Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Barclays Unveils Voice Authentication for Phone Banking

Nuance Powers New Telephone Banking Voice Authentication System for Barclays

Nuance Powers New Telephone Banking Voice Authentication System for Barclays

Barclays Bank announced on Monday that it will commence rolling out voice security authentication to all customers, replacing the existing password-based method.

A Barclays spokesperson told SecurityWeek this will make its “telephone banking service easier to use and more secure than ever.” Traditional passwords have been losing favor for many years — their complex and intrusive nature prompts many users to use simple and guessable passwords. Biometrics, such as voice recognition, require very little effort from the user, and are claimed to be very secure.

A recent survey  by Visa concluded that two-thirds of European consumers are ready to use biometrics for payment transactions.

“Each person’s voice is as unique as their fingerprint, made up of over 100 characteristics based on the physical configuration of the speaker’s mouth and throat,” explains a Barclays statement released today. “Therefore, when a customer calls up to use telephone banking, the technology will be able to identify them simply from the first few words that are spoken.”

In general, voice biometrics systems come in two flavors: active-mode and passive-mode. In active mode, explains Alan Goode, MD of mobile and biometrics consultancy Goode Intelligence, “a customer records a phrase and then repeats this phrase every time they access the service.” In passive-mode, he added, “the customer doesn’t need to repeat specific words but talks naturally.” The Barclays spokesperson subsequently confirmed to SecurityWeek that the system will operate in passive-mode, and will require at least two conversations before it can be used. 

A traditional security fear for voice biometric authentication is a covert recording of the user concerned. This would make active-mode less secure than passive-mode since a recording of any authentication phrase would be all an attacker would need. The Barclays spokesperson told SecurityWeek that every voice-authenticated inquiry will involve at least some interaction with a Barclay’s operative, thus making any voice recording effectively unusable. The technology supplier is Nuance.

Voice security will be available to all personal banking customers, but not yet for corporate or business clients. In order to register for voice security, customers must call Barclays telephone banking service, which will start the process of creating a digital voice print. Once Barclays has collected a sufficient voice print over the course of multiple phone calls (approximately three) customers can opt to use voice security technology rather than a password to identify themselves.

Advertisement. Scroll to continue reading.

Collecting and storing user biometrics does have some data privacy implications in some jurisdictions. However, in this case it is initially instigated by the user which should solve most consent issues. It is likely that Barclays will have incorporated a methodology for removing voice recordings if the user changes banks since this will become a legal requirement within the European Union under General Data Protection Regulation (GDPR).

The technology has been trialled by Barclays since 2013. “The success of the trial,” says the official statement, “means that they are now making it available to all customers, which will be rolled out in August 2016.” According to a report on the BBC, this trial successfully thwarted several fraud attempts.

A bank or the service provider, Alan Goode told SecurityWeek, “will often have a voice database of bad actors and known fraudsters that they can identify if they attempt fraud over the telephone banking channel. Companies like NICE are strong here.” It isn’t known whether the thwarted fraud attempts were from voice rejections by the technology or from voice matching with the database of known fraudsters.

Atlanta-based Pindrop Security is another company focused on combating phone-based fraud. The company explains that by integrating voice biometrics, its technology can match voice signatures to identify a caller, with “phoneprinting”, which analyzes the entire audio spectrum of a call to identify indicators of attack. The startup recently announced that it had raised $75 million in a Series C funding round led by Google Capital, bringing the total raised by the company to $122 million.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Funding/M&A

The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...