Nuance Powers New Telephone Banking Voice Authentication System for Barclays
Barclays Bank announced on Monday that it will commence rolling out voice security authentication to all customers, replacing the existing password-based method.
A Barclays spokesperson told SecurityWeek this will make its “telephone banking service easier to use and more secure than ever.” Traditional passwords have been losing favor for many years — their complex and intrusive nature prompts many users to use simple and guessable passwords. Biometrics, such as voice recognition, require very little effort from the user, and are claimed to be very secure.
A recent survey by Visa concluded that two-thirds of European consumers are ready to use biometrics for payment transactions.
“Each person’s voice is as unique as their fingerprint, made up of over 100 characteristics based on the physical configuration of the speaker’s mouth and throat,” explains a Barclays statement released today. “Therefore, when a customer calls up to use telephone banking, the technology will be able to identify them simply from the first few words that are spoken.”
In general, voice biometrics systems come in two flavors: active-mode and passive-mode. In active mode, explains Alan Goode, MD of mobile and biometrics consultancy Goode Intelligence, “a customer records a phrase and then repeats this phrase every time they access the service.” In passive-mode, he added, “the customer doesn’t need to repeat specific words but talks naturally.” The Barclays spokesperson subsequently confirmed to SecurityWeek that the system will operate in passive-mode, and will require at least two conversations before it can be used.
A traditional security fear for voice biometric authentication is a covert recording of the user concerned. This would make active-mode less secure than passive-mode since a recording of any authentication phrase would be all an attacker would need. The Barclays spokesperson told SecurityWeek that every voice-authenticated inquiry will involve at least some interaction with a Barclay’s operative, thus making any voice recording effectively unusable. The technology supplier is Nuance.
Voice security will be available to all personal banking customers, but not yet for corporate or business clients. In order to register for voice security, customers must call Barclays telephone banking service, which will start the process of creating a digital voice print. Once Barclays has collected a sufficient voice print over the course of multiple phone calls (approximately three) customers can opt to use voice security technology rather than a password to identify themselves.
Collecting and storing user biometrics does have some data privacy implications in some jurisdictions. However, in this case it is initially instigated by the user which should solve most consent issues. It is likely that Barclays will have incorporated a methodology for removing voice recordings if the user changes banks since this will become a legal requirement within the European Union under General Data Protection Regulation (GDPR).
The technology has been trialled by Barclays since 2013. “The success of the trial,” says the official statement, “means that they are now making it available to all customers, which will be rolled out in August 2016.” According to a report on the BBC, this trial successfully thwarted several fraud attempts.
A bank or the service provider, Alan Goode told SecurityWeek, “will often have a voice database of bad actors and known fraudsters that they can identify if they attempt fraud over the telephone banking channel. Companies like NICE are strong here.” It isn’t known whether the thwarted fraud attempts were from voice rejections by the technology or from voice matching with the database of known fraudsters.
Atlanta-based Pindrop Security is another company focused on combating phone-based fraud. The company explains that by integrating voice biometrics, its technology can match voice signatures to identify a caller, with “phoneprinting”, which analyzes the entire audio spectrum of a call to identify indicators of attack. The startup recently announced that it had raised $75 million in a Series C funding round led by Google Capital, bringing the total raised by the company to $122 million.