HSBC voice recognition breached by ‘soundalike’
BANKS have been forced to review their voice recognition technology after a twin was able to access his brother’s account.
HSBC’s system allowed him to phone in and attempt to mimic his brother’s voice, before hanging up and trying again until he succeeded.
Voice password security systems allow customers to access bank accounts by phone without needing to give a password or answer security questions.
Major banks, including Barclays, HSBC and Santander, claim it is one of the most secure ways of verifying a customer’s identity as each person’s voice is unique.
But an investigation carried out by BBC reporter Dan Simmons and his non-identical twin, Joe, revealed it is possible to hack into someone’s account by mimicking their voice. Experts have now raised concerns that voice recognition technology may not be as safe as banks thought.
Mr Simmons set up an account with HSBC and registered for its voice ID service. this is done by saying ‘my voice is my password’ into the phone five times to create a so-called voice print.
After this, customers will only need to give their account number, sort code, date of birth and repeat the phrase. As long as their voice matches the recording on file they can access the account. HSBC claims its technology checks more than 100 behavioural and physical vocal traits such as how fast a customer talks, how they emphasise words and the size and shape of someone’s mouth.
But during the investigation the bank allowed the wrong brother access to the account. It took eight attempts for Joe to mimic his brother’s voice accurately enough to pass the security check.
After two failed attempts the bank will ask extra security questions. But if the customer hangs up and calls back they can keep trying to access the account using just their voice. Once he passed the voice test Joe could check his brother’s balance, see recent transactions and move money between accounts.
tom Harwood, of call experts Aeriandi, said: ‘As this experiment has illustrated no security technology is 100 per cent fool-proof. technology advances have shown that it is now possible to cheat voice recognition systems.’
However thomas Fischer, a security expert at data protection firm Digital Guardian, said: ‘It’s far more difficult to spoof someone’s voice, face or fingerprint than it is to guess their weak password.’
Last night HSBC said it is reviewing its voice recognition system following the breach. It is likely customers will no longer be able to register their voice just by saying the same phrase five times. the technology is also expected to be made more ‘sensitive’ to the nuances of customers’ voices.
A spokesman said: ‘the introduction of this technology has seen a significant reduction in telephone fraud and has proven to be more secure than PINs, passwords and memorable phrases. Our Voice ID system does allow us to make changes to different security settings, and we are reviewing these in light of this story.’
A Barclays spokesman told the Mail the bank would be ‘foolish’ not to review its own security measures. However, she said it requires customers to have multiple conversations before it will use their voice as identification.
Santander said customers also need a passcode for voice log ins.
‘Possible to cheat the system’