HSBC's voice recognition security system was successfully bypassed by a customer's twin brother who mimicked his voice after eight attempts, gaining unauthorized access to account balances and transaction history.
HSBC deployed a voice recognition security system called Voice ID to half a million customers, analyzing 100 behavioral and physical vocal traits to authenticate users. The system requires customers to say 'My voice is my password' and was claimed to be secure because voiceprints are unique like fingerprints. BBC Click reporter Dan Simmons set up an HSBC account with Voice ID authentication, and his non-identical twin brother Joe was able to access the account by mimicking Dan's voice on the eighth attempt. The breach allowed Joe to view account balances and recent transactions, and he was offered the ability to transfer money between accounts, though he could not withdraw funds. HSBC initially allowed seven failed attempts before granting access, and a separate test found the system allowed 20 failed attempts over 12 minutes. Following the BBC investigation, HSBC said it would review security settings and reduce the number of allowed attempts to three. The bank acknowledged that twins have similar voiceprints but maintained that Voice ID had significantly reduced telephone fraud compared to PINs and passwords.
Domain classification, causal taxonomy, severity scores, and national security assessments were LLM-classified and may contain errors.
Vulnerabilities that can be exploited in AI systems, software development toolchains, and hardware, resulting in unauthorized access, data and privacy breaches, or system manipulation causing unsafe outputs or behavior.
AI system: Due to a decision or action made by an AI system
Unintentional: Due to an unexpected outcome from pursuing a goal
Post-deployment: Occurring after the AI model has been trained and deployed