Voiceprint technology (for authentication)

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Post Reply
azurekep
Posts: 1009
Joined: Tue Jun 16, 2015 7:16 pm

Voiceprint technology (for authentication)

Post by azurekep » Wed Oct 11, 2017 9:30 pm

At least two major brokerages are now offering voiceprint technology as part of their authentication process. Back in 2011, some Bogleheads seemed a bit skeptical of Vanguard's voiceprint system, fearing it was hackable, spoofable or otherwise unrelaible. Has voiceprint technology progressed to the point where everyone now agrees that it is trustworthy?

I'm particularly curious to hear the thoughts of those who have followed the technology.

I'm also interested in hearing from those who currently use it, or have used it, and have thoughts on how it works in practice.

LifeIsGood
Posts: 616
Joined: Mon Feb 11, 2008 8:43 pm
Location: Atlanta, GA

Re: Voiceprint technology (for authentication)

Post by LifeIsGood » Thu Oct 12, 2017 5:29 am

I've used it twice and it worked fine.

Call_Me_Op
Posts: 6576
Joined: Mon Sep 07, 2009 2:57 pm
Location: Milky Way

Re: Voiceprint technology (for authentication)

Post by Call_Me_Op » Thu Oct 12, 2017 5:52 am

All of the large brokerage firms are starting to use this technology. Its reliability is good but it should not be used as the sole means of identification. It should be viewed as an additional layer of security.

Given that brokerages do not have bullet-proof assurances that you will be reimbursed in the event of fraud, I'll take all of the added security layers I can get.
Best regards, -Op | | "In the middle of difficulty lies opportunity." Einstein

2015
Posts: 965
Joined: Mon Feb 10, 2014 2:32 pm

Re: Voiceprint technology (for authentication)

Post by 2015 » Thu Oct 12, 2017 11:04 am

Have it on VG and TIAA and wouldn't be without it. A voiceprint cannot be "socially engineered".

azurekep
Posts: 1009
Joined: Tue Jun 16, 2015 7:16 pm

Re: Voiceprint technology (for authentication)

Post by azurekep » Thu Oct 12, 2017 11:34 am

2015 wrote:
Thu Oct 12, 2017 11:04 am
A voiceprint cannot be "socially engineered".
That's one of the appeals. But if the voiceprint fails, isn't it just back to a regular authentication challenge?

I suppose one way to view it is that the lowest hanging fruit will always be picked first. If an imposter fails to get through voiceprint, they'll probably give up and move to an easier target. Does that sound reasonable?

boglesmind
Posts: 110
Joined: Sun Jan 05, 2014 1:07 pm

Re: Voiceprint technology (for authentication)

Post by boglesmind » Thu Oct 12, 2017 11:45 am

Google search of "security of voiceprint" brings up, among others,

In May 2017, BBC fools HSBC voice recognition security system http://www.bbc.com/news/technology-39965545.
What's really alarming is that the bank allowed me seven attempts to mimic my brother's voiceprint and get it wrong, before I got in at the eighth time of trying," he said
How many attempts does Vanguard allow? If Voiceprint fails, does it lock the account or prevent further attempts at using voiceprint?

Boglesmind

Nate79
Posts: 1436
Joined: Thu Aug 11, 2016 6:24 pm
Location: Portland, OR

Re: Voiceprint technology (for authentication)

Post by Nate79 » Thu Oct 12, 2017 12:06 pm

I have this with Vanguard and Wells Fargo. If their security experts believe in this technology who am I to doubt it? If I doubt it what other security measures are they screwing up also?

btenny
Posts: 4179
Joined: Sun Oct 07, 2007 6:47 pm

Re: Voiceprint technology (for authentication)

Post by btenny » Thu Oct 12, 2017 12:36 pm

Voice prints are like signatures. They vary a lot over time and circumstances so they are not really accurate. Plus they can be copied and mimicked by others. So they are like a second password, better security but not fool proof.

