HSBC has been left red-faced after a BBC reporter and his twin tricked its voice ID authentication service.
The BBC says its “Click” (a weekly TV show) reporter Dan Simmons created an HSBC account and signed up to the bank’s service. HSBC states that the system is secure because each person’s voice is “unique”.
As Banking Technology reported last year, HSBC launched voice recognition and touch security services in the UK, available to 15 million banking customers. At that time, HSBC said the system “works by cross-checking against over 100 unique identifiers including both behavioural features such as speed, cadence and pronunciation, and physical aspects including the shape of larynx, vocal tract and nasal passages”.
According to the BBC, the “bank let Dan Simmons’ non-identical twin, Joe, access the account via the telephone after he mimicked his brother’s voice.
“Customers simply give their account details and date of birth and then say: ‘My voice is my password.’”
Despite this biometric bamboozle, Joe Simmons couldn’t withdraw money, but he was able to access balances and recent transactions, and was offered the chance to transfer money between accounts.
Joe Simmons says: “What’s really alarming is that the bank allowed me seven attempts to mimic my brothers’ voiceprint and get it wrong, before I got in at the eighth time of trying.”
Separately, the BBC says a Click researcher “found HSBC Voice ID kept letting them try to access their account after they deliberately failed on 20 separate occasions spread over 12 minutes”.
The BBC says Click’s successful thwarting of the system is believed to be “the first time the voice security measure has been breached”.
HSBC declined to comment to the BBC on “how secure the system had been until now”.
An HSBC spokesman says: “The security and safety of our customers’ accounts is of the utmost importance to us. Voice ID is a very secure method of authenticating customers.
“Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than PINS, passwords and memorable phrases.”
Not a great response is it? But very typical of the kind of bland statements that have taken hold in the UK. There is a problem and HSBC needs to get it fixed.
The rest of the BBC report just contains security experts saying the same things – like “I’m shocked”. Whatever. No point in sharing such dull insight.
You can see the full BBC Click investigation into biometric security in a special edition of the show on BBC News and on the iPlayer from 20 May.