BBC fools HSBC voice recognition security systems


#1

Face ID not all it is cracked up to be
(Bob) #2

I’m with First Direct who uses the same system but I’m good… I don’t have a twin :joy:


(Alex Sherwood) #3

To be fair, this is the important point -

“Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than PINS, passwords and memorable phrases.”


(Danny) #4

I wonder if this would work if you are trying to call late on a Friday night during a heavy session :laughing:


(Rhys Short) #5

I wonder what it would be like if you set up during a heavy session :laughing:


#6

A friend set up his account when he had a sore throat and heavy cold… it would not work after he got better :slight_smile:


(Andrew Archibald) #7

Yeah, but the twin also had all the other account info that his brother gave to him. So it’s not like it was just voice mimicry that got him in. Bit of a non-story in my opinion.


(Danny) #8

It’s just like my other half calling up, say, Sky to change the package when the account is in her sister’s name.

People have been doing it for years.


#9

Typical BBC Tech story. A guy who knows little about IT trying to write a scare story.


(james_e_bell) #10

I haven’t seen this before - I was interested that it implies it’s the same challenge sentence every time. It’s both interesting that with the same sentence people aren’t more similar, but also why it’s not possible to have different challenge sentences?


(Chris Lavender) #11

The BBC seem to gloss over the fact that the person’s sort code, account number and DOB were already known by the supposed ‘fraudster’.

It’s great the companies are seeking new and better technologies to deter fraudsters, but nothing is ever going to be 100%. Sadly, this sort of reporting simply makes people less likely to try new and important updates to protect themselves. It stifles change, and just makes people scared.

What I’d like them to show is how easily they could trick or con someone vulnerable into providing security info, and how easily they could access an account with this info vs. when voice ID is active. Let’s see how successful the attempt would be then.


(Rika Raybould) #12

All of these can be gained easily if you were being targeted. In the UK, we don’t consider these to be sensitive information. It’s like giving someone your (email or physical) address, but for banking.

In any case, voice passwords in general are awful, easy to fake and VERY easy to fall into situations where you’re being non-inclusive.


(Adam Williams) #13

The security and safety of our customers’ accounts is of the utmost importance to us.

>doesn’t use HSTS
>insecure voice recognition with unlimited tries
>Symantec EV cert which Chrome will ignore the EV status of, and truncate the validity to 9 months
>doesn’t store passwords securely

10/10 HSBC :clap:


Regardless of how many legacy banks try to play catch-up and roll out new technology, they have shown time and time again they don’t have a clue when it comes to building a modern, reliable and secure system - and for this reason I won’t be looking back once Monzo launch current accounts.


(Marta) #14

I’d be careful with this one. There are secure technical means to decrypt a password with a password to compare the n-th letters from a secondary password. I’m not sure what’s at steps 1 & 2, but I’m assuming there’s something that allows them to decrypt the password in order to compare letters. I would be wildly surprised if HSBC was not storing passwords securely (hashed with something decent).


(Tommy Long) #15

Agreed. HSBC WILL be storing passwords securely, I’m pretty confident they’d be in breach of all sorts of legislation otherwise.


(Adam Williams) #16

Encryption != using a secure password hash function (bcrypt, PBKDF2, scrypt). I don’t consider the former to be (as) secure.

They could be using an HSM + a reversible form, which would be marginally better than handling encrypted passwords directly (but would still require a lot of thought in terms of key management), but to be honest I doubt it for a bank.

Using (a)symmetric crypto on the passwords is absolutely still less secure than a proper password hashing function (though it may well be compliant with PCI-DSS). The bank should not be physically able to recover the plaintext and these schemes violate that since I don’t remember HSBC’s site asking me for any sensitive information prior to the password digits.

Worth reading: https://security.stackexchange.com/questions/38744/taking-password-letters-not-whole-one-is-this-secure
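As an added example (not code from the thread, nor anything HSBC runs) of the distinction the last two posts draw between reversible storage and a one-way password hash: a PBKDF2 store, why a "give us characters 2 and 4" challenge cannot be verified against it, and an assumed per-subset hashing alternative that keeps storage one-way at the cost of far less entropy per digest. Function names and the sample secret are my own constructions.

```python
import hashlib
import hmac
import os
from itertools import combinations

# PBKDF2-HMAC-SHA256 work factor; OWASP's current guidance for SHA-256.
ITERATIONS = 600_000


def hash_secret(secret: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """One-way storage: return (salt, digest). Nothing stored here lets the
    server recover the plaintext, which is the property the post asks for."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return salt, digest


def verify(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive from the candidate and compare in constant time."""
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(recomputed, digest)


def enrol_partial(secret: str, k: int) -> dict[tuple[int, ...], tuple[bytes, bytes]]:
    """A 'read us characters 2 and 4' challenge cannot be checked against the
    single digest above, which is what pushes partial-password schemes toward
    reversible storage. Assumed alternative (not HSBC's scheme): at enrolment,
    hash every k-position subset under its own salt. The server then holds
    nothing it can invert to the full secret, but each digest protects only
    k characters' worth of entropy (10**k guesses for digits), so this still
    falls well short of hashing the complete secret."""
    return {
        positions: hash_secret("".join(secret[i] for i in positions))
        for positions in combinations(range(len(secret)), k)
    }


def verify_partial(store: dict, positions: tuple[int, ...], answer: str) -> bool:
    """Check the characters a customer read back for one challenge."""
    entry = store.get(tuple(positions))
    if entry is None:  # a challenge the server never issued, or wrong k
        return False
    salt, digest = entry
    return verify(answer, salt, digest)


if __name__ == "__main__":
    # Constructed sample secret, not real credentials.
    store = enrol_partial("29147", 2)
    print(verify_partial(store, (1, 3), "94"), verify_partial(store, (1, 3), "91"))
```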