Was it it tested with a DVR?
They're cheap and the reproduction is great. I'd like to think they'd taken this into account.
Barclays is abolishing passwords for its telephone banking customers in favour of voice recognition. The UK high-street bank – which has been trialling voice recognition technology with a limited number of customers for three years since 2013 – said that technology that identifies a caller based solely on their voice is a “ …
"made up of over 100 characteristics based on the physical configuration of the speaker's mouth and throat."
Presumably, a speech synthesiser program which has these 100 variables as parameters is relatively straightforward to create.
In other words: if someone steals your vocal fingerprint, they'll easily be able to login to the bank and issue arbitrary commands. Even if it sounds like a robot, that doesn't matter as long as it convinces the computer at the other side.
"Only as part of 2FA."
Apparently the Barclays tech and management, team did not watch Star Trek, The Next Generation, where on the episode "Brothers" Commander Data mimics Picard's voice to take control of the ship. After this event, 2FA is implemented with access codes (passwords) on top of the voiceprint recognition.
Life imitates art, indeed. This won't end well.
Presumably, a speech synthesiser program which has these 100 variables as parameters is relatively straightforward to create.
It is, but these are variables, each can take a wide range of values, so the possible combinations are huge.
Even so, it's a crap idea. Getting speech recognition to work over the compression and distortion of POTS or VoIP phone lines is non-trivial, and often involves substantial watering-down of algorithms, which makes faking the pattern easier.And as already pointed out, this is useful for recognizing the person (i.e. the equivalent of a username) but it should never be used for authentication (a password). If I had a Barclay's account I'd cancel the telephone banking service now.
Anyone care to take bets on how long before the first exploit is published?
"Then we can look forward to voice recognition AND remembering a password!"
BVR:"Hello, Your voice identifies you as Captain DaFt. Please enter your password to continue."
Me:" Uh.... Dammit, I can never remember that damned thing!"
BVR:"Password confirmed as matching previous entries, you may continue."
I love how I get 2 down votes and people who have never seen this in action get the up votes for saying it will work with a DVR, which is utter bollocks
Go to to a comms trade show and visit Nuance and see it in action.
No I don't work for them and no I don't even use it. But I have seen it, tried it and tested it.
But I still wouldn't make it the only method, no more than I would a single password.
Voice control in my 2016 Ford:
I say: "Play "One Vision"."
It hears: "Dial Elisa?"
I gave up after that. It has a touchscreen so I just use that instead.
And, no, the audio is crystal clear and the road-noise absolutely minimal (i.e. people think I'm in the office when I answer from the car using the same internal mic/speakers).
The only audio command that I can "almost" get working is "USB - Play All", and that's got about a 90% success rate and the only reason I use it is when a passenger hits the wrong button and it goes onto radio, because it's a bark to get it back especially when you're trying to tell the passenger what to press to do so.
Even then, I once had the following exchange:
I say: "USB"
It heard: "Navigate".
I haven't even TRIED to get it to recognise Destination Home because it's so finicky on everything else and I've had little success. When you're training YOURSELF to the car system rather than the other way around, you know it's time to just press buttons instead.
Probably the same as in their computers & phones, works adequately with a good microphone close to your face. But even then you find yourself training yourself to the software. I'll bet you anything (5p to be precise) Ford didn't bother to install the various regional voice recognition files.
The VC in my Honda used to be horribly hit and miss. It could take several minutes of me getting increasingly irate before I finally got it to dial a number. Honda have fixed that in the latest version though.
Now you can only dial using the touch screen or through phrases you have recorded and attached to contacts.
But then their oh-so-wonderful infotainment unit has so many bugs that cutting out features seems a wise decision. It comes to something when you pay £18k for a car and sometimes it can't play music for ten minutes because it's struggling to boot.
Never trust a hardware manufacturer to write software. In this case apparently the head unit is supplied by Pioneer.
