Wet Banana and Other Secrets: A Family Plan for Deepfake Defense

Wet Bananas

This is another post in what is becoming an unintended series aimed at the technically savvy among us who care for older family and friends.

The Problem

Phone scams have been with us for some time and over the years they've become ever more elaborate. Spoofing caller ID coupled with presenting a victim's personal details during a phone call can make the victim think they are speaking with a trusted agent when, in fact, they are not. Most folks have learned to spot these scams. Alas, the elderly are still particularly vulnerable and the scammers' bag of tricks only continues to grow.

Many of us looking after aging parents have drilled into our wards that they should not trust anyone, and if they have concerns they should pull us in to help. In my case, this has done wonders and we've avoided more than a few scams by having my aging parents and in-laws check in with me prior to taking any actions. Unfortunately, that simple defense may soon falter thanks to the advent of deepfakes. For the uninitiated, deepfakes are synthetic audio or video created using AI that convincingly mimic a person's real voice or appearance.

Deepfakes, like phone scams, have been around for a while. The big difference is that phone scams relied more on social engineering and therefore had a low cost of entry, while deepfakes required much more technology and financial resources and so remained the purview of nation states. Until now.

There are now several documented cases of deepfakes being generated in real time and used successfully against large corporations. 404 Media published an interesting podcast that included a story about one unfortunate business that lost millions. Beyond that, the barriers are now low enough that bad actors can generate models that mimic anyone's voice and speech patterns in a matter of minutes, at low cost, using only a relatively small number of sound samples from media clips you could expect to find online.

The result? Scammers are able to sound like you or me when they interact with our parents. In the past, we could simply rely on the fact that our parents would be able to recognize us on the phone and therefore trust what we were telling them. Not so any longer, now that our voices can be so easily stolen.

So how, without being in person, are our family members to know who they are talking to? How can we easily authenticate who we are to one another?

Password Managers

Authentication relies on a shared secret. I can prove I am who I say I am if I can present a passphrase that is known only to me and the family member I want to communicate with.

Having a secure way to share that phrase and change it periodically is where the password manager comes in.

Many password managers, like 1Password or LastPass, have the ability to store an encrypted note. If you use a Mac, you can also store a secure encrypted note in the Notes app. In my case, my family uses 1Password and we have set up a shared database that everyone in the family can read and edit. We can use this shared database to store a nonsensical passphrase like “Wet Banana”.

Authentication works like this: when a family member wants the person on the call to prove they are who they say they are, they request the passphrase. The other person only needs to open 1Password and check the shared note.

I know some folks who have a standing secret passphrase. While this approach will work, the password manager has the added benefit of being updatable by any member of the family without coordination with the other members. In fact, if one member of the family were suspicious that the caller had somehow learned an old passphrase, they could simply update the note and ask the caller to read the update in real time. Voila, authenticated!
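The rotate-and-ask challenge described above, modelled as an added example that is not part of the original post: `SharedNote`, the word lists and the function names are hypothetical stand-ins for the shared password-manager note. It shows that a caller who only knows a leaked old phrase fails once the note is rotated mid-call.

```python
import hmac
import secrets

# Constructed word lists for illustration; a real list should be much longer.
ADJECTIVES = ["wet", "purple", "sleepy", "crooked", "salty", "noisy", "frozen", "tiny"]
NOUNS = ["banana", "ladder", "teapot", "walrus", "pencil", "cactus", "blanket", "anchor"]


def new_passphrase():
    """Pick a nonsensical two-word phrase using the OS CSPRNG."""
    return f"{secrets.choice(ADJECTIVES)} {secrets.choice(NOUNS)}".title()


def normalize(spoken):
    """Phrases are read aloud, so ignore case, spacing and punctuation."""
    return "".join(ch for ch in spoken.lower() if ch.isalnum())


class SharedNote:
    """Hypothetical stand-in for the shared note that only family can read or edit."""

    def __init__(self, passphrase):
        self.passphrase = passphrase

    def rotate(self):
        """Any family member can replace the phrase without coordinating with others."""
        old = self.passphrase
        while normalize(self.passphrase) == normalize(old):  # must actually change
            self.passphrase = new_passphrase()
        return self.passphrase

    def verify(self, spoken):
        """Check what the caller said against the current note."""
        return hmac.compare_digest(
            normalize(spoken).encode(), normalize(self.passphrase).encode()
        )


def challenge(note, caller_reads_note, leaked_phrase):
    """A suspicious family member rotates the note mid-call, then asks for the phrase.

    A genuine caller re-reads the note; an impostor can only replay what leaked.
    """
    note.rotate()
    answer = note.passphrase if caller_reads_note else leaked_phrase
    return note.verify(answer)
```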

Potential Gotchas

Shared Access

First, you're going to need a way to share the secure note. I'm fortunate in that I got my parents and other family members into password managers a while back, so they are all comfortable with them. An older person who hasn't used a password manager before may struggle with this. Maybe the shared note approach would be better in that case, but it doesn't carry the same security that a password manager does.

Platform Compatibility

Second, not all platforms are interoperable. In the case of LastPass and 1Password, you would be able to deal with Uncle Bob who swears by his Windows machine and Aunt Alice who will only use a Mac. But there are several combinations that may not interoperate, so you might have to do some research there to find the simplest solution.

Cost Considerations

Third, and last, many of the password managers come with a cost. There are free versions out there, but the two I mention for sharing with a family will cost you. If you don't want to spend any money, you'll again have to do some research. If you're in Apple's ecosystem like I am, a shared note will work for no added cost.

Final Thoughts

I've said on this blog before that it's important the more technical among us take care of our family members. As the potential for ML and deepfakes makes it increasingly likely that a scammer can spoof our voice as easily as our phone numbers, we need to take additional steps now to protect our less savvy family members from the worst of us.