HSBC's much-touted voice recognition software, used by half a million customers to verify their identity and secure their bank accounts, has successfully been duped by the brother of one of its customers. In an investigation carried out by BBC Click reporter Dan Simmons and his non-identical twin, Joe, the brothers revealed that it was possible to breach an HSBC customer's account by mimicking their voice.
Launched in 2016, HSBC's voice recognition ID system asks users to simply say "my voice is my password" into the phone to verify their identity and grant them access to their account.
HSBC says its Voice ID system can "analyse your voice in seconds" and check "over 100 behavioural and physical vocal traits, including the size and shape of your mouth, how fast you talk and how you emphasise words" to match a user's voice to an original recording and allow access to telephone banking.
After Dan Simmons set up his own HSBC voice-ID authenticated account, his twin Joe attempted to access the account by providing his account details, date of birth and saying the simple phrase. After seven repeated attempts to mimic his brother's voice print, he was granted access by the bank on his eighth try.
Although Joe was not able to withdraw any money from the account, he was able to access balances, recent transactions and even transfer money between accounts, the BBC reports.
"What's really alarming is that the bank allowed me seven attempts to mimic my brother's voiceprint and get it wrong, before I got in at the eighth time of trying," Joe said. "Can would-be attackers try as often as they like until they get it right?"
Many banks have turned to voice recognition software and other biometric security solutions in recent years in an effort to bolster security and reduce fraud.
Biometric security solutions are increasingly seen as more convenient and secure forms of authentication since they do not require a user to memorise specific information and instead rely on a person's unique characteristics that are difficult for a hacker to steal or replicate.
In the wake of the breach, HSBC said it has reviewed its system and will limit users to three attempts to access their accounts via voice ID before they are blocked.
"The security and safety of our customers' accounts is of the utmost importance to us and Voice ID is amongst the most secure methods of authenticating customers", HSBC said in a statement following the breach. "The introduction of this technology has seen a significant reduction in telephone fraud, and has proven to be more secure than PINs, passwords and memorable phrases.
"Our VoiceID system does allow us to make changes to different security settings, and following a review we have made changes to make it even more secure."
Intercede CEO Richard Parris says HSBC's rollout of voice recognition technology was a "promising step in the right direction". However, the newly discovered breach highlights the fact that "not all biometric authentication is strong or resistant to potential attack."
"Most security breaches happen at the 'front door' – at the user authentication level," Parris told IBTimes UK. "To avoid becoming the next victim of attack, businesses need to change their approach to cybersecurity beyond merely adding more or stronger locks on the door. After all, you could have the valid keys or codes to gain access, but still be the wrong person having acquired them through illegitimate or criminal means."
Instead, he says firms should focus on proving the identity of a user and implement measures that incorporate three elements - "possession (something you have, such as a smartphone), knowledge (something you know, such as a PIN) and inherence (something you are, such as an iris scan)".
"A more proactive and robust approach would ensure that management teams aren't left with some serious explaining to do and compensation to pay out," he said.