British banking giant HSBC protected almost £249 million ($346 million) of customers' money from fraudsters just in the past year, thanks to a voice recognition technology that does a better job of identifying a user during a telephone call.
The voice system, called Voice ID, was introduced in 2016 to increase the security of bank transactions carried out over the phone. So far, the results seem promising: the rate of attempted telephone fraud this year was down 50% compared to the previous one.
Since 2016, Voice ID has identified 43,000 fraudulent telephone calls and prevented £981 million ($1.3 billion) of customers' money from falling into the hands of malicious hackers, said HSBC.
SEE: Security Awareness and Training policy (TechRepublic Premium)
"Scammers are sophisticated and it's a constant challenge to keep ahead of them but this is promising," said Kerri-Anne Mills, head of customer service at HSBC UK. "We've seen a 50% drop in reported telephone banking fraud year-on-year."
Telephone banking enables HSBC customers to carry out various sensitive operations, ranging from checking their balance to making payments and transferring money.
Voice ID was introduced to replace the requirement to provide complex security numbers made of random digits, or to answer security questions that some users might struggle to remember.
Customers sign up to the service by registering their voiceprint. When, at a later stage, they phone their bank for a particular operation, they will first be asked to say a short phrase, which is analyzed by Voice ID against the original record to make sure that the voices match and that the caller is genuine.
In addition to making the process more convenient, HSBC argues that the technology is more secure: while hackers can steal or guess personal codes or passwords to pass security checks, it is much harder to replicate someone's voice.
To identify a customer, Voice ID checks over 100 behavioral and physical voice traits, including how fast the speaker talks or how they emphasize words, according to HSBC. The bank maintains that the technology is sensitive enough to detect if someone is impersonating the speaker or playing a recording – while also being capable of correctly identifying a voice even if the caller has cold or a sore throat.
The bank has seen a recent increase in customers signing up to Voice ID, and the technology has now been adopted by 2.8 million users. According to Mills, 14,000 customers currently enroll in Voice ID each week.
This is because, partly driven by the fast digitization of services caused by the COVID-19 pandemic, customers are turning to new channels to manage their finances, which don't require physically going into a bank.
"We've seen unprecedented challenges as the pandemic and lockdown restrictions transformed our lives significantly and, unsurprisingly, more people have turned to online and mobile banking to take control of their finances, utilizing other channels for very particular interactions," said Mills.
But although Voice ID has been praised for its security benefits, it is easy to see why things might become thorny if hackers manage to find a way around the voice recognition technology.
To demonstrate the potential shortcomings of HSBC's feature, in fact, in 2017 a BBC reporter and his twin brother successfully fooled the technology. One of the brothers managed to gain access to their twin's account via telephone, and was able to see balances and recent transactions.
The issue is not restricted to voice recognition. As more and more services are carried out digitally, biometrics of all sorts are projected to be used to authorize sensitive processes.
A recent report from Juniper Research, for example, estimates that digital payments made with a handset will increasingly be based on biometric identification such as facial, voice or iris recognition, as well as fingerprints.
SEE: Hackers are actively targeting flaws in these VPN devices. Here's what you need to do
Biometric capabilities such as Apple's Face ID will reach 95% of smartphones globally by 2025, according to Juniper; by that time, users' biological characteristics will be authenticating over $3 trillion-worth of payment transactions.
While the security advantages of using biometrics to prove identity are evident, those technologies are a double-edged sword. On top of the risk that a malicious actor might imitate a user's biological characteristics to gain access to critical services, there are also concerns to do with the opportunities to hack stored biometric data.
"The risk with biometrics in general is that you can't change biometric characteristics," Nick Maynard, lead analyst at Juniper Research, tells ZDNet. "You can't change a fingerprint or your face."
"So if somebody comprises that data, you can't change it, and that information becomes very risky," he continues. "That means that vendors have to adopt very strong security principles around how they handle that data."