Blog article
See all stories »

Voice recognition and card security

At this weeks Purchasing Card Forum, Nick Ogden, founder of WorldPay and currently chairman and CEO of Voice Commerce Group presented the use of voice recognition as the next big thing in security. He outlined that so far the methods used for card security have all been found to have fallen short and a straw poll of the audience appeared to justify his statement. However, I did ask follow up questions to clarify that voice security is not just another fanciful solution, ready to be blown apart by today's clever criminals.

The obvious question was how unique is a persons voice? Nick said that as far as can be proved everyone's voice is unique. But what about imitators and Nick again batted this question back with the response that voice impersonator Rory Bremner had been engaged to try and break the system and failed.

What about background noise distorting the voice? But again Nick retorted that the system would simply recall you. However, this does seem to be a weak aspect as it is not always convenient to have to wait for a recall and no guarantee that any recall would be at an acceptable location or at an agreeable time.

What about recording the card holder's voice and then fraudsters taking the place of the account holder? Again this can be detected by the system according to Nick.

As fraudulent activity is on the increase and with electronic payments and receipts becoming more the norm, the idea to introduce new technology to strengthen security has to be applauded. I have no idea if voice recognition is the final answer or the forerunner of yet another idea but it's very comforting to learn that there are people putting their brains and efforts into finding the final security solution.

Due to a technical issue please click on this link to see Nicks response to Stephens comment below: 

Technical Issue is now resolved, so you can also see his comments below.


Comments: (3)

Stephen Wilson
Stephen Wilson - Lockstep Consulting - Sydney 29 January, 2009, 19:33Be the first to give this comment the thumbs up 0 likes

Nick said that "as far as can be proved everyone's voice is unique."

Sorry but once again we see here a serious misrepresentation of biometrics.  The term "unique" in the context of biometrics is utter hyperbole.  Even if it were true that voice patterns are "unique", the critical question is whether a biometric mechansim is capable of telling all voices apart.  And the truth is that no biometric apparatus is perfect.  In fact, most biometrics fall so far short of perfection that I believe use of the word "unique" constitutes false advertising.

All biometrics commit two sorts of error.  A False Match (or False Accept) is when the apparatus is presented with an imposter but wrongly confuses them for an enrolled user. And a False Non Match (or False Reject) is when the apparatus fails to recognise a legitimate user.  It's worth repeating, all biometrics commit both sorts of error to some degree.  So already the claim of "uniqueness" is wobbly. 

The False Accept Rate (FAR) and the False Reject Rate (FRR) can be traded off to produce a sort of performance compromise that makes sense according to the application.  If the application is access control on the door to a nuclear missile silo, then the system will be biassed towards lower FAR because the consequences of admitting an imposter are dire.  But if the application is an ATM, or an e-commerce system, then the proper tradeoff is a tough choice.  Is customer convenience more important than security? 

For voice recognition, typical results are:

When tuned towards security: FAR can be reduced to 0.1% (1 in a thousand) but the FRR rises to 6% (1 in 16 legitimate attempts will be rejected)

When tuned towards convenience: The FRR can be reduced to 3% but the FAR rises to 20% (1 in 5 imposters are admitted).

[Reference:Biometric Product Testing Final Report by the National Physical Laboratory for the Communications Electronics Security Group (CESG) 2001.  Note that indications in the more recent report by Mitre Group for the FBI shows no great general improvement in commercially available voice biometric systems.  Technology Assessment for the State of the Art Biometrics Excellence Roadmap October 2008.]

Finally, the nail in the coffin for "uniqueness" is what's called the "Zero Effort Imposter" assumption, which leads to a systemic over-statement of the security of biometrics.  Pardon me for getting technical, but this is really worth understanding.  All standardised biometric testing uses the assumption that False Matches are the random results of instrumentation error and algorithmic imprecision.  That is, the testing assumes that an imposter has made zero effort to fool the system.  As stated in the Mitre/FBI report of October 2008: "When a dedicated effort is applied toward fooling biometrics systems, the resulting performance can be dramatically different". 

That is, the published performance specifications for biometric security systems do not apply to people who are actually trying to break in. Where does that leave banks when trying to evaluate these solutions for their ability to resist attack?


Stephen Wilson, Lockstep.

Gary Wright
Gary Wright 29 January, 2009, 20:04Be the first to give this comment the thumbs up 0 likes

Wow Stephan what a detailed and informative responce!

Thank you so much with for this and i am sure Nick would welcome a conversatation with you

Nick Ogden
Nick Ogden - - London 30 January, 2009, 11:23Be the first to give this comment the thumbs up 0 likes

Stephens’s comments are very interesting and to be clear as I said at the meeting no biometric system, including DNA and fingerprints have been tested on everyone, but the probability is that they are unique. All biometric systems have their own individual challenges as well, and for those who heard me talking on Tuesday morning and didn't on Tuesday night laryngitis is a serious software bug for voice biometric systems!

We have developed a highly complex system and have gone through all the challenges of false accept and false reject to get to a system that will give us a 99.6% FTA (first time authorisation). Our platform uses what we call a "voice signature" which is a complex device that uses voice biometrics as part of its overall score to then approve or decline a transaction. We probably, like Stephen, have gone through discussions with various " voice biometric software vendors" who as opposed to delivering a system that works, attempt to pass the buck onto the customer to set FAR's and EER's and FRR, and any other acronym that their marketing department happens to have invented at the time, to try and make their software sound more complex.  Our biometric verification core, which is developed on the Nuance platform who we have a very close development and working relationship and this platform is working 24x7x365 within 300 organisations, today.  Some of the issues that Stephen raises are also the reasons behind why last year, Voice Commerce Group, started to establish a framework for global interoperability on voice signatures within financial services, and why we are members of PCI.   

In 2001 whilst CEO at WorldPay I convinced my Board that we should guarantee Internet payments, which we did, and this protection is still in place today. Today with Voicepay and our voice signature system we are again using our own systems for our own payment processing services and we guarantee our transactions against repudiation. Over the next few years no doubt we will create improvements and refinements to our systems, and also why we have 2 R+D teams working 6 days a week on our future technologies.

Sometimes if you don’t do, you can’t learn, and every day we learn. By having the advantage of our own global customer base from which to draw experience, and from the fact that we know the solution works, we trust it and the fact that we underwrite it financially gives us a lead, and if we find from that real experience that some changes are required, we will be the first make them.

Gary Wright

Gary Wright


BISS Research

Member since

19 Sep 2007



Blog posts




More from Gary

This post is from a series of posts in the group:


A place to discuss MiFID

See all

Now hiring