUD articles at least partially describe a behavior that I experience regularly (and newly within the past few months).

It seems presumptuous to assume that these hackers intent is to get a vocal recording of "yes", but it seems rational to assume that these calls are intended to achieve some objective? What is that objective?

elliotMay 13, 2017 10:28 PM

When a telemarketing call ends within a few seconds of starting... it's not because they are done recording your voice... it's because you answered and they don't have an agent available to speak with you yet... They're not going to wait for an agent to be available before they call you, because that would be a waste of their time.

Clive RobinsonMay 14, 2017 2:59 AM

@ Anonymous Coward,

Any watermarker in their proprietary binary that makes the forgery detectable can surely be removed by anyone familiar with IDE Pro or similar, it shouldn't be any harder than removing Sony's rootkit...

Actualy it's a lot harder than most people assume, for a number of reasons.

Due to what are in effect cross modulation techniques the mains power "humm" remodulates the entire audio bandwidth. In the process it adds both amplitude and phase information. To remove it to the point it can not be heard is actually quite difficult, and usually there will be some artifacts left, which can be shown with the appropriate equipment.

However not having mains hum effects apparent on a recorded telephone conversation would in it's self be deeply suspicious.

The problem for any scamers is that the National Mains frequency is very accurately monitored and kept as a record. Because it's frequency varies by the load on the network, and power generators are contractually obliged to maintain the frequency in a narrow limit. Because of the random nature of the load and the slow response of high power generator sets, not just the frequency, but the phase and amplitude is known very accurately as there are millions riding on it. Thus this information provides a time based fingerprint that is acurate to within a few very few fractions of a second. Likewise telephone companies keep very accurate time records for billing purposes.

If someone did make a recording and used it fraudulently the time stamps would not align, further analysis would get the artifacts out and thus helo determin the real time the audio recording was made or that the recording as presented was a fake.

Thus any audio recording presented by the forging party could be challenged and found to be forged. At which point any civil proceadings the forging party had started against an individual would stop and in all probability criminal proceadings would start against the forging party.

The cost of trying to fake the time finger prints beyond simple measurment detection in time and resources would be rather more than any likely gain that could be made.

Worse for any attacker is the "not knowing" if the person they are phoning is recording and logging any inbound calls. The law in many jurisdictions is unclear in some areas. But it basically boils down to the fact that there is a requirment that if you are the call orriginator you must inform the called party that you are recording the call as quickly as is practical. However if you recieve an unsoliscted call you are alowed to record the call and there is still a requirment to notify the calling party, but the restrictions on when you notify them are a lot looser unless it is obvious to the caller that a recording is being made.

Thus there is the "answerphone loophole" if all your calls get answered by an answerphone, then it is obvious to the caller a recording is being made. If you pickup whilst it is still in answerphone mode many answerphones will keep recording as long as there is "voice on the line"... Thus from the legal point of view you have forfilled the notification without being explicit about it.

Any way in most civil cases these days the court cares not a jot for the legality or not of the making of the recording. And once it's allowed in a court as part of the records it becomes admissable in other courts... Likrwise in criminal cases the defendant is usually given more leeway than the prosecution for this sort of thing due to the burden of proof the prosecution has to clear of "beyond reasonable doubt".

But there is a further loophole. It's always legal to make an audio recording at any time as an "aide-memoire" to the writing up of contemporaneous notes shortly after the conversation. The trick in court is to enter the "contemporaneous notes" as evidence pte trial. If the other party challenges you enquire why they are chalenging. The only valid challenge is one of doubting the accuracy, thus at that point you can let slip that there was an audio record available that was an "aide-memoire", at which point the objecting party is kind of court in their own argument and the tape becomes supporting evidence and is admissible. The other party can at this point make noises about needing time to get an expert to verify the audio recording, but the judge is very unlikely to give them much once a trial has started.

Another trick is at the meeting get out a notebook and pen and say "You have no objection to me making a record of this meeting do you?" at wich point if they do not object and continue they have consented, if they object then you say you will not take part in the meeting as your legal rights are being violated.

