Security experts have warned about the limitations of biometric authentication systems after a BBC reporter’s twin brother was able to access his HSBC account via the bank’s voice ID service.
Reporter Dan Simmons’ non-identical twin Joe logged in as his brother using the biometric security system launched by the lender in 2016.
After inputting account details and date of birth, the user is required to say “my voice is my password” in order to access their account.
However, Simmons was apparently allowed seven attempts at cracking his brother’s voice before getting it right on the eighth.
The bank is set to restrict user log-in attempts in future to three.
It’s important to note that access to the account did not allow Joe Simmons to withdraw funds; only view balances and transactions and make transfers. A real fraudster would also be unlikely to know the voice patterns of the person they’re trying to rip off.
HSBC claimed its Voice ID system was still a “very secure method of authenticating customers.”
“Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than PINs, passwords and memorable phrases,” it added in a statement.
Alex Mathews, lead security evangelist at Positive Technologies, argued the report proves that using voice biometrics alone isn’t enough.
“As is always the case with security, a layered approach is best,” he added. “Rather than relying on it as a sole authentication method, it should be used as an additional tool, in tandem with other security practices.”
However, Digital Guardian security advocate Thomas Fischer argued that biometrics are a step in the right direction.
“The BBC is certainly not the first to research ways to fool voice recognition systems or bypass fingerprint sensors, but this is no mean feat and depends on the quality of the original biometric imprint,” he explained.
“Brute force cracking weak passwords, on the other hand, can be done with relative ease. Biometrics are certainly not perfect, but anything we can do to make it more difficult for attackers to win and easier for consumers has to be a good move.”