Steve Weisman is a lawyer, college professor, author, and one of the country’s leading experts in cybersecurity, identity theft, and scams.
“Is it live or is it Memorex?” was an advertising slogan for Memorex audio tapes in the 1980s where the company suggested you couldn’t tell if you were listening to a live performance or a recording. The stakes were not particularly high if you guessed wrong. Today, however, the question of whether audio is a cloned voice made with AI or the voice of a real bank customer is a more serious one.
As we all know, passwords as a method of authentication for your accounts are not particularly secure. Passwords may be stolen or compromised in a data breach, and security questions have also become increasingly vulnerable, particularly with the data harvesting capabilities of AI. Biometrics such as a fingerprint are a good verification tool for opening your phone, but what about using biometrics to access your bank account? Many banks such as Bank of America, Capital One, HSBC, and Barclays offer voice verification, where your voice on the phone acts as your password, allowing you access to your account.
Voice biometric authentication is generally done using one of two methods. In one method, the customer is required to speak a specific phrase such as “My voice is my password,” which is then matched against the recording of their voice made when they first set up voice verification. With the second method, the customer converses normally without having to say any particular phrase, and that speech is again verified against an earlier voice recording.
With so many people now doing their banking on their cell phones, banks are using biometric voice authentication on mobile banking apps. Banks using this technology say that it is a safe and secure option.
But how secure is it?
British reporter Shari Vahl of the BBC used an AI clone of her voice to access accounts at two banks: Santander and Halifax. Both banks accepted the AI-generated voice and granted her access to the accounts. British reporter Joseph Cox also used readily available voice cloning technology to access his account at Lloyds Bank.
The banks will tell you that voice biometric authentication is a sophisticated technology that analyzes more than 100 unique vocal characteristics including tone, pronunciation patterns, speech rhythm, and accent. Voice patterns are considered to be as unique as fingerprints. However, even in the best of all worlds there can be problems using voice recognition. Background noise can interfere with the analysis of the voice by the bank’s system, and voices can change due to advancing age, illness, or even emotional states. Further, different phone connections can also affect recognition accuracy.
But even worse is the threat of AI voice cloning by identity thieves. With AI voice cloning technology now widely available, it can be a simple matter for someone to clone your voice from as little as 30 seconds of audio from social media.
It must be noted that there have not been reports of widespread hacking of bank accounts through voice cloning (most banks have other safety measures in place, such as requiring that the call come from a previously verified device). But with the vulnerability of present voice verification systems, the problem will only grow.
So how can you protect yourself?
As I always urge you to do, you should use dual-factor authentication whenever possible, including if you are using voice verification for your bank account.
Further, just as we all should be protective of personal information we post on social media that can be leveraged against us for scams and identity theft purposes, we should now consider whether we wish to take the risk of posting audio. If you do post audio, take the time to research the latest tools available to prevent voice cloning, such as AntiFake.
Comments
It’s no trouble whatsoever to do my banking in person at the U.S. Bank, either at the branch or more commonly at the in-store (Vons/Albertsons/Ralph’s) versions. I’ll look up my account online to check the balance and make sure there are no unauthorized charges vampiring my money. Of course even that is only on the desktop, NEVER on the cellphone! I wouldn’t do any transactions as such though over either one, Steve.