keltan's Shortform

keltan

keltan's Shortform

post by keltan · 2024-04-25T12:07:41.753Z · LW · GW · 4 comments

4 comments

Comments sorted by top scores.

comment by keltan · 2024-04-25T12:07:41.833Z · LW(p) · GW(p)

A potentially good way to avoid low level criminals scamming your family and friends with a clone of your voice is to set a password that you each must exchange.

An extra layer of security might be to make the password offensive, an info hazard, or politically sensitive. Doing this, criminals with little technical expertise will have a harder time bypassing corporate language filters.

Good luck getting the voice model to parrot a basic meth recipe!

Replies from: lahwran, Dagon

↑ comment by the gears to ascension (lahwran) · 2024-04-26T08:07:39.805Z · LW(p) · GW(p)

Good luck getting the voice model to parrot a basic meth recipe!

This is not particularly useful, plenty of voice models will happily parrot absolutely anything. The important part is not letting your phrase get out; there's work out there on designs for protocols for how to exchange sentences in a way that guarantees no leakage even if someone overhears.

↑ comment by Dagon · 2024-04-25T20:33:58.373Z · LW(p) · GW(p)

Hmm. I don't doubt that targeted voice-mimicking scams exist (or will soon). I don't think memorable, reused passwords are likely to work well enough to foil them. Between forgetting (on the sender or receiver end), claimed ignorance ("Mom, I'm in jail and really need money, and I'm freaking out! No, I don't remember what we said the password would be"), and general social hurdles ("that's a weird thing to want"), I don't think it'll catch on.

Instead, I'd look to context-dependent auth (looking for more confidence when the ask is scammer-adjacent), challenge-response (remember our summer in Fiji?), 2FA (let me call the court to provide the bail), or just much more context (5 minutes of casual conversation with a friend or relative is likely hard to really fake, even if the voice is close).

But really, I recommend security mindset and understanding of authorization levels, even if authentication isn't the main worry. Most friends, even close ones, shouldn't be allowed to ask you to mail $500 in gift cards to a random address, even if they prove they are really themselves.

Replies from: keltan

↑ comment by keltan · 2024-04-25T22:03:56.626Z · LW(p) · GW(p)

I now realize that my thinking may have been particularly brutal, and I may have skipped inferential steps.

To clarify, If someone didn't know, or was reluctant to repeat a password, I would end contact or request an in person meeting.

But to further clarify, that does not make your points invalid. I think it makes them stronger. If something is weird and risky, good luck convincing people to do it.