A voice ID biometric authentication measure put in place by HSBC has been tricked by twins, one of whom is a BBC reporter.
BBC reporter Dan Simmons set up an HSBC account and signed up for the bank’s voice ID service. The bank, however, then let Dan’s non-identical twin brother access the account via telephone after he mimicked his brother’s voice.
The twins found it concerning that the system allowed multiple attempts to get into the account using voice recognition; in this case, the reporter’s brother took eight attempts before gaining access.
Joe Simmons, brother of BBC Click reporter Dan Simmons, raised a pertinent question, saying: “Can would-be attackers try as often as they like until they get it right?”
When entry was achieved, the option to transfer money between accounts was made available, as were transaction history and balances.
When the system was first put into action in 2016, HSBC said that it measured 100 characteristics of the human voice. Customers merely have to give their account details and date of birth and then say: “My voice is my password” to gain access to their account.
The bank said that it would review ways to make the authentication service more sensitive following the twins’ investigation.
Biometric security is being looked to as a solid layer of defence that can bolster security often left weak by poor passwords and the failure to change them regularly. This instance may cause banks to rethink allowing the voice recognition system to stand guard alone over important information and capabilities.
Despite the fact that the two individuals were twin brothers, the instance displays a failing in the sophistication of the system, proving that there is a possibility that someone else could mimic your voice and gain access to your bank account.
Tom Harwood, chief product officer at Aeriandi, said: “Biometrics technology has been widely shown to significantly reduce fraud – but it’s not the whole solution. And as this experiment has illustrated, no security technology is 100% fool-proof. Technology advances have shown that it is now possible to cheat voice recognition systems. Voice synthesiser technology is a great example.”
Unlike a password, biometric security cannot be changed or refreshed, and this instance is a reminder that biometric authentication is not yet a security silver bullet.
Thomas Fischer, threat researcher and security advocate at Digital Guardian, said: “It’s really hard to remember a hundred different, complex passwords and so biometrics have been widely accepted as a strong step towards better security and a way to make it easier for consumers. After all, it’s far more difficult to spoof someone’s voice, face or fingerprint than it is to guess their weak password.”
Nick Gaubitch, Head of Research, EMEA at Pindrop, offers an idea on how security measures such as this can be reinforced. He said: “To better tackle fraudulent attempts on the phone channel, a multi-layered form of defence is imperative. One that not only verifies the voice, but also verifies the call itself, for example solutions that ‘phoneprint’ (like a voice fingerprint). Phoneprinting analyses 147 unique characteristics of a call, such as the geographical location in which the call is coming from, the device being used and whether the device has been used to contact the company before, to build a far more resilient form of defence.”