User avatar
jabberwockOG
Posts: 1063
Joined: Thu May 28, 2015 7:23 am

Re: Voiceprint technology (for authentication)

Post by jabberwockOG » Thu Oct 12, 2017 12:37 pm

Nate79 wrote:
Thu Oct 12, 2017 12:06 pm
I have this with Vanguard and Wells Fargo. If their security experts believe in this technology who am I to doubt it?
It is a healthy instinct and very smart to always doubt the opinions and assertions of the supposed "experts". Unless you enjoy being sheared, be mostly a wolf and never a sheep.


Every authentication scheme is subject to failure and can be hacked given enough talent, time and resources. Probably best defense is to try to give yourself multiple layers of security protection. IT personal security has become one of those things in life that cannot be ignored. These days anyone with assets real or monetary must attain a fairly high level of expertise on IT personal security techniques and methodologies in order to protect themselves. Trusting the experts is a risky path to take.
Last edited by jabberwockOG on Thu Oct 12, 2017 12:44 pm, edited 1 time in total.

User avatar
HueyLD
Posts: 5164
Joined: Mon Jan 14, 2008 10:30 am

Re: Voiceprint technology (for authentication)

Post by HueyLD » Thu Oct 12, 2017 12:40 pm

I like the availability of voice recognition software. Since I signed up for it a few years ago, problems only arose once.

The one time that such a system didn't work was when I had a nasty cold and my voice was definitely not my usual cheerful self. Somehow the system could not identify me thru other means in the system after I was prompted to say different sentences. So, a human answered the phone and was able to authenticate me the old way.

The system is obviously not perfect, but it is very good IMO.

daveydoo
Posts: 951
Joined: Sun May 15, 2016 1:53 am

Re: Voiceprint technology (for authentication)

Post by daveydoo » Thu Oct 12, 2017 12:46 pm

Avoid. One more thing to steal. Biometrics suck for this reason. Will you change your voice after this is hacked? My fingerprints and all personal data were stolen from a large federal database. I have a year of free credit monitoring. Pretty sure my fingerprints will stay the same long after that.

whomever
Posts: 684
Joined: Sat Apr 21, 2012 5:21 pm

Re: Voiceprint technology (for authentication)

Post by whomever » Thu Oct 12, 2017 12:56 pm

Disclaimer: Vanguard/Fidelity/etc haven't given me any inside knowledge on their precise security protocols, for obvious reasons.

"...bank allowed me seven attempts to mimic my brother's voiceprint ..."

I don't find that particularly surprising or alarming. With the disclaimer that this is all surmise: I'd expect the match wouldn't be a binary match/nomatch kind of thing. Your voice varies depending on whether you have a cold, the quality of the voice connection, yadda, yadda, yadda. I'd expect the match algorithm would rate the match from 1 to 10 or whatever. An alto from Brooklyn and a base from South Carolina might barely match. A twin brother who knows your voice well and tries to mimic it would be a better match. And it still took seven tries.

Security always has tradeoffs. If people were calling up with slight colds and nailing all the security questions but the voice matches were only 8/10 and were rejected and their accounts locked, people would be marching on Malvern with pitchforks. Conversely, if you let anyone in to scam funds, that gets expensive.

A couple of weeks ago I called Fidelity and Vanguard. One or the other wanted to know the month I started my most recent job. I told them that I hadn't a clue - 1990 was a long time ago. They didn't bat an eye and tried some other questions. It's not foolproof, but it's also not trivial to scam. If the actual start date was last year, saying 'too long ago to remember' is a pretty suspicious answer. A voice print that's not close is suspicious. A caller ID from Mongolia is suspicious. A voice print that's an 8/10 match, and a few questions right, and caller ID from your home phone, ..., and at some point it's a reasonable risk for the company to take. Especially in my case, where the net effect of the call was 'mail me some paperwork' at my address of record :-)

Nate79
Posts: 1436
Joined: Thu Aug 11, 2016 6:24 pm
Location: Portland, OR

Re: Voiceprint technology (for authentication)

Post by Nate79 » Thu Oct 12, 2017 1:29 pm

jabberwockOG wrote:
Thu Oct 12, 2017 12:37 pm
Nate79 wrote:
Thu Oct 12, 2017 12:06 pm
I have this with Vanguard and Wells Fargo. If their security experts believe in this technology who am I to doubt it?
It is a healthy instinct and very smart to always doubt the opinions and assertions of the supposed "experts". Unless you enjoy being sheared, be mostly a wolf and never a sheep.