The point of making the written noyes is to break up their flow and control of the meeting as well as give you thinking time before making an answer. Yousually it's best to say as little as possible and get them to repeate over and over as you write ever so slowly. If you suspect or know it's an LEO or equivalent there are jurisdiction specific ways of dealing with an interview. However at short notice something allong the lines of "No comment at this time". That way you are not refusing to answer, or lying or a number of other things various jurisdictions have to make the innocent criminals. If you get challenged on the "No comment at this time" the best answer is usually "When I've received independet legal advice".

faMay 14, 2017 5:10 AM

@Clive R.

You seriously overestimate the usability and reliability of using mains hum as a watermark.

First, to match any recording containing hum against the database you'd need several minutes, otherwise the result will be very ambiguous. The reasons for this are that 1) the frequency changes only very slowly and 2) you can't use the absolute value, only the variations as a function of time.

Second, if it is possible to extract the mains hum accurately and long enough for matching, then the same technique will allow you to remove and/or manipulate it.

Third, anybody can keep a record of mains frequency (I once did it for a period of two months), and then just use that data to add a fake watermark. As long as that is 20 dB or so higher in level than the original (after that was at least partially removed), it will be in practice impossible to detect the manipulation.

I'm not saying this could be done by an amateur using some commercial software. But for someone with the required DSP knowledge and able to program some ad-hoc software it wouldn't be so difficult at all.

Ciao,

RatioMay 14, 2017 5:59 AM

@Anonymous Coward,

Blockquote on this website seems to malfunction when it encounters CRLF.

Try wrapping each of the quoted paragraphs in <p>...</p>, like this:

<blockquote>
<p>Paragraph one.</p>
<p>Paragraph two.</p>
</blockquote>

The above yields:

Paragraph one.

Paragraph two.

Hope that helps.

ModeratorMay 14, 2017 12:56 PM

@Anonymous Coward: Your formatting is now fixed. To keep a blockquote from reverting to paragraph formatting, add <br> to the end of each line within the blockquote.

SteveMay 14, 2017 8:25 PM

@Notion #9

It could be an ill-conceived scheme to fabricate evidence of consumer consent, e.g. to switching electric supplier.

Yeah. It could be but I'm still waiting for a verified case with a real, known victim.

Until, I'll be skeptical (and let the machine catch the incoming call -- saves a ton of annoyance no matter what the scam).

CaseyMay 14, 2017 9:17 PM

Bruce, i agree with you. Its really outrageous to be sampling a single "Yes" and use it as a voice print for any user. But in real life, there could be a lax implementation of a well-intention policy statement; IS policy could dictate a much complex vocabulary to be used as voice print, but another team that implements that policy may not understand the policy completely and unintentionally cuts corner to sample a simple "Yes" from customer. If everyone in the organisation has IT security "common sense" and awareness, then such blatant lack-of-security implementation hopefully will be reduced to NULL.

TSMay 15, 2017 2:16 AM

On topic but to go into a totally different direction for avoiding this scam,.

Always keep a"Duke Nukem Soundboard" handy by your phone :)
Or terminator, or other fictional figure.

CallMeLateForSupperMay 15, 2017 7:23 AM

@Jim Burrows

[can-you-hear] "fits perfectly with the sort of filtering that is done on bulk autodial calls."

Consistant with, yes. There are businesses that but make cold calls to determine phone numbers with human ears on them. They then sell their lists to phone banks as a value-added thing.

I was harassed by these and other types of junk phone calls for .... forever, until I began 100% call screening and turned off my (landline) phone's ringer. It took several weeks for the calls volume to fall significantly, but in less than 5-7 weeks, junk calls had fallen from 5-6 per DAY to 1-3 per MONTH.

That was a year or two ago (so long ago that I don't remember!). The only probing call I get now is a type that popped up this past winter:
(my ans machine picks up)
Very brief sound burst resembling... music?... followed by obviously synthesized voice: "Hello?" (3 sec. silence) "Hello?".

