The voice identification system used by the federal government has a serious security flaw, an investigation has found.
Voiceprint, the voice recognition software used by Centrelink and the Australian Taxation Office (ATO), can be fooled by an AI-generated voice based on the user, an investigation by Guardian Australia has found.
Both Centrelink and the ATO give people the option of using a ‘voiceprint’, along with other personal details, to verify their identity over the phone.
The user records a short verbal message, which is then scanned by software to identify distinctive features in your voice, such as its cadence, tone and rhythm.
It’s billed as being just as secure and unique as a fingerprint, but Guardian journalist Nick Evershed was able to make a ‘clone’ of his voice using artificial intelligence, which he was then able to use to gain access to his Centrelink self-service account.
To gain access to the account, someone must also have the Customer Reference Number (CRN). A CRN is not usually public information, but is printed on any correspondence someone receives from the government.
Gaining access to a customer’s account grants access to a range of sensitive information such as payment records, bank details and the ability to order replacement healthcare and concession cards.
The investigation demonstrates that a suitably motivated person could obtain someone’s CRN from discarded mail, make a clone of that person’s voice using AI and then access an account.
Commenting on the Guardian findings, Services Australia head Hank Jongen defended the voiceprint system and his department’s security record.
He said Services Australia “has the capacity to continually assess risks and update processes accordingly” and that voice recognition is a “highly secure authentication method”.
“We continually scan for potential threats and make ongoing enhancements to ensure customer security,” he said.
“If we identify unusual circumstances in how customers use our authentication systems, we apply additional tests to confirm a caller’s identity.”
According to Centrelink figures, the voiceprint system is used by more than 3.8 million clients as at the end of February. At the ATO, more than 7.1 million taxpayers have registered their voiceprint.
Greens senator David Shoebridge told CyberSecurity Connect his party is calling on the government to use federal cybersecurity funding to regulate the collection of biometric data (including voice data) and to also protect against the misuse of AI.
“The concerns here go beyond the use of AI to trick voiceprint,” Mr Shoebridge said.
“There are few, if any, protections on the collection or use of our biometric data to feed and train corporate AI systems.”
He added that government use of voice recognition in place of more traditional identification methods was intended to reduce costs to the department.
“The government’s main objective with the use of such technologies is to cut operating costs as opposed to what is best for the millions of Australians who rely on government agencies and services,” he said.
“These government savings are almost always paid for by Centrelink clients.”
Have you registered your voiceprint with Centrelink or the ATO? Are you concerned about security? Let us know in the comments section below.
Also read: Who is calling you from that number?
Yes, indeed but I still can’t maneuver around the program so it’s a bit useless to me. I call Centrelink if I need help and even after waiting for extended periods, it is much quicker in the long run and far less confusing.