Your browser isn't supported
It looks like you're using an old web browser. To get the most out of the site and to ensure guides display correctly, we suggest upgrading your browser now. Download the latest:

Welcome to the MSE Forums

We're home to a fantastic community of MoneySavers but anyone can post. Please exercise caution & report spam, illegal, offensive or libellous posts/messages: click "report" or email forumteam@.

Search
  • FIRST POST
    • mgdavid
    • By mgdavid 19th May 17, 10:22 AM
    • 5,159Posts
    • 4,331Thanks
    mgdavid
    HSBC voice recognition insecure?
    • #1
    • 19th May 17, 10:22 AM
    HSBC voice recognition insecure? 19th May 17 at 10:22 AM
    http://www.bbc.co.uk/news/technology-39965545
    A salary slave no more.....
Page 1
    • Pincher
    • By Pincher 19th May 17, 11:57 AM
    • 6,516 Posts
    • 2,487 Thanks
    Pincher
    • #2
    • 19th May 17, 11:57 AM
    Easy or not easy, that is question
    • #2
    • 19th May 17, 11:57 AM
    http://www.moneysavingexpert.com/news/banking/2016/10/first-direct-customers-locked-out-of-their-bank-accounts-after-voice-id-system-fails-to-recognise-them

    HSBC asked me on Wednesday 17th May, if I wanted voice recognition, and I gave them a categorical NO.

    It's just not secure enough.

    It's probably fine for read only mode, where you want to check money has turned up.
    • Malcnascar
    • By Malcnascar 19th May 17, 2:24 PM
    • 1,116 Posts
    • 1,220 Thanks
    Malcnascar
    • #3
    • 19th May 17, 2:24 PM
    • #3
    • 19th May 17, 2:24 PM
    My mobile app has a digital secure key password, my internet banking has my user name with a question and code which i generate on my phone. All of these could be compromised with effort.
    My phone banking used to have random numbers from a code which I forgot because I so rarely used it. It now has voice recognition.
    The staff at my local branch may recognise me but have my signature on file if they need it. But most value transactions could be validated by a forged letter. Oh and my debit card has a 4 digit chip and pin.

    All of my banking security has potential for abuse. For me I will not readily accept "the Spanish Inquisition" treatment for routine day to day banking. I accept there will be risks in everything I do in this life. Whilst the actions of the BBC are understandable I was not aware that HSBC claimed their system was 100% secure. I am comfortable with the security/convenience trade off and see no reason to panic. Is this any difference to ATM, Chip & PIN scammers, internet banking retailers hacking my details scams etc etc.
    • mt99
    • By mt99 19th May 17, 2:37 PM
    • 297 Posts
    • 129 Thanks
    mt99
    • #4
    • 19th May 17, 2:37 PM
    • #4
    • 19th May 17, 2:37 PM
    Yes I agree with the above there is inherent insecurity in any method of signing in - in the BBC case they used a person's brother but realistically what are the chances of someone being able to use their voice to sign in to your account? in any case you can't really do much once you've got in you can't even make a payment as I understand it

    You might just want to check what the banks terms conditions are in terms of reimbursing you should anyone managed to bypass voice security
    • Pincher
    • By Pincher 19th May 17, 4:13 PM
    • 6,516 Posts
    • 2,487 Thanks
    Pincher
    • #5
    • 19th May 17, 4:13 PM
    • #5
    • 19th May 17, 4:13 PM
    Effectively, Contactless payment has NO security, because the sums are trivial.

    I can allow voice recognition on accounts with small amounts.

    For accounts with real money in, never.
    In fact, I would really like a Harry Potter Gringotts bank, where you must turn up in person to get your money.
    • Shakin Steve
    • By Shakin Steve 19th May 17, 5:25 PM
    • 770 Posts
    • 562 Thanks
    Shakin Steve
    • #6
    • 19th May 17, 5:25 PM
    • #6
    • 19th May 17, 5:25 PM
    I suppose it depends on your outlook on life. I walk my dog in the woods every morning, along with hundreds of others. Someone mentioned that a dog had been bitten by an adder. Some people immediately stopped letting their dogs roam lose and kept them on a lead. I weighed up the chances and let mine carry on as normal.
    There will always be people who are so risk averse that it stifles their life.
    I came into this world with nothing and I've got most of it left.
    • Lith
    • By Lith 19th May 17, 5:34 PM
    • 854 Posts
    • 237 Thanks
    Lith
    • #7
    • 19th May 17, 5:34 PM
    • #7
    • 19th May 17, 5:34 PM
    Everytime i phone them.... they always hassle me NO MEANS NO


