21 August 2017
visit www.avoka.com

Twins fool HSBC voice biometrics - BBC

19 May 2017  |  12282 views  |  4 HSBC sign

Voice recognition software launched last year by HSBC in order to speed up access for phone banking customers has been successfully bypassed by a BBC reporter and his non-identical twin brother.

Joe Simmons was able to mimic his reporter brother Dan's voice and gain access to his account, thereby raising questions about the software’s security.

The voice ID service was introduced as a way to bring more convenience to customers of First Direct, HSBC’s phone banking business, without sacrificing any security.

Uttering the phrase “my voice is my password” was supposed to be the method for customers to gain “easier and safer access” access to their own accounts and the service was advertised as such.

“Voice ID can analyse your voice in seconds - checking over 100 behavioural and physical vocal traits, including the size and shape of your mouth, how fast you talk and how you emphasise words,” stated the bank.

However, in light of the BBC report, the bank has now said it will increase the sensitivity of the software. “The security and safety of our customers’ accounts is of the utmost importance to us,” it told the BBC.

The bank also insisted that voice ID is a very secure method of authenticating customers despite the vulnerability to vocal genetics. "Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than Pins, passwords and memorable phrases."

The bank also added that while the software gives users access to their accounts, it only allows them to check their balance and move money between linked accounts and not to third parties.

HSBC is not the only high street bank in the UK to employ voice recognition software. Others include Barclays and Santander as well as digital-only bank Atom.

And despite the embarrassment of being fooled by a BBC reporter and his brother, security experts have defended the use of voice recognition as a means of secure authentication and a more effective method than traditional passwords.

“The BBC is certainly not the first to research ways to fool voice recognition systems or bypass fingerprint sensors, but this is no mean feat and depends on the quality of the original biometric imprint,” says Thomas Fischer, threat researcher and security advocate at Digital Guardian says that it is still a better means of defence than traditional passwords. “Brute force cracking weak passwords, on the other hand, can be done with relative ease.”

Comments: (4)

Hitesh Thakkar
Hitesh Thakkar - FIS Payments Software and Services India - India | 19 May, 2017, 11:46

Biometric Authentication is the way forward to provide priviliedge to the user to transact his accounts. There are several forms of it and comes with it's own limitations and unique usage.d

It's good that HSBC has take it in right sense and fine tuned it but it shows that, speech verification has it's own vulnerabilities while implementing it. If more services need to be allowed than it's better to have multiple factors for authentication ( it may cost trade off with usability and convenience).

 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Steve Cook
Steve Cook - Daon - London | 19 May, 2017, 14:12

Voice biometrics or authentication on its own needs to have other security measures in place such as device binding, random liveness functionality, behavioural signals, geolocation, or a process for step-up or multi-factor authentication should a situation arise whereby there are multiple attempts to hack into someone's account.  

Somewhere, HSBC policies on the number of attempts to log-in were not strong enough.  In the BBC report, it says they tried 20 times.  Your credit card locks you out after three attempts, why 20 were allowed HSBC have to resolve.  The issue over twins has been known in the biometrics industry for years.  They aren't many unique things that can separate them, apart from possibly fingerprints.  However if your twin wants to de-fraud you, you have a serious family issue.

Biometrics is not 100% (nothing is!).  They need to work in conjunction with other security checks, but they are far more secure than weak or stolen passwords.  An estimate of the number of hacked or stolen passwords is put at around 3 billion according to some experts.  

Face combined with voice or fingerprints together with the above security measures makes it much harder to circumvent.  Sadly, this kind of story doesn't help confidence with consumers unless they can understand how it properly works safely.

As HSBC stated publicly fraud levels are gone down as a result.

 

4 thumb ups! 4 thumb ups! (Log in to thumb up)
Lu Zurawski
Lu Zurawski - ACI Worldwide - London | 19 May, 2017, 16:53

I'm not sure this will affect me; I have problems getting Alexa to acknowledge me, never mind getting personal.

But for those people who like this method of bonding, what is the real risk?

OK - families with twins may be exposed (Steve above makes a good point on that). 

