Banks & Voice ID - a failure of the technology or deployment?
Biometric security has been in the news today following a BBC investigation which appeared to show weaknesses in the Voice ID authentication process at a leading bank. A BBC reporter teamed up with his twin brother, and the non-account holder was able to access (but not withdraw money) from his brother’s account using the Voice ID function.
19 May 2017
One of the more interesting facets of the story is that the "fraudulent" twin attempted to access the account seven times via voice and each time was declined…however, on the eighth attempt he was successful.
Does this mean that voice recognition is now no better than the scene from the 1992 Robert Redford film Sneakers - "my voice is my passport"? No, of course not. Biometrics systems such as Voice ID authentication are safe and secure, provided such systems are designed with the necessary steps (and combinations) in the process to handle unique risk factors. In this case, twins typically have higher than normal thresholds so special considerations should be made around such scenarios.
The key lesson is that a single (or even dual) means of authenticating a user is never enough. Firms should always use a multi-layered fraud approach, including meta and network voice fingerprinting, behavioural characteristics and multi-factor authentication as well as biometrics, ensuring that no single factor is relied upon. This needs to be backed up with process intervention, with limits on attempted account access in place. More simply, in this case the suspicious activity should have been flagged to a live agent (i.e. a real person) before the 8th successful attempt.
Some of these methods should be invisible to the actual user. So for example, the bank should know the number you usually call from, and should also have an idea as to what time of day you usually call. Looking beyond just Voice ID, it is possible to track devices that the user commonly uses, so if users log in from a different machine or even a different country, there will be a further level of authentication that needs to take place. With Voice, it is also possible to apply analytics to assess if a caller is stressed…or is potentially giving false representation. Either way, in the BBC example the caller should have been either locked out of the system or forced to provide additional authentication. In this case, it appears that it was the deployment of the technology that was at fault - i.e the process rather than the technology itself.
It’s important to take a step back from the BBC report and recognise the importance biometrics can and should play in our never-ending fight against fraud. Traditional defence methodology is simply not enough; banks need another powerful tool in the armoury against fraud, and Voice ID is one such solution. No technology is 100% foolproof, but when used in combination with other methods it can come pretty close. Bear in mind that up to 15 million customers in the BBC report are successfully using the service and that cases of a biological twin imposter breaching the security are going to be incredibly rare.
Looking ahead, Voice ID uses machine learning. Simply put, this means it gets better every single day and whilst occasional slip ups do occur with every technology, these will be gradually eliminated as processes and technologies steadily evolve.
Want to know more about how GCI's Voice ID solutions can benefit your business? Get in touch at email@example.com.
Head of Propositions