BBC tricks HSBC voice security with twins
19 May 2017 17:51 GMT

A journalist from the BBC has successfully spoofed a voice recognition security system being used by global banking grouop, HSBC.

In a report by a BBC reporter and his non-identical twin,  the latter tricked the system in accepting his voice as proof of the accountholder's identity and permitted access to the account.

In response, the bank has said thresholds in the voice recognition testing will be increased.

Voice ID processes were introduced to help speed up phone-banking users' access to their accounts. By saying the phrase "my voice is my password", customers can access account information and move money between their own accounts.

Both HSBC and its offshoot First Direct use the technology,  boasting that it is "easier and safer access to your account". Advertising by the bank claims that "your voice is unique".

Experts have said that the finding underlines that biometric technology is not a panacea for all security problems.

“Biometrics technology has been widely shown to significantly reduce fraud – but it’s not the whole solution. And as this experiment has illustrated no security technology is 100% fool-proof. Technology advances have shown that it is now possible to cheat voice recognition systems. Voice synthesiser technology is a great example. It makes it possible to take an audio recording and alter it to include words and phrases the original speaker never spoke,” said Tom Harwood, Chief Product Officer at Aeriandi.

Others said it was important to note that biometric security is still superior to passwords.

Thomas Fischer, threat researcher and security advocate at Digital Guardian, said:  "It’s really hard to remember a hundred different, complex passwords and so biometrics have been widely accepted as a strong step towards better security and a way to make it easier for consumers. After all, it’s far more difficult to spoof someone’s voice, face or fingerprint than it is to guess their weak password. The BBC is certainly not the first to research ways to fool voice recognition systems or bypass fingerprint sensors, but this is no mean feat and depends on the quality of the original biometric imprint. Brute force cracking weak passwords, on the other hand, can be done with relative ease. Biometrics are certainly not perfect, but anything we can do to make it more difficult for attackers to win and easier for consumers, has to be a good move."