Banks using voice biometrics to counter social engineering

More companies are turning to voice biometrics for security purposes (Digital Trends)

Technology known as voice biometrics seems to be the next big thing in keeping your accounts safe and sound, especially with the alarming rise in call-in center fraud. In this latest version of trickery, criminals take advantage of human error and human emotions when they dial into a customer service line, describe some fictional situation that garners the representative’s sympathy, and subsequently gain access to sensitive data and, of course, money. $10 billion worth last year, in fact.

The purpose of identity management technology is to force fraudsters into social engineering. Identity management technologies can still help with that, too.

US: Federal prosecutors want to use voice biometrics in court

Prosecutors want to use hi-tech evidence in trial to identify voices of terrorists (Daily Mail)

Terrorism prosecutors in Brooklyn want to use sophisticated voice recognition evidence — the same technology used to identify ISIS butcher “Jihad John” — for the first time in a federal trial in the U.S., the Daily News has learned.

The novel part of this is that prosecutors wish to use the technology in a Federal trial.

Voice biometrics have made news in a criminal trial before. This 2012 piece by Jeff Weiner of the Orlando Sentinel describes voice biometrics used by an expert witness in the trial of George Zimmerman.

USAA adopts mobile biometrics for account verification

In Your Face: USAA Brings Biometric Logon to Mobile Users

“This will make USAA the first U.S. financial institution to offer facial and voice recognition on a mobile app as added protection against fraud and identity theft,” the company announced.

So how does it work? USAA’s facial recognition requires users to look at the screen and, when prompted, blink their eyes. For voice recognition, users must read a short phrase.

Voice biometrics and “the right to remain silent”

Passcode vs. Touch ID: A Legal Analysis (9TO5MAC)

With the suspect in handcuffs, the agent swipes the student’s finger across the phone to access his call history and messages. Once the FBI swipes the suspect’s finger and bypasses the biometric security, the phone asks for the student’s passcode. The FBI agent asks for his password but the student refuses to speak. How can the FBI agent access the phone? Whereas a fictional Federal Agent like Jack Bauer would simply pull out his gun, jam it in the suspect’s mouth and scream, “WHERE IS THE BOMB?”, in our example, the FBI agent would hit the proverbial brick wall.

This is where a gray area might still exist for hardware protected with voice biometrics.

I’m no criminal or constitutional lawyer, but it seems plausible that while a criminal suspect can be legally compelled to give over their fingerprint, the “right to remain silent” remains.

Commonwealth v. Baust probably isn’t the last word on all biometric modalities that could prove useful in criminal investigations.

Abu Dhabi bank to introduce voice recognition technology

UAE: End of the Pin number? ADCB to launch voice recognition service (The National)

The biometric technology used by ADCB works by comparing the caller’s voice to a pre-recorded sample given by the client, ADCB said.

That will allow customers to get on the phone with a bank representative quicker while reducing the chances of fraud.

“In this competitive environment we need to make sure that customer convenience and ease of access are effectively balanced with information and transaction security,” said Ravi Nair, the head of customer experience at ADCB. “The voice biometrics technology will play a vital role in ensuring increased security and convenience at the same time, while making client calls shorter and reducing our overall cost to serve.”

No need to mischaracterize voice biometrics in call centers

Amidst all the attention banks are receiving over the use of voice biometrics to prevent fraud, it’s worth noting a couple of things.

First, according to the widely linked AP article, “The technology, sometimes called voiceprinting, is aimed at bad guys rather than legitimate customers, but legal and privacy experts alike still have reservations about the practice.” So, the systems in place seem to work by collecting information on known and suspected fraudsters and placing them on a watchlist (listenlist?). This makes sense. Technically, it’s far easier to be on the lookout for a handful of persons of interest than it is to make a positive ID on every single caller.

Second, there are a lot of way over-hyped headlines out there that make it appear as though financial institutions are collecting voice biometric information on unwitting customers on a vast scale.

Take:
Some Banks Collect Voiceprints During Service Calls to Identify You (Salon) 

Technically, this Slate headline isn’t even true since according to the source it cites, the voiceprints are being used to identify fraudsters, not to verify the identities of account holders.

Then there’s this.

Banks Harvest Callers’ Voiceprints to Fight Fraud, which is the unfortunate headline of the very AP article that acknowledges that the systems function as criminal watchlists rather than a “harvest” of biometric information.

Banks Use Callers’ Voiceprints to Fight Fraud

Computers with voice recognition are being used–sometimes discreetly–to add extra security during calls with customers. (Inc.)

“We lost everything,” she said. “Can you send me a card to where we’re staying now?”

The card nearly was sent. But as the woman poured out her story, a computer compared the biometric features of her voice against a database of suspected fraudsters. Not only was the caller not the person she claimed to be, “she” wasn’t even a woman. The program identified the caller as a male impostor trying to steal the woman’s identity.

The mechanics of how the banks are using voice analysis are pretty interesting. By focusing on known or suspected fraudsters, it reminds me a little bit of the Nevada Gaming Commission’s Excluded Person List.

A case for voice for mobile ID

Many reasons to use biometrics to secure mobile payments (Payments Source)

Much is being researched and written on the subjects of mobile payment security and the use of biometrics as a replacement to traditional user names and passwords. As more mobile devices that contain our identification and personal information hit the market, the securing of these devices to recognize and authenticate their rightful owners will likely determine who succeeds and those who fail.

Author Mike Goldgof is the Vice President of Marketing at AGNITiO.

Mobile face and voice combo tested by Mastercard

Mastercard voice and face recognition achieves 98% success rate (Computer Weekly)

The payment card company created a mobile app to test voice and facial recognition technologies on more than 14,000 transactions.

Mastercard employees around the world carried out the tests on Android and iOS operating systems. The process took less than 10 seconds for most transactions.

We discussed why face and voice biometrics were likely to be strong candidates for mobile biometrics here in 2012.

More European biometric banking

NETHERLANDS: ING launches voice-recognition banking app (Computer Weekly)

Dutch banking group ING Netherlands has launched a banking application that can be navigated using voice recognition.

The firm hopes future generations of the app will use biometric voice recognition for user authentication to replace PINs.

Keeping in mind the difference between voice recognition and speech recognition, biometric ID management technologies sure seem to be getting a lot of traction in the banking sector. This appears to be the case especially in Europe where banking security already far exceeds what you typically see in the United States, as chip on card technology for bank cards has been standard in Europe for a long while now.

Perhaps it’s about time the United States gets in on the leap-frogging game. An interesting fact in this case is that a Dutch bank is implementing banking security two generations more advanced than US banks use and they’re doing it with voice recognition technology developed in the United States.

So this is what Microsoft has been up to…

SILICON REPUBLIC: Xbox One dashboard video highlights biometric abilities of new console (with video)

“The Kinect camera comes with biometric capabilities that recognise the voice of each individual in the household, as well as their body shape because it reads their skeletal frame.”

The linked article comes at the technology on display from an Xbox One angle but I think it’s bigger than that. Is Microsoft just highlighting its vision for the Windows 8 world? Is it signalling that the future of Microsoft is going to be more bound up with hardware like the Xbox, Surface and Kinect? Biometrics in the OS? Taking its huge market share and moving to a business model that looks more like Apple’s?

More questions than answers, I know. But if you have 12 minutes, give it a watch and see if the same isn’t true for you.

To touch on the biometrics a bit, it looks like the capability billed as voice recognition is indeed true voice recognition and speech recognition rather than speech recognition alone. A post dealing with the distinction is here. Each of the two people in the video tells the system to “show my stuff” and the software shows different sets of “stuff” even though prompted in identical terms by the different users.

I’m not exactly sure what the presenters mean when they mention that the system distinguishes among individuals by skeletal structure, but in the Skype demonstration the technology does seem to recognize a dog as something worth paying attention to.

Voice Recognition Capabilities At The FBI

Hirotaka Nakasone, Senior Scientist, FBI Voice Recognition Program, examines the use and effectiveness of current speaker authentication technologies at the FBI. In this IDGA exclusive, Nakasone also highlights the various challenges that are unique to voice recognition, and discusses what plans are in place for capturing voice recordings in line with the FBI’s Next Generation Identification (NGI project).

Definitely worth checking out.

A quick education into voice biometrics

Voice Biometrics detects 98% of fraudulent calls (IT Wire)

Traditionally ID verification is all about two or more things – something you know (knowledge factor), something you have (possession factor) and something the user is (biometric factor).

VB [ed. Voice Biometrics] is one of the strongest and most convenient of these three, with a few seconds of natural speech removing the need for pin numbers, date of birth, mother’s maiden name and so on. All of which are increasingly easy to get hold of from social media sources and targeted malware stealing pins and passwords.

Read the whole thing. Voice biometrics seem to be improving rapidly and there is a huge installed base of networked hardware — land line phones — for which voice is the only biometric option.

Biometric authentication for cloud storage

Intel’s McAfee brings biometric authentication to cloud storage (Computer World UK)

Intel is introducing new ideas to secure the public cloud, offering a service in which online files can be accessed after users are verified by an authentication scheme including face and voice recognition.

McAfee, a unit of Intel, is adding a product called LiveSafe that will offer 1GB of online storage that can be accessed through biometric authentication. LiveSafe has a Web-based management dashboard, and users can be authenticated through face recognition, voice or by punching in a PIN. LiveSafe also includes antivirus and other security features.

Consumers seem eager for banks to add voice biometrics

Can voice biometrics help banks restore consumer faith? (Finextra)

Voice Biometrics offers many advantages including the ones below:

  • It removes the human operator from the authentication process
  • It prevents the information obtained through data breaches from being used
  • It removes the need for complex passwords and PINs
  • When properly integrated, it can remove the need to duplicate the authentication process.

Voice is the ideal biometric modality for telephone call center ID.

The challenges confronting any new biometric modality

[ed. This post reflects a substantial rewrite of an earlier post of January 24, 2013: Not the bee’s knees]

Every once in a while a version of the following paragraph finds itself in the news…

Biometrics Using Internal Body Parts: Knobbly Knees in Competition With Fingerprints (Science Daily)

Forget digital fingerprints, iris recognition and voice identification, the next big thing in biometrics could be your knobbly knees. Just as fingerprints and other body parts are unique to us as individuals and so can be used to prove who we are, so too are our kneecaps. Computer scientist Lior Shamir of Lawrence Technological University in Southfield, Michigan, has now demonstrated how a knee scan could be used to single us out.

Forget digital fingerprints, iris recognition and voice identification, the next big thing in biometrics could be your ______________.

Examples are numerous and fecund:

Heartbeat?
Rear-end?
Ear?
Bone structure or electric conductivity?
Footsteps?
Nose? (ed. Link added later. I forgot about that one.)
Body odor?
Brain prints?
Lip movements?
Kneecap?

While I suspect that any definable aspect of the human anatomy could be used as a biometric identifier — in instances where teeth are all that is known about an individual, they are used for high confidence identification — I’m afraid that, for the foreseeable future, the cards are stacked against any new biometric modality catching on in any big way.

The reasons for this are both scientific (research based) and economic (market based).

On the science side, a good biometric modality must be: unique, durable, and easily measurable. If any of these are missing, widespread use for ID management isn’t in the cards. If something is unique and durable but isn’t easily measurable, it can still be useful but it isn’t going to become ubiquitous in automated (or semi-automated) technology. Teeth and DNA fit this model. Teeth have been used to determine the identity of dead bodies with a high degree of certainty for a long time, but we aren’t going to be biting any sensors to get into our computers any time soon — or ever. Likewise with DNA.

There is also the challenge of proving that a modality is in fact unique, durable and easily measurable which requires a whole lot of experimental data and (especially regarding uniqueness) a healthy dose of statistical analysis. I’m no statistician, and from what I understand, the statistical rules for proving biometric uniqueness aren’t fully developed yet anyway, so let’s just leave things in layman’s terms and say that if you’re wanting to invent a new biometric modality and someone asks you how big a data set of samples of the relevant body part you need, your best answer is “how many can you get me?”

In order to ascertain uniqueness you need samples from as many different people as you can get. For durability you need biometric samples for the same person taken over a period of time and multiplied by a lot of people.

Ease of measure is more experiential and will be discovered during the experimentation process. The scientists charged with collecting the samples from real people will quickly get a feel for the likelihood that people would adapt to a given ID protocol.

For two common biometric modalities, face and fingerprint, huge data repositories have existed since well before there was any such thing as a biometric algorithm. Jails (among others) had been collecting this information for a hundred years and the nature of the jail business means you’ll get several samples from the same subject often enough to test durability, too, over their criminal life. For face, other records such as school year books exist and were readily available to researchers who sought to test the uniqueness and durability of the human face.

The first hurdle for a novel biometric modality is the competition for the attention of scientists and researchers. Getting the attention of science and technology journalists by making a pronouncement that the space between the shoulder blades is the next big thing in biometrics is one thing. Getting academic peers to dedicate the time and research dollars to building the huge database of interscapular scans required for algorithm development is quite another. Any new modality has to offer out-sized advantages over established modalities in order to justify the R&D outlay required to “catch up”. This is highly unlikely.

On the market side, in order to displace established (finger/hand and face/eye) biometric modalities in wide scale deployments, the academic work must be complete and the new technology must produce a return on investment (ROI) in excess of that offered by existing technologies designed to accomplish the same function.

That’s not to say that modalities that didn’t have the advantage of a 100 year head start on data collection are impossible to bring to market. Iris, voice, and the vascular biometrics of the hand (palm, finger) have joined face and fingerprint biometrics in achieving commercial viability despite the lack of historic data repositories. But there were several things recommending them. They either occupy prime real estate on the head and the end of the arm (Iris, vein) making them easy to get at, or they are the only biometric that can be used over a ubiquitous infrastructure that simply isn’t going anywhere (voice/phone), or they offer advantages over similar established modalities. With hand vascular biometrics: they’re harder to spoof than fingerprints; no latency; avoidance of the “fingerprinting = criminality” stigma; can work with gloves; users can avoid touching the sensor, etc. With iris: harder to copy than the face; harder to spoof; easier to measure than retina vasculation; and extremely low/no latency. Yet even despite gaining the required academic attention, iris and voice have had great difficulty overcoming the market (ROI) hurdle, which brings us back to knees.

Is there any database of kneecaps of significant size to allow researchers to skip the time-consuming task of building such a database themselves reducing the cost of development? Is there any deeply embedded ubiquitous infrastructure that is already an ideally suited knee-sensor? Is there any objection to modalities that have a head start on knees that knee biometrics would overcome? Is there any conceivable, repeatable, scalable deployment where a potential end user could save a whole lot of money by being able to identify people by their knees? I’m at a loss but these are exactly the kind of questions any new biometric modality must be able to answer in the affirmative in order to have any hope for wide-scale deployment.

So, it’s pretty clear that knee biometrics are not something the average person will ever come into contact with. Does that mean there is no value in exploring the idea of the kneecap as a feature of the human anatomy capable of being used to uniquely identify an individual? Not necessarily.

In order to thrive as high value-added tools in highly specialized deployments a novel modality just needs to help solve a high value problem. This has heretofore been the case with teeth & DNA. The analysis of teeth and DNA is expensive, slow, requires expert interpretation, and is difficult to completely automate, but has been around for a long, long time and isn’t going anywhere anytime soon. That’s because the number of instances where teeth and DNA are the only pieces of identifying information available are frequent enough, the value of making the identification is high enough, and the confidence level of the identification is high enough that people are willing to bear the costs associated with the analysis of teeth and DNA.

Beyond teeth and DNA, any biometric modality can be useful, especially when it is the only piece of information available. The CIA and FBI even invented a completely novel biometric approach in an attempt to link Khalid Shaikh Mohammed to the murder of Daniel Pearl using arm veins. But how likely is something like that ever to be the case for any of these novel modalities, knees included? It’s possible that the situation could arise where a knee bone is discovered and there is an existing x-ray or MRI of a known person’s knee and a comparison would be useful. That, however, is not enough to make anyone forget about any already-deployed biometric modality.

Sorting out voice technologies

On the occasion of Amazon’s purchase of Ivona, The Verge has a good article sorting out various voice technologies.

Key bit:

  • Text-to-speech: reads text that’s already been written into something approaching a human-sounding voice (Ivona, AT&T, Microsoft, many others);
  • Speech-to-text: transcribes what you say word-for-word into text (Dragon, Yap);
  • Voice recognition: biometric that knows who you are based on your voice (like in Sneakers);
  • Natural-language AI: transcribes speech and/or parses text, looking for keywords and structure to turn ordinary sentences into computer queries (Siri’s core technology).
Those interested in voice tech should click through.

Hardware & ID Security: PC vs Mobile

Mobile banking to hit 1 billion users by 2017

Fortunately for the consumer, mobile devices often contain technologies such as GPS that track the user’s location, front-facing cameras that can be used for face-recognition, and other biometric tools such as voice recognition technology and in some cases fingerprint technology. In December, Ben Knieff, head of fraud at financial crime and technology specialist NICE Actimize told Banking Technology that mobile banking could eventually become safer than online banking.

“While consumers didn’t like biometrics ten or even five years ago, rising usage of the technology on sites like Facebook has made it more acceptable,” he said. “Consumer sentiment is changing, and I believe there could actually be an opportunity to use some of these technologies to make mobile banking even safer than internet banking is today.”

The whole article is worth reading but two points in the second paragraph quoted above are especially thought-provoking.

That’s the first time I’ve seen the Facebook face recognition issue turned on its head like that. Stories of outrage at the Facebook facial recognition app are easy to find. Whether this has more to do with Facebook’s User Agreement policies or biometric technology is a subject for another day, but is it possible that as suggested above, by putting people into contact with the technology the Facebook face rec kerfuffle has made biometrics more acceptable to the networked public?

Another fascinating item in the second paragraph is the notion that mobile banking can be inherently safer than online banking conducted through desktop or laptop computers. We discussed some of the reasons for this in Mobile Devices and Biometric Modalities, but the reasons why authentication via mobile devices may be more rigorous than that using other hardware go beyond biometrics. Mobile devices are quite simply capable of covering all of the factors listed below. In a multifactor authentication model, the more factors that can be determined simultaneously, the higher the confidence in the authentication transaction.
Here they are.

Something you have (tokens: key, prox card, mobile phone, etc.)
Something you know (passwords, PINS, codes, high school mascot, etc.)
Something you are (biometrics: eye, voice, face, fingerprint)
Where you are (location: IP address, cellular signal, GPS, in the bank branch)
When you are (time)

Mobile hardware supports all the factors above and, in the factors with bold face, mobile platform security exceeds the security attributes of PC hardware. Mobiles make better tokens because they aren’t often shared, they have Bluetooth, near field communication (NFC), Wi-Fi capabilities for external signaling and, of course, they’re mobile. They support passwords (OK, maybe not quite as conveniently as PCs). Two biometric sensors, the camera and microphone, come stock on all mobiles. They know where you are at all times.

The what time it is question is a draw in the current discussion. Both technologies in question (mobile vs. PC) are equally ignored here because the question of time is answered on the server side; i.e. you can’t avoid late fees by setting the clock back on your PC when you make last month’s payment online. Payees have their own clocks. I just included it because it’s a real factor and there are ID/security applications where an individual is treated differently at different times of the day. Time also comes up in combination with location. Credit cards run fifteen minutes apart in gas stations separated by 1,000 miles raise suspicion.

That’s the theory anyway. In theory, mobile hardware can facilitate higher confidence ID authentication. In practice the security vulnerabilities of the PC world are better understood. There are several household names offering services that maintain PC hardware as a virus/trojan/worm free environment. Uptake of similar technologies has yet to take off with mobile hardware. That will change, though, if more people use mobile hardware to handle their finances.
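The time-plus-location check mentioned above (cards run fifteen minutes apart at stations separated by 1,000 miles), sketched as an added Python example that is not part of the original post. The speed ceiling, the minimum-distance floor, the record fields and the sample transactions are all assumptions constructed for illustration; elapsed time is taken only from the payee's server clock, as the post notes.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_MILES = 3958.8
MAX_PLAUSIBLE_MPH = 600.0  # assumed ceiling, roughly airliner cruising speed
MIN_MILES = 25.0           # assumed floor: ignore movement within one metro area


@dataclass(frozen=True)
class Txn:
    card_id: str
    server_time: datetime  # stamped by the payee's server on receipt
    client_time: datetime  # reported by the device; never trusted below
    lat: float
    lon: float


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def flag_impossible_travel(txns, max_mph=MAX_PLAUSIBLE_MPH, min_miles=MIN_MILES):
    """Return (previous, current, implied_mph) for each consecutive pair of
    same-card transactions whose implied travel speed exceeds max_mph."""
    last_seen, alerts = {}, []
    for cur in sorted(txns, key=lambda t: t.server_time):
        prev = last_seen.get(cur.card_id)
        last_seen[cur.card_id] = cur
        if prev is None:
            continue
        miles = haversine_miles(prev.lat, prev.lon, cur.lat, cur.lon)
        if miles < min_miles:
            continue
        hours = (cur.server_time - prev.server_time).total_seconds() / 3600
        # Two distant uses in the same server second: implied speed is unbounded.
        mph = math.inf if hours == 0 else miles / hours
        if mph > max_mph:
            alerts.append((prev, cur, mph))
    return alerts


# Constructed sample data (not real transactions).
NYC, MIAMI, NYC_NEARBY = (40.7128, -74.0060), (25.7617, -80.1918), (40.7306, -73.9866)
NOON = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def txn(card, minutes_after_noon, place, client_skew_hours=0):
    """Build a sample record; client_skew_hours models a tampered device clock."""
    server = NOON + timedelta(minutes=minutes_after_noon)
    return Txn(card, server, server + timedelta(hours=client_skew_hours), *place)


SAMPLE_TXNS = [
    txn("card-A", 0, NYC),
    txn("card-A", 15, MIAMI, client_skew_hours=24),  # device clock set a day ahead
    txn("card-B", -180, NYC),
    txn("card-B", 60, MIAMI),        # four hours apart: a plausible flight
    txn("card-C", 0, NYC),
    txn("card-C", 15, NYC_NEARBY),   # fifteen minutes apart, same city
    txn("card-D", 0, NYC),
    txn("card-D", 0, MIAMI),         # identical server timestamp
]

if __name__ == "__main__":
    for prev, cur, mph in flag_impossible_travel(SAMPLE_TXNS):
        print(f"{cur.card_id}: implied speed {mph:.0f} mph between "
              f"{prev.server_time:%H:%M} and {cur.server_time:%H:%M} UTC")
```

Had the check used `client_time`, the card-A pair would appear to be more than 24 hours apart and would pass unflagged.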

Is voice the killer app for mobile ID?

The Rise of Voice Biometrics for Mobile Phones (MIT Technology Review)

Analysis of voice verification technology from a security angle

The question of course is which biometric system to use. Face, fingerprint and iris recognition are all topics of intense research. But the most obvious choice for a mobile phone is surely voice identification. However, this approach has been plagued with problems.

For example, people’s voices can change dramatically when they are ill or in a hurry. What’s more, it’s relatively easy to record somebody’s voice during authentication and use that to break the system. So many groups have steered away from voice biometrics.

That could be set to change.

Mobile devices already contain the hardware required to deliver two biometric modalities: a camera for facial recognition and a microphone for voice. These modalities present challenges not usually associated with fingerprint biometrics — in the case of facial recognition challenges include lighting and the well-publicized photograph hack; for voice, background noise (etc.) can be a problem — but they offer the advantage that the hardware is “free” and never going to be yanked out of mobile devices. That’s quite an advantage, and it points to why face and voice biometrics are the front-runners for handset biometrics.

This post has a longer discussion of mobile ID management and hardware.

Microsoft Acquires Mobile Hardware Security Firm

Microsoft Boosts Mobile Security with PhoneFactor Acquisition (CMS Wire)

Microsoft will be able to tout these features as built-in or an option once the acquisition and integration is complete. PhoneFactor currently offers services for enterprise, government, banking, healthcare and other verticals, while also supporting Citrix, IBM Tivoli and VMWare.

It claims that the PhoneFactor Agent service reduces the risk of compromise and increases security with benefits including: instant fraud alerts, biometric voice authentication and transaction verification, with the advantage of no extra dongles or training needed.