Auraya Blog

HSBC Voice Biometrics Breached by Twin Attack

Pryathna Sankaranarayanan | May 25, 2017 | 6 minutes

Data breach by twin attack on HSBC bank account

A recent BBC article detailed a voice biometric breach that occurred when a journalist gained access to his twin brother’s HSBC bank account. The article exposes some common flaws in the design of legacy voice biometric solutions that reflect poorly on the industry as a whole.

A well-designed system would consider the threat model of adversaries so that the risks of a breach are well managed. It is disappointing to see these kinds of news stories when basic risk mitigation strategies already exist. While not every journalist has a twin brother, you can be sure that many readers will see this story as evidence that voice biometrics is broadly insecure.

However, the reality is that many financial institutions that have implemented ArmorVox voice biometric technology are experiencing fantastic levels of security well above that offered by traditional PIN and password. Voice biometric systems that work quietly and efficiently just don’t get publicity.

The news article showed how repeated attempts eventually led to a breach. Typically, security systems would introduce tighter constraints when there are signs of malicious activity. For example, an iPhone imposes an increasing time delay for each incorrect password attempt. Incredibly, the biometric solution as deployed at HSBC allowed the twin brother to keep trying to break into the system until, on the eighth attempt, he was successful.

ArmorVox technology from Auraya embeds numerous features to solve these kinds of problems.

1. Balancing security and customer convenience

ArmorVox sets limits on multiple retries and raises threat indicators when multiple failed attempts are made. The solution can allow genuine users an appropriate number of retries to ensure simplicity and convenience, and then temporarily raise individual security thresholds after a failed attempt.
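The retry behaviour described above, as an added sketch that is not Auraya's or HSBC's code: a fixed threshold with unlimited retries is compared with a policy that raises the threshold after each failure and locks after a limit. The class name, thresholds, step size and match scores are all hypothetical values constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AttemptPolicy:
    """Per-account verification policy; all names and values are assumptions."""
    base_threshold: float                # score required with no pending failures
    step: float = 0.0                    # threshold increase per consecutive failure
    max_failures: Optional[int] = None   # lock out at this many failures (None = never)
    failures: int = 0

    @property
    def threshold(self) -> float:
        return self.base_threshold + self.step * self.failures

    def attempt(self, score: float) -> str:
        if self.max_failures is not None and self.failures >= self.max_failures:
            return "locked"              # recovery must happen out of band
        if score >= self.threshold:
            self.failures = 0            # success clears the temporary penalty
            return "accept"
        self.failures += 1
        return "reject"

def first_accept(policy: AttemptPolicy, scores) -> Optional[int]:
    """Return the 1-based attempt that was accepted, or None if never accepted."""
    for n, score in enumerate(scores, start=1):
        result = policy.attempt(score)
        if result == "accept":
            return n
        if result == "locked":
            return None
    return None

# Constructed match scores (0..1), not measurements from any real system.
NEAR_NEIGHBOUR = [0.61, 0.58, 0.66, 0.63, 0.69, 0.64, 0.67, 0.72]
GENUINE_NOISY = [0.68, 0.85]             # first try spoiled by background noise

def compare():
    fixed = first_accept(AttemptPolicy(0.70), NEAR_NEIGHBOUR)
    adaptive = first_accept(AttemptPolicy(0.70, step=0.03, max_failures=3), NEAR_NEIGHBOUR)
    genuine = first_accept(AttemptPolicy(0.70, step=0.03, max_failures=3), GENUINE_NOISY)
    return fixed, adaptive, genuine

if __name__ == "__main__":
    print(compare())
```

With these constructed scores the fixed policy admits the near-neighbour speaker on the eighth try, while the adaptive policy locks after three failures and still lets the genuine user in on a second attempt.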

2. Individual voice biometric models to improve system security performance

ArmorVox uses an individual voice biometric model for each person to improve security performance and reduce the risk of ‘near neighbour’ attacks (such as twins). This functionality provides additional security over legacy systems which use a single background model for all speakers.

3. Machine learning algorithms recalculate security thresholds

ArmorVox employs a machine learning algorithm that continually adjusts the security thresholds for each user in the system. This ensures a defined security threshold is maintained for each individual user consistent with the risk of the transaction type being undertaken. The machine learning algorithm also tunes the voice print and background model to ensure the best performance is maintained.

4. Proactively prevent fraud with the Random Challenge Response

ArmorVox thwarts fraudsters by issuing a random voice challenge. This ArmorVox capability prompts the caller to say a random digit string or random words; verification succeeds only when the true user’s voice is heard saying the correct random phrase. An attacker who plays a recording of the true speaker will find that the wrong phrase or digit string is rejected. This technique also makes things easy for users, as they don’t need to remember what spoken token they have to say: they just need to repeat the phrase that ArmorVox tells them to say.
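The random challenge described above, as an added sketch that is not ArmorVox code: a verifier issues a single-use, expiring digit prompt and accepts only when both the spoken digits and the speaker score pass. The class, the 30-second lifetime and the 0.70 threshold are assumptions, and the transcript and score arguments stand in for a speech recogniser and a speaker-verification engine.

```python
import secrets
import time

CHALLENGE_TTL = 30.0      # seconds a prompt stays valid (assumed value)
SCORE_THRESHOLD = 0.70    # minimum speaker-match score (assumed value)

class ChallengeVerifier:
    """Random digit challenges that are single-use and expire (hypothetical API)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending = {}                 # session id -> (digits, expiry time)

    def issue(self, session_id: str, length: int = 6) -> str:
        digits = "".join(secrets.choice("0123456789") for _ in range(length))
        self.pending[session_id] = (digits, self.clock() + CHALLENGE_TTL)
        return digits                     # read out to the caller

    def verify(self, session_id: str, spoken_digits: str, speaker_score: float) -> str:
        # spoken_digits stands in for a speech recogniser's transcript and
        # speaker_score for a speaker-verification engine's output.
        entry = self.pending.pop(session_id, None)   # consumed pass or fail
        if entry is None:
            return "no-challenge"
        digits, expiry = entry
        if self.clock() > expiry:
            return "expired"
        if spoken_digits != digits:
            return "wrong-phrase"         # e.g. a replayed recording of an old prompt
        if speaker_score < SCORE_THRESHOLD:
            return "voice-mismatch"       # right words, wrong speaker
        return "accept"

if __name__ == "__main__":
    v = ChallengeVerifier()
    prompt = v.issue("call-1")
    print(prompt, v.verify("call-1", prompt, 0.91))
```

Because the prompt is consumed on every verification attempt, a failed try forces a fresh random phrase rather than letting the caller retry against the same one.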

5. Synthetic speech recognition capability

Additionally, ArmorVox solutions are designed to recognise the underlying characteristics of a synthetic voice (where technology is used to manufacture speech that sounds like the account holder). All synthetic speech machines have a distinctive characteristic that can be detected by ArmorVox’s voice verification technology. If an account is being attacked with a synthetically manufactured voice, security procedures can be invoked to protect that account, potentially identify who is trying to break in, and increase security thresholds for identities that are under threat.

6. Location and device tracking

The security of the overall solution can be enhanced by using information about the device being used and the location it is being used from. If there is heightened uncertainty based on the device or location, any potential threat can be thwarted by raising the security thresholds or adding more biometric steps. ArmorVox can detect if the device has changed and report this back to the security solution.


There are many other security features which are not publicised, as some of these features help banks and other organisations to identify fraudsters and prevent identity theft. ArmorVox Biometric Solutions ensures user privacy, helps prevent identity theft and fraud and, of course, makes it easier to deal with businesses and government departments, as there is no PIN to remember, no password to forget.

“Voice biometric solutions that incorporate random challenge responses eliminate one of the key threats to a system. Users never have to worry about their ‘spoken token’ being used by someone obtaining a recording of them saying a fixed phrase. ArmorVox’s patented user specific background models plus empirically defined thresholds calculated on an individual by individual basis provide defined levels of security and convenient easy to use customer experience. The flexibility of individual spoken tokens and random challenge response again provide higher levels of security and better customer experience.”
Paul Magee, CEO of Auraya