To counteract the chance of being asked something you haven' made a recording for, all you'd need to do is go through the process yourself, making mistakes and seeing what you were asked to say. Then record enough of your victim to get a supply of necessary words, use some cheap music-editing to splice up into responses and off you go.
I've only been a Barclays customer for a couple of months and so far I'm not impressed. Features absent from their online service, Indian call centre staff saying "Sorry sir you can't do that online you will have to visit your branch". Long queues in the local branch, the clerk at the bank then not being able to handle my request so needing to make an appointment to see someone at the bank several days later. The clerk at the subsequent appointment having problems with her computer and having to process everything on paper instead and mail it to head office. Duff advice via their call centre from someone with a poor grasp of English and several weeks delay in anything happening resulting in me missing a critical financial deadline. Wonder if I can use voice recognition to tell them where to shove their account as I'm going to close it? They might want to consider investing in the basics of banking and customer service before investing in high-tech features of dubious reliability / security. Anon for obvious reasons.
Barclays are absolute scum. My local branch replaced all their humans with some absolutely crappy machines. Thing is I'll trust a machine to scan my groceries, or to withdraw cash, but to do anything more complicated? No f*cking way. And if you want to talk to a person to do something instead the staff get really arsey about it. Terrible customer service, terrible bank.
I've just phoned the person at Barclays we saw three weeks ago, using the number on her business card. The number leads to a nightmare telephone maze, and I ended up stuck in a queue so long that I used the option for them to call me back instead. Half an hour later someone phoned me from India who had to repeat everything several times so I could fathom what he was saying through his heavy accent. Predictably, he couldn't help me and eventually tried to transfer my call back from India to my local Barclays branch to the person who's business card number I'd actually phoned. Stuck waiting for five minutes listening to background music and finally he said all the lines are busy, try phoning them again in a couple of hours or go to my branch in person.
I was assured my original request would take three days. Three weeks later and nothing, no response and virtually impossible to speak to anyone at Barclays to resolve this. So my options are to try via the nightmare telephone maze and Indian call centre again and have to explain everything from scratch again or to stand in a queue at my local branch for twenty minutes to see the cashier only to be told I need to make an appointment to come back again another day. Barclays bank sucks.
They really are a bunch of clown shoes...
They don't support Google pay, because they think they can do better with their own system, and none of their ping-it, mobile banking apps will have anything to do with a rooted Android device (because "security!")... And then they introduce a daft system like this... Who's advising them on security issues? Some government "expert"?
Assuming it has as much trouble understanding Drunk Mongo as everyone else, it should mean less starting in outrage at bank statements (only to sadly admit their plausibility). Now if Amazon and Ebay enable it too then I'll have to fall back upon flea markets for cluttering up the house with ill -considered tat.
Nationwide have added TouchID to their iOS app. Touch isn't great and at least this is an alternative to the usual PIN. But voice just seems the most variable biometric to choose. What if you've a cold. Or it's windy, Or you're on a train. Or haven't good signal. Or are in a car...
So much bullshit in that article. A pity the only "expert opinions" are from people who make money out of biometrics. Should have sought opinions from people who a) know something about security and b) don't have a dog in the fight.
As to the claim that people have over 100 passwords for different accounts, that's straight up bullshit. He needs to justify that ridiculous statement with some actual evidence. Most people I know probably have about 3 passwords across maybe 20 accounts/devices.
The biggest problem with this is that biometrics are the equivalent of a username, not a password, and yet time and again these companies insist on getting that point wrong.
The big danger here is that as this becomes more and more routine everyone starts using it. At which point all I've got to do is hack the server at Tony's Kebab Hut which is poor securely and unencrypted because they bought some off-the-shelf system from a cheap provider. At that point the venn diagram of kebab fans and Barclays customers becomes very useful for side-channel attacks.
It used to be said that defending your data was a full-time thing and the attackers only had to get lucky once. As idiot companies jump on the shiny bandwagon of biometrics that's still true, but after the attackers get lucky once, you're compromised forever.
