Can Voice Biometrics Hack Computer Security?
In April, hackers broke into Sony's PlayStation 3 Network, gaining access to data from roughly 77 million user accounts. A month later, Sony's systems were breached again, compromising the account data of 25 million users of the company's Online Entertainment PC-based gaming service.
As a result of those two attacks—considered among the largest and most pervasive ever—the Japanese electronics maker shut down its PlayStation Network and related services for nearly a month. In addition, Sony spent more than $170 million on identity theft insurance and free content for customers whose data might have been compromised, improvements to network security, customer support, legal fees, and an investigation into the attacks.
Sony is not the only company that has taken a hit. This year alone, some other very high-profile and very costly cases involved Citibank, RSA (the company that makes the widely used SecurID tokens for computer access), Google's Gmail service, and U.S. defense contractor Lockheed Martin. Other cases costing hundreds of millions of dollars go back five years or more. Understandably, the spate of attacks is sparking interest in voice biometrics applications to protect customer data.
On a Smaller Scale
Large-scale attacks, like the one on Sony, are the exception; most cyber crimes occur on a much smaller scale, typically involving theft of a single individual's personal or financial information to make fraudulent purchases or bank transactions. In most cases, the thieves gain access either through programs installed directly on the victim's computer or via a company's servers.
Symantec, which makes Norton Antivirus software, estimates that the cumulative bill for these kinds of cyber crimes in 24 countries totaled $388 billion last year: $274 billion in lost time and $114 billion in cash costs, including money stolen or spent resolving the cyber attacks. The company also reports that 431 million adults experienced some form of cyber crime last year, equating to nearly 1.2 million people per day, or 14 per second.
When those types of attacks occur, it isn't the interactive voice response (IVR) system or call center that is breached but, rather, the databases that support them, explains Judith Markowitz, president of J. Markowitz Consultants, which specializes in voice security.
"A lot of them end up in identity fraud, with people pretending to be other people," Markowitz says. "It's all part of a whole pattern of attacks against call centers. These are becoming more and more vicious, and they're being done by professionals as part of a global effort."
Although voice security can do little to stave off large attacks, like those that happened at Sony, some applications can go a long way toward protecting consumer information in the smaller, more targeted attacks. Using speech technologies, companies can limit access to personal accounts and related data by blocking anyone whose voice characteristics do not match a stored voiceprint.
"You can't steal a person's voiceprint the way you can get their PIN or Social Security number," says Dan Miller, senior analyst at Opus Research. "Voiceprints are stored differently—as a binary representation of the voice file. They are usually encrypted and stored separately, so the voice files are meaningless without another file to give them context."
According to Miller, most attempted hacks involving voice technologies are replay attacks, in which fraudsters try to gain access to voice-guarded systems with recordings of the voice. To prevent those attacks, he recommends changing passwords. Companies also can install security software that can detect whether an audio input is live or recorded.
Additionally, recent research from contact center technology provider Convergys found that consumers do not like giving personal information to agents. According to that study, 70 percent of consumers would prefer to use an IVR system with biometrics than speak to an agent. The perception is that automation reduces the risk of fraud and that an agent might try to steal information, whereas an application cannot, says Jenny Burr, senior manager of speech science and global professional services at Convergys.
Of course, most agents are honest, but the fear among consumers is real. "It's more paranoia, but there have been a few instances," Burr notes.
Still, that's good news for voice biometrics technology vendors, who have garnered more interest and a sharp spike in sales in recent months.
For What It's Worth
That interest is expected to translate into real dollars for the vendors of such technology. In fact, according to research firm RNCOS, the technology has been "stupendously growing" in recent years because of rising personal security concerns and a greater awareness of identity theft.
In a report, "Global Biometric Forecast to 2012," RNCOS indicated that as the technology improves, prices will fall and consumers will become more accustomed to using biometrics to prove their identities and make secure transactions. RNCOS's findings also suggest that voice biometrics will gain popularity in the coming years as its superiority over other technologies, such as face, iris, and fingerprint recognition, is recognized. The voice recognition market is expected to grow at a compound annual rate of about 13 percent through 2013, according to RNCOS.
As a further demonstration of the industry's growth, Miller noted, providers of voice authentication solutions generated about $100 million in revenue in 2010. "By our own very conservative estimates, we expect that to grow to about $320 million by 2015," he says, "but it could even be significantly larger than that."
