Putting money where your mouth is

voice biometrics has moved into the IT security mainstream in the last few years
voice biometrics has moved into the IT security mainstream in the last few years

Thanks to tremendous strides in hardware processing power and advances in software codec techniques, voice biometrics has moved into the IT security mainstream in the last few years.

This trend has been marked by the arrival of several specialist firms offering voice biometrics systems and software to quite specific markets, including financial services.

Aviva, Britain’s largest insurer, is among those already using the technology for fraud detection. “We use voice biometrics to an extent at the moment, when we’re dealing with the claims side of life,” says Paul Wood, group business protection officer.

But Wood believes voice biometrics could also provide a good way to authenticate customers, both for them and for Aviva. “It does seem to look promising in terms of enhancing the customer experience, because customers will only have to interact with you for five or 10 seconds as opposed to maybe a minute and a half’s interaction around probing personal questions,” he says.

“It’s whether the technology can deliver what it’s promising,” Wood adds, although as it was first used to check US prisoners on release, he reckons it has already passed some challenging tests, with reported 97% to 99% successful authentication rates.

A reliable speaker

Voice biometric technology has been around for many years, but it is only in recent times that it has evolved to the point where a person’s voice can be clearly identified across a cellular or internet telephony connection, a key requirement in today’s modern communications environment.

Mark Pawleski, British Telecom’s technical group leader, says the company’s involvement in voice biometrics stretches back to the mid-1980s. By 1987, the telco had developed its technology sufficiently to stage a trial with a major UK retail bank, centring on the recognition of numbers spoken by customers.

The trials were a great success for the time, says Pawleski, but the 5% error rate on regular phone lines was commercially unacceptable. It took another 15 years before BT was able to get this error rate down to more acceptable levels, allowing the telco’s research staff to work on the problem of getting voice biometrics to work across telephony connections other than a full-frequency landline.

"Cellular and internet telephony connections have their own unique problems such as dropouts, echoes and delays"
Mark Pawleski, BT

“Cellular and internet telephony connections have their own unique problems such as dropouts, echoes and delays,” says Pawleski. He told a conference on voice biometrics in London late last year that it took BT until the early part of the current decade to develop its voice biometric technology to the point where error rates were acceptable across even the worst cellular or internet telephony connection. And with a packet data rate of just 4800 bits per second on the poorest quality cellular telephony circuit, you can begin to understand why. BT’s voice biometrics technology – known as URU – has been refined to the point where the telco is getting ready to offer a commercial service called URUPlus to third-party organisations.

The system, which relies on a verified set of voice biometrics being stored on BT’s computers, allows customers of several companies using the BT service to register their biometrics only once. After that, says Pawleski, they can use any service that uses the BT URUPlus facility.

Walking the talk

Pawleski believes that the problems facing voice biometrics developers, especially those planning to offer their service to financial services companies, are that the technology has to be strong enough to operate in wide range of environments and across very different communication channels.

“The technology has to be robust against intra-speaker differences and similarities, as well as resilient to recording replay attacks and, of course, the ageing of a person’s voiceprint,” he says.

As people age, their voice box shape changes, resulting in a change in their voice biometric. “If someone uses a voice banking biometric system on a regular basis, then the system can compensate for the changes, but what happens if they dial in a few years later and with a cold?” says Pawleski.

It is for this reason, he says, that voice biometric developers have to come up with a process that allows users to be identified using specifics other than their voices, and so allow themselves to be re-verified and their latest voiceprints entered into the system. This is exactly what the Allied Irish Bank (AIB) did last September when it launched its automated password update trial for employees. AIB, one of the largest banks in Ireland, developed an internal voice biometric system for its IT help desk in resetting employee passwords.

"The trial system, which uses technology from VoiceVault, has been rolled out progressively to service the needs of more than 5700 bank employees in various locations"
Brian Sweeney, AIB

“The trial system, which uses technology from VoiceVault, has been rolled out progressively to service the needs of more than 5700 bank employees in various locations,” says Brian Sweeney, AIB’s service desk manager. “If an employee forgets their password, they can dial in and verify themselves using just their voice and be given a new password automatically, without human operator intervention.”

The bank has learned a lot from the trials and has greatly reduced the number of IT help desk calls it handles. It is now convenient for employees to change passwords at any time, night or day, seven days a week.
AIB now plans to implement VoiceVault’s password reset service for a further 15 000 staff in its head office, in its branches and for the employees of its capital markets operation. On top of this, the bank may extend the technology to its offices in Poland, which could potentially expand voice biometrics to a further
10 000 staff. So is the technology good enough to roll out to the bank’s customers yet? On this subject Sweeney remains coy.

Voice over internet payment

Nigel Phillips, head of product marketing with VoiceVault, says that it is, which is exactly what his firm has done in conjunction with Nick Ogden of WorldPay fame, with his new venture, VoicePay.

VoicePay, which is now being offered to a number of web retailers, uses VoiceVault technology to allow payment cardholders to identify themselves using their voice biometrics across a cellular connection, for example.

“VoicePay’s service, which can be integrated with an e-banking or web retailing application, dials up the user’s mobile and asks them to identify themselves using purely their own voice,” says Phillips. “The technology automatically authenticates the user and allows the transaction to proceed, with the retailer and/or bank secure in the knowledge that the user really is who they say they are, and not just someone with a card number and the user’s PIN.”

According to Phillips, while voice biometrics is now at the stage where it can be commercially rolled out to real customers of real banks and retailers, it’s rare that the technology on its own is accepted by the financial services industry.

“What we’ve found is that you have to integrate the technology with another function – such as facilitating transaction authentication, as is the case with VoicePay – before financial services managers sit up and take notice,” he believes.

What’s hot on Infosecurity Magazine?