May 23, 2017
HSBC’s voice ID authentication software, designed to prevent bank fraud, has been duped by BBC Click reporter Dan Simmons and his non-identical twin, according to a report by BBC News.
Simmons created an HSBC account and signed up to the bank’s voice ID authentication service. His non-identical twin, Joe, was able to access the account via the telephone by impersonating his brother’s voice.
HSBC said it would “review” ways to make the ID system more sensitive following the BBC investigation.
“The security and safety of our customers’ accounts is of the utmost importance to us,” said a spokesman at HSBC. “Voice ID is a very secure method of authenticating customers. Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than PINs, passwords and memorable phrases.”
The bank rolled out the voice-based security feature in 2016, saying it measured 100 different characteristics of the human voice to verify the identity of the customer.
Customers are prompted to provide details of their account and their date of birth, and then say out loud, “My voice is my password”.
Even though Joe Simmons was unable to withdraw money after the breach, he was able to access balances and recent transactions, and was given the option to transfer money between accounts.
“What’s really alarming is that the bank allowed me seven attempts to mimic my brother’s voiceprint and get it wrong, before I got in at the eighth time of trying,” Simmons said. “Can would-be attackers try as often as they like until they get it right?”
In addition, a Click researcher found HSBC Voice ID kept allowing him to attempt to access his account even after failing 20 separate times over a span of 12 minutes.
Robert Capps, vice president of business development for NuData Security, believes that while biometrics provides an effective strategy for financial institutions, they should not rely on a single biometric modality.
“It takes a layered approach combined with behavioral analytics along with passive biometrics to review hundreds of behavioral points to determine if the person conducting the transaction is really the customer,” Capps explained in an email to Biometric Update. “While you might be able to spoof a voice or fingerprints, hackers cannot reproduce individual behavior.”
In January, HSBC appointed a new technology advisory board of senior CEOs from around the world tasked with figuring out how the bank can benefit from technological innovation, fight against cybercrime, and ultimately leverage its global infrastructure.