Every authentication scheme is subject to failure and can be hacked given enough talent, time and resources. Probably best defense is to try to give yourself multiple layers of security protection. IT personal security has become one of those things in life that cannot be ignored. These days anyone with assets real or monetary must attain a fairly high level of expertise on IT personal security techniques and methodologies in order to protect themselves. Trusting the experts is a risky path to take.
The security experts at Vanguard better be and I am extremely confident are far far far far more qualified than anyone on this site and in this thread to be making any type of actual assertions about the quality of the security in place. If not then there are far more serious issues at play. My doubts and probably most people in this thread are meaningless if they are not qualified to judge (and they do not have even have a smidgen of information about how these systems are actually setup at Vanguard). Any comments by anyone about Voiceprint at Vanguard is pure speculation.

Yes, everyone on the web is a self proclaimed expert. I don't care how much google searching someone does on this topic unless you are an actual expert and have inside knowledge of how the actual system works at Vanguard then no I don't think their opinion and doubt matters one bit.

daveydoo
Posts: 951
Joined: Sun May 15, 2016 1:53 am

Re: Voiceprint technology (for authentication)

Post by daveydoo » Thu Oct 12, 2017 1:53 pm

Nate79 wrote:
Thu Oct 12, 2017 1:29 pm
Any comments by anyone about Voiceprint at Vanguard is pure speculation.

Yes, everyone on the web is a self proclaimed expert. I don't care how much google searching someone does on this topic unless you are an actual expert and have inside knowledge of how the actual system works at Vanguard then no I don't think their opinion and doubt matters one bit.
Biometrics are great for them and terrible for you. See above. Security experts don't look at the "for you" part. The risk is all yours. I'm not a security expert. For this, I don't need to be. You don't need a car expert to tell you to keep your eyes open when you drive.

Experts are great. I love experts. Cherish them -- they are going away. Experts protected your data at Equifax and are "dealing with" the aftermath. They gave my fingerprints to the Chinese government. :D

2015
Posts: 965
Joined: Mon Feb 10, 2014 2:32 pm

Re: Voiceprint technology (for authentication)

Post by 2015 » Thu Oct 12, 2017 7:56 pm

Nate79 wrote:
Thu Oct 12, 2017 1:29 pm
jabberwockOG wrote:
Thu Oct 12, 2017 12:37 pm
Nate79 wrote:
Thu Oct 12, 2017 12:06 pm
I have this with Vanguard and Wells Fargo. If their security experts believe in this technology who am I to doubt it?
It is a healthy instinct and very smart to always doubt the opinions and assertions of the supposed "experts". Unless you enjoy being sheared, be mostly a wolf and never a sheep.


Every authentication scheme is subject to failure and can be hacked given enough talent, time and resources. Probably best defense is to try to give yourself multiple layers of security protection. IT personal security has become one of those things in life that cannot be ignored. These days anyone with assets real or monetary must attain a fairly high level of expertise on IT personal security techniques and methodologies in order to protect themselves. Trusting the experts is a risky path to take.
The security experts at Vanguard better be and I am extremely confident are far far far far more qualified than anyone on this site and in this thread to be making any type of actual assertions about the quality of the security in place. If not then there are far more serious issues at play. My doubts and probably most people in this thread are meaningless if they are not qualified to judge (and they do not have even have a smidgen of information about how these systems are actually setup at Vanguard). Any comments by anyone about Voiceprint at Vanguard is pure speculation.

