HSBC’s voice recognition security breached by customer’s brother

HSBC’s voice recognition software – launched last year and hailed as highly secure – has been successfully foiled by the brother of one of its customers. HSBC’s systems wrongly accepted the voice as proof of the account holder’s identity and permitted access to the account. The investigation was carried out by a BBC reporter and his non-identical twin. The discovery has raised questions about the safety of “biometric” banking security systems.
HSBC has responded by saying the “sensitivity” of its voice recognition testing will be increased.

The voice ID processes were introduced to help speed up phone-banking users’ access to their accounts. By saying the phrase “my voice is my password”, customers can access account information and move money between accounts. Both HSBC and its offshoot First Direct use the technology,  boasting that it is “easier and safer access to your account”. Advertising by the bank claims that “your voice is unique”. HSBC says: “Voice ID can analyse your voice in seconds – checking over 100 behavioural and physical vocal traits, including the size and shape of your mouth, how fast you talk and how you emphasise words.”

However, when non-identical twin Joe Simmons used his voice to mimic his brother Dan’s, he was granted access to Dan’s accounts. HSBC’s system allowed him eight attempts to get the voiceprint correct. HSBC said it has increased the sensitivity on its voice recognition system after the discovery of the breach. An HSBC spokesman told the BBC: “The security and safety of our customers’ accounts is of the utmost importance to us. Voice ID is a very secure method of authenticating customers. “Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than Pins, passwords and memorable phrases.” Using the voice recognition system gives customers access to balance information and lets them move money between linked accounts. It does not permit them to move money to third party accounts.