Actual (00:00)
Welcome to Status Secure. Today we’re looking at a bank heist where no one wears a mask, no one holds a weapon, and the thief uses the exact voice of your most loyal customer. In 2026, AI isn’t just writing code, it’s cloning identities. So let’s paint a picture for the financial sector. Your call center receives a call; the caller ID matches a high net worth client. The voice on the other end is the client, and they sound slightly panicked, saying they lost their wallet while traveling and need an emergency wire transfer. The rep does their job. They ask security questions: What’s your favorite... what was your first car? What was your mother’s maiden name? The caller gives all the right answers, and so the wire goes through. Well, an hour later, the real client logs into their app and sees money missing. 100 bucks, a thousand bucks, maybe $25,000. Maybe that won’t happen over a wire transfer, like, just off a phone call, but still.

So, CISO, we used to laugh at those robotic scam calls. How did we get to the point now where AI can spoof a real phone number, clone a real voice perfectly, and know the answers to the secret questions that only the bank and the customer should know?
CISO (01:06)
You know, it’s gotten really harder to protect, because it only takes like three seconds of audio from a TikTok, a voicemail, or a LinkedIn video. Everyone posts these days, and there are very few people who are not online and have a video of themselves somewhere. So, to perfectly clone someone’s voice using AI, the technology is cheap, it’s accessible, and it’s getting more and more terrifyingly accurate. It can capture your cadence, your accent, and even emotional inflection. The quality is based on the duration and where they’ve gotten the audio from. But it only needs three to 10 seconds of clean audio.

And what that can do is simulate your voice exactly. Even you would have a hard time discerning that it wasn’t you. Any more than that, and it gets even better and better. So that’s how they get your voice. Now for the questions, the security questions, because that used to be a big thing. Banks used that a lot, the security questions. So, what you know: because of the dark web, because of years of massive data breaches, Equifax, healthcare systems, social media scrapes, there’s just a ton of information about you out there. And so a lot of times they just collect all of that. They’ve been collecting it. And now they have a massive dossier on almost every person. These LLMs, the large language models, can aggregate all this stolen PII, which is your personally identifiable information, in milliseconds: your address, all of your previous addresses, your relatives. The AI isn’t guessing, it’s reading the file that they’ve collected on you.
Actual (02:56)
Yeah. And you know, the reason I wanted to discuss this topic today was because I was in conversation with someone in the banking industry, and we had a discussion about how over the holiday break, really, you know, Christmas, New Year’s, all of that in that timeframe, they had a huge uptick in these AI scam, you know, customer-cloning phone calls. And they seemed so real. It took a while for them to realize these aren’t real people, and it was a whole thing. And so if the caller ID is spoofed, the voice is identical, they know the name of my first pet, how is a $20-an-hour call center rep, you know, someone at the bank who’s on the phone, going through the steps, you know, verifying, okay, check, check, check, how are they supposed to stop this? We’re putting the entire weight of the bank’s security on this customer service rep, trying to spot a Turing-test-passing AI, if you will. So what do we do?
CISO (03:58)
You can’t blame the rep. This is a systemic failure of knowledge-based authentication. Security questions are pretty dead. If an answer can be Googled, found on a Facebook profile, or bought on the dark web for 50 cents, it’s not a secure authenticator anymore. The bad guys have automated the attack. They use AI bots to simulate calls to the bank and the customer at the same time.
So intercepting SMS codes in real time or confusing the customer into approving a push notification. I mean, this happens all the time. It’s not new anymore. It’s a man in the middle attack supercharged by voice generation. What is it there? What you know, what you have. If those two are easily compromised, then what do you have left? It’s just what you have, right? But we know single factor is not strong enough.
So what now? Well, then it has to be risk-based authentication. That’s the new one. So contextual controls. So you’re talking about conditional access policies, device compliance checks, IP reputation, geolocation. Where is this coming from? So that’s the new. Those have to be added now and looked at.
Actual (05:07)
So I’d imagine just like any other industry, this becomes a regulatory nightmare for these banks, right? So you’re looking at this weird shakeup of there’s these security protocols we’ve had that we’ve used, there’s new threats and now we’re in this gap of, well, shoot, we need a new standard. And so I guess in this weird phase that we’re in,
You know, the question might sound something like who is really liable here, right? If the bank is following the protocols, but the protocols have been beaten, right? Who’s eating the loss?
CISO (05:40)
Well, ultimately, it’s the institution that suffers. Even if the bank tries to claim the customer is negligent, the reputational damage is fatal. Plus, regulatory bodies like the CFPB, which is the Consumer Financial Protection Bureau, are holding financial institutions accountable for failing to implement modern, reasonable security measures against known threats. That’s one of the first tests when you go to court: due diligence. Did they do their diligence? If we know that what you know and what you have are not as strong anymore, and who you are is not enough because that’s only a single factor there, then they still have to do better for their customers, for their consumers.