"Each person's voice is as unique as their fingerprint...Therefore, when a customer calls up...the technology will be able to identify them...".
"Barclays voice recognition technology...has been "fully tested".
You couldn't make this stuff up. Do you think they really believe it?
... and suddenly becomes a great big target. That'll be when it gets real testing. I think my adult male family members (dad, brothers, older nephew) could easily be confused with me and/or each other over the 'phone. Lots of characteristic mannerisms in the upbringing.
Any trained Thespians here? Your perspective would be interesting: how much can a trained voice do over and above the rest of us?
If it works as well as the voice control on my car or iPhone (which is to say with a 95-99% failure rate) I can see this being a great step.
Of course I gave up on Barclays about 20 years ago because of their complete ineptitude, so it make no difference to me.
What the hell is wrong with proper 2FA like every other secure service in the damn world?
Abandoned Barclays years ago.
In fact, I've been through most of the High Street banks. I've had run-ins with NatWest, Barclays, HSBC, etc. They just don't want my money, I can tell.
But Barclays was an especial "piss off" on several occasions.
A Barclays cheque, in my name, sent to my uni for my grant, from a government Barclays account, trying to put it into my Barclays account, in the in-university branch of Barclays (to the exclusion of all other banks because they'd obviously "bought" the uni). And they refused. Apparently I'd need ID to do that. And wait a week for clearance (I tell you what, I won't ID, you put it in and if in a week's time it's not been bounced, we'll call it okay, yes?).
I blacklisted them after that.
The hoops I've had to jump through for Internet banking for them (same reason I scrapped NatWest who at the time only supported IE4/5/6 and not Netscape at all - shows my age - because "it's more secure"!). And I wouldn't touch them because of the Android Pay refusal and the issues my colleague has with them trying to get into their account (You'd think an IT guy would be able to login without forgetting passwords, passcodes, etc.? Maybe it's just your system, and the four-day "go to your branch" debacle every time he needs it reset because it doesn't work).
Sorry, but if I had an account with them, I'd be removing it for this stupidity. Voice recognition may shortcut the "who are you" but it cannot ever provide the "prove it" section of actual authentication. And, hell, state-of-the-art voice recognition systems in the latest gadgets, on the bank phone lines and other places can't get my name right 5 times out of 10, barely understand one-word requests from a list of options, and have no idea how to interpret Cockney accents, run-on sentences, or even slight noise on the line. The false-positives must be unbelievable. Let alone trying to identify WHO I am. Hell, half my work colleagues that see me day in, day out can't do that - my colleague and I are constantly answering the phone and people think they are talking to the other one of us.
I'm honestly considering moving my account again at the moment because an online savings account I set up has been so wonderfully simple and easy to use, even online, even with smartphone apps, etc. that I'm that impressed I want to give them my money over the current idiots. But that's mainly because the current idiots talked me in circles when I lost their secure login keypad thing and told me to "just go onto online banking, log in (with the keypad I don't have) and order a new one". Now why didn't I think of that?!
But Barclays? Wow, they were on the blacklist before I even left university. Not quite as bad as HSBC who literally laughed in my wife-at-the-time's face when we asked for a mortgage. So we went next door to the branch where a guy sold us one at a better rate with no faffing at all and we paid every month, on-time, in full and when we sold that house, the increase in value paid that sucker off in full - with all the interest, and some profit. Amazing what non-shite customer service can do for your business.
Are you suggesting me?
Apparently banks no longer want me to put all my salary into their accounts, spend 90% of it on bills that I pay every month, never ring them, never bother them, don't even use ATMs (don't use cash at all), never visit a branch (I do everything online), never phone them (waste of time and I can do what I want online when it works), don't care about interest on my savings or any such restrictive pittance and will quite happily pay a reasonable monthly fee to achieve this? Quite where are they expecting to get money from then, as a high street bank? Hell, I don't even want them to print anything out. I just want them to hold a number and then send fractions of that number to other banks as required.
