Bank’s voice recognition system fooled by user’s twin

The alarming attack was demonstrated in a specially designed test set up by the BBC. Reporter Dan Simmons created a new bank account with HSBC and registered for the company’s voice ID authentication facility.
The technology was launched in 2016 and is described as being a secure service. Users provide their account details and date of birth before authenticating themselves by saying “My voice is my password.” A “unique” fingerprint of their voice is created by assessing over 100 attributes of their speech. This is used to validate future login attempts.
Voice ID was thought to be a good way to prevent bank fraud. The BBC’s investigation proves otherwise. When Simmons’ non-identical twin brother Joe mimicked his voice over the phone, Dan was shocked to find the system still granted access. Joe could monitor the account and move money around. It is believed to be the first successful attempt to compromise Voice ID.
Security researchers have expressed concern at the development. HSBC is pitching the technology as a more secure way of keeping an account private. The discovery suggests a close friend, family member, colleague or neighbour could gain access to an account by reproducing a known voice. Although the “voice fingerprint” concept is based on science, it seems as though HSBC’s measurement of 100 characteristics isn’t sufficient to eliminate all discrepancies between two close matches.
HSBC has also been criticised for appearing to allow an unlimited number of retries after a failed access attempt. Joe gained access to Dan’s account on the eighth try, following seven consecutive failures. Another BBC reporter made over 20 access attempts to an account over a 12-minute period. The system did not block the behaviour or report it to the bank.
Experts said that the voice matching technology should be able to determine a user’s identity within two attempts. This suggests that allowing more than three attempts could put the system at risk of brute-force attacks. Although HSBC does request more information after two unsuccessful attempts, the user can hang up and call again to start from scratch. HSBC has refused to comment on the BBC’s findings, instead reiterating that the technology is “very secure.”
“The security and safety of our customers’ accounts is of the utmost importance to us,” a spokesperson said. “Voice ID is a very secure method of authenticating customers. Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than PINs, passwords and memorable phrases.” The system is still online today but has reportedly been upgraded to feature improved sensitivity. HSBC hasn’t disclosed whether it will re-evaluate the system in the wake of the BBC’s investigation.
Similar voice authentication mechanisms are used by other major banks in the UK including Barclays and Santander. Until now, the technology hasn’t been scrutinised to determine its real value. One way of improving the system would see it used in conjunction with a second factor, such as a code sent to a smartphone or a traditional PIN.
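The retry weakness and the second-factor suggestion described above can be shown together in an added example (not code from HSBC, the BBC or this article): failed voice matches are counted per account rather than per call, so hanging up does not reset them, and once the account is locked a voice match needs a second factor. The threshold of three, the 24-hour window, the account identifier and all names are assumptions made for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 3             # assumed threshold, from the "more than three" remark
WINDOW_SECONDS = 24 * 3600   # assumed: failures count against the account for a day


class AccountAttemptLimiter:
    """Tracks failed voice matches per account, so a new call does not reset them."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # account_id -> failure timestamps
        self.alerts = []                     # (account_id, time) for fraud review

    def _recent_failures(self, account_id, now):
        q = self._failures[account_id]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return len(q)

    def attempt(self, account_id, voice_matched, now, second_factor_ok=False):
        """Return 'granted', 'denied' or 'locked' for one voice attempt."""
        if self._recent_failures(account_id, now) >= self.max_failures:
            # Locked: a voice match alone is no longer enough on any call.
            if voice_matched and second_factor_ok:
                self._failures[account_id].clear()
                return "granted"
            return "locked"
        if voice_matched:
            self._failures[account_id].clear()
            return "granted"
        self._failures[account_id].append(now)
        if len(self._failures[account_id]) == self.max_failures:
            self.alerts.append((account_id, now))  # report instead of staying silent
        return "denied"


def replay(outcomes, spacing_seconds, account_id="acct-constructed"):
    """Replay voice results, one fresh call each, against a new limiter."""
    limiter = AccountAttemptLimiter()
    results = [limiter.attempt(account_id, ok, now=i * spacing_seconds)
               for i, ok in enumerate(outcomes)]
    return results, limiter


# Constructed inputs mirroring the article: a match on the eighth try after
# seven failures, and 20 failed attempts spread over 12 minutes.
twin_results, twin_limiter = replay([False] * 7 + [True], spacing_seconds=60)
burst_results, burst_limiter = replay([False] * 20, spacing_seconds=36)
```

With these settings the eighth-try voice match is answered with "locked" rather than access, and each scenario produces one alert at the third failure.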
