Analysis: CommBank alone on voice biometrics

The Commonwealth Bank stands alone as the only top tier bank in Australia with its sights on biometrics as a means to improve security for its customers -- but critics say the technology is still too young.
Written by Liam Tung, Contributing Writer

The Commonwealth Bank stands alone as the only top tier bank in Australia with its sights on biometrics as a means to improve security for its customers -- but critics say the technology is still too young.

The Commonwealth Bank is "actively monitoring" voice biometrics to boost banking security, a spokesperson for the bank told ZDNet.com.au.

"A likely initial deployment is to use voice biometric technology for enhanced customer authentication," said the spokesperson.

Voice biometrics is being touted as the next step for banks seeking to improve authentication processes for banking, ahead of other biometrics such as fingerprint, facial or vein recognition.

With voice biometrics, consumers are asked to submit a voice sample to the bank, which becomes a secondary "signature". When customers make a transaction, either by phone, on the Internet or at a branch, their voice is compared to the signature held by the bank to verify the transaction.

While proponents of the technology say it is ready for deployment, most Australian banks prefer to distance themselves from it.

Spokespeople for Westpac and St George told ZDNet.com.au that they are monitoring the technology. Similarly, ANZ -- which last month became the first Australian bank to allow customers to make banking transaction on their mobile phones -- also said it prefers to keep a watching brief.

National Australia Bank declined to comment on voice biometrics. However, general manager of technology, risk and security, Gary Blair, told ZDNet.com.au: "We have a world class SMS two-factor authentication system. At this stage, this is the best technology available for protecting customer transactions."

Two-factor authentication -- soon to be rolled out by St George Bank, and currently used at Commonwealth, NAB, and ANZ -- has a limited lifespan, however.

SMS two-factor authentication will become redundant within three years, according to NAB's Blair as increased mobile banking will render the SMS verification less secure.

Proponents of voice biometrics argue that the technology, unlike SMS authentication, can be employed regardless of whether customers are using the Internet, phone banking or credit cards to make a transaction.

"It is a very effective means of authentication if you're on your mobile and making a transaction. You can do voice authentication within band rather out of band," Mike Webber, Unisys' Enterprise Security Initiative Asia Pacific manager, told ZDNet.com.au.

There is even the possibility that customers will be able to authenticate their voice using a microphone stationed at a PC, according to Dr Clive Summerfield, director of voice biometric company Auraya Solutions.

"Voice authentication allows multi-factor authentication for telephone banking ... In fact, it provides the same for the Internet as it does for phone. So, you can have the same security solution across both channels," Summerfield told ZDNet.com.au.

Hurdles to overcome
Although the technology is available to make voice biometrics a reality, there are significant hurdles to be overcome.

Voice biometrics is still considered an "early stage technology" according to Commonwealth Bank's spokesperson. "[But] we see this being mitigated quite quickly as time passes and more organisations adopt the technology."

RSA's banking and finance specialist Geoff Noble said: "Voice biometrics isn't there at the moment. Most banks think that the destination is chips such as the EMV chip and PIN cards being issued by banks now."

There are also challenges to how voice will fit within the compliance framework banks face.

"[Voice biometric authentication] is technically possible, but there are issues around the management of privacy, business process and the enrolment of customers," Unisys' Webber said.

This month, the International Organization for Standardization published a standard for the use of biometric data within the financial sector, covering the security of biometric data as well as its retention.

Although the standard won't be used by most banks for some time, Webber said customers will benefit most from its introduction.

"Customers are going to move from saying they don't understand the technology to the point where they understand the benefits and also some of the risks. Over the next few years, we'll see a move from customers being happy with PIN, to 'I want increased levels of security over my transactions'," he said.

Editorial standards