Voice Biometrics for financial authentication

Question

From this article: http://www.bbc.com/news/business-36762962

Apparently, it takes us 45 seconds on average just to confirm who we are.

But by using computers to identify our voices, this authentication process can be cut to 15 seconds on average, saving the bank pots of cash and us lots of hassle.

Citi has just begun rolling out this kind of voice biometrics authentication for its 15 million Asian banking customers, starting in Taiwan, Australia, Hong Kong and Singapore.

Citi uses the "free speech" method to begin a more natural conversation with the customer immediately...

Free speech has another advantage: it's harder to fake a realistic conversation using recordings. With the passphrase method it's plausible that fraudsters could record a customer's voice as he or she says the phrase and then use this high-quality recording to try to spoof their way through security in future.

The drawback with the system is that banks need to obtain customers' permission before recording voiceprints.

From 2018, the European Union's General Data Protection Regulation will require organisations to say what data they collect on you, for which purposes, and to obtain your explicit consent.

Some customers say no, but usually only around a quarter, says Ms Thomson. Citi's Asian efforts seem to bear this out, with a 75% uptake so far.

And as the technology gets cheaper over the next five years, we could soon be talking to parking meters, vending machines, robot hotel concierges and driverless taxis, to pay for things and check in.

People's voice is public, which means is easy to record/process/reproduce, so how can that system be more secure than answering the usual security secret questions?

(that last paragraph scare me...)

Biometrics are dumb because it's a password you can't change — Neil McGuigan, Jul 13 '16 at 07:58
A link that could be of some relevance in the present context IMHO: mashable.com/2016/03/20/face-tracking-software/#WfhDDpyVGuqu — Mok-Kong Shen, Jul 13 '16 at 09:20
Banks doing awful stuff as usual, and yet they still can't even offer to use a strong password, instead relying on a 6-digit numeric code with a horrible on-screen keyboard. — André Borie, Jul 13 '16 at 11:16
Complementing @NeilMcGuigan : Voiceprints are dumb because they are a biometric that constantly changes (especially with illness and age). — Eric Towers, Jul 13 '16 at 15:41
[My voice is my password. Verify me.](imdb.com/title/tt0105435/quotes) — svavil, Jul 13 '16 at 21:10
People don't realize that you leave finger prints *everywhere* and paying with your fingerprint gives very little security. Paying *only* with fingerprints is even worse. Likewise for voice biometrics. — noɥʇʎԀʎzɐɹƆ, Jul 13 '16 at 21:14
Jon Briggs, (the UK voice artist of Siri) might want to steer clear of using this technology to secure his account. https://en.wikipedia.org/wiki/Jon_Briggs — Scott, Jul 13 '16 at 22:23
I wonder why "security people" behind such institutions recommend such path. Probably is a management decision and they just have to do it? — lepe, Jul 14 '16 at 02:12
@lepe I wouldn't be surprised if it had something to do with marketing. Rock solid authentication like passwords and 2FA is old and not so "hype" anymore. By introducing something new they give the illusion they're working on better security (even if the system ends up being cracked). — André Borie, Jul 18 '16 at 15:05

score 26 · Accepted Answer · answered Jul 13 '16 at 05:57

26

This will be abused and instead of password dumps we will see attackers trading voice sample dumps and building huge databases of identified voice samples from public documents and places like YouTube.

There are also other issues here that make this a bad choice. There's no plausible deniability if someone didn't want to be coerced into authenticating an attacker. With a PIN you might be able to say you forgot your code, you can't say you forgot your voice.

There's also the inability to protect what is being said from prying ears and recording devices. ATM makers learned this the hard way with ATM's and now we have shielding to help hide what numbers are being pressed. Similar attacks to ones that already exist will occur.

Finally is it too far-fetched for an attacker to have a large enough sample of someones voice to have some software capable of saying whatever you want them to say in their own voice ?

I think the technology could still take off simply because of a cool factor or because a big enough company forces it, but I'm not convinced this is the best security control for the task at hand and I share your concern.

answered Jul 13 '16 at 05:57

Trey Blalock

14,099
6
43
49

6

*With a PIN you might be able to say you forgot your code* You can't say that to [someone with a wrench](https://xkcd.com/538/). – A.L Jul 13 '16 at 11:55
2

@A.L. I just realized the comic doesn't mention how much the drug costs. – JAB Jul 13 '16 at 13:46
2

@JAB Alcohol is cheap, drugs are cheaper on the black market :D – cat Jul 13 '16 at 14:43
1

Related to PIN and plausible deniability: https://en.wikipedia.org/wiki/ATM_SafetyPIN_software – Federico Poloni Jul 13 '16 at 15:40
"*Finally is it too far-fetched for an attacker to have a large enough sample of someones voice to have some software capable of saying whatever you want them to say in their own voice?*" - Nope, see http://TalkObamaTo.Me/ for one example. – TessellatingHeckler Jul 14 '16 at 00:13
@A.L A wrench won't help if you actually did forget your code. So if you still keep saying that after being hit with the wrench several times, maybe you actually did forget the code. That's plausible deniability - of course, you still got hit with a wrench several times. – user253751 Jul 14 '16 at 08:20

score 19 · Answer 2 · edited Mar 17 '17 at 13:14

This keeps popping up every year as the next big thing.