Miller uses another ruler to measure growth. Currently, about 6 million people have enrolled their voiceprints in some way. By 2015, that number is likely to reach 30 million, he says.
But the key will be to get consumers to consent to having their voiceprints stored on file. Local and federal law-enforcement agencies in some countries, such as Mexico, have been collecting voice samples as part of the arrest process, in much the same way that suspects are fingerprinted.
For consumers to consent, the collection process must be seamless, according to experts. "The user interface is the key to all of this," Burr says. "You need a consistent, clean interface."
For enterprises, finding a way to collect voice data without irritating customers or compromising security causes the greatest concern regarding any security application. With modern solutions, the two do not need to be mutually exclusive. "Privacy and security are not antagonistic," Markowitz says.
Miller says, "Voice biometrics is not yet completely a must-have, but it's making its mark in some very difficult markets." He notes that the technology has penetrated the telecommunications, finance, law enforcement, and government sectors and is poised to gain traction in healthcare and insurance.
"Growth has been very small for the past three years, but now it's starting to pick up," he adds.
While some say the soaring interest in voice biometrics is unprecedented, others report having seen steady growth all along. The technology's "been around for years and grown little by little over time," Markowitz says. "The interest has been there; it's not sudden."
What have changed, according to Markowitz, are the technology itself and the prices that vendors charge for it. "It's more attractive now to organizations that do not want to spend $500,000 to put something in," she says. Voice biometrics vendors are "making it possible for call centers to use" their products.
The Cloud Conundrum
Vendors are making their products more accessible by using software-as-a-service (SaaS) models. "With SaaS, these applications are cheaper to get into," Burr says. "SaaS is making the costs go way down."
Graham Allen, director of product management at Convergys, says, "Look for more SaaS deployments. It's a going-forward strategy."
But while the cloud is good for those who would deploy voice security solutions, it is also contributing to the need for greater security. The threat risk grows as more data is stored in the cloud and on mobile devices, such as smartphones and tablets, experts warn. While much of the data stored in the cloud is encrypted, "each network has its own vulnerabilities and ways to get in," says Valene Skerpac, president of iBiometrics, a voice security consulting firm. "Mobile phones are also subject to malware and phishing attacks. The same way people can get to PCs, they can get to mobile phones."
Consumers are expressing fear. According to a recent survey by ThreatMetrix and the Ponemon Institute, only 21 percent of U.S. consumers feel "completely" safe when conducting mobile banking transactions, such as checking account balances, transferring funds, or making payments. In that survey, 48 percent of consumers said they felt "somewhat protected," and 23 percent said they did not feel protected at all.
Those perceptions have made consumers less willing to use mobile banking. Only 29 percent of those surveyed said they have done banking on their mobile phones, and 51 percent said they have not used mobile banking applications for fear of diminished protection.
"Mobile, in particular, is difficult to protect from fraud," Julie Conroy McNelley, senior fraud and risk analyst at the Alite Group, said in a statement. "With around 4,000 different device types to secure, it's often a daunting task. On top of that, few consumers are using antivirus or anti-spyware software on their mobile devices. Mobile, just like more traditional e-commerce transactions from a desktop, has the potential to become a hotbed for fraud."
To illustrate that point, a team of researchers from the University of Indiana and the City University of Hong Kong this year demonstrated a malware program it had created for Android mobile devices that keeps an ear out for credit card numbers spoken aloud or entered on a phone's keypad. Called Soundminer, the program could attach itself to the phone's microphone and then capture the credit card data. Soundminer was able to send that data to a companion program, called Discoverer, which could covertly transmit the stolen data to the hacker.
In several tests, the low-profile applications avoided detection by the phone's owner and installed antivirus software. What made the applications so stealthy was that they coded the sensitive data to resemble a system file for the phone's vibration, volume, or wake-up settings.
Lucky for Google, the applications were not the product of malicious hackers but, rather, of researchers who simply wanted to expose the weakness in the Android operating system.
That is a common practice, according to Skerpac. "Companies like Google let and encourage developers to hack their systems to uncover vulnerabilities," she says. "It's not like years ago when there were a lot of denials."
In response to these and other threats, the smartphone security market is expected to grow wildly in the coming years.