So if you’re a bank and you’re still relying on mother’s maiden name in 2026, regulators will argue you are negligent. You are not doing your due diligence. You are not protecting your customers enough.
Actual (06:38)
Okay, so let’s play a little defense. I’m the VP of fraud, or the CISO at a mid-sized regional bank or credit union. I’m listening to this podcast. I’m going, yep, I’ve seen it. It’s been happening to us. And depending on how this has happened, maybe it’s a point of…
Like I’m sweating a little bit, like this is kind of frustrating and it’s happening. I don’t want it to happen again and we’re hoping that we can do what we can. So the question for them is how do we actually stop this deep fake threat from draining our customer accounts?
CISO (07:12)
You have to deploy defensive AI. Modern voice biometric systems don’t just match the sound of the voice. They analyze the acoustic properties. Is there a synthetic hum? Is the breathing pattern unnatural? Because for now, AI doesn’t breathe. So defensive AI can spot a deepfake faster than a human ear. You can’t expect a $20 rep to do all of that.
You must break the chain of the phone call. If someone calls requesting a high-risk transaction, directly trigger a push notification to the user’s authenticated mobile app. The user has to use Face ID or their thumbprint on their physical device to prove it. You move the authentication off the compromised voice channel and onto a cryptographically secure hardware channel. You watch the money, not just the caller. Does this customer usually wire 50,000 to an overseas crypto exchange on a Tuesday? Banks already do this, right? I’ve seen where I’ve tried to do a transaction, like, I’m on travel, because I go to conferences a lot. I’m on travel, I’ve just tried to use my credit card for a large purchase, and it declines, because I now have to call my bank and say, hey, it’s me, I’m getting ready to do this. Or I have to go into my mobile app and I have to prove it, and then I have to try the transaction again. So, you know, they’re starting to do it, but they have to do more.
Actual (08:35)
Yeah. And on that note of doing more, we’re at that point where we’re going, hey, okay, you’ve been listening. You’re going, okay, I got it. Maybe I have that problem. Maybe I have a friend or a colleague that is in this situation right now. So what are our marching orders to them? If there’s a bank that’s still relying on caller ID, a list of security questions, what’s one step that they can take tomorrow that can help them improve in this area?
CISO (09:00)
Well, an immediate action is: audit your call center protocols immediately. Identify all the high-risk transactions that have been processed. Wires, password resets, address changes, those kinds of high-risk transactions, and mandate secondary out-of-band authentication. Stop using public information as secret passwords. Strategic action, something that you can do over the next, you know, several months or a year, is you need a comprehensive identity and access management overhaul. You know, look into implementing FIDO2, the Fast Identity Online standards, and passwordless authentication. Bring in a firm to stress test your call center with ethical deepfake attacks. Find out if your reps will hand over the keys before a real threat actor does, because they need practice and muscle memory. They need to build that.

So do exercises, test them, not in a punitive way, but to teach them and educate them and actually get them aware of looking for these deepfakes.
Actual (09:59)
Yeah, you know what this reminds me of? It sounds a lot like how a lot of, I would say, enterprise-type companies, bigger companies, they’ll do those phishing emails to their own people, right? To see if they click, and kind of monitor how they’re performing and if they need to re-educate, because that’s a human error issue. And that’s what this sounds like. It’s almost like this is a new phishing email campaign, but it’s for phone calls, right? It’s specifically for, if I were to think about it, I mean, there’s other aspects where this could be helpful, but specifically for banks, for this specific targeted attack. It’s like your new phishing training is getting phone calls in to make sure everyone’s on their toes. And then you can see where you have your gaps that need to be improved and worked on. And maybe it’ll help you identify, okay, well, we need a new solution to this problem.
CISO (10:49)
You are required by most regulators to do role-based security awareness training. Most companies do it for their executives, for leadership, and for system administrators, your technology people. But you have to do this role-based security awareness training especially for your folks who are touching your customers directly, and the customer reps are one of those roles that needs additional training and testing.
Actual (11:18)
Yeah, so it kind of goes back to the old phrase of trust, but verify, right? So the perimeter here isn’t just your firewall anymore. It’s the very identity of your customers. And if you can’t verify who’s on the other end of that line, you don’t have security. You have an open vault. So let’s trust, but verify cryptographically. Right? So that’s it for today. We’ll see you guys next week. Mission success. It’s about resilience.