BBC fool HSBC voice recognition security systems

I’m with First Direct who uses the same system but I’m good… I don’t have a twin :joy:

1 Like

To be fair, this is the important point -

“Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than PINS, passwords and memorable phrases.”

1 Like

I wonder if this would work if you are trying to call late on a Friday night during a heavy session :laughing:

I wonder what it would be like if you set up during a heavy session :laughing:

A friend set up his account when he had a sore throat and heavy cold…it would not work after he got better :slight_smile:

Yeah but the twin also had all the other account info that his brother gave to him. So it’s not like it was just voice mimic that got him in. Bit of a non story in my opinion

It’s just like my other half calling up say Sky to change the package but the account is in her sisters name.

People have been doing it for years


Typical BBC Tech story. A guy who knows little about IT trying to write a scare story


I havent seen this before - I was interested in that it implies its the same challenge sentence every time. Its both interesting that with the same sentence people arent more similar but also why its not possible to have different challenge sentences?

All of these can be gained easily if you were being targeted. In the UK, we don’t consider these sensitive information. It’s like giving someone your (email or physical) address but for banking.

In any case, voice passwords in general are awful, easy to fake and VERY easy to fall into situations where you’re being non-inclusive.


The security and safety of our customers’ accounts is of the utmost importance to us.

>doesn’t use HSTS
>insecure voice recognition with unlimited tries
>Symantec EV cert which Chrome will ignore the EV status of, and truncate the validity to 9 months
>doesn’t store passwords securely

10/10 HSBC :clap:

Regardless of how many legacy banks try and play catch up and roll out new technology, they have shown time and time again they don’t have a clue when it comes to building a modern, reliable and secure system - and for this reason I won’t be looking back once Monzo launch current accounts.

1 Like

I’d be careful with this one. There are secure technical means to decrypt password with a password to compare n-th letters from secondary password. I’m not sure what’s at step 1&2, but I’m assuming there’s something that allows them to decrypt password in order to compare letters. I would be wildly surprised if HSBC was not storing passwords securely (hashed with something decent).


Agreed. HSBC WILL be storing passwords securely, I’m pretty confident they’d be in breach of all sorts of legislation otherwise.

Encryption != using a secure password hash function (bcrypt, PBKDF2, scrypt). I don’t consider the former to be (as) secure.

They could be using a HSM + a reversible form, which would be marginally better than handling encrypted passwords directly (but would still require a lot of thought in terms of key management), but to be honest I doubt it for a bank.

Using (a)symmetric crypto on the passwords is absolutely still less secure than a proper password hashing function (though it may well be compliant with PCI-DSS). The bank should not be physically able to recover the plaintext and these schemes violate that since I don’t remember HSBC’s site asking me for any sensitive information prior to the password digits.

Worth reading:

1 Like