Are banks' voice biometric authentication technologies secure enough against data breaches?

Some experts say fingerprints and voice patterns should not be relied upon.

Back in 2014, when a group of fraudsters tried to steal millions of dollars from a bank, they did not expect that it would be one of Brett Beranek’s customers that have just installed voice biometrics authentication – a technology that is now becoming a key component in banking security worldwide.

“One of our banking customers had leveraged our voice biometrics solution to identify a series of prolific fraudsters and then worked jointly with local law enforcement to arrest and eventually prosecute individuals that were responsible for millions of dollars in fraud losses,” recounts Brett Beranek, director, voice biometrics at Nuance who has spent the past five years deploying voice biometric implementations for financial institutions.

That was two years ago, and since then more and more banks are using voice biometrics to deter cybercrimes such as online fraud and customer data theft. Citi and Standard Chartered, for example ,have launched voice biometrics authentication systems that are designed to protect millions of banking customers across multiple markets.

Voice and fingerprint biometrics authentication have been spurred on by the global adoption of smartphones, users of which are predicted to reach 6.1 billion by 2020, which equip banking customers with the necessary voice and fingerprint capture technology.

Beranek says voice biometrics, in particular, provides a significant improvement in security over knowledge-based authentication methods such as PINs, passwords and security questions. Voice biometric authentication has become advanced enough that even if perpetrators do get a hold of a voice recording of a banking client, it will not automatically grant them full access.

“In the case of a password or PIN, if the fraudster is successful in the phishing attack, then they have gained full access to the victim’s account and can perpetrate fraud.In the case of voice biometrics, a successful phishing attack, where the fraudster socially engineers the user in speaking the voice passphrase, won’t necessary lead to fraud.”

“The reason for this is that the fraudster will then need to playback the recording of the victim’s voice to the system they are attempting to compromise. Recording detection algorithms are used to detect such attacks, and prevent thefraudster from getting through.”

Major banks roll out voice biometrics
Recognising the security benefits, Citi Hong Kong in July became the first bank in the territory to launch a voice biometrics authentication feature for its consumer banking clients.

“The new technology, which has been successfully implemented in Taiwan, Singapore and Australia, allows clients to use their voiceprints for authentication rather than having to remember multiple PINs or respond to questions used for verifying their identities,”says Angel Ng, country business manager at Citibank Global Consumer Banking.

“We understand that having to remember different PINs and answer multiple questions may not be entirely customer friendly at times. With this new capability, our clients can access banking services faster, and in a more secure and convenient way.”

The authentication system will analyse clients’ recording and create their unique voiceprint, which will be securely stored in the system. After that, voice verification is automatically completed within 15 seconds while clients speak with our CitiPhone officers when they call CitiPhone Banking, our 24-hour service hotline, a reduction from the previous average of 45 seconds.

The bank plans to roll out voice biometrics authentication in phases from 2016 through 2017 to cover all 12 of Citi’s consumer banking markets in Asia Pacific, representing more than half of the 19 consumer markets it operates in globally.

Likewise, Standard Chartered Bank announced in August that it will rolling out voice, as well as fingerprint, biometric technologies across Asia, Africa and the Middle East in 15 markets for more than 5 million clients.

“Fingerprint and voice biometric technologies give our clients more convenience and security when they want to access their bank balances, cards and investments, wherever they are and whenever they want. We’re bringing the latest digital technologies to all our markets so that we can offer easy, convenient and secure banking to our clients,” says Karen Fawcett, CEO of retail banking at Standard Chartered.

Standard Chartered will introduce voice biometric technology to provide enhanced phone banking security for clients in India and the UAE by end of this year, before rolling it out in more markets next year, subject to regulatory approvals.

Part of wider system of checks
Even as voice biometrics rises in use among banks, the technology has its fair share of critics that point out its fallibility as a security measure, especially when used by itself.

Fingerprints and voice patterns should only be relied on as part of a wider system of checks, and not as a solitary security measure such as when unlocking smartphones, according to Hugh Mclachlan of the Daily Mail, citing experts that say fingerprints and voice patterns should not be relied upon totally for security systems on their own because these cannot be assumed to be unique to each person.

But he and other security experts recognise the value of voice biometrics in enhancing existing security systems for financial institutions.“Human voice patterns or iris recognition need not be assumed to be unique to be useful tools for protecting private access to our bank accounts," says Mclachlan.

Also, biometric authentication has emerged as one of the most cost-effective and strongest among available authentication mechanisms,says i-Sprint, an identity and access management solutions provider headquartered in Singapore, in its annual security survey report.

i-Sprint says that banks are moving away from the single method of authentication and into multi-factor authentication, combining two or more of the following: Passcodes, one-time password (OTP) tokens or digital certificates link to each device for security, voice and facial biometrics link owner to the device, and time and location from which user is accessing.

“Single method of authentication is a thing of the past and the current popular method is multi-factor authentication, which requires the use of two or more of the above mentioned factors. With smart device technology that allows for the capture of image and voice and with touch sensors, we believe more companies will consider using biometrics as a multi-factor authentication method,” says i-Sprint.