PORTLAND, Ore.—Researchers at Georgia Tech say they have identified a digital fingerprint hidden within voice signals
that can reveal fraud and thwart voice phishing scams.
When caller ID identifies a trusted caller—like your credit-card bank—it would seem natural during the course of the call to ask you to give your
password for security purposes. Unfortunately, it is relatively easy for criminals to fake caller ID and use the same sort of phishing scams they use on the
Georgia Tech's voice authentication technology can be added onto any phone to positively identify the caller with 100 percent accuracy, according to
professor Mustaque Ahamad, director of the Georgia Tech Information Security Center (GTISC), who worked on the project with professor Patrick Traynor and
doctoral candidate Vijay Balasubramaniyan. Unlike email, which is untraceable, Balasubramaniyan said, audio leaves telltale traces that reveal the order and
type of each network that a voice call must traverse—from state-of-the-art VoIP to wireless cellular to legacy land lines.
Their technique cannot reveal a precise location or IP address, but it can identify trusted callers with whom you have spoken several times before, plus
alert you when the caller's phone does not match what the caller ID says. The system works independently of the telephone with which it is being used and
requires no actions on the part of the carriers or the phone makers. Instead it just "listens for" the embedded signatures in the audio in order to trace
what the researchers term a "call's provenance" (origin and routing method).
"Audio inherently embeds details of the networks it traverses. This is what allows us to determine the provenance of a call at the recipient's end," said
Balasubramaniyan. "For example, when an audio packet is lost on the Internet, it stays lost, but it is not perceptible to the human ear."
Telephone call are difficult to authenticate today because they are repeatedly
decoded and re-encoded each time pass through a network gateway.
By compiling these imperceptible audio cues, such as the sound of dropped packets, the researchers have crafted an algorithm called Pindrop, which learns the
unique digital signature of every phone from which your receive calls. After just one phone call, Pindrop can identify the caller with 90 percent accuracy,
according to Balasubramaniyan. Since the system continuously learns, after two calls its accuracy jumps to 96 percent and by the time a fifth call is made,
the researchers say Pindrop has 100 percent accuracy at identifying the caller.
The researchers are also looking to expand Pindrop's capabilities, with built-in capabilities that identify the country of origin of a call even if you have
never received a call from there before. So far they have gained experience in learning the difference between audio call signatures coming from connections
to Australia, India, United Arab Emirates, United Kingdom and France.
What I see is an invention that is able to verify the hardware that a call has come through, not the number. What it provides is "one sided assurance", meaning it can tell if a caller is not the "trusted caller", which in itself is quite valuable. At that point, callers not verified can be assumed to be frauds. What I am looking for is a system that will save the first caller ID number that arrives, not the second one that is sent by the calling party. My ultimate goal would be to send a disconnect signal when a second number is sent, so that I would not even get those calls.
It's quite an interesting invention. And I do agree that looks more like a solution looking for a problem to solve. It identifies the origin then? that means if there are 5 different callers using the same far-end phone will these 5 different calls be identified as the same?
What I can think of in regards an application is the mother that wants to know the thruth about where her adolescent is calling from...
I'm with you, regarding passwords which should never be given out over the phone. In fact, today even when a trusted caller does ask for positive identification, they usually just ask for "the last four digits" or some such, so as not to reveal the entire secret over an unsecured line. Unfortunately, in my experience some people will volunteer almost anything about themselves when presented with the chance to get something-for-nothing. Greed is a hard thing to quell with education, but I agree--we should try our best to do just that.
Your are right--in many ways, this is just a solution looking for a problem. However, the innovation that should not be overlooked, is that users can perform these trusted authentications without having to depend on infrastructure. True, it can only identify whether the caller is using the same phone they've used in the past, nevertheless that is still better than what we have now!
What would be the incentive for a telephone manufacturer to add this to their product? Technology solutions to security problems are great, but the better solution is to educate people to never provide their password over the phone to someone that calls them. Customer service operations that are designed well will provide capabilities to their customer service agents that will allow them to help their clients without ever having access to their passwords.
An interesting concept - but the information provided doesn't explain how it could work - or demonstrate cases in which it would be useful. The phone system sends calls on available routes - which differ between calls as does the quality of the call. Furthermore, legitimate callers may use different telephone instruments to make calls (different extensions at home or different cubicles at a call center). Finally, legitimate calls from banks are rare and the staff changes by shift so the probability of repeat calls coming from the same individual on the same phone are low. It would therefore seem that false negatives on legitimate callers would be common. This sounds like an interesting technology - but perhaps the use case needs to be reconsidered.
Right now it has only been shown to be capable of recognizing calls (outgoing or incoming with 100 percent success) from your most trusted callers--phones with which you have connected at least five times. It can't block faked caller ID, but it can identify "private number" calls, but again only if they have called you at least five times before.
This appears to have a great deal of potential. However, there are questions unanswered here such as: can it learn from outgoing calls; or can it be used by the service providers and networks to block faked number calls; or can it be used to identify "private number" calls?