Yes, everyone on the web is a self proclaimed expert. I don't care how much google searching someone does on this topic unless you are an actual expert and have inside knowledge of how the actual system works at Vanguard then no I don't think their opinion and doubt matters one bit.
I agree. Other threads have posted links from security sites advocating 2FA and voice verification. I feel much more secure with VV than without. It's one more layer.

azurekep
Posts: 1009
Joined: Tue Jun 16, 2015 7:16 pm

Re: Voiceprint technology (for authentication)

Post by azurekep » Thu Oct 12, 2017 8:40 pm

daveydoo wrote:
Thu Oct 12, 2017 12:46 pm
Avoid. One more thing to steal. Biometrics suck for this reason. Will you change your voice after this is hacked? My fingerprints and all personal data were stolen from a large federal database. I have a year of free credit monitoring. Pretty sure my fingerprints will stay the same long after that.
I feel your pain.

I'm generally against biometrics but am not sure voiceprints are the same as fingerprints in terms of uniqueness. A fingerprint is a fingerprint is a fingerprint no matter where you go, but every organizaiton has a different method for developing voiceprints. So one organization's voiceprint is different than another organization's voiceprint... even though they identify the same person. So it's not as if there is a single, agreed-upon voiceprint unique enough to be included in something analogous to law enforcement's Automated Fingerprint Identification System (AFIS) (only this time being for voice). And a voiceprint developed at Fidelity wouldn't be usable at Vanguard.

azurekep
Posts: 1009
Joined: Tue Jun 16, 2015 7:16 pm

Re: Voiceprint technology (for authentication)

Post by azurekep » Thu Oct 12, 2017 9:02 pm

whomever wrote:
Thu Oct 12, 2017 12:56 pm
"...bank allowed me seven attempts to mimic my brother's voiceprint ..."

I don't find that particularly surprising or alarming. With the disclaimer that this is all surmise: I'd expect the match wouldn't be a binary match/nomatch kind of thing. Your voice varies depending on whether you have a cold, the quality of the voice connection, yadda, yadda, yadda. I'd expect the match algorithm would rate the match from 1 to 10 or whatever. An alto from Brooklyn and a base from South Carolina might barely match. A twin brother who knows your voice well and tries to mimic it would be a better match. And it still took seven tries.
Those are good examples. Plus, X out of 10 is a useful way of thinking about the match.

One of the reasons I'm focused on the technology aspects vs one brokerage vs another is that I frequently encounter "I'm sorry, I wasn't able to get that" with certain voice recognition systems. And we've all seen people on their phones talking to a business saying "The name is Jones." "I said JONES" (shouting). I said JO-ONES!!! (really shouting). I assume there are different degrees of frequency resolution in voice-recognition systems and that phone companies or ISPs have a coarse resolution and brokerages have a fine one...at least when it comes to their actual voiceprint systems.

In addition to resolution (which I'm postulating here and would like to have confirmed), from what I understand, there are behavioral characteristics in one's voice that are folded into "professional" voiceprint systems. Certain speech patterns uinque to a person. Even then, I know my own speech differs if, for example, the market is about to close and I want to ask something fast. My voice is likely to be more focused and faster than if it's a lazy Sunday and I have all the time in the world to talk with the rep and joke around a bit. And BTW, Is my laugh part of the voiceprint? :)

wrongfunds
Posts: 915
Joined: Tue Dec 21, 2010 3:55 pm

Re: Voiceprint technology (for authentication)

Post by wrongfunds » Fri Oct 13, 2017 8:09 am

I don't think most of you are getting it at all. It does not matter if the technology being used is voice-print or chip embedded in your cranium.

The issue is what is the fallback mechanism? That fallback mechanism has hole large enough to drive truck through after Equifax hack.

Nobody is talking about making changes to the fallback mechanism.

azurekep
Posts: 1009
Joined: Tue Jun 16, 2015 7:16 pm

Re: Voiceprint technology (for authentication)

Post by azurekep » Fri Oct 13, 2017 10:28 am

wrongfunds wrote:
Fri Oct 13, 2017 8:09 am
I don't think most of you are getting it at all. It does not matter if the technology being used is voice-print or chip embedded in your cranium.

