Mass theft of personal information is a near daily occurrence, sparking high-profile coverage on nightly news and in national news magazines. In one particularly noteworthy week, files disappeared from a leading public institute of higher education, a company specializing in secure transport of corporate files, one of the Big Three North American credit reporting companies and the leading aggregator of legal proceedings, public records and corporate reports.
These thefts were so unnecessary – really! If all that a criminal needs is a few choice items of personal information to use to create a false identity, the raw material is readily available. On May 18, The New York Times reporter Tom Zeller, Jr., wrote an article for the ‘Technology’ Section entitled “Personal Data for the Taking.†The premise of his piece is that American citizens leave electronic “tidbits†about themselves in the course of voting, buying a house, making political contributions or carrying out other routine transactions.
Those tidbits are available to just about anyone with an Internet connection and as little as $25. Journalists, private investigators, insurance companies and so-called ‘data brokers’ like ChoicePoint, LexisNexis, Acxiom and Equifax use this data all the time to support arguably benign causes like background checks, credit approvals and the ever-popular skip tracing.
The dark side is that identity thieves, Phishers and other ‘bad actors’ also avail themselves of these personal tidbits as the fundamental components of identity theft. There is no way to bottle up the Genie of personal privacy. Yet we have only begun to scratch the surface of how to prevent the bad actors from leveraging their access to easily aggregated personal data into full-fledged assumption of one’s identity at the point-of-sale.
As a matter of practicality, it is important to separate the tasks underlying ‘identification’ from those associated with authentication. The former is blanket activity best left to the government entities that issue birth certificates, driver’s licenses and other broadly accepted forms of personal identification. The latter involves a series of real-time query-and-response sessions (a.k.a. ‘Conversations’) whereby an individual provides a PIN (personal identification number), perhaps accompanied by answers to challenge questions that are culled from a number of sources. Come to think of it, the grist for the ‘challenge question’ mill are the very things that are becoming ‘too easy’ to obtain from the Internet or other public sources.
PINs Fall Short
PINs are deployed as the most common cure for unwanted access to personal accounts and information. However, the dirty little secret surrounding PINs is that they suffer from many of the shortcomings of other security systems that depend on publicly available information. Even though employers and financial services companies provide guidelines for building secure PINs, users commonly use a limited number of mnemonic devices to generate their PINs. Knowing only an individual’s middle name (backwards and forward) and a narrow subset of personal information, like street names, children’s names and the like, security experts were able to crack 80% of user generated PINs.
What’s more, individuals have a bad habit of writing their PIN numbers on the very cards that they may be carrying to give them access to cash in an ATM or to gain access to their place of business.
Enter Biometrics
In a world where the answers to ‘challenge questions’ are just a few mouse clicks and twenty dollars away, the value of uncontestable proof of identity (a.k.a. authentication) should be at a premium. Indeed, the past year has witnessed the proliferation of the pantheon of biometric readers. Fingerprint readers are in vogue as gatekeepers for high-end computers from IBM, HP and ultimately Microsoft. As of May 12, shoppers at Piggly Wiggly throughout South Carolina and Georgia will be able to “pay for groceries†with the scan of a finger using a service called “Pay by Touch.†The service is based on technology from Cogent Systems of South Pasadena, CA.
The management of Piggly Wiggly went so far as to observe that their “guests loved paying for their groceries with a quick finger-scan†thanks to the convenience when compared to pulling out their wallets, sliding a card through a magnetic-stripe reader and entering a PIN. The company believes that its customers choose their stores over competitors thanks to this new service.
Voice Bests Them All
Fingerprints figure prominently in the authentication arena because they are highly personalized and thought to be unspoofable. In point of fact, they are susceptible to both environmental factors, like humidity and temperature, and working conditions. The appeal of alternative biometric measurements, such as retinal or facial scans, should be called into question because they require highly specialized (and expensive) equipment at the point of transaction (an ATM or merchant’s counter) in order to work.
