pmw 7 hours ago [-]
TOTP can be used today to authenticate a couple to each other over an untrusted medium.
It’s rather high friction; you have to set it up in advance, and then read a six digit number over the phone. And I am not sure that it mitigates the threats… in this situation, I suspect it wouldn’t. It could even make the situation worse if the daughter is genuinely in trouble but can’t access the authenticator.
But I can’t think of a better solution. Any other ideas?
qnleigh 4 hours ago [-]
I think a verbal password works just fine here. But it has to be something that you are 100% positive the other person wouldn't forget, otherwise it's not effective.
Also sending this article to family members so they're aware of this kind of thing.
ProllyInfamous 1 hour ago [-]
My problem with this is that it's effectively one-time use, only, if you're a high-enough-value target.
Once your secret is "said" apart, over technology, it could be considered kompromat.
----
Maybe have your "secret" be about a particular vacation or time period, using a novel recollection depending upon severity of each conversation.
windexh8er 5 hours ago [-]
A confirmation phrase and a poison pill phrase, don't overcomplicate it. This can be generated, shared and changed easily and with no tech.
DecoPerson 4 hours ago [-]
My 76-year-old Dad loves checking the TOTP on his phone and asking me to verbally read it out when I need him to accept a 2FA push notification to let me log into his bank or government accounts so I can do something for him.
He says it “feels like 007 stuff.” “AI will never trick me!”
We also have a duress code word, listed in the notes of that KeePass(ium) entry with the TOTP.
duttish 4 hours ago [-]
I worked on an automatic partial solution (basically caller registering phone calls, receiver verifying them) but a primary problem was that iOS doesn't allow a good enough UX for a third party dialer, even with the new dialer roles etc so I moved on.
user68858788 7 hours ago [-]
A friend’s parents were recently targeted by AI scammers that impersonated family members. This shocked me because her parents are pretty poor, and I imagine it’s not free to make targeted scams like this. So, why were they targeted?
My guess is that my friend is listed on a company website as an executive, and scammers are using company pages to find targets worth spending money on. Scams like these aren’t free, but they’re cheap enough to cast wide nets. The nets are only going to get wider as AI becomes cheaper and more available.
Security by obscurity, as effective as it was, is coming to an end. AI enables scammers to spear phish indiscriminately.
daemin 7 hours ago [-]
This scam has existed for decades, just hasn't used "AI" before to fake the voice. My grandma was often a target of scammers calling up and pretending to be her daughters or grandsons and wanting to get money out of her. She was luckily mentally quick enough to realise what was happening and hang up.
zaphirplane 6 hours ago [-]
This sounds targeted, like 2 degrees of separation
daemin 5 hours ago [-]
It's just opportunistic people calling old people over the phone in hopes of tricking them into handing over some money for "an emergency" by claiming they're a relative. Really low effort scams, I'm not surprised they're using generative AIs to fake voices now, same sort of low-effort operation.
BenFranklin100 8 hours ago [-]
This seems to be partly a technological problem. We will soon need secured, authenticated modes of communication that can verify a person’s voice.
A similar problem is emerging for photos and videos. We also soon need cryptographically signed devices in order to be used in journalism or to be admissible in court.
Otherwise we are going back 150 years where we depend on in-person communication and eyewitness accounts.
sowbug 6 hours ago [-]
There's nothing wrong with those technologies, but they won't address this kind of crime.
Scammers aren't looking to defeat or even challenge voice identification. They're looking for that one person who's having a bad day and is susceptible to getting tricked. All they need is to find that person to earn their quota for the day. They'd actually appreciate it if 99% of the population used Voice Supr-Sure-Auth 3000™ technology, because that would make it more efficient for them to reach the 1% who don't.
This is why the Nigerian prince emails have typos. They're not trying to convince you their email is authentic. They're trying to find the person who isn't sophisticated enough to think in terms of email authenticity.
BenFranklin100 6 hours ago [-]
Fair points.
More broadly, I think this is an instance of how AI/Deep Learning is turning over technologies (photos, video, voice communications) we have come to rely upon, and for us to continue to rely upon, they will need to be radically reworked with security as a starting point, not an afterthought.
sowbug 6 hours ago [-]
One of the least enjoyable parts of the Singularity, for sure.
bfkwlfkjf 6 hours ago [-]
> West suggested using a code word that only your family knows to be able to tell if it's actually them.
Wouldn't have helped in this case if the description of the events is accurate.
Cider9986 9 hours ago [-]
This is why we need to prevent data breaches by not collecting the data in the first place as well as move to non-persistent identifiers for contacts. Nobody could scam you if you only used Signal usernames or SimpleX addresses because you just change them for each contact and they don't get breached because services don't ask for them.
This scam wouldn't have been possible if the scammer couldn't easily look up someone's name, pay a few dollars, and see where they live, their phone numbers, email addresses, and family members. It's not as much of a problem in Europe because of the GDPR, but in France their government cybersecurity is nonexistent so everything has been breached repeatedly so it's the same effect.
It's insane this type of data broker hasn't been banned and why I will never register to vote.
Every piece of data you give away is a liability, not just for the services tracking you, which some people might defend, but for cybercrime and data breaches.
sowbug 7 hours ago [-]
I didn't downvote you, but I suspect you're getting downvoted because your recommendations wouldn't address the actual threat described in the article. This is the process the scam likely used:
1. Dial random phone numbers.
2. When someone answers, play a recording saying "we've kidnapped your daughter."
3. If a live human voice responds, transfer to a live operator who plays a muffled, staged recording of a panicked generic-sounding female voice.
4. Continue standard pig-butchering script.
I doubt the caller ever said the daughter's name. I don't think AI voice cloning was used. These kinds of criminals know how to prey on people's instincts. It's not by compiling databases of accurate personal information. It's by scaring people with emotional, exigent, and plausible circumstances.
Even if 999 of 1,000 of these calls are not to English-speaking people with a daughter who kind of sounds like the voice on the recording, the 1,000th is profitable enough for the scheme to continue.
Cider9986 9 hours ago [-]
66 trackers blocked in Brave on this website. Can someone explain what all these trackers are needed for versus on websites with less? Facebook or Discord or Twitter only have 1 or 0 blocked and I'm sure they are tracking me just as much.
valleyer 6 hours ago [-]
They're needed for extra revenue for KGO-TV. (Which is owned by Disney.)
Cider9986 4 hours ago [-]
That doesn't address my question but I appreciate your reply.
valleyer 3 hours ago [-]
Sorry, maybe I should have been more explicit.
Facebook, Discord, and Twitter may sell "your data", but when they do, it's likely by selling distillations of their internal databases. (Or, of course, through vulnerabilities like the one the Cambridge Analytica Facebook app used.)
Small-ball Web sites like KGO, on the other hand, just get proposals from data aggregators to plop a snippet of HTML/JS on their site, and they get money for it. There's no control on the number or quality of them.
Big sites can't do that because they'd risk introducing serious vulnerabilities that would compromise accounts. No one has a KGO "account" to compromise. And the amount of revenue they'd provide is likely peanuts to someone like Facebook.
So: they're for revenue.