The issue is what is the fallback mechanism? That fallback mechanism has hole large enough to drive truck through after Equifax hack.

Nobody is talking about making changes to the fallback mechanism.
Okay, here's my specific issue. Maybe you can weigh in.

I was talking on the phone with Fidelity, asking about their latest efforts at increasing security. For part of this time, we were talking about voice authentication, but it was just talk. They indicated it would work regardless of whether you have a cold, etc. etc. They indicated that as a fallback, there would be questions asked, though no specifics were gone into.

At the end of the convo, the rep told me that he had created a voiceprint out of my side of the conversation and I was now enrolled in their voiceprint authentication system. Since my intention was to just gather information, I was a bit stunned and didn't ask any follow-up questions. I decided to stay with it, get more information, then decide whether to stay for good or revert.

So I'm basically trying to figure out which system is more secure (when I use the phone): the current one where I provided a username and password (which I've been happy with) and the voice recognition one. Both will have fallbacks, but I'm uncertain if one primary authentication system is better than the other.

wrongfunds
Posts: 915
Joined: Tue Dec 21, 2010 3:55 pm

Re: Voiceprint technology (for authentication)

Post by wrongfunds » Fri Oct 13, 2017 1:59 pm

I am talking about the case when somebody who has your Equifax hacked data calls the Fidelity and is in position to answer *all* the questions that Fidelity rep will ask him. The person has "forgotten" the password for the account and the phone connection is not the best one as he is probably calling from some "unknown" country!

The point was as long as there is a way to use the Equifax hacked data to gain access to your account, all other implemented security features are irrelevant. The toughness of the primary security scheme does not matter if the fallback security system has been already compromised. Is this hard concept to follow?

I am really struggling to understand why most of you are not getting it. May be I am the one who is wrong here??

whomever
Posts: 684
Joined: Sat Apr 21, 2012 5:21 pm

Re: Voiceprint technology (for authentication)

Post by whomever » Fri Oct 13, 2017 3:06 pm

Wrongfunds: with, again, the disclaimer that I'm not privy to Vanguard's protocols, so I'm only talking about what's possible, here's why voice can help.

Let's suppose that you're a VG rep. A customer calls and answers the security questions correctly, and wants all the funds mailed to Nigeria. The customer is named Betty Ingvarssun, address in Minneapolis, age 78. But the voice on the phone sounds like a deep voiced young man with a thick foreign accent. Again, I don't know what VG's protocols are, but one can at least imagine the phone rep can raise some kind of alert if the totality of details about the transaction aren't adding up. I don't know what they do, but I'd sure hope they might start asking for a notarized form to be mailed to the Minneapolis address or something.

I would hope that, similarly, the quality of a voiceprint match might be used as an additional indicator of trouble. Sure, it's not foolproof, but it's not likely to hurt anything either.

I don't think that a brokerage is contractually bound to wire money because you answer these N specific questions correctly; they are free to (and should!) refuse to accept the transaction if they think it's fraudulent. Voice matching can help make that determination more accurate, in a fairly convenient way. Mimicking voices is one more hassle for an attacker, and hassling attackers is a Good Thing.

2015
Posts: 965
Joined: Mon Feb 10, 2014 2:32 pm

Re: Voiceprint technology (for authentication)

Post by 2015 » Fri Oct 13, 2017 3:15 pm

wrongfunds wrote:
Fri Oct 13, 2017 1:59 pm
I am talking about the case when somebody who has your Equifax hacked data calls the Fidelity and is in position to answer *all* the questions that Fidelity rep will ask him. The person has "forgotten" the password for the account and the phone connection is not the best one as he is probably calling from some "unknown" country!

The point was as long as there is a way to use the Equifax hacked data to gain access to your account, all other implemented security features are irrelevant. The toughness of the primary security scheme does not matter if the fallback security system has been already compromised. Is this hard concept to follow?

