For Finextra's free daily newsletter, breaking news and flashes and weekly job board.
An article relating to this blog post on Finextra:
National Australia Bank (NAB) has introduced biometric voice verification for its telephone banking customers.
10 Jun 2009
While this may have some use in preventing any Tom Dick or Harry ringing up and and impersonating a customer, it does not prevent the sort of fake call centre scam proving popular with criminals at the moment.
ie. the bank call centre is not authenticated to the customer.
It merely closes just one of the many doors open to criminals.
I suppose the customer could check if the NAB call centre was genuine - simply ask a friend to try and change your account details, if they fail the voice recognition - you'll know they're talking to the bank, but NAB might lock your account.
It may be problematic in cases where there is an audio record of your conversation, either recorded by your employer, your mobile provider ie. google android, or the carrier, and of course the bank will record your responses for posterity to cover potential
liability. It won't be long before the master tape gets lost on the way to the data centre or some other mishap and they'll be back where they started and your voice will be worthless for authentication.
Bumometrics in action.
"It merely closes just one of the many doors open to criminals."
Dean, are you saying banks should, instead, leave all the doors open and not bother? Seems to me that closing any door possible is better than leaving it open. Anything to lower the ROI for a fraudster is going to dissuade them from attacking you personally.
Thanks for the comment David and I did agree it would be some use... even if only temporarily, going on past performance.
It does remind me of the 1950's - they used voice recognition then, only it was the lady at the bank who recognised your voice.
No physical security advisor would ever suggest you make your front door like a Mosler vault whilst leaving not even a flyscreen on the back door or window. Is this any different?
I also a fan of giving the customer the minimum processes to perform interactions and voice recognition is impractical for all but phone banking. Why not add voice recognition to your ATM's? POS terminals Why not use viop voice-rec for internet banking?
It won't fly.
Let's be honest here, voice recognition is expensive, and a Titanic solution - the investment is worthless if it is breached, although I suspect there are minimal start up costs for the banks - the on-goings of voice recognition will become as draining as
It will provide no assurance that criminals won't come after these customers, nor is it likely to withstand attacks when they do come. The bank will no doubt try to automate the process over the phone and give opportunity for fraudsters to defeat it.
While every little effort helps, a piece-meal approach doesn't appear to work. Remember Chip an PIN. Billion plus? Savings? I suppose a breach of the voice recognition system is not going to happen (just like that little collapse of the financial system).
What's plan B?
There are are solutions which cannot be mass breached. There are solutions you can recover from even after, heaven forbid, a massive breach or individual compromise, without trashing your whole investment, and issuing a whole new solution and retraining
your customers. This is not one of them.
This is not the mass media so we can use the spin dryer here and the customers and the board probably won't notice. Of course while these sort of patchwork approaches continue the banks are effectively allowing themselves to be divided and conquered. In
the initial stages it's ok while there are many diversified methods, but as they're rolled out the criminals roll in.
The problem is bigger than one patchwork solution or bank. Banks are the little guys now. There are just more criminals than there are bankers, who don't even have a mechanism capable of catching virtually any of the criminals.
How embarrassing is the actual number of frauds - either attempted or successful - compared with the number of offenders caught and prosecuted? I don't think I can find a single comparison of such a bunch of losers in any field of endeavour in history.
To banks I say "Stick to your core business and get together as an industry to solve the fraud issues or face dis-intermediation, disappearing money and vanishing customers."
Better to get together and provide a practical solution to the problem which is not just the problem of banks before shareholders tire of the continuous spin cycle of new security failures, while they bear the costs.
I imagine after the chip and pin business there isn't much chance of that.
As for security, I have worked out that I am actually safer with one of my banks to not ever set up phone banking, because they won't let you change your account details or even get your account number from the bank over the phone unless you have phone banking
set up. Voila no phone banking - no acount hijack -although it is not what the bank had in mind. I'll leave you to guess which bank.
That's the best account security I've seen so far and they did it accidentally.
19 Mar 2009
This post is from a series of posts in the group:
A place to share stuff that isn't at all fintec related but is amusing, absurd or scary.
Diederick Van Thiel