BBC Prank of HSBC Voice ID System Overlooks Millions of Successful Authentications

Many of you may have had your Google Alerts buzzing this week with the recent “Twins fool HSBC voice biometrics – BBC” article — I know mine has! Between Twitter, Linked-In and a flurry of internal emails I couldn’t help but ponder on the saying: “Success has a million parents; failure is an orphan.” But today, as far as voice biometric implementations go, millions of successes are taken for granted and failure has a million critics.

In the aftermath of such a high-profile ‘fail,’ I want to chime in with a summary of the positive attributes that made HSBC (and other prominent banks) confident about deploying voice biometrics at such a large scale, and why Opus Research believes voice authentication and fraud detection is here to stay and will grow significantly.

  • Voice Biometrics is a significant improvement on traditional contact centre authentication methods in terms of customer experience, efficiency and security
  • No biometric is perfect, and must therefore be used in combination with other modalities, in a holistic multi-layer security strategy
  • Twins/triplets etc., sometime referred to as ‘multiples’ pose a particular threat for biometrics, and customers should be encouraged to disclose that they are part of a set of multiples so that they can be separately flagged for additional processing – the leading voice biometrics technologies are able to set individual thresholds for selected groups such as multiples, and additional step-up authentication can also be applied.
  • In this particular case, Active or Text-Dependent Voice Biometrics was used, for which additional strategies are available such as (and this is the one that got most attention), reducing the number of attempts within a timeframe, and/or stepping up the acceptance thresholds. Other techniques include the flagging of caller identification (ANI/CLI), value/risk of the transaction and a range of clever alerting mechanisms that many banks, telcos and other organizations have implemented.

One of the most important aspects that is often overlooked is the performance of voice biometrics over the alternatives. For contact centers, the most common is security questions (or my favorite “mother’s maiden name”), followed by token-based methods such telephone banking PIN (static) or One-Time-PIN. Both of these are plagued with usability issues, not to mention security risk of guessability and man-in-the-middle, including Sim-Swop risks, respectively.

This incident certainly opens all our eyes to the risks of Voice Biometrics, but it is vital that we take a breath and view this in the context of the specifics of the actual implementation, the alternatives and the overall scalability of the “experiment.” There is no ‘silver-bullet’ solution on the fight against fraud; and sometimes it takes a couple of very ingenious pranksters to remind us never to let our guard down.

Categories: Conversational Intelligence, Intelligent Authentication, Articles

Tags: , , , ,

1 reply

  1. As the developers of ArmorVox voice biometric technologies; I completely agree with Opus Research comments that the BBC prank by twins overlooks the millions of successful verifications performed by these system and more importantly; the millions of fraud attempts thwarted by the technology and fraudsters caught by these systems. In comparison to traditional authentication method using PINs, passwords and knowledge questions, voice biometrics is thousands of times more secure. After all, if I have your PINs; your password or your personal information, I have a 100% chance of getting into your account. And I don’t need to be your twin. In fact, I don’t even need to know who you are, what your gender is nor do I even need to speak the same language as you!

    As developers of the underlying technology; Auraya has developed many ways to protect systems from fraudulent attempts as presented in the BBC. This not only involves setting individual speaker thresholds as discussed in the article, but more advanced techniques using individual speaker specific background modelling that better characterise the acoustic characteristics of individual speakers.

    ArmorVox is not reliant on a single phrase – such as the ubiquitous but somewhat cringeworthy “My voice is my password” for all customers. Instead ArmorVox’s machine learning technology allows bank customers to enrol whatever phrase they like. The system then learns the way that customer says that phrase and recognises only that customer saying that phrase. This way each customer can have their own favourite phrase; such as their phone number; which a fraudster would need to know to have any chance of breaking in.

    This is only one of a number of techniques that Auraya uses to beat and catch fraudsters. If you want to know more go here