A report by Goode Intelligence, "Mobile Phone Biometric Security: Analysis and Forecasts 2011-2015," pegs the current mobile phone biometric security market at slightly more than $30 million, rising to more than $161 million by 2015, for growth of more than 536 percent, the agency predicts.
More Is Better
Early growth will be driven by embedded fingerprint sensors and voice biometrics that will be used together as part of multifactor authentication solutions, the report says.
Experts agree that to truly secure mobile devices, multifactor authentication will have to be the industry standard. Multifactor authentication is already being mandated as part of the Health Insurance Portability and Accountability Act (HIPAA), governing the personal protection of patients' private health information. Since April, the U.S. federal government, through the National Strategy for Trusted Identities in Cyberspace, has proposed a voluntary national "identity ecosystem" based on multifactor authentication. Moreover, the Payment Card Industry's Data Security Council has made multifactor authentication part of its compliance guidelines. In some cases, failing to comply could result in steep penalties, including fines and increased transaction fees from credit card issuers.
Businesses also face mounting pressure from their partners and customers to demonstrate compliance.
But, despite the push, voluntary adoption of multifactor authentication hasn't been significant yet. That is sure to change, according to most experts.
"There's already a better understanding on the buyer side for solutions that are multifactor," Miller says. "With phones now more vulnerable, why wouldn't you look at it?"
Skerpac agrees with Miller: "Everything is leading to multifactor, multimodal authentication."
Convergys's Burr says, "You'll see more deployments in the mobile and Web space as banks and other companies put out more apps for the smartphone."
Most applications of multifactor authentication use PINs or passwords as the first line of defense and supplement them with a voice security application. Others combine voice with more complex methods, such as iris or fingerprint scans. But those tend to be far more expensive to implement, and the public views them as intrusive.
"To go across the different channels, you need to get to where the technology runs in the background, just pulling out the pieces of a normal conversation that it needs," Convergys's Allen says.
One company already involved is Sensory, which about a year ago released versions of its Truly Handsfree Trigger software for mobile devices running Apple's iOS and Google's Android operating systems. The software lets the devices constantly listen for voice commands that wake them up and guide them through user queries. In addition, the company has developed voice-activated chips to unlock phones and applications.
Todd Mozer, CEO of Sensory, acknowledges that some of the other biometrics, such as fingerprint or iris scans, might be more accurate than voice, but voice security is the most convenient for mobile, especially since all phones have microphones built in.
To keep mobile phones safe, Mozer recommends, users should install software that requires them to speak their passwords or other trigger phrases before the devices connect to their networks. That can be accomplished through the device's digital signal processor, allowing the user to activate components of the phone without the operating system, he says. "Once you're in the OS, the device is already opened and connected, so it's better to do it pre-OS," Mozer states.
Mozer expects to see many other security applications become available for mobile phones, and not all of them will relate to voice. "All phones have cameras now, so you can use that to perform some sort of visual check of the person for access purposes," he says.
Shoring up security in other ways helps, Skerpac advises. "Keep data in separate systems, so that even if [would-be thieves] hack into one system, you can make sure they can't get into the others."
In addition, swap out legacy text-dependent systems for ones that are text-independent. The prevailing trend in voice biometrics has been text-dependent, meaning a person enrolls his voiceprint by repeating a standard phrase. But now there's a move toward systems that are text-independent, in which users can utter any phrase to register their voiceprints. Because these systems can be easily randomized, they're a lot harder to crack with recordings, analysts point out. "It's the area where we are seeing the most research," Skerpac says.
Text-dependent systems traditionally have worked well in quiet environments and not so well in noisier locations. To circumvent that, Sensory is tying voice biometrics to its Truly Handsfree Triggers, which filter all other environmental noises and carry out a command only when a trigger word is spoken. Early tests have shown that when used with hands-free triggers, voice security technology "becomes very reliable in noisy environments," Mozer says.
While that research is important, Skerpac says, studies will have to be done to determine the effects of aging on biometrics solutions. "In the long term, this could produce real problems for systems," she argues.
"Nothing is 100 percent," Skerpac says, admitting that even voice biometrics could do a better job at times. "But what we have now is certainly better than what we had before."
And, more than that, it's better than nothing at all.
News Editor Leonard Klie can be reached at lklie@infotoday.com.