HSBC'S VOICE RECOGNITION security system can be spoofed by someone who sounds a lot like the actual customer, the BBC has found.
The Beeb did this by getting one of its journalists, who has a twin, and making that twin commit a fraud on a bank by pretending to be his brother and talking a bit like him. It's quite alarming that it is as simple as that, but apparently it is.
"BBC Click reporter Dan Simmons set up an HSBC account and signed up to the bank's voice ID authentication service. HSBC says the system is secure because each person's voice is 'unique'," it explains.
"But the bank let Dan Simmons' non-identical twin, Joe, access the account via the telephone after he mimicked his brother's voice."
This is great news for impressionists who have fallen on hard times, but bad news for Barclays customers with, for example, strong accents or who are Michael Caine.
HSBC launched the technology in 2016 and of course it reckons that it is as tough as steel walnuts. Dan Simmons' brother says that it was bested after seven attempts of his mimicry. "What's really alarming is that the bank allowed me seven attempts to mimic my brothers' voiceprint and get it wrong, before I got in at the eighth time of trying," he said. "Can would-be attackers try as often as they like until they get it right?"
Don't ask HSBC, it isn't commenting on that sort of thing or whether there have been incidents like this in the wild. It told the BBC that it works a lot of the time, but that twins are anomalies.
"The security and safety of our customers' accounts is of the utmost importance to us. Voice ID is a very secure method of authenticating customers," said a spokesperson.
"Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than PINS, passwords and memorable phrases."
Bad news then for anyone with an evil twin.
Thomas Fischer, threat researcher and security advocate at Digital Guardian couldn't let the BBC have its moment, but admitted that what it achieved is "no mean feat".
He added: "The BBC is certainly not the first to research ways to fool voice recognition systems or bypass fingerprint sensors, but this is no mean feat and depends on the quality of the original biometric imprint," he said.
"Brute force cracking weak passwords, on the other hand, can be done with relative ease. Biometrics are certainly not perfect, but anything we can do to make it more difficult for attackers to win and easier for consumers has to be a good move." µ
But not they saw paid-for advertising
INQ takes a nosey around before it opens to the public on Friday
UK regulator says it has 'huge concerns' about the breach
Chancellor also says he'll crack the whip on tax avoiding tech firms