HSBC voice recognition security system spoofed by BBC

BBC Click reporter Dan Simmons reported that his non-identical twin brother was able to access his bank account through the voice-recognition verification system recently launched by HSBC.

How does the voice recognition ID system work?

Most of you may have heard of voice recognition systems before. One was also launched by Barclays Bank in early 2013 for some of its wealthiest customers and, seeing its success, the bank planned to make it available to its retail customers.

HSBC, too, developed a voice recognition system where customers only need to say “My voice is my password” after entering their personal details. To access their account, they then record their voice until the system matches it with the original recording.

According to HSBC officials, voice recognition technology is supposedly the safest way to bank and protects customers from breaches. However, this claim was invalidated when the system was tested by a BBC reporter’s twin brother.


Joe Simmons successfully infiltrated his brother’s account

Dan Simmons’s non-identical twin brother, Joe Simmons, tested the system and managed to mimic his brother’s voice and breach his account. What is more surprising, however, is that despite failing seven times to imitate his brother’s voice, Joe finally got in on his eighth try. This is unlike traditional password systems, where a user is locked out after entering an incorrect password three times. Nevertheless, even though Joe was able to access his brother’s account, he was not able to withdraw any money. All he could do was view his brother’s recent transactions and make transfers.
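An added example (not from the BBC test or HSBC's system): a per-account failed-attempt lockout wrapped around a voice matcher, replaying the seven-failures-then-success sequence described above with and without a three-attempt limit. The match scores, the 0.80 threshold, the account name and the 5% per-attempt false-accept rate are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

THRESHOLD = 0.80  # assumed match-score threshold (hypothetical value)

@dataclass
class VoiceGate:
    """Voice matcher front end with a per-account failed-attempt lockout."""
    max_failures: Optional[int] = 3      # None models a system with no limit
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, account: str, score: float) -> str:
        if account in self.locked:
            return "locked"              # the sample is not even scored
        if score >= THRESHOLD:
            self.failures[account] = 0   # reset the counter on success
            return "accepted"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if self.max_failures is not None and n >= self.max_failures:
            self.locked.add(account)     # needs out-of-band unlock afterwards
            return "locked"
        return "rejected"

def replay(scores, max_failures):
    """Feed a sequence of match scores for one account through a fresh gate."""
    gate = VoiceGate(max_failures=max_failures)
    return [gate.attempt("acct-demo", s) for s in scores]

def cumulative_false_accept(p: float, attempts: int) -> float:
    """Chance an impostor is accepted at least once in `attempts` tries,
    assuming each try is independent with false-accept rate p (a simplification)."""
    return 1 - (1 - p) ** attempts

# Constructed scores: seven near misses, then a match on the eighth try.
SCORES = [0.61, 0.70, 0.66, 0.74, 0.72, 0.78, 0.77, 0.83]

if __name__ == "__main__":
    print("no limit :", replay(SCORES, None))
    print("limit 3  :", replay(SCORES, 3))
    for n in (3, 8):
        print(f"{n} tries at p=0.05 -> {cumulative_false_accept(0.05, n):.3f}")
```

With the limit in place the eighth sample is never evaluated, and the cumulative false-accept chance is capped at the three-attempt figure rather than growing with every retry.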

What does HSBC have to say?

After the issue was made public, officials at HSBC said that they would work to make the system more secure and would allow users only three attempts to enter the correct password. However, one of the officials also said that the breach does not imply that fraud can be committed using the voice recognition ID.

This is because, according to the official, Joe knew the voice of his brother and was hence able to mimic it while sitting beside him. Fraudsters, on the other hand, would not know someone’s exact voice and would not be able to pass the rigorous authentication algorithm integrated with the system. An HSBC spokesman told the BBC:

  • “The security and safety of our customers’ accounts are of the utmost importance to us. Voice ID is a very secure method of authenticating customers. Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than Pins, passwords and memorable phrases.”

Tom Harwood, Chief Product Officer at Aeriandi, commented on the issue and said that:

“Biometrics technology has been widely shown to significantly reduce fraud – but it’s not the whole solution. And as this experiment has illustrated no security technology is 100% fool-proof. Technology advances have shown that it is now possible to cheat voice recognition systems. Voice synthesizer technology is a great example. It makes it possible to take an audio recording and alter it to include words and phrases the original speaker never spoke. The good news is that there is a way to protect against phone fraud beyond biometrics – and that’s fraud detection technology. Fraud detection on voice looks at more than the voice print of the user; it considers a whole host of other parameters. For example, is the phone number being used legitimately? Increasing phone fraud attacks on UK banks come from overseas. Voice Fraud technology has been proven to protect against this as well as domestic threats.”

Thomas Fischer, threat researcher and security advocate at Digital Guardian, said that:

  • “It’s really hard to remember a hundred different, complex passwords and so biometrics have been widely accepted as a strong step towards better security and a way to make it easier for consumers. After all, it’s far more difficult to spoof someone’s voice, face or fingerprint than it is to guess their weak password. The BBC is certainly not the first to research ways to fool voice recognition systems or bypass fingerprint sensors, but this is no mean feat and depends on the quality of the original biometric imprint. Brute force cracking weak passwords, on the other hand, can be done with relative ease. Biometrics are certainly not perfect, but anything we can do to make it more difficult for attackers to win and easier for consumers has to be a good move.”

Is the system effective?

Statistics show that the system is indeed useful, as customers find it highly efficient to simply use their voice to access their accounts. Also, the technology enables its creators to upgrade security more easily and more efficiently than in the case of password-protected systems.

Nonetheless, as with every other advance in technology, minor bugs are inevitable. Such biometric verification IDs are certainly the future of security and are likely to improve with enhanced security features being built into them.



Jahanzaib Hassan