The two hellos are identical, and subsequent calls are identical. I kept three recordings, which I played to guests, as a sort of ice-breaker/party-trick.

More InformationMay 15, 2017 9:07 AM

@Freezing_in_Brazil

That would depend on the language, I`d say. In Portuguese, for example, people answer that question differently. They employ the first person of the verb that the remote caller used in the question. Like* "Can you hear me?" Answer: "I can!" [without the "yes"]. It is very unusual to a Brazilian to respond "yes" ["sim" in pt_BR] on the phone. They will only reply with a flat YES [SIM] when they are mad.

Portuguese seems to be more `secure` in this respect. The other romance languages are more like English, and they would answer "Si", "Oui", etc. The question would have to be carefully crafted for the desired effect.
________________________________________
(*) "Pode me ouvir?" - Answer: "Posso!"

That is almost exactly as it is in the Finnish language, as well. It would be rare to answer, «Kyllä!» ("Oh yes! Of course! Absolutely! Certainly!") on a telephone call with a stranger, and instead, just as you have mentioned, the first person of the verb is used to respond to a question, either affirmatively or negatively.

— «Osaatko sinä puhua suomea?» ("Can you speak Finnish?")

— «Osaan.» ("I can.")

— or —
— «En osaa.» ("I cannot.")

vas pupMay 15, 2017 3:40 PM

@Bruce:"Are there really banking systems that use voice recognition of the word "yes" to authenticate? I have never heard of that."
Sberbank in Russia started using customer's voice print as one of the tools for fighting fraud, but not just one word 'yes/da' is used. Voice print is created when account set up - base line, then used to compare with voice print of the person calling to the bank and claiming to be a customer.

vas pupMay 16, 2017 8:48 AM

@all: new on behavioral biometric and banks as well:

http://www.bbc.com/news/business-39881924

"By using the accelerometers and gyroscopes in your phone we can gauge your wrist strength, your gait, and we can tell you apart from most other people with a one in 20,000 accuracy - roughly equivalent to the accuracy of a fingerprint," says Zia Hayat, chief executive of Callsign, a behavioral biometrics firm.

So even if a fraudster has stolen your bank log-in details or downloaded malware onto your phone, such behavioral software should be able to spot that it's not really you trying to make that money transfer to a foreign bank.

These behavioral idiosyncrasies are as unique as our voices, tech firms say. This is why Morse code operators could be identified simply by the individual way they tapped out messages.

"We can even measure air pressure using the barometer on the latest smartphones, which can give us another indication of where the phone is and whether that corresponds to where the user says he is."

Even the size of your fingers - how much surface is covered when you tap on the screen - can help build up a pretty accurate signature profile, he says.

"We're moving to a password-less world," says ForgeRock chief executive Mike Ellis. "So these days we need multiple layers of authentication, and behavioral biometrics is one of those layers.

"Identifying the device, its geo-location, and typical behavior is another layer."

=>More banks are rolling out voice authentication as a more secure and less intrusive way for customers to establish their identity.

The advantage of this type of security is that "everything we do is seamless and frictionless - it all happens in the background without the user knowing," he says.

TomMay 16, 2017 2:20 PM

My voice is my passport. Verify me.

Nobody has a sense of history any more.

Anonymous CowardMay 18, 2017 6:12 PM

I have received several of these calls. They hang up if I do not answer very quickly. The numbers are not blocked, but every time I return the call, I am greeted by an ordinary person who swears they were not making any call to anyone. No ordinary person ever greets me if I answer in time; instead, someone tries to sell me something.

Caller-ID spoofing? Yes, but not just that. They also collect voice-prints of people saying "Hello?" so their own prompts aren't recognized as an artificial voice. If you call back after hanging up, you get the same person whose voice you heard - and innocent consumers get angry at each other, with the third-party responsible walking away untracked.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.