Or perhaps famous people and celebrities are those at those most in peril here? I could imagine a Fraud startup business employing a few comedy impersonators (like Rory Bremner or Ronni Ancona) to hack into celebrities' accounts.

But it would take them quite a while to master each target. So as a potential investor in this fraud business, I'm out. (And there's no need to send an emergency celebrity warning tweet just yet).

Thing is, although this could be classed as an annoying bit of journalism, it does highlight the need to raise consumer confidence/education in emerging digital banking techniques.

 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Hitesh Thakkar
Hitesh Thakkar - FIS Payments Software and Services India - India | 20 May, 2017, 12:07

Thanks Steve for bringing vital aspect of incident - Unsuccessful authentication ( 20 in this case) and agree completly "Biometrics is not 100% (nothing is!)".

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Finextra news in your inbox

For Finextra's free daily newsletter, breaking news flashes and weekly jobs board: sign up now

Related stories

ANZ to use voice prints for mobile authentication

ANZ to use voice prints for mobile authentication

03 April 2017  |  5566 views  |  1 comments | 3 tweets | 10 linkedin
Voice biometrics prove a hit for Citi in Asia Paficic

Voice biometrics prove a hit for Citi in Asia Paficic

23 March 2017  |  5830 views  |  0 comments | 10 tweets | 20 linkedin
HSBC and Barclays customers hit by technical problems

HSBC and Barclays customers hit by technical problems

27 February 2017  |  9100 views  |  0 comments | 10 tweets | 8 linkedin
DBS to roll out voice authentication; OCBC to take biometrics nationwide

DBS to roll out voice authentication; OCBC to take biometrics nationwide

24 May 2016  |  7272 views  |  0 comments | 7 tweets | 12 linkedin
HSBC to cut 850 IT jobs in UK

HSBC to cut 850 IT jobs in UK

16 May 2016  |  8506 views  |  0 comments | 10 tweets | 13 linkedin
Santander launches 'voice banking' technology

Santander launches 'voice banking' technology

22 March 2016  |  16223 views  |  0 comments | 48 tweets | 53 linkedin
HSBC to roll out voice and Touch ID to 15 million UK customers

HSBC to roll out voice and Touch ID to 15 million UK customers

19 February 2016  |  12955 views  |  0 comments | 19 tweets | 25 linkedin
HSBC online and mobile services downed by cyber attack

HSBC online and mobile services downed by cyber attack

29 January 2016  |  10881 views  |  5 comments
Sorry start to the New Year for HSBC as online problems continue

Sorry start to the New Year for HSBC as online problems continue

05 January 2016  |  6464 views  |  1 comments | 7 tweets | 9 linkedin
Atom Bank to launch with face and voice biometrics

Atom Bank to launch with face and voice biometrics

16 December 2015  |  14291 views  |  0 comments | 35 tweets | 33 linkedin
HSBC tops UK bank social media customer service table

HSBC tops UK bank social media customer service table

27 September 2013  |  17374 views  |  0 comments | 28 tweets | 11 linkedin

Related company news

 

Related blogs

Create a blog about this story (membership required)
visit www.niceactimize.comvisit www.vasco.comdownload the paper now

Who is commenting?

A Finextra member Finextra Member Commented on: Real-time payments in...
A Finextra member Finextra Member Commented on: Barclays uses sensors...

Top topics

Most viewed Most shared
Mobile contactless spending accelerating in UKMobile contactless spending accelerating i...
11585 views comments | 26 tweets | 23 linkedin
Barclays pairs banking data with third party apps for SmartBusiness DashboardBarclays pairs banking data with third par...
9873 views comments | 22 tweets | 31 linkedin
hands typing furiouslyWhy Is Risk Analytics Important?
9674 views 0 | 5 tweets | 1 linkedin
Norwegian banks and startups form fintech clusterNorwegian banks and startups form fintech...
9383 views comments | 19 tweets | 23 linkedin
RBS to bring Silicon Valley to EdinburghRBS to bring Silicon Valley to Edinburgh
9333 views comments | 10 tweets | 8 linkedin

Featured job

Competitive
London, UK (or flexible)

Find your next job