All three systems require an enrollment or registration process in order to initiate a validation service. Given that each requires repeated entry of a biometric to support future authentication, there is no real difference among the modalities with regards to the time required and difficulty of enrollment. The major difference is the ability to deploy in a mass market without need for special biometric ‘readers’ at each point of deployment.
Most Importantly: It’s Conversational
More than a year ago, David Nehamoo from IBM Labs demonstrated ‘conversational authentication’ at SpeechTek West. The salient take-away is that when a customer calls her broker, a voice response platform can authenticate an inbound caller using several factors, including voice biometrics, in order to deliver extremely high levels of confidence that an individual is the person she says she is.
There’s no such thing as a conversational fingerprint. If other factors are going to be incorporated into the authentication process, it will be through magnetic stripe or PIN – neither of which can be accommodated by a standard telephone or wireless handset. Voiceprints are one of many factors to be employed as part of an authentication process. Integrating voice authentication with basic IVR services, for example as the ‘greeting’ to a financial services company, provides a mechanism for other factors to be taken into account in a comfortable, conversational interaction.
The ‘Sneakers Scenario’
With the user interface taken care of, the overriding question is: “Why has it taken so long for voice biometrics to take off?†There are a few major concerns, but few of them are grounded in reality.
The most commonly cited public concern stems from the 1992 movie “Sneakers.†In this movie, Robert Redford’s character was able to ‘spoof’ a security system simply by recording his target’s voice and splicing together the phrase “My voice is my passport. Verify me.†The image of the ‘digital replay attack’ has embedded itself even into the psyche of security specialists, making many believe that someone with a tape recorder and the ability to cut-and-paste snippets of audio could crack a correctly configured voice biometric security system.
Redford’s tactic wouldn’t work in real life because current voice biometric systems detect not only what is said, but also how it is said. The leading providers of telephone-based voice biometric solutions have failed to overcome the ‘Sneakers Factor’ because they treat voice biometrics like any other speech-enabled application. Their inability, or unwillingness, to realize how important it is to see voice authentication as a ‘security mechanism’ first and as a ‘voice application’ second downplays voice biometrics as one of the most powerful mechanisms to confirm a claimed identity.
It is much more important to curry favor with internal security specialists among prospective deployers than it is to demonstrate voice authentication as an extension of traditional voice applications to the contact center management. Poorly implemented voice biometric solutions by application vendors who are unskilled in security methodology cast public doubt on the whole industry.
‘Common Criteria’ Key to Conversational Authentication
The most tangible evidence that voice authentication is ready for primetime is the adherence to a globally established set of ‘Common Criteria’ for security. Common Criteria is an international effort that is managed in the United States by the National Institute of Standards and Technology (more information is available at the Web site http://csrc.nist.gov/cc/ and at
http://www.commoncriteriaportal.org) and provides independent and externally verifiable security ratings (EAL or Evaluation Assurance Level) to everything from firewalls to biometric authentication systems. For most voice technology software providers, the expense of getting certified has not been justified by the revenue potential associated with conformance. However, some voice biometric solutions are making their way through the Common Criteria process with the first approved solutions expected later this year.
Recognition that voice biometrics has intrinsic advantages over alternatives (especially in multifactor, conversational installations) can break through the chicken-and-egg business decision that has kept voice authentication on the back burner, while biometric alternatives such as fingerprints, retinal scans and facial scans are taken seriously. In the end, voice biometrics is the only system that requires a user to be conscious, unlike palm scans. Unlike fingerprint verification, a voice print can’t be passively lifted using simple household items such as Krazy Glue and Jell-O. Finally, unlike fingerprint, retina, palm and facial biometrics, voice biometrics does not require end users to invest in hardware; the only requirement to use the system is a phone.
Concern for identity theft built on purloined tidbits of personal data will elevate public acceptance of conversational biometrics as the most cost-effective alternative for identity authentication in real time. In the meantime, the only thing that can stop the uptake of voice biometrics is the voice biometrics industry itself.
Categories: Articles