What’s the weakest link when it comes to protecting your bank balance, stock portfolio and other financial accounts? Chances are, it’s not your password – especially if you’ve taken the effort to choose a strong one. No, the real soft spot is likely your bank’s customer service phone line. When hackers stole millions of debit and credit card accounts from Home Depot and Target, some thieves were able to reset customers’ PINs and make fraudulent cash ATM withdrawals through social engineering and exploiting weaknesses in automated bank customer service lines.
Thankfully, banks are working to shore up their vulnerable phone lines to prevent these kinds of impersonations. And they’re turning to voice fingerprinting to do it. According to phys.org, companies across the world are collecting samples of your voice for identification purposes. At the Vanguard mutual fund company, customers are required to authenticate with their own voice, speaking the phrase “at Vanguard, my voice is my password” for access. English banking giant Barclays is rolling out voice authentication for all its 12 million customers following a successful test of the tech, as well.
Voice fingerprinting works because each person has a unique way of speaking. These systems analyze the way air moves up through your lungs, vocal cords and mouth, comparing your live sound to past recordings. Modern voice tech is smart enough to ID you even if your voice is altered due to a cold, just as it's smart enough to be able to tell the difference between the speech patterns of identical twins.
There are some drawbacks to voice fingerprinting, though. First, there’s an issue of cost: Voice fingerprinting is more expensive for banks to use than traditional methods due to computing and storage requirements. Secondly, a person could theoretically record your voice and play it back later to trick an automated system. And, of course, an estimated 8 out of every 10,000 adults are mute and unable to use their voice at all.
Still, the benefits of voice fingerprinting appear to outweigh these drawbacks enough for the banking industry to move forward with it. There are currently an estimated 65 million voice fingerprints on file at public and private institutions around the globe. “The general feeling is that voice biometrics will be the de facto standard in the next two or three years,” confirms Iain Hanlon, an executive at Barclays.
From Hitoshi Anatomi on October 15, 2014 :: 2:00 am
Whether static or behavioral or electromagnetic, biometrics cannot be claimed to be an alternative to passwords UNTIL it stops relying on a password for self-rescue against the false rejection altogether while retaining the near-zero false acceptance in the real outdoor environment.
Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset. It is the same with the biometrics operated without passwords altogether.
Biometric products like Apple’s Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.
It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.
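The AND/OR comparison in the comment above, worked through as an added example (not part of the article or of any commenter's post). It assumes the two factors fail independently; the function names and the sample rates are constructed for illustration.

```python
import random

def either(a, b):
    """P(at least one of two independent events)."""
    return a + b - a * b

def both(a, b):
    """P(both of two independent events)."""
    return a * b

def policy_rates(far_bio, frr_bio, far_pw, frr_pw):
    """Return {policy: (false_accept, false_reject)}.

    far_*: chance an impostor passes that factor (x and y in the comment)
    frr_*: chance the legitimate user fails that factor
    """
    return {
        "password_only": (far_pw, frr_pw),
        # OR: impostor needs one factor; the user is locked out only if both fail
        "or": (either(far_bio, far_pw), both(frr_bio, frr_pw)),
        # AND: impostor needs both; the user is locked out if either fails
        "and": (both(far_bio, far_pw), either(frr_bio, frr_pw)),
    }

def simulate(a, b, trials=200_000, seed=1):
    """Monte Carlo estimate of (either, both) for independent events a, b."""
    rng = random.Random(seed)
    n_either = n_both = 0
    for _ in range(trials):
        ea, eb = rng.random() < a, rng.random() < b
        n_either += ea or eb
        n_both += ea and eb
    return n_either / trials, n_both / trials

if __name__ == "__main__":
    # Constructed sample rates, not measurements of any product.
    rates = policy_rates(far_bio=0.01, frr_bio=0.05, far_pw=0.001, frr_pw=0.02)
    for name, (fa, fr) in rates.items():
        print(f"{name:14s} false accept={fa:.6f}  false reject={fr:.6f}")
    print("simulated (either, both):", simulate(0.01, 0.001))
```

The OR policy raises false acceptance above the password alone while almost eliminating lockouts; the AND policy does the reverse, which is the device-reset cost the comment describes.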
From Josh Kirschner on October 15, 2014 :: 11:38 am
I would also be curious to know more about how easily biometric passwords - whether voice or otherwise - can be stolen via database hacks versus traditional passwords. We’ve seen a number of cases where hackers stole login information from unencrypted or poorly encrypted user databases. Would the same vulnerabilities hold true for biometric passwords held in poorly secured databases?
From Hitoshi Anatomi on October 18, 2014 :: 10:44 pm
Biometrics vendors say that they do not have to store the whole biometric data, but only the characteristic feature points from which the original data cannot be recovered in view of the criticism that we cannot change our biometric features if stolen.
Also worrying is something like
http://mashable.com/2013/09/11/girl-fingerprint-scanner/
Anyway, I wonder how many people will keep using the biometric sensor while knowing that it is bringing down the security.