Voice biometrics and banks – will your money be safe?
Speaker recognition (commonly called “voice biometrics”) offers fast, convenient security, but how secure is it?
Scammers today use a range of clever techniques to gain access to personal information, including recording voices using Voice over Internet Protocol (VoIP) technology (also known as “voice phishing”). This form of “sampling technology” is likely to lead to a rise in scammers defeating voice biometric security by playing back your actual voice and information in order to fool banks.
Despite this, banks are moving quickly to implement voice biometrics to verify the identity of a caller when accessing bank-related information. Banks advise that this new security feature is more secure than fingerprints, but serious concerns exist due to the rise of techniques such as those mentioned above.
Banks appear to be making the move to voice biometrics largely based on the assumption that everyone’s voice is unique, but research on this is based only on a small sample (as most quantitative research is), leaving open the question as to whether everyone actually does have a unique voice signature. Further, these assumptions have been developed from a misguided idea that the sample is clean, pure and not open to interference. However, the FBI notes that voice recognition is not perfect and should be only one of the steps in a multiple-step security procedure (see Further reading section below).
The ability of scammers to use VoIP technology to record information gives rise to two problems. First, it allows scammers, even those with low technical expertise, to simply replay the recording for bank authentication and thereby gain access. Second, more sophisticated scammers can manipulate voice recordings into a reproduction of their choice and thus fool all manner of authentication systems.
The dangers involved in banks and other institutions using new voice biometrics technologies are clear, but we are only just beginning to understand how much harm can be caused when the technology is misappropriated. So why have banks been so quick to accept it as the only form of phone authentication?
In an article from the BBC (see Further reading section below), the CEO of Barclays Bank, Steven Cooper, claimed it was to reduce the frustration of forgetting passwords and to speed up the process. Further, James Daley, founder of consumer website Fairer Finance, said anything that speeds up the security process would be welcomed by customers. But would this be true if customers were aware of the potential security flaws?
Legally, questions arise as to liability if things go wrong with this type of technology. UK banks appear to have considered this, making comments such as: “Banks will need to be ready to reassure people that this new technology is genuinely secure. New security processes can make customers nervous – and it is important that this does not lead to any loss of confidence in bank security” and “In reality, consumers should have little to fear, as banks are still liable for any fraud unless they can prove that a customer was negligent. So if this technology does lead to any increase in fraud, it will be the banks that have to pick up the bill, and not customers” (see Further reading section below).
But when push comes to shove, will banks really accept such liability? The onus will be on the customer to prove it was not he or she who authenticated the call. The burden of evidence in this case will be high and is likely to rest on questions of location, activity at the time of the call and any witness to the customer’s activities. I see significant issues with the burden of proof and the difficulties with proving the authentication was forged.
These issues do not appear to have been given full consideration. New Zealand banks would do well to think carefully about how they adopt voice recognition authentication methods so as to minimise risk for customers.
Further reading
• http://www.newsweek.com/science-voicerecognition-fingerprints-barcleys-511561