Is HSBC’s voice identification really secure?

I was woken by Radio 4 this morning with news that HSBC (and First Direct) will be rolling out voice identification software as a replacement for the “cumbersome” password-based system currently in use. I’ve been using this cumbersome system for more than twenty years, and I can’t say I have any problem with it – ten seconds and you’re in; and time has proven it reasonably secure.

But this new biometric “voice-print” system sounds a tad more dodgy to me. It comes from Nuance Communications, and apparently it checks over 100 unique identifiers in someone’s voice, including speed and behavioural features and maps the sound it’s hearing back to physical features such as the shape of the larynx and nose. The technology might be better remembered as Dragon Dictate from the 1990’s, although Nuance has been working on the biometric aspects for some time, and recently announced Santander was going to use it in Mexico.

I’m naturally suspicious of any biometric identification method apart from retinae scans, having looked at many such schemes over the years. They’re generally vulnerable to amounts to “replay” attacks. Fingerprint or face recognition can usually be fooled relatively simply with a picture of the real thing. So what’s to stop a replay recording of someone’s voice? Nothing, as far as I can tell.

When the BBC asked about recordings being played back they were told that any recording process would lose the subtleties of live speech, and the BBC seemed happy with that. Well I’m not! The way telephones work these days, your voice is sampled, encoded in to very few bps and sent. How is this going to look any different to a recording? You can store and repeat a section of telephone call digital data easily enough and it’s bound to be indistinguishable.

I can see some solutions – the system could ask you to repeat some random phrase back instead, and word recognition could determine whether you said the right thing after the biometric recognition matched the voice print. But this isn’t the answer the BBC got.

I’m awaiting more information…

HSBC had a bad January with cyber-attacks. Is this some ill-conceived scheme to try and change the news agenda?