HSBC voice recognition security system fooled by twins
Cybersecurity A security software programmed that HSBC uses to prevent bank fraud has been fooled by a BBC reporter and his twin brother. Dan Simmons, a BBC Click reporter, set up an HSBC account and then signed up to the bank s voice identification authentication service. The software has been advertised as HSBC as secure because each individual person s voice is unique, much like a biometric scan of an iris, or thumbprint.
However, Simmons non-identical twin, Joe, was able to access the account via the telephone after he mimicked his brother s voice. Following the investigation and publication on the BBC s website, HSBC said it would review ways to make the voice ID system more sensitive. HSBC introduced the voice-based security in 2016. The technology claims to measure 100 different characteristics of the human voice to verify a user s identity. Bank customers call up, give their account details and date of birth and then say: My voice is my password . The breach did not allow Joe Simmons to withdraw money, but he was able to access balances and recent transactions, and could have transferred cash between accounts. Of greatest concern is the number of attempts seven in all the system allowed Joe Simmons to make to crack his brother s account. He got it right on the eighth try. Separately, a Click researcher found HSBC Voice ID kept letting them try to access their account after they deliberately failed 20 times over 12 minutes.
An HSBC spokesman said: The security and safety of our customers accounts is of the utmost importance to us. He said that twins do have a similar voiceprint, but the introduction of the technology has seen a significant reduction in fraud, and has proven to be more secure than PINS, passwords and memorable phrases. Mike McLaughin, a security expert at Firstbase Technologies, said that if a voice ID authentication system allows for too many discrepancies in the voiceprint for a match, then it is not secure. In other efforts to test the security of voice ID systems, recordings of human voices can be manipulated. Start-up Lyrebird is working on ways to replicate a voice using recorded speech. The company is now working with security researchers to figure out the best way to proceed. Visit Europe s only large-scale security event in 2017 Taking place in London, 20 22 June 2017, IFSEC International gives you exclusive hands-on access to over 10,000 security solutions, live product demonstrations, and networking with over 27,000 security professionals.
Covering every aspect of security, from access control and video surveillance to smart buildings, cyber, border control and so much more.
Time is running out, register now to avoid missing out