NewThe detectors that scored perfect collapsed the hardest under attack.
Back to Research
Fraud story

A cloned voice that said the password, and the bank let it in.

Of the control bypasses worth studying, voice authentication is the one where the evidence is least ambiguous, because the people defeating it published exactly how, and the targets were live production systems.

Article · June 2026 · 6 minute read

Voice authentication, the bank security model where your voiceprint is your password, has been defeated repeatedly with AI voice clones. A reporter cloned his own voice and accessed his account. A BBC reporter passed two banks' voice-ID systems. University of Waterloo researchers reported defeating voice authentication with up to 99 percent success within six attempts.

The demonstrations

A journalist at Motherboard cloned his own voice using a consumer tool and used it to get past his bank's voice-based authentication and into his account. A BBC reporter ran the same test against two UK banks' voice-ID systems, using an AI clone to speak the enrollment phrase, and was admitted to the accounts. These are not lab abstractions. They are reporters defeating the live authentication of named banks with off-the-shelf voice cloning.

The research backs the anecdotes. University of Waterloo researchers described a method that defeated voice-authentication systems with success rates reported up to 99 percent within six attempts. That is not a marginal edge. That is a control that does not hold.

What actually got bypassed

The mechanism is direct and worth stating precisely. A voice-authentication system enrolls a model of the acoustic properties of a speaker's voice: pitch, formant structure, spectral characteristics. At login it compares a new sample against that enrolled model and returns a match score. A high-quality clone reproduces those same acoustic properties closely enough that the matcher returns a passing score.

So the control did exactly what it was built to do. It compared acoustics and found a match. The problem is that acoustics are now cheap to reproduce from a short sample of someone's voice, and there is an abundance of such samples: podcasts, webinars, earnings calls, voicemail greetings, social video. The biometric is no longer scarce, so it is no longer a secret, so it is no longer a credential.

The industry already agrees

What makes voice the clearest case is that the defenders concede it. A BioCatch survey found that a large majority of US banks, reported around 91 percent, were rethinking voice biometric authentication in light of AI cloning. And in mid-2025, OpenAI's chief executive said publicly that it terrified him that some financial institutions still accept a voiceprint as authentication, calling it a crazy thing to still be doing and stating that AI has fully defeated it.

When the people building the AI and the people defending the banks both say the control is beaten, the debate is over. The only open question is operational: which deployments still rely on it.

What this means

If voiceprint sits anywhere in your authentication or account-recovery flow, treat it as defeated for the purpose of standing alone. As a low-friction signal inside a layered system it can still contribute. As a gate that grants access on its own, it is the weakest link, and a cheaply reproducible one.

More broadly, voice is the leading indicator for every biometric control. The same logic, a matcher comparing a property that generative models can now reproduce, applies to face and to document checks. Voice got there first because cloning got cheap first. The others are on the same path, which is the pattern our detector benchmark measures directly.

The question is never whether a clone or a fake sounds or looks convincing. It is whether the control reads a property the attacker cannot supply. That is what Margen measures, as an independent third party, with a number and a margin of error.

Sources