Avatar photo

Freelance journalist

Author Bio ▼

Experienced freelance B2B journalist and editor, specialising in fields of renewable energy, energy storage, smart grids and nanotech.
May 26, 2017

Sign up to free email newsletters


Whitepaper: Multi-residential access management – The move to digital


HSBC voice recognition security system fooled by twins

A security software programmed that HSBC uses to prevent bank fraud has been fooled by a BBC reporter and his twin brother.

Dan Simmons, a BBC Click reporter, set up an HSBC account and then signed up to the bank’s voice identification authentication service.

The software has been advertised as HSBC as secure because each individual person’s voice is unique, much like a biometric scan of an iris, or thumbprint.

However, Simmons’ non-identical twin, Joe, was able to access the account via the telephone after he mimicked his brother’s voice.

Following the investigation and publication on the BBC’s website, HSBC said it would review ways to make the voice ID system more sensitive.

HSBC introduced the voice-based security in 2016. The technology claims to measure 100 different characteristics of the human voice to verify a user’s identity.

Bank customers call up, give their account details and date of birth and then say: “My voice is my password”.

The breach did not allow Joe Simmons to withdraw money, but he was able to access balances and recent transactions, and could have transferred cash between accounts.

Of greatest concern is the number of attempts – seven in all – the system allowed Joe Simmons to make to crack his brother’s account. He got it right on the eighth try.

Separately, a Click researcher found HSBC Voice ID kept letting them try to access their account after they deliberately failed 20 times over 12 minutes.

An HSBC spokesman said: “The security and safety of our customers’ accounts is of the utmost importance to us.”

He said that twins do have a similar voiceprint, but the introduction of the technology has seen a significant reduction in fraud, and has proven to be more secure than PINS, passwords and memorable phrases.

Mike McLaughin, a security expert at Firstbase Technologies, said that if a voice ID authentication system allows for too many discrepancies in the voiceprint for a match, then it is not secure.

In other efforts to test the security of voice ID systems, recordings of human voices can be manipulated.

Start-up Lyrebird is working on ways to replicate a voice using recorded speech. The company is now working with security researchers to figure out the best way to proceed.

Related Topics

Notify of
Inline Feedbacks
View all comments