Establishing Voice Authentication Controls
Meet my voice.
In a land not so far away, in a time not so distant (actually, within the next month), there will be a kickoff meeting where my voice shows up. Our Client’s team will hear me say hello to everybody, ask one of the team how she likes her new role, remind them that I’m just here for oversight purposes, and then mute myself. During the meeting, I will chime in, even answer a couple of questions, after fumbling with the mute button like I always do.
But I will not be there.
We want to offer our voice cloning service during the next pretext calling engagement with this Client. We seek permission to clone one of their voices, and use that clone in our testing.
All we need is their permission; the rest will be easy.
Deepfake a voice? Easy Peasy!
The team has decided to keep me on standby, in case we frighten, instead of enlighten, our Client. But we want to demonstrate that it’s not very hard at all to clone a voice, and to trick smart people into believing the cloned voice is real.
Here’s a link to my cloned voice:
All it took was two minutes of my voice to create this clone. This is just one little blurt that can be used at the beginning of a virtual meeting, to give the impression I’m actually there.
But we won’t have to use predesigned clips. Our team can actually type in what I “need to say,” and get really good spoofs of me, saying things on the spot, in seconds.
In seconds, folks.
Couple that with the fact that people would assume I’m slow at unmuting, and we have a problem, don’t we?

You might be thinking, “is Dan nuts? He’s letting his team clone his voice?”
Hours and hours of my voice reside on the internet. It’s too late for me, and most executives in the world. We have too much out there to avoid cloning.
But think about it: I’d rather a friendly person teach voice authentication controls with a clone of my voice, than a malicious person teach us the value of awareness testing, with a clone of my voice.
How do we control the voice cloning threat?
If you’ve already been controlling pretexting risk, you already have the control against voice cloning in place. We must double down on what we’ve been calling “out of wallet questions.”
For those who are not banks, out-of-wallet questions seek identity verification information that cannot be found in a “wallet” or on social media. A social security number can be found in a wallet. A mother’s maiden name and our birthdays can be found on social media. It’s why banks ask you the amount of your last deposit when you call asking for a balance. It’s why the healthcare industry, using our birthday for authentication, shows how much it values your privacy.
When we say “double down on out-of-wallet questions” what we mean is that you should:
a) Address voice cloning in your awareness training: there is a new threat – your co-worker’s voice.
b) Encourage employees to authenticate their coworkers when making requests over the telephone.
c) Encourage employees to develop a “voice code” in their family life.
Voice codes are not that hard. You could go with a word everybody remembers, but then you’ll start wondering if you should change it, and how often, and all the other considerations that come with a password.
We recommend going with a dynamic but static question. So when you say to your mother, “sure I’ll transfer that money, but first, what’s the voice code,” your family could know that the voice code is always the next holiday, or the last holiday, or the next birthday, etc.
The key is to develop a method of authentication and make sure everybody is aware of it. Simplicity is key.
For those who have not been mitigating voice risk, you may need to develop a safe word which, for politeness reasons, we are calling the Voice Code (until we see what the rest of the world decides to call it). But even with the voice code, we believe that teaching out-of-wallet questions may be what EVERYBODY has to adopt. (Why have one more thing to remember, when we can just ask our co-worker what we did the last time we met?)
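The “dynamic but static” voice code described above, worked through as an added example (this is not code from the original post or from infotex): the family agrees on a rule such as “next holiday” or “last holiday,” the expected answer is derived from the shared calendar and today’s date, and the caller’s answer is checked against it. The calendar dates and the two rules are constructed assumptions; a real family would pick its own.

```python
from datetime import date

# Constructed sample calendar shared by the family (an assumption for this
# example; birthdays or any other agreed dates work the same way).
FAMILY_CALENDAR = {
    "new year": (1, 1),
    "independence day": (7, 4),
    "halloween": (10, 31),
    "christmas": (12, 25),
}


def _in_year(year, month_day):
    return date(year, month_day[0], month_day[1])


def next_holiday(today, calendar=FAMILY_CALENDAR):
    """Name of the first holiday strictly after today, rolling into next year."""
    upcoming = [(_in_year(today.year, md), name) for name, md in calendar.items()
                if _in_year(today.year, md) > today]
    if not upcoming:  # nothing left this year: the earliest date next year wins
        upcoming = [(_in_year(today.year + 1, md), name) for name, md in calendar.items()]
    return min(upcoming)[1]


def last_holiday(today, calendar=FAMILY_CALENDAR):
    """Name of the most recent holiday on or before today, rolling into last year."""
    past = [(_in_year(today.year, md), name) for name, md in calendar.items()
            if _in_year(today.year, md) <= today]
    if not past:  # none yet this year: the latest date last year wins
        past = [(_in_year(today.year - 1, md), name) for name, md in calendar.items()]
    return max(past)[1]


# The agreed rule is the static part; the answer it yields changes over time.
RULES = {"next holiday": next_holiday, "last holiday": last_holiday}


def expected_voice_code(rule, today, calendar=FAMILY_CALENDAR):
    return RULES[rule](today, calendar)


def verify_voice_code(answer, rule, today, calendar=FAMILY_CALENDAR):
    """True only if the caller's answer matches the code the rule yields today."""
    return answer.strip().lower() == expected_voice_code(rule, today, calendar)
```

A cloned voice that was never told the rule cannot produce the right answer, and nothing in the exchange reveals the rule itself, which is why the question is safer than a fixed password.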
The Likelihood of Voice Cloning
It’s eerie how prevalent my voice is on the Internet, because of all the movies and podcasts I’ve been involved in, since the founding of infotex. I’d rather our team learn to authenticate me against a clone made by an auditor, than a clone made by a malicious actor. So maybe it’s easier for me to offer my voice to be cloned. There is a higher likelihood someone could attack us with a clone of my voice.
What is that likelihood? We’re not sure. I’ve written elsewhere about that debate.
But the impact would be a Black Swan. Think about it: our Clients trust us to empower them to manage risk mainly because we act as an example to them in that regard. (If our little company can do it, so can theirs.)
But do you see how important a Security Culture really is? Our team is not gonna have any problem asking me out-of-wallet questions.
Now, I wonder if that Client reads my blog posts . . . .

Original article by Dan Hadaway, CRISC, CISA, CISM, Founder and Information Architect, infotex
“Dan’s New Leaf” – a fun blog to inspire thought in IT Governance.