rmoonen@hvlpa.att.com (04/12/91)
Barton.Bruce@camb.com wrote:

> Wouldn't it be nice to simply speak into the phone and say 'my friend
> Tony Jones's third office line please', and from the random pay phone be
> voice recognised as you and thereby indicating which Tony Jones is
> being referred to.

To which David Gast <gast@cs.ucla.edu> replied:

> On the other hand, do we really want the phone company (and every COCOT
> sleaze since the example above includes a pay phone) or the government
> to recognize our voice on a routine basis? Our every move would be
> tracked.

This can already be done: Make a cash withdrawal from an ATM; the bank now knows where you are. Place a calling card call from a payphone; the phone company now knows who you called, and where you are. Walk into a moderately sized department store, and video cameras will track your every move. Getting paranoid already? :-)

> Additionally, this particular scenario has a huge security hole: I
> call someone, they record my voice, then they call someone, but pipe
> their input through a device that simulates my voice.

> Perhaps we should close some of the existing security holes before we make
> new giant ones.

Just as with the ATM cards, of course, there should be some security check. After saying, "I'd like Jane Doe's office line please," the computer should answer with something like: "What is your Personal ID Number, please?" And a couple of other methods also could be implemented to counter fraud.

And the Moderator noted:

> [Moderator's Note: And what, pray tell, is the difference between this
> and sending someone a written letter who then forges my handwriting
> and signs off on some fraudulent documents for me? Maybe we should
> stop allowing handwritten communication between people (or individuals
> and companies) before this 'existing security hole' gets worse. How
> inconvenient do you want things to be just to accommodate your fears
> about 'what might happen'? PAT]

While I agree with the Moderator on the general idea, I think that first, 'this existing security hole' IS getting worse. Desktop forgery is as easy as sh*t, and only takes a mildly computer-educated person to do. The point is, however, one should not make it easier to commit fraud, even though you know that it will be done by the persistent ones. I mean, you _do_ lock the doors of your car, don't you? While you know that they're gonna get in if they want to. Therefore, it is not so much the fear of 'what might happen', but more the fear of what _will_ happen. We just have to try not to let it get widespread.

On a 'voice simulation' related topic: Here in the Netherlands, we have the equivalent of the American 900 numbers. Here they start with 06-3. Recently a company started the Tele-Jackpot (06-32035000) at $0.26 per minute. The system works as follows: after blabbing a little and stalling the actual game to earn more money on you, the first reel of the tele-one-armed-bandit starts to run. You hear: "cherry-plum-grape-plum-cherry-star-plum-bar-cherry-grape-etc." The trick is to shout STOP into the phone when you hear "bar". Then the second reel starts running and the same process is repeated. If you get a bar on all three reels, you record your telephone number, name and address on a tape, and you will receive a prize (a Walkman or CD's or something).

My idea was: build a simple voice recognition unit, that recognises only the words cherry, plum, grape, star, bar, and outputs STOP whenever it hears "bar". This could earn me a lot of CD's, as the computer would have a lot faster reaction speed than I do. Haven't gotten around to trying this yet, though.

Ralph Moonen
rmoonen@[hvlpa|ihlpb].att.com
(+31) 35-871380
David Gast <gast@cs.ucla.edu> (04/25/91)
Re my comments about how a voice recognition facility by the phone company would further reduce our privacy by tracking every phone call we make and to whom we make it.

rmoonen@hvlpa.att.com said:

> This can already be done: Make a cash withdrawal from an ATM; the bank
> now knows where you are. Place a calling card call from a payphone;
> the phone company now knows who you called, and where you are. Walk
> into a moderately sized department store, and video cameras will track
> your every move. Getting paranoid already? :-)

These examples are true, but having a record of every single phone call we make would be worse than knowing that once per week a cash withdrawal was made by someone with my ATM card or that someone unnamed walked into the store. Additionally, I can pay cash for my phone calls and the phone does not know who made the call (under most circumstances); if voice recognition is on, then they would know (unless I disguise my voice with some type of electronic device that might also change words et al).

And the Moderator noted:

> [Moderator's Note: And what, pray tell, is the difference between this
> and sending someone a written letter who then forges my handwriting
> and signs off on some fraudulent documents for me? Maybe we should
> stop allowing handwritten communication between people (or individuals
> and companies) before this 'existing security hole' gets worse. How
> inconvenient do you want things to be just to accommodate your fears
> about 'what might happen'? PAT]

I think there are several differences. I hear Bush's voice almost every night on the news. I could record his voice and then easily impersonate him. It would be more difficult, but not impossible, for me to send out letters on his official stationery with his signature on them. It would be easy for someone to call up my bank and say this account 12345 and the last four digits of my SSN are 1234, please send a cashier's check to the ABC Company for $1000. It is harder for that individual to do the above through the mail. It is even more difficult for the individual if the bank confirms the proposed transaction with me before doing it.

Additionally, I have heard many complaints about phreaks from you. Why give them another toy that won't do me any good?

I don't consider the proposed system convenience. We must pay more attention to security, not less. If I want an eight digit PIN for my phone card or my ATM card, I should be able to get it. If I want to limit myself to $100 per day withdrawals, I should be able to. Is it convenience that I am only allowed to get a four digit PIN that is typically chosen for me and is publicly available information like the last four digits of my zip code?

You can bet that if a bank, for example, got on the internet, I would not under any circumstances want them to accept any instructions that came through the internet; it is just too easy to impersonate others. On the other hand, I am not so paranoid that I refuse to have an account on the internet.

David