I am really struggling to understand why most of you are not getting it. May be I am the one who is wrong here??
So a hacker has your personal data...

First, they would have to do something like fail to respond to the voice verification prompt in order to get through to a csr;
Then, they would have to state they had forgotten/lost/the dog ate their Yubkkey, along with their username and password;
Then, they would have to state they had forgotten/lost/the dog ate their security question answers which you've hopefully by now have already replaced with gibbeish answers.

VG has other means of verification, such as asking you the details of various transactions over time, which no hacker is going to know. VG is good about locking an account during investigations. In fact, Amazon did the same thing for me lately when a certain someone-who-should-know-better got his account hacked because he had forgotten to change his ridiculously weak password. :oops:

azurekep
Posts: 1009
Joined: Tue Jun 16, 2015 7:16 pm

Re: Voiceprint technology (for authentication)

Post by azurekep » Fri Oct 13, 2017 4:27 pm

wrongfunds wrote:
Fri Oct 13, 2017 1:59 pm
I am talking about the case when somebody who has your Equifax hacked data calls the Fidelity and is in position to answer *all* the questions that Fidelity rep will ask him. The person has "forgotten" the password for the account and the phone connection is not the best one as he is probably calling from some "unknown" country!

The point was ais long as there is a way to use the Equifax hacked data to gain access to your account, all other implemented security features are irrelevant. The toughness of the primary security scheme does not matter if the fallback security system has been already compromised. Is this hard concept to follow?

I am really struggling to understand why most of you are not getting it. May be I am the one who is wrong here??
I think your information is not up-to-date. Fidelity, for quite some time, has not solely used the type of information compromised in the Equifax breach for authentication purposes. So I was just assuming that this current practice remains in place and only the front end of authentication changes, i.e., voice verification instead of traditional username/password.

So again, I'm only concerned about whether voice verification is an improvement over a traditional username/password logon.

Without knowing more about voiceprint technology, the only real benefit I see from voice verification is that it would discourage social engineering. Once a would-be imposter fails voice verification, they might just hang up rather than try to run the gauntlet of Fidelity's fallback questions. But I don't have a full understanding of the process, which is why I'm trying to gain a better handle on things.

2015
Posts: 965
Joined: Mon Feb 10, 2014 2:32 pm

Re: Voiceprint technology (for authentication)

Post by 2015 » Fri Oct 13, 2017 5:48 pm

azurekep wrote:
Fri Oct 13, 2017 4:27 pm
wrongfunds wrote:
Fri Oct 13, 2017 1:59 pm
I am talking about the case when somebody who has your Equifax hacked data calls the Fidelity and is in position to answer *all* the questions that Fidelity rep will ask him. The person has "forgotten" the password for the account and the phone connection is not the best one as he is probably calling from some "unknown" country!

The point was ais long as there is a way to use the Equifax hacked data to gain access to your account, all other implemented security features are irrelevant. The toughness of the primary security scheme does not matter if the fallback security system has been already compromised. Is this hard concept to follow?

I am really struggling to understand why most of you are not getting it. May be I am the one who is wrong here??
I think your information is not up-to-date. Fidelity, for quite some time, has not solely used the type of information compromised in the Equifax breach for authentication purposes. So I was just assuming that this current practice remains in place and only the front end of authentication changes, i.e., voice verification instead of traditional username/password.

So again, I'm only concerned about whether voice verification is an improvement over a traditional username/password logon.

Without knowing more about voiceprint technology, the only real benefit I see from voice verification is that it would discourage social engineering. Once a would-be imposter fails voice verification, they might just hang up rather than try to run the gauntlet of Fidelity's fallback questions. But I don't have a full understanding of the process, which is why I'm trying to gain a better handle on things.
From a security standpoint, absolutely. A hacker attempting to override VP, who has "forgotten/lost", etc. Yubikey/login credentials, who fails to then correctly answer any of the one's gibberish security questions, as well as failing to provide other verification (i.e., knowledge of your account transactions), is going to fail the "social engineering" threat. That same hacker is most likely to move on