2016:Citi

2015:ING

2013:Barclays

This 2014 paper Automatic speech recognition for under-resourced languages: A survey. Speech Communication by Besacier, L., Barnard, E., Karpov, A., & Schultz, T. (not open access) discusses the state-of-the-art of speaker recognition technologies. The survey concludes that evaluation metrics are still not robust enough, while acknowledging the vulnerabilities and the likelihood of an arms race. Nothing in this paper indicates readiness for large-scale adoption.

This community already has plenty of posts warning about the promises and risks of biometrics (see here) especially because of non-revocability.

People's voice is public, which means is easy to record/process/reproduce, so how can that system be more secure than answering the usual security secret questions?

Despite all of those warnings, I must admit that the survey shows speaker recognition systems with built-in contermeasures that have extremely low FAR/FRR (False Accept / Reject Rates) even when faced with noise, impersonation, recorded playback etc..

On the other hand, answers to security questions are hardly secret, easily social engineered, and rarely provide adequate security (remember this?)

So it does seem plausible that voice will replace "security questions", at least as a backup authentication system for interacting with support. The bottleneck has largely been privacy concerns for a while now. If it does take off, it is because the current auth system for support interactions has a human-in-the-loop and easier to fool; whereas this is cheaper and systematic.

I have my own concerns about whether this widespread adoption of biometrics can truly scale, but it does seem inevitable.

In Australia ANZ and the taxation office joined the ranks too. — Alex Ixeras, Jun 06 '18 at 07:05

Peteris · Answer 3 · 2016-07-13T20:40:09.617

"Username" vs password

Biometrics is uniquely tied to you, but possible to copy/fake, likely to be given out inadvertently (when you don't intend to authenticate anything) and nearly impossible to change. This means that biometrics, including voice, is a great replacement for factors such as usernames or customer IDs, but still would require additional confirmation factor such as 'something you know' or 'something you have'.

In comparison with the rather common practice of needing two things to login - your email address as user-id and a password that's usually short, simple and likely crackable; replacing it with email+voice would change the risks but IMHO make them slightly worse, but replacing it with voice+password (even if the password is just as bad as before) would be a big improvement.

For financial authentication, a good rule of thumb is to ask "Would the customer's parents, children or spouse be able to satisfy these criteria?" - if yes, then these criteria are not sufficient for financial authentication. Voice biometrics alone obviously fail this test, since they are trivial for any family member to record.

score 2 · Answer 4 · answered Jan 02 '17 at 20:28

Finally is it too far-fetched for an attacker to have a large enough sample of someones voice to have some software capable of saying whatever you want them to say in their own voice?

Adobe VoCo allows you to change words in a voiceover simply by typing new words.

From BBC article: Adobe Voco 'Photoshop-for-voice' causes concern

The risks extend beyond people being fooled into thinking others said something they did not. Banks and other businesses have started using voiceprint checks to verify customers are who they say they are when they phone in. Voice waveformImage copyright One cybersecurity researcher said the companies involved had long anticipated something like Adobe's invention. "The technology is new but its underlying principles have been understood for some time," said Dr Steven Murdoch from University College London. "Biometric companies say their products would not be tricked by this, because the things they are looking for are not the same things that humans look for when identifying people. "But the only way to find out is to test them, and it will be some time before we know the answer."

Also From this article: Adobe's new 'Photoshop for voice' app lets you put words in people's mouths - sciencealert.com

Adobe says it is aware of the potential for misuse with Project VoCo, so is already working on technologies that will make it possible to detect if a recording has been tampered with – such as embedding hidden audio watermarks, which could potentially trigger voice security features used in systems like digital banking.

They may prevent misusing that application but not replicating such functionality. Which means, voice biometrics security should not be used even if Adobe implement such measures (like audio watermarks). Great addition to this question. — lepe, Jan 03 '17 at 15:24

Voice Biometrics for financial authentication

4 Answers4

"Username" vs password

Linked