HSBC and First Direct rolling out biometrics to retail customers

HSBC is introducing voice pattern recognition for online banking for its retail banking operation and First Direct customers in what it is claiming is the largest implementation of biometric security in the UK.

In addition to voice recognition, customers will also be able to use fingerprint recognition systems for identification verification. It is hoped the technology will be rolled out to the banks' 15 million customers by summer.

Last year, RBS rolled out fingerprint authentication for online banking customers, and voice recognition technology has been in use by Tatra Bank in Slovakia since 2013.

HSBC says the move is an effort to overcome the weaknesses in current online security systems. Passwords are widely recognised as being insecure, not least because users tend to use the same, simple passwords for myriad services.

The other option is multi-factor authentication, but the need to enter multiple passcodes and refer to external devices such as mobile phones for SMS messages is at odds with the drive for ever greater customer convenience.

“A bank is looking to make it easy for customers,” said Clayton Locke, CTO at Intelligent Environments. “Multi-factor authentication will still be used for large transactions but to get in to view your bank statement, multifactor is a hassle, so they want to use biometrics because it's more secure than a PIN.”

The technology for the service has been outsourced to Nuance Technologies, perhaps better known for its Dragon voice recognition software.

The bank points to consumer research into password security to justify the introduction of the new technology. For instance, 37 percent of consumers agree that traditional passwords are an outdated security measure, according to YouGov research.

YouGov also found that 38 percent of users admit to using the same password on all of their online accounts. Apparently, three-quarters of respondents are already prepared to use their body as a default password.

Angela Sasse, director of the UK Research Institute in Science of Cyber Security, has been a longtime proponent of biometrics as a secure replacement for passwords. She said that consumers show every sign of being ready to switch to biometrics because of the convenience and extra security.

“People really weigh the convenience against the risks [of biometrics], but things have changed since the introduction of the iPhone 6 where you very rapidly have about six million users who have the fingerprint sensor on their phone and use it,” she said.

She concedes that biometrics alone will not be enough to stop the fraudsters from accessing bank accounts. “If you rely just on the biometrics, the attackers will almost certainly try to insert themselves into it,” she said, pointing out that biometrics won't stop man-in-the-middle attacks, website spoofing and social engineering attacks.

“The other really important thing we are going to need is really reliable, mutual authentication between the customer and the bank,” she said, so customers could easily authenticate their bank's identity. “We need some really strong but simple processes that people can follow and very clear identification of the different parts involved if we want secure interactions.”

The voice print itself is secure. According to the experts we talked with today, it is almost impossible to spoof voice recognition software with a digital recording.

Far more concerning, according to Clayton Locke, is the security of the token that's created after the biometric print has been taken. “It isn't your biometrics [signature] but the token that's being shipped around – that's what the hacker is after,” he said. “He just wants to convince the system that he has a valid token, to get into the logic of the program to make sure that every time the system asks if this is a valid voice print, it answers back yes.”

In Slovakia, Tatra Bank has enrolled about a third of its customers or about 250,000 voice samples, and although it takes on average around 27 seconds to verify a customer, some 85 percent of all calls to the bank's contact centre that require authentication are verified by voice, according to Martin Hummel, voice biometrics consultant at Soitron UK.

Hummel said: “Voice biometric security has been with us for a few years now, and while experts claim that it's the future of security, the reality is that the uptake has been relatively slow to date. However, it has the potential to replace the password or PIN-based identity verification, which we all acknowledge is antiquated and has many failings from both the business and consumer perspectives.”

However, there are concerns about the privacy implications of biometrics. David Mount, director of security solutions consulting EMEA at Micro Focus, said: “I think as we see biometrics being used more and more, it's going to open up a raft of privacy concerns such as, what does the biometric data say about me and my physical and emotional state?”

He also pointed out that there may be cultural and trust issues around its adoption. “There's this element of trust around it and how accurate will it be and how accurate will it be in identifying me?” he said.

“If you get examples where voice recognition doesn't work, it introduces creeping distrust. It hasn't authenticated me this time, OK is there capability for it to mis-recognise someone else as me? And you get this creeping mistrust which could affect adoption.”
