How to Make Voice Technology Secure with Uday Akkaraju, Matt Vaillancourt and John Iwasz
Matt Vallon Court the Director of NSP channel sales at Sonic Wall and John. I was the chief technology officer. Wetstein Technologies Inc. talk about how voice technology companies and anyone. Making their own voice can make them secure. How consumers can feel secure using voice and we answer some twitter questions we received from our audience. Hello inside of waste community yet. We are back with another live episode that we are doing today and we're basically a little different. I'm very excited about it. We have three guests on today. We are doing kind of a panel interviewed discussion about voice security. I three gentleman who have been on the show. The podcast show all before and so now. They're here together. Talking about voice security and with me John I was the CTO of wet stone technology's not Balan court the Director of NSP channels at Sonic Wall. And who do the CEO of on a is a welcome gentlemen. Thank you so much for being here today. So let's start For anyone watching. If you have questions you can post them in the comments of you will answer them throughout the show as well as at the end I do have some of you. That Henry Johnson me on twitter beforehand and will answer those questions as well but before we get into it. I'd love for each of you to give me three minutes about who you are your background as far as voice and security so John I will start with you sure so I Fire TO CO founded whetstone. I had spent twelve years at Microsoft and consulting services Traveling across the country from customer. Customer My most noteworthy engagements at that time was at the FDIC F- coincidently during the two thousand eight Banking crisis and I we architect at the Toying and reporting systems at the Bank examiners used to conduct their seventy process That put me on a path towards Fintech and in roles since stanton had been involved involved in Fintech tation security and my Prior project just before Couponing what's done was in creating a voice application for banking on Alexa Nat when you So I've been in the IT channel For over fifteen years now in different roles primarily in IT infrastructure So dealing more with the backbone into structure Obviously now I'm I'm with Sonic Wall So we're doing a lot of Cybersecurity but you know not just firewalls but also Cloud application work from home which is a big A buzzword right now so we enable folks to be able to remote back into their corporate network securely with a multitude of different products to make sure we provide those that layered security for them on a personal side I have been I I guess it's a strange hobby but it's my hobby is been dedicated to data privacy data scary things along those lines developing best practices surrounding them. I've been doing that for a little over three and a half years now As as you mentioned we've discussed quite a few times on some of the other podcasts And most recently as a consumer general consumer of voice I apply a lot of my processes to cybersecurity and Best Practices to the world of voice now as well Being that it's it's new. It's up and coming at an hack especially nowadays where you're not supposed to touch anything or anyone. It's great to able to shout out and have something happen and you know you don't have to worry about washing your hands for another five minutes so I've kind of picked up this in gotten deeper into this voice world over the past year At working with you but I think a lot of the best practices that I tend to preach allowed Really translate apply to the space as well. Yeah any day introduce yourself as well. Yeah so I founded on the ice. You've mentioned so my my expertise actually comes from a little different dimensions of my expertise yesterday's into a and data signs but it's more from the human center so my focus has always been understanding user or the user need and so it our company right so we create Watson conversation but financial institutions. And we actually do that. We we call our in an empty so any empty. I'm in the first thing. We have empathize with the consumer in the busted. It comes to mind your mind or anybody's find its privacy So yeah that's how that's how that has been my expertise of privacy Other psychologists Zimmer's how he acted transferred all that consumer concerns those security by design in applications wonderful and you know security is obviously a major concern in voice technologies a whole. I think it's one of the questions I get asked about. All the time from a consumer standpoint from businesses. How do we keep saying secure and Matt you and I had a conversation raised Personal story of something that happened with you with banking invoice? And I'd love you to share what happened and why it caused concern for you especially somebody who is in the security space so So a stems from one of our voice podcasts. I brought up A. It's not obscure to me because I lived through it. But movie from the nineties called sneakers with Dan ackroyd and a bunch of others and the plot of the movie was Part of the plot was they needed to get this guy's voice pass code so that they could access The bad guys business in stop the bad stuff from happening but what what came from that is I was doing some stuff with some financial institutions. Some pretty big ones across the country and I noticed that all of them were starting to push on their consumers. voice verification for phone in. Which I get right you know. We're we've had this old antiquated system where we ask people who call in questions surrounding data that is in their personal financial files or in their credit files like where. Where did you live in this year? And was that your phone number when you lived at this address and things along those lines which we all know nowadays from social engineering standpoint and even from a data breach standpoint you can find that information on the Internet. Answer those questions and and in fact it happened back in twenty twelve or twenty thirteen where people were getting that information and using it to access to file false tax returns for people because they had the information that they tend to be that person. Get the check in. Yeah so anyways. I get why. They're going to it but one of the ones that I called into quite literally flashbacks. That movie what they wanted me to speak and how they wanted to verify news they wanted to say at thanking company My voice is my password and that's the only verification for it so in talking with John it said I wonder if we can. You know it's not even really it's a hack but it's not really a hacked wonderful. We could get this thing to let me in without me actually with using recorded voice. So you know I. We tried just recording. My voice played it over speakerphone. Worked got in okay. You know probably going to be hard for someone to do. Then I went to some of our former podcast took my words spoken in in high. Def ON THOSE. Podcasts sliced them all up and put them in the correct order. And kinda smoothed them out a little bit. I used a fifty dollar audio editing program. This wasn't anything crazy. Hit play got it so then you know as John and I were talking. We got to out. What about biometric? What what about A simulated or deep fake voice. Could we right? And and I know Don's got some experience with that and I've been working on training assistance to so we can actually test it But I haven't gotten there yet but just the mere fact that slicing my words together allowed me to get in Was very very concerning. And I think my main points that and some of the other Financial institutions that I've worked with have jonbenet's thereby metric systems. If you random pass phrases that are different I knew call in Which is obviously far more secure because it's harder for me as the attacker to anticipate what words I need to queue up to be spoken at the time but this one is very large and I'm not going to name as dedicated. Whatever that was seven words that you need to speak to get into your account from the phone and that biometric validation is only when you speak the pass phrase so even after I push play and say it I can go back to using my regular voice of of the black hat and and continue on my conversation and get whatever it is I want. And there's there's no additional validation so very concerning. I Know John. Your thoughts on up to John. Have you actually talked first week as you and matt or going back and forth a part of the conversation? Lincoln that I've you've just texting back and forth about this all. Have you comment I? It's your part of the conversation initially short so this spun out of a little side project. I had going on creating a synthesized voice. I was giving a talk. At a local co kampe bans on how to create a effectively a deep fake voice using some technologies that are available on on Azure and My in my sample I had taken us some. Rayo clips of Winston Churchill from speeches that he made over the radio during during World War Two and created a synthesized voice Winston Churchill and I did have him successfully say Something that he never dare say in public. I'm too sexy for my shirt. Gravitas of his voice and You know it's it does take some effort to set that up it's It's it's not difficult but it is tedious. You need today out tomorrow. I'm sure I'll get much much easier. You know months from now year from now short I'll be a vastly easier but today I had the supply about one hundred different samples individual samples of about twenty second clips along with the short transcription of that clip to the speech. defeat into the speech and Lebron overnight and then I was able to get a a voice that would not necessarily fake any of us here on the caller or or any person. He would still say that doesn't quite sound writes But with more sat was unsure. You would have a much more convincing convincing voice.