When Someone Else’s Voice is YOUR Bank Password

The BBC recently reported how they fooled the a major bank’s voice recognition security system and were able to access another person’s accounts. In the simple example they showed in the video, a reporter setup an account with the financial institution as part of the test. The bank has been advertising that customer’s voices are unique and their Voice ID makes account access secure.    

Well, it failed. The reporter’s brother was able to spoof his siblings voice, without any need for technical modulation or recordings, and was granted access via the phone.   

Technology is just a tool. It can be uses for good or malice. Even technology labeled ‘security’ can be undermined and leveraged in unexpected ways. We must know the limitations and be savvy when implementing security technology to reduce the risks.    

This is a good example of pushing security technology too far beyond its strengths. The result is usually a predictable failure. I suspect some security salesperson convinced a bank executive to adopt this technology, while showing them its effectiveness in pristine situations. But phone line sound quality varies, the health and activity of someone can change a voice, background noise, stress, and even age is a factor that must be compensated for. So, when such systems are deployed in the real world, they must be tuned for more flexibility, which makes it more vulnerable. This is true with many bio-metric identity authentication factors.    

Voice recognition, given the fact it must compensate for all the variances in how the sounds might be modified, is not a strong factor in remote situations where recordings, AI systems, and other sound modulations could easily be applied. I think it has merit to be used as a second factor or a “weighted factor” that is taken into account for more sensitive transactions (password changes, large transfers/withdraws, etc.). But to use it as a primary means to identify and authenticate someone for general access to financial accounts is a bit reckless as proven by the video in the BBC piece.    

Understanding the nuances of security is a specialized skill. One that should be in demand more than ever. Technology must not only be innovative, but also applied in a way to maximize benefit and minimize the introduction of new weaknesses.     

Interested in more? Follow me on LinkedIn, Twitter (@Matt_Rosenquist), Information Security Strategy, and Golos to hear insights and what is going on in cybersecurity.