Honestly, all I want is my wages in, my bills out, be able to edit the bill's account number and amount and add new ones, and a card that works in most shops and online (which I can get for a pittance on a PAYG basis with any card company you can name). I don't see that's asking a lot from a bank, like it's never been.
I'd like to do that without being a) literally laughed out of the branch for asking for a mortgage that I was given in the next shop along without question, b) treated like a moron when it comes to simple things (contesting a £50 fee because they deliberately withheld paying a cheque (the ONLY cheque that was ever delayed in processing to the full extent they allow) to let a £10 transaction go through and charge me £50 for doing that. I'd rather they just refused the £10 transaction entirely), c) treated like a influent foreigner every time I phone up my own bank to ask about something out of the ordinary, d) treated like a criminal every time I want to log in and their system is down so I have to jump through the security hoops, e) treated like a robot every time I visit a branch and made to stand in line to press buttons on a machine that I could have done from home.
Hell, my current bank STILL send me a letter every month congratulating me on choosing paperless billing. On paper. In an envelope. Franked and posted. Every month. For the last three years.
I'd pay good money to have a bank that was just a bank and really didn't care. I don't ask for credit. I don't phone up and cause lots of hassle. I don't cash cheques, or withdraw cash from ATMs, or do complicated investments and share portfolios. I just want a Visa / Mastercard that works, that takes the numbers off my account, that takes my salary and puts the numbers back on my account, and that lets me log into a website to see the numbers. I don't think that's a lot to ask for, but apparently almost every bank I've ever had can't manage that with any consistency.
You hit the nail on the head. They do not want to provide a service. There is no[t enough] money in that. They wish to sell you. Not even sell a product to you any more, they just want all your money in their pockets. If there is a guise of a product, then perhaps they may suggest one, but if they can get it through other means, they will try.
" I don't ask for credit."
There's your problem. You don't earn them enough money. Salary in, bills out, no debt. That's all the signs of the worst possible customer to the big high street banks. The WANT you to be in debt and taking their credit and paying them interest. This is why they are all trying their damnedest to get customers to "upgrade" their free current accounts for new, "better" current accounts that include silly and pointless extras such has low grade travel insurance and memberships of wine clubs etc, all for a low, low monthly fee.
I find the Co-op to be pretty good. They did send me a device, but I don't need this to log in and do basic banking, only to set up new direct debits and such-like which I can have them do by calling up their very pleasant UK call-centre staff. Everything gets done in a jiffy on the phone. I do not work for them, I am just a satisfied customer.
I worked at a telephony shop not that long ago. We tested using voice identification, instead of using passwords, just on our internal voice mail system.
During the time we tested it, I was able to get access to every single C- level execs voice mail simply by mimicking their voice. When I demonstrated this during a meeting the whole concept was quickly dumped. Now, it only worked about 6 out of 10 attempts but that degree of success is incredibly high and certainly high enough to make the attempts worthwhile. To be clear, that's 6 out of 10 times of attempting to imitate Bob.
I'm not an "impressionist" by any stretch of the imagination. However, it doesn't take an Einstein to realize that there are probably quite a few people with those skills...
Personally, I think biometrics in general is a bad idea. Although I can certainly understand our desire to uniquely identify a single person, the fact is that these things can be faked with a high degree of confidence and shouldn't be used in a vacuum.
If Barclays have been testing this for several years before deciding to roll it out, then give them a little credit for having cause to believe it will work. An authentication session that takes two minutes might well require the customer to repeat random phrases, so DVR recordings of subject being spoofed would be useless.
As for voiceprint corruption from VOIP losses, etc: Even if this does turn out to be a problem, the effect will be a false negative, and worst case you'll have to authenticate some less convenient way.
I for one am quite interested in hearing of alternatives to passwords. If this does actually work, we'll probably see a lot more of it.
The time spent and Barclays claims have zero effect on reality. The proof is in the pudding.
