HSBC Voice Security Breached by Twin

If you’re a customer of HSBC or First Direct, you’ll know that by the fourth of fifth call you make to the company, they offer you the option to move to voice recognition security. Designed to help customers avoid remembering passwords, the voice recognition software uses a database of your vocal patterns to create a profile which automatically checks you against their system.

Upon launch, HSBC’s head of retail banking said that the system was secure, saying “just like your fingerprint, your voice print is unique”.

However, it now appears that this ostensibly secure system is easily breached, after a BBC investigation found that a customer’s twin mimicking his voice could gain access to his account.

The investigation was carried out by BBC Click reporter Dan Simmons, who set up a HSBC voice-ID authenticated account and found this his non-identical twin, Joe, was able to fool the system.

It’s bad news for HSBC customers who currently use the HSBC contact number to perform telephone banking functions, and HSBC have said that they’ll review security on their voice-accessed systems following the breach.

One key issue with HSBC’s system is that it doesn’t place a cap on the number of attempts you can use to log in with your voice. Joe Simmons tried seven times to mimic his brothers voice before HSBC let him into the account on the eighth attempt. The bank said that in the future, users will only be allowed three attempts to access the account.

The HSBC system asks users to say “my voice is my password” into the phone, which is then matched to an original recording of the person’s voice, allowing access to their account.

According to the BBC, Joe wasn’t allowed to withdraw money, but he was able to access balances and recent transactions, and was offered the chance to transfer money between linked accounts.

Voice ID is currently being rolled out to 15 million HSBC and First Direct customers. At launch, HSBC said: “The technology is now the ultimate way to bank safely and securely, without the need for passwords. With a couple of choice words, banking with HSBC is as easy as being yourself.”

However, following the breach, HSBC retained their bullish stance around the security, saying: “The security and safety of our customers’ accounts is of the utmost importance to us and Voice ID is amongst the most secure methods of authenticating customers.

“The introduction of this technology has seen a significant reduction in telephone fraud, and has proven to be more secure than PINs, passwords and memorable phrases. Our VoiceID system does allow us to make changes to different security settings, and following a review we have made changes to make it even more secure.”

HSBC do have a point in this regard, because it’s unlikely fraudsters would ever use this method to get into your account. The BBC managed to do so with a twin mimicking his voice, but nearly all fraud is committed by strangers who would have no idea how you sound.

Indeed, even if they managed to get a voice recording of you saying the entry phrase, HSBC’s system is sophisticated enough to distinguish between natural and recorded vocals.

So, should you be worried? We don’t believe so, however, it’s a stark reminder that no security system is without flaw.