A BBC reporter's twin brother successfully broke through HSBC's voice ID authentication service to access his account.
HSBC's voice ID authentication service allows third parties multiple attempts to access a user's account by mimicking his voice.
Introduced last year, HSBC's voice ID authentication service claims to be more secure than PINS, passwords and memorable phrases as it can measure 100 different characteristics of the human voice. This way, it can assess all unique markings of a human voice which simply cannot be mimicked by another. To access his/her account, a user is required to say the phrase "my voice is my password."
As it turns out, it isn't as secure as HSBC claims.
BBC Click journalist Dan Simmons recently set up an HSBC account and activated the voice ID authentication service. Following the opening of the account, Joe Simmons, his twin-brother, mimicked his voice not only to gain access to his account but was also able to access balances and recent transactions.
"What's really alarming is that the bank allowed me seven attempts to mimic my brother's voiceprint and get it wrong, before I got in at the eighth time of trying," Joe said. The discovery was backed up by another BBC Click researcher who claimed that the system had allowed him 20 attempts to access an account inside twelve minutes.
Following the revelation, HSBC reiterated that the introduction of voice ID authentication service has significantly reduced fraud, but also confirmed that they have increased the system's sensitivity following the breach.
Despite HSBC's claims, the fact remains that biometric authentication, though many times safer than passwords and pins, is not impenetrable. There have been reports on stolen fingerprints and iris patterns, but the voice recognition glitch may put the entire banking system at risk.
“BBC’s investigation, which successfully bypassed HSBC’s voice recognition security system, highlights the limitations of relying on one form of protection to defend consumers against phone-based attacks. Fraudsters are continually finding new ways to hack organisations, and they are increasingly using the phone channel to do this," said Nick Gaubitch, Head of Research, EMEA, Pindrop.
"While organisations using voice recognition technology like voice biometrics is a good step forward to tackling this problem, this investigation shows, the use of voice biometrics on its own isn’t enough,” he added.
To tackle this, Gaubitch suggests that a multi-layered verification process is imperative. Not only should phone channels verify voices of users, but should also verify where a call is coming from, the phone number, the device being used and whether the device has been used to contact the company before.
“Most security breaches happen at the ‘front door’ – at the user authentication level. To avoid becoming the next victim of attack, businesses need to change their approach to cyber security beyond merely adding more or stronger locks on the door," said Richard Parris, CEO at Intercede.
"The priority should be proving the identity of the individual before giving them keys. This means looking at measures that incorporate three distinct elements – possession (something you have, such as a smartphone), knowledge (something you know, such as a PIN) and inherence (something you are, such as an iris scan). This allows businesses to verify that the person accessing the service is who they say they are, in addition to limiting the amount of times an individual can attempt access if any of these elements are missing or incorrect," he added.