Security software designed to prevent bank fraud has been fooled by a BBC reporter and his twin.
BBC Click reporter Dan Simmons set up an HSBC account and signed up to the bank’s voice ID authentication service.
HSBC says the system is secure because each person’s voice is “unique”.
But the bank let Dan Simmons’ non-identical twin, Joe, access the account via the telephone after he mimicked his brother’s voice.
HSBC introduced the voice-based security in 2016, saying it measured 100 different characteristics of the human voice to verify a user’s identity.
Customers simply give their account details and year of birth and then say: “My voice is my password.”
Although the breach did not allow Joe Simmons to withdraw money, he was able to access balances and recent transactions, and was offered the chance to transfer money between accounts.
“What’s truly frightening is that the bank allowed me seven attempts to mimic my brother’s voiceprint and get it wrong, before I got in at the eighth time of trying,” he said.
“Can would-be attackers try as often as they like until they get it right?”
Separately, a Click researcher found HSBC Voice ID kept letting them try to access their account after they intentionally failed on 20 separate occasions spread over 12 hours.
Click’s successful thwarting of the system is believed to be the first time the voice security measure has been breached.
HSBC declined to comment on how secure the system had been until now.
A spokesman said: “The security and safety of our customers’ accounts is of the utmost importance to us.
“Voice ID is a very secure method of authenticating customers.
“Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than PINs, passwords and memorable phrases.”
“I’m shocked,” said Mike McLaughin, a security expert at Firstbase Technologies.
“This should not be allowed to happen.
“Another person should not be able to access your bank account.
“Voices are unique – but if the system allows for too many differences in the voiceprint for a match, then it’s not secure.
“And that seems to be what’s happened here.”
Prof Vladimiro Sassone, an expert in cyber-security from the University of Southampton, said biometrics could, in general, be an effective security layer, but there were hazards if companies put too much faith in something that was not 100% secure.
“In principle there should be no room for error at all,” said Prof Sassone.
“It should get it right at the first attempt.”
“Voice identification is not like a password system.”
“You can’t forget your voice or get the wrong one.
“After two attempts, systems should be able to tell whether it’s a match or not and notify the bank and user if further attempts are made.”
Prof Sassone said using unique biometric attributes as a verifier should make it harder for intruders – but if they were to be imitated by crooks, customers could not then change their voice, face, or fingerprint as they could a password.
“If you have to prove it wasn’t you who accessed your account – that it was either a mimic or computer software – then how are you going to do that?” he asked.
“Especially if the bank is claiming the system is perfect.”
Security expert Prof Alan Woodward, from the University of Surrey, said it was dangerous to rely on one biological characteristic to authenticate someone, even if it is unique to that person.
“Biometric-based security has a history of measurements being copied,” he said.
“We’ve seen fingerprints being copied with everything from gummy bears to photographs of people’s hands.
“Hence, biometrics, just like other aspects of security, will always have to evolve as measures emerge to threaten them.
“Security is a story of measure and counter-measure.”
He said HSBC possibly needed to reassess its technology and ideally add another “factor” alongside the voiceprint check to authenticate identity.
“As well as requiring something you are, it would require something you know or something you have, like a PIN,” he said.
“That makes it much more difficult to compromise.”
It is not just the ability of humans to fool computers that is worrying some high-tech companies.
Start-up Lyrebird is working on ways to replicate a voice using merely a few minutes of recorded speech.
Co-founder Jose Sotelo said there was no doubt this had “implications” for voice identification systems.
“We are working with security researchers to figure out the best way to proceed,” he told Click.
“This is one of the reasons we have not released this to the public yet.
“It’s a spooky application but we believe that we should be careful and should not be scared of technology and we should try to make the best out of it,” he said.
“One idea we are considering is to watermark the audio samples we develop so we are able to detect immediately if it is us that generated this sample.”
You can see the full BBC Click investigation into biometric security in a special edition of the show on BBC News and on the iPlayer from Saturday, 20 May.