Twins trick HSBC voice biometrics security

Voice recognition software introduced last year by HSBC to provide phone banking customers with faster access has been successfully bypassed in the UK by a BBC reporter and his non-identical twin brother.

The voice ID service was launched by First Direct, HSBC’s phone banking business, and was promoted as offering customers greater convenience without any loss of security. However, the BBC’s Joe Simmons successfully mimicked his brother Dan’s voice and accessed his account, thereby raising questions about the software’s security.
At its launch, the service was promoted with the phrase “my voice is my password” as the method by which customers would gain “easier and safer access” to their own accounts.

“Voice ID can analyse your voice in seconds – checking over 100 behavioural and physical vocal traits, including the size and shape of your mouth, how fast you talk and how you emphasise words,” stated the bank.

First Direct responded to the BBC report by promising to strengthen the sensitivity of the software. “The security and safety of our customers’ accounts is of the utmost importance to us,” it commented.

The bank maintains that voice ID is a very secure method of authenticating customers despite the vulnerability to vocal genetics. “Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than personal identification numbers (PINs), passwords and memorable phrases,” it stressed.

First Direct added that while the software gives customers access to their accounts, it only allows them to check their balance and move money between linked accounts and not to third parties.

Tom Harwood, chief product officer at voice security specialist Aeriandi, commented: “Biometrics technology has been widely shown to significantly reduce fraud, but it’s not the whole solution. As this experiment has illustrated, no security technology is 100% fool-proof. Technology advances have shown that it is now possible to cheat voice recognition systems.

“Voice synthesiser technology is a great example. It makes it possible to take an audio recording and alter it to include words and phrases the original speaker never spoke. The good news is that there is a way to protect against phone fraud beyond biometrics – and that’s fraud detection technology. Fraud detection on voice looks at more than the voice print of the user; it considers a whole host of other parameters. For example, is the phone number being used legitimate? Increasing phone fraud attacks on UK banks come from overseas. Voice Fraud technology has been proven to protect against this as well as domestic threats.”

Thomas Fischer, threat researcher and security advocate at data protection platform Digital Guardian, said: “It’s really hard to remember a hundred different, complex passwords and so biometrics have been widely accepted as a strong step towards better security and a way to make it easier for consumers.

“After all, it’s far more difficult to spoof someone’s voice, face or fingerprint than it is to guess their weak password. The BBC is certainly not the first to research ways to fool voice recognition systems or bypass fingerprint sensors, but this is no mean feat and depends on the quality of the original biometric imprint.

“Brute force cracking weak passwords, on the other hand, can be done with relative ease. Biometrics are certainly not perfect, but anything we can do to make it more difficult for attackers to win and easier for consumers has to be a good move.”

