Twins fool HSBC voice biometrics - BBC

Voice recognition software launched last year by HSBC in order to speed up access for phone banking customers has been successfully bypassed by a BBC reporter and his non-identical twin brother.


Joe Simmons was able to mimic his reporter brother Dan's voice and gain access to his account, thereby raising questions about the software’s security.

The voice ID service was introduced as a way to bring more convenience to customers of First Direct, HSBC’s phone banking business, without sacrificing any security.

Uttering the phrase “my voice is my password” was supposed to give customers “easier and safer access” to their own accounts, and the service was advertised as such.

“Voice ID can analyse your voice in seconds - checking over 100 behavioural and physical vocal traits, including the size and shape of your mouth, how fast you talk and how you emphasise words,” stated the bank.

However, in light of the BBC report, the bank has now said it will increase the sensitivity of the software. “The security and safety of our customers’ accounts is of the utmost importance to us,” it told the BBC.

The bank also insisted that voice ID is a very secure method of authenticating customers, despite its weakness against the near-identical voices of twins. "Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than Pins, passwords and memorable phrases."

The bank also added that while the software gives users access to their accounts, it only allows them to check their balance and move money between linked accounts and not to third parties.

HSBC is not the only high street bank in the UK to employ voice recognition software. Others include Barclays and Santander as well as digital-only bank Atom.

And despite the embarrassment of being fooled by a BBC reporter and his brother, security experts have defended the use of voice recognition as a means of secure authentication and a more effective method than traditional passwords.

“The BBC is certainly not the first to research ways to fool voice recognition systems or bypass fingerprint sensors, but this is no mean feat and depends on the quality of the original biometric imprint,” says Thomas Fischer, threat researcher and security advocate at Digital Guardian, who adds that it is still a better means of defence than traditional passwords. “Brute force cracking weak passwords, on the other hand, can be done with relative ease.”


Comments: (4)

Hitesh Thakkar Technology Evangelist (Financial Technology) at SME - Fintech startups (APAC and Africa)

Biometric authentication is the way forward to give the user the privilege to transact on his accounts. There are several forms of it, and each comes with its own limitations and unique usage.

It's good that HSBC has taken it in the right sense and fine-tuned it, but it shows that speech verification has its own vulnerabilities when implementing it. If more services need to be allowed, then it's better to have multiple factors for authentication (it may come at a trade-off with usability and convenience).


Steve Cook Digital Identity & Biometrics Consultant

Voice biometrics or authentication on its own needs to have other security measures in place such as device binding, random liveness functionality, behavioural signals, geolocation, or a process for step-up or multi-factor authentication should a situation arise whereby there are multiple attempts to hack into someone's account.  

Somewhere, HSBC's policies on the number of log-in attempts were not strong enough. In the BBC report, it says they tried 20 times. Your credit card locks you out after three attempts; why 20 were allowed is something HSBC has to resolve. The issue with twins has been known in the biometrics industry for years. There aren't many unique things that can separate them, apart from possibly fingerprints. However, if your twin wants to defraud you, you have a serious family issue.

Biometrics are not 100% (nothing is!). They need to work in conjunction with other security checks, but they are far more secure than weak or stolen passwords. An estimate of the number of hacked or stolen passwords is put at around 3 billion according to some experts.

Face combined with voice or fingerprints, together with the above security measures, makes it much harder to circumvent. Sadly, this kind of story doesn't help confidence with consumers unless they can understand how it properly works safely.

As HSBC stated publicly, fraud levels have gone down as a result.
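The attempt limit, step-up trigger and restricted session scope discussed above (the article notes a voice-only session can only check balances and move money between linked accounts) can be combined into one policy gate in front of the biometric score. This is an added illustration, not HSBC's or First Direct's code; the score threshold, the lockout and step-up counts, and the operation names are assumptions.

```python
"""Policy gate around a voice-biometric match score.

Constructed example: thresholds, counts and operation names are assumptions,
not values used by HSBC or First Direct.
"""
from dataclasses import dataclass

MATCH_THRESHOLD = 0.85    # assumed minimum voiceprint score; raising it is "increasing sensitivity"
MAX_FAILED_ATTEMPTS = 3   # lock the channel after three failures, as a card PIN would, not twenty
STEP_UP_AFTER = 2         # once this many failures precede a pass, demand a second factor

# What a voice-only session may do: balance checks and moves between linked
# accounts, never payments to third parties.
VOICE_ONLY_SCOPE = ("check_balance", "transfer_linked")


@dataclass
class Account:
    account_id: str
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Decision:
    outcome: str          # "allow", "step_up", "deny" or "locked"
    scope: tuple = ()     # operations the resulting session is permitted to perform


def evaluate_voice_login(acct: Account, match_score: float,
                         second_factor_ok: bool = False) -> Decision:
    """Decide one voice-authentication attempt and update the attempt counter."""
    if acct.locked:
        return Decision("locked")
    if match_score < MATCH_THRESHOLD:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True          # further attempts need a manual unlock
            return Decision("locked")
        return Decision("deny")
    # The score passed, but recent failures suggest a look-alike voice (a twin,
    # an impersonator) may be retrying: insist on a second factor before granting.
    if acct.failed_attempts >= STEP_UP_AFTER and not second_factor_ok:
        return Decision("step_up")
    acct.failed_attempts = 0
    return Decision("allow", VOICE_ONLY_SCOPE)


def replay(acct: Account, scores: list) -> list:
    """Run a sequence of voice-only attempts and return each outcome."""
    return [evaluate_voice_login(acct, s).outcome for s in scores]
```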


Lu Zurawski founder, iKnowMe at Lu Zurawski

I'm not sure this will affect me; I have problems getting Alexa to acknowledge me, never mind getting personal.

But for those people who like this method of bonding, what is the real risk?

OK - families with twins may be exposed (Steve above makes a good point on that). 

Or perhaps famous people and celebrities are those most in peril here? I could imagine a fraud startup business employing a few comedy impersonators (like Rory Bremner or Ronni Ancona) to hack into celebrities' accounts.

But it would take them quite a while to master each target. So as a potential investor in this fraud business, I'm out. (And there's no need to send an emergency celebrity warning tweet just yet).

Thing is, although this could be classed as an annoying bit of journalism, it does highlight the need to raise consumer confidence/education in emerging digital banking techniques.


Hitesh Thakkar Technology Evangelist (Financial Technology) at SME - Fintech startups (APAC and Africa)

Thanks Steve for bringing up a vital aspect of the incident, the number of unsuccessful authentications (20 in this case), and I agree completely: "Biometrics are not 100% (nothing is!)".
