Last week we discussed a number of requirements for phone authentication solutions. Ideally, we want both high accuracy and strong security. This means low false negatives and false positives even in the presence of threats that will likely target voice biometric solutions. For example, we do not want an adversary to be able to impersonate us either by capturing our voice from an answering machine or other recording and then automatically generating similar voice using a voice conversion technique. Phone fingerprinting, the focus of this week, has emerged as a solution to such threats.
The Georgia Tech Information Security Center is a top academic research center in the information security field and one of its goal is to launch forward looking research projects that will help address new and emerging security threats. In this context, we launched a project to explore security of VoIP technology with initial support from Tom Noonan, the CEO of then Internet Security Systems (now part of IBM), and Fran Dramis, CIO of BellSouth (which soon was acquired by AT&T). Vijay Balasubramaniyan was the first PhD student to work on this project, and he soon realized that call meta-data such as caller-id can easily be spoofed in VoIP calls. He set out to explore how one could determine the source or provenance of a telephone call more securely.
Vijay focused on artifacts in the call audio, using them to form a “fingerprint”. Because of his strong security background, he was clearly interested in features for the fingerprint that are robust and not easy to manipulate for an adversary. He was surprised to find he could achieve a level of precision well beyond what he expected. He was able to determine a location to the precision of an area the size of France. He was able to determine the originating calling device type, either landline, cell phone or a specific VoIP provider (Google Voice, Skype, etc.). And he was able to form a precise enough signature to use it for authentication. This fingerprint formed the core of Pindrop Security’s technology. More technically inclined readers can find details in a research paper that Vijay published in ACM CCS, one of the top security conferences.
So what makes a Pindrop phone fingerprint robust against various threats? First, it relies on analysis of the call audio to create a fingerprint that includes over 140 features. These include features which depend on the source of the call and the path that the call audio takes from the source to the call center. The fact that the method of delivering the call creates the artifacts is critical to why Pindrop technology is extremely hard to spoof. You can manipulate the input by altering the call audio. You can even try to manipulate the path which is lot harder. But the signal will still contain artifacts of the origin and the originating device.
As opposed to voice printing, phone fingerprinting contains inherent anomaly detection capabilities. By determining location and type, you can identify malicious activity such as Caller ID spoofing as well as merely suspicious activity such as a high risk call origination location or a high risk service provider (other wise known as bad phone neighborhoods). Any of these things can tip your off to a suspicious caller the very first time they call, as opposed to a system that only matches a “bad” signature to a caller after they have been identified as “bad” by some other process, usually a detected fraud. This can eliminate months of unfettered access by a bad guy.
The phone fingerprint also provides lots of information on the adversary and opens up doors to fight back. Phone fingerprints can reveal that multiple callers are calling from the same source and location. In a recent initial customer evaluation, we immediately identified 27 fraud rings preying on the customer by using different caller id but using the same facility to make calls. The bank had previously identified some of the attackers but many were unknown and none had been linked. This becomes even more powerful when information is shared across our customer network.
In the security business, we need to use every tool we have in our arsenal to deal with what the adversary will send our way. Next week we will discuss how voice biometric and phone fingerprint technologies can even work synergistically to better secure the phone channel.