    Not secure AT ALL.
    • HSBC (Main A/C)
    • Halifax Back up A/C
    • Lloyds (Spending) A/C
    • RBS Back up A/C
    • Barclays Old A/C
    • Nationwide Old A/C
    • Pincher
    • By Pincher 20th May 17, 12:30 AM
    • 6,516 Posts
    • 2,487 Thanks
    Pincher
    • #8
    • 20th May 17, 12:30 AM
    • #8
    • 20th May 17, 12:30 AM
    Yes I agree with the above there is inherent insecurity in any method of signing in - in the BBC case they used a person's brother but realistically what are the chances of someone being able to use their voice to sign in to your account? in any case you can't really do much once you've got in you can't even make a payment as I understand it

    You might just want to check what the banks terms conditions are in terms of reimbursing you should anyone managed to bypass voice security
    Originally posted by mt99
    There is nothing to stop the determined thief.
    My house was totally locked down, and he just needed a crowbar to get through the window.

    The hackers get through via the weakest link.
    They are getting away with the proceed of house sales by intercepting e-mails, and telling the solicitor to send the money to a different account.

    If they get through to see your account profile, by voice recognition, they will get your e-mail address, as well as most of your personal information. Phishing e-mails to your e-mail account follows, and if you click on it, good night Vienna.
    • EachPenny
    • By EachPenny 20th May 17, 11:24 AM
    • 1,120 Posts
    • 950 Thanks
    EachPenny
    • #9
    • 20th May 17, 11:24 AM
    • #9
    • 20th May 17, 11:24 AM
    If they get through to see your account profile, by voice recognition, they will get your e-mail address, as well as most of your personal information. Phishing e-mails to your e-mail account follows, and if you click on it, good night Vienna.
    Originally posted by Pincher
    And some banks still invite you to provide your mother's maiden name as a security question which, for many people, is as secure as clicking on freebmd dot org dot uk. Try it and see how long it would take someone who knows your name and year (not even exact date) of birth to find your MMN.

    Ford Money should kindly take note
    "In the future, everyone will be rich for 15 minutes"
    • mt99
    • By mt99 20th May 17, 11:34 AM
    • 297 Posts
    • 129 Thanks
    mt99
    You don't have to give your mother's real maiden name of course you can make one up and just use it - as you say freebmd will tell you exactly what your real mother's maiden name is although to be fair if you have a common name then there will be a lot of hits to choose from if you have an unusual name then often it will be the only hit.
    • mgdavid
    • By mgdavid 20th May 17, 12:03 PM
    • 5,159 Posts
    • 4,331 Thanks
    mgdavid
    And some banks still invite you to provide your mother's maiden name as a security question which, for many people, is as secure as clicking on freebmd dot org dot uk. Try it and see how long it would take someone who knows your name and year (not even exact date) of birth to find your MMN.

    Ford Money should kindly take note
    Originally posted by EachPenny
    very hit and miss.
    Firstly it requires the subject to be born in this country.
    Second, it would appear to be a good reason for women to adopt husband's surname upon marriage, as without their maiden name they are untraceable.
    Also anyone born or married since 1984 is safe as the records aren't there yet.
    Then you need the middle name(s) and/or initials to reduce the number of hits.
    And finally if there are multiple hits (as there will be for common names) you need to have knowledge of the approximate place of birth,
    probably a 1 in 4 chance of locating it this way, at best.
    A salary slave no more.....
    • EachPenny
    • By EachPenny 20th May 17, 1:01 PM
    • 1,120 Posts
    • 950 Thanks
    EachPenny
    very hit and miss.
    Firstly it requires the subject to be born in this country.
    Second, it would appear to be a good reason for women to adopt husband's surname upon marriage, as without their maiden name they are untraceable.
    Also anyone born or married since 1984 is safe as the records aren't there yet.
    Then you need the middle name(s) and/or initials to reduce the number of hits.
    And finally if there are multiple hits (as there will be for common names) you need to have knowledge of the approximate place of birth,
    probably a 1 in 4 chance of locating it this way, at best.
    Originally posted by mgdavid
    I wouldn't disagree with most of what you say, but I was talking about many people, not everybody.

    I also wouldn't use the word 'safe'. FreeBMD has the records going up to 1983, but commercial sites have later records which are easily accessible, often for free. These records cover the period for most people appearing on the GRO registers who will be old enough to have a bank account with likely amounts of money in them big enough to be attractive to fraudsters.

    The marriage trick won't work either if the marriage appears on the GRO register then it is a relatively trivial exercise, in many cases, to find the marriage and work out the maiden name. Usually.

    The marriage itself may provide the source of middlenames and/or initials.

    If someone knows enough about you to identify your first and last names, year of birth, and who you bank with, then middlenames, quarter of birth, and even approximate location of birth may well be known already, or not that difficult to work out - especially for people who pass the time of day posting their life history on FB.

