Bank’s Voice Recognition Fooled By Twin

Published on May 25, 2017

Last week, BBC Click reporter Dan Simmons reported that he had been able to fool HSBC’s biometric voice recognition system by passing his brother’s voice off as his own.

What Happened?

In an experiment that was filmed for the BBC Click technology digest TV programme, Mr Simmons initially set up an account with his own voice password, and then allowed his non-identical twin brother Joe to use the voice recognition account access procedure.

Despite claims that voice recognition is secure because of the unique aspects of each person’s voice, Joe’s voice was wrongly identified and authenticated as being Dan’s, and Joe was then granted access to his brother Dan’s bank account.
This gave him the ability to transfer and withdraw funds from the account, although this was not actually attempted.

Seven Attempts

Quite apart from the worrying fact that the voice recognition system could be fooled (albeit by a twin), the security procedure actually allowed the twin seven attempts before finally accessing his brother’s account using only his voiceprint.

Introduced By HSBC Last Year

Voice recognition software has been around for some years and was rolled out by Barclays in 2013. Other high street banks followed suit, with the expectation that by the end of this year, millions of banking customers will be using it.
A voice-based security system was first introduced by HSBC in 2016, and was designed to quantify 100 different attributes and traits of the human voice, which are used to validate a user’s identity.

When accessing HSBC and other High Street banking systems, a customer only needs to give their date of birth, account details, and then the command “My voice is my password”.

As each person’s voice is unique and always available (unless you’ve lost your voice of course), the system should be able to recognise a voice on the first attempt.

How It Works

In the same way that your fingerprint is unique, your voice is totally individual to you. Hackers and fraudsters may use their resourcefulness to guess or steal your passwords and PINs, but it should be impossible for your voice to be replicated.
Voice ID systems work by checking more than 100 physical and behavioural voice peculiarities, including the emphasis you place on certain words, the shape and size of your mouth, plus other lesser-known physical and behavioural individualities.

HSBC To Increase Security

As a result of the recent “twin” findings, HSBC has now said that it intends to increase the sensitivity of the software. Despite the discomfort of being duped by a BBC reporter and his twin, security experts still maintain that biometric voice recognition is undoubtedly a more effective and more secure means of accessing your bank account than using more traditional passwords.

What Does This Mean For Your Business?

The stubbornly high levels of cyber crime, as highlighted by many high-profile attacks including the recent WannaCry ransomware attack, have led businesses to give greater priority to cyber and data security. Businesses would like (and expect) trusted institutions, such as banks, to give their security (on and offline) a very high degree of priority.

Some banks have notoriously old IT systems though, and many banks have been subject to attacks in recent times, e.g. when money was actually taken from 9,000 Tesco current accounts earlier this year.

Password verification / authentication is known to be less secure than multi-stage and biometric security systems. A YouGov / GMX study back in August 2016, however, showed that people in the UK have a number of trust concerns about biometrics, ranging from concerns about the providers to the technology itself.

Even though biometrics should be much more secure in theory, this report of a failure of a seemingly foolproof system will do nothing to improve the trust that business and home customers have in biometric banking security systems. Despite trust issues, however, many customers accept that biometrics are still an important next step to beat the fraudsters, and that the loophole now uncovered in the voice-recognition system could mean that this avenue is closed to fraudsters.