Twin brothers Joe and Dan Simmons have successfully bypassed the HSBC Voice Recognition Software, raising doubts over bank’s security measures.
Joe Simmons was able to mimic his reporter brother Dan’s voice and gain access to his account, thereby raising questions about the software’s security.
The voice ID service was introduced as a way to bring more convenience to customers of First Direct, HSBC’s phone banking business, without sacrificing any security.
Uttering the phrase “my voice is my password” was supposed to be the method for customers to gain “easier and safer access” access to their own accounts and the service was advertised as such.
“Voice ID can analyse your voice in seconds – checking over 100 behavioural and physical vocal traits, including the size and shape of your mouth, how fast you talk and how you emphasise words,” stated the bank.
However, in light of the BBC report, the bank has now said it will increase the sensitivity of the software. “The security and safety of our customers’ accounts is of the utmost importance to us,” it told the BBC.
The bank also insisted that voice ID is a very secure method of authenticating customers despite the vulnerability to vocal genetics. “Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than Pins, passwords and memorable phrases.”
The bank also added that while the software gives users access to their accounts, it only allows them to check their balance and move money between linked accounts and not to third parties.
HSBC is not the only high street bank in the UK to employ voice recognition software. Others include Barclays and Santander as well as digital-only bank Atom.
And despite the embarrassment of being fooled by a BBC reporter and his brother, security experts have defended the use of voice recognition as a means of secure authentication and a more effective method than traditional passwords.
“The BBC is certainly not the first to research ways to fool voice recognition systems or bypass fingerprint sensors, but this is no mean feat and depends on the quality of the original biometric imprint,” says Thomas Fischer, threat researcher and security advocate at Digital Guardian says that it is still a better means of defence than traditional passwords. “Brute force cracking weak passwords, on the other hand, can be done with relative ease.”