olly - Fotolia

HSBC voice authentication tricked by twins

Twin brothers managed to trick HSBC’s voice recognition security system into giving account access to the wrong person

A BBC journalist and his twin brother have successfully carried out an experiment to trick HSBC voice-based authentication software into providing account access to the wrong person.

Dan Simmons, a reporter at BBC Click, opened an HSBC account and enrolled for the bank’s voice ID service. By copying his voice, identical twin brother Joe was able to access his account.

Using HSBC’s voice-based authentication, customers give their name and date of birth and confirm that their voice is their password. Dan Simmons’s brother was able to access account details and could move money between accounts but not withdraw money.

He told the BBC that he was given multiple attempts to copy the voice and it was not until his eighth try that he gained access.

In February 2016, HSBC announced a planned roll-out of voice biometric security technology, with more than 15 million customers in line for voice and fingerprint authentication services. Barclays bank also uses voice recognition technology instead of passwords to identify customers over the phone.

HSBC promotional material for the voice security said: “Your voice is unique – just as your fingerprint is – which means you can create your own voiceprint with us.”

“Voice ID can analyse your voice in seconds – checking over 100 behavioural and physical vocal traits, including the size and shape of your mouth, how fast you talk and how you emphasise words.”

The BBC said HSBC would not comment on how secure the system had been since its introduction, but a spokesperson told the BBC: “The security and safety of our customers’ accounts is of the utmost importance to us. Voice ID is a very secure method of authenticating customers.

“Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than pins, passwords and memorable phrases.”

Read more on Endpoint security