I won't downvote you, but if this is used for anything more than identification (and even then that is risky) then it is very dangerous and error prone.
As posted lower down, even the Banks suggest not using such systems internally and externally in their own training material.
"An authentication session that takes two minutes might well require the customer to repeat random phrases, "
The two minutes refers to how long it takes a phone banking customer who's forgotten their password to get through the alternative security protocols.
In fact, in the article, Barclays says "the technology will be able to identify them simply from the first few words that are spoken,", so possibly less than a second or two to authenticate by voice.
So this is recognition as in identifying who you are, not recognition as in understanding what you're saying? I hate systems that attempt the latter, they don't like my voice at all. Contrast this with my wife, who breezed through the whole thing after I failed repeated attempts.
I think it was UFO where they had voice recognition in the room-lift that took people down to SHADO HQ and I think it was Foster who never bothered giving his name for the voice ID but quoted a bit of poetry.
I'm not sure if this post will be buried under all the others, but since the day dot of telephone banking, security training has been "don't go by voice recognition alone".
Even Mr Mannering may have demonstrated how Mr/Miss Smith Jr sounds an awful lot like Mr/Mrs Smith Sr!
The best part of those calls, was waiting until the end to catch them and asking "Thank you Mr Smith, can I please have your Dad's card number for security..." With the response "Yes, his number is... oh **** [sound of phone being slammed down]!"
From the article at Infosec:
" The users of voice recognition software, such as “Siri” or “Google Now”, can easily enhance their own security by regularly removing the headphones from their devices and creating own custom words that can be used for launching their software."
Sooo, something like passwords!
I had no problem with that Bank, but as a vanilla wage slave with no business add ons / and a tendency not to use telephone banking, pingit or similar systems I suppose I wouldn't.
However, when the ISA I had with them ceased to provide a return against even the low inflation now existing the method of removal was so... that I ended leaving £1 in it and walked away - I probably owe them money now. if I could be bothered to check.
Barclays are bastards. Yeah I know all banks have their problems but we've (my family) been unfortunate to have a couple of deaths in the family over the last couple of years and every other bank we've dealt with (Natwest, Co-op, Lloyds) have been professional and at least shown some human decency but not Barclays. Barclays do not deal with deaths in branch offices face to face you have to ring up a call centre. They emptied my brother's partner's account as they had an unsecured loan with them (no Barclays, you do not get paid before HMRC), took months to give account information, delayed payment for funeral expenses, only reversed actions that were illegal when threatened with the banking ombudsman and were generally as utterly obnoxious to deal with as they could possibly be.
Sadly, Barclays in its wisdom made all the staff redundant back in the 90/2000 who actually could be classed as bankers.there is no.one in the branches today who have general banking knowledge to pass on. But hey, does Barclays or any other bank care. Of course not. It's all about TheMoney. But as we read daily, the amount of fines paid by Barclays and the other High Street banks for the incompetence of the staff it now employs is proof that a little bit of knowledge is a dangerous thing,but training and experience keeps the customers happy.
Like all good techs, and university professors, they like to toot their horn and praise their technical prowess.
So it was with HSBC when they started pulling e-mail addresses and pushing voice calls. I chatted with one of their operators and she said they were experimenting with 'voice id' instead of the lists of questions.
Anyone who has used Nuance Dragon software are very familiar with what can go wrong.
It is possible to emulate another persons voice, borrowing from the Moog synthesiser crowd, and now my PA, a female, is able to impersonate me very well, electronically. On one test we started off with my voice and over a period of 2-3 minutes we slowly morphed from my simulated voice to her natural voice.
Eventually something clicked at the HSBC end and she said "But you are not ..." at which point we flicked back to the simulation. The woman said there is something very wrong because "our equipment is 'infallible'!"
Voice ID suffers from all the usual imperfections of distortion, phase distortion, clicks, etc. You name it.
The real danger is the banks will start saying their equipment is PERFECT and the person who sucked your account dry was YOU! And then they will try to stick you with the losses.