    Only by having a very common surname and firstname, with no middlename, can you be relatively confident the GRO indexes will not help a fraudster identify your MMN.

    True, you don't have to give your real MMN when registering with a bank, but how many people are aware of the risk, and how many people would feel uncomfortable about lying about a 'fact' the bank are asking them to provide as part of a financial application? It would be far better for the banks to restrict themselves to asking for a 'memorable name' rather than specifically MMN.

    These news headlines are about the scenario in which someone who has a twin was able to partially fool a system. The number of people who can do that is miniscule in comparison to the number of people who have an easily identifiable MMN - and that was really my point, the banks ask for MMN yet we rarely see the same kind of loud headlines pointing out how insecure that piece of information might be.
    Last edited by EachPenny; 20-05-2017 at 1:03 PM. Reason: Formatting
    "In the future, everyone will be rich for 15 minutes"
    • Masomnia
    • By Masomnia 20th May 17, 1:17 PM
    • 16,996 Posts
    • 37,339 Thanks
    Masomnia
    If you put on a good enough Mexican accent it won't ask you any questions at all.

    Badum tish!
    “I could see that, if not actually disgruntled, he was far from being gruntled.” - P.G. Wodehouse
    • Pincher
    • By Pincher 21st May 17, 10:41 AM
    • 6,516 Posts
    • 2,487 Thanks
    Pincher
    Remember Dark Star, the movie by John Carpenter?

    They had to talk the bomb into ignoring the previous command to explode, which followed correct procedure
    Genuine users can't log in (First Direct example), fake users can(BBC Click example). It's a farce.

    How do you get into a speakeasy? You say: "Antonio sent me." into a slot in the door. A lot like typing something into a Pop Up window, doesn't it? One thing is for sure, it's cheaper than having real people checking signatures and documents.

    One of these days, they will say, the management takes no responsibility for your valuables. You leave your money with us at your on risk. You can buy insurance against theft, 2% a year please.
    Last edited by Pincher; 21-05-2017 at 10:44 AM.
    • polymaff
    • By polymaff 21st May 17, 12:42 PM
    • 1,552 Posts
    • 667 Thanks
    polymaff
    You don't have to give your mother's real maiden name of course you can make one up and just use it ...
    Originally posted by mt99
    Ditto all the other publicly available data, First School, Second School, First Car etc. etc.

    Do all banks accept crazy answers, though? In the Nineties I had to beat up the Halifax's Head of Savings to get this practice accepted.
    • EachPenny
    • By EachPenny 21st May 17, 12:56 PM
    • 1,120 Posts
    • 950 Thanks
    EachPenny
    Do all banks accept crazy answers, though? In the Nineties I had to beat up the Halifax's Head of Savings to get this practice accepted.
    Originally posted by polymaff
    I once had an interesting conversation with a CSA who refused to accept the answer I gave for my mother's maiden name on the basis 'nobody would be called that' despite my answer exactly matching the stored answer. I was told I would be having my account passed to the fraud department because I had given false information. A polite request to speak to a manager quickly overcame the situation

    The problem is many people do not realise they don't have to give a true answer to those questions, or are far too honest for their own good, which was why I was suggesting the banks could help by making the questions more generic - such as "The name of a school" rather than "Your first school".
    "In the future, everyone will be rich for 15 minutes"
    • polymaff
    • By polymaff 21st May 17, 2:08 PM
    • 1,552 Posts
    • 667 Thanks
    polymaff
    ... I was suggesting the banks could help by making the questions more generic - such as "The name of a school" rather than "Your first school".
    Originally posted by EachPenny
    To be fair, some do - such as the Yorkshire Bank, who ask for things like a memorable place, film and meal.

    Needless to say, my three answers have nothing to do with geography, cinematography - or scoff-ology
    • EachPenny
    • By EachPenny 21st May 17, 2:46 PM
    • 1,120 Posts
    • 950 Thanks
    EachPenny
    True.

    Let me guess, the answer you've used for all three questions is your mother's maiden name?
    "In the future, everyone will be rich for 15 minutes"
    • polymaff
    • By polymaff 21st May 17, 3:30 PM
    • 1,552 Posts
    • 667 Thanks
    polymaff
    True.

    Let me guess, the answer you've used for all three questions is your mother's maiden name?
    Originally posted by EachPenny
    my three answers have nothing to do with geography, cinematography - or scoff-ology
    Originally posted by polymaff

    ... or ancestry
    Last edited by polymaff; 21-05-2017 at 3:48 PM.
Welcome to our new Forum!

Our aim is to save you money quickly and easily. We hope you like it!

Forum Team Contact us

Live Stats

155Posts Today

1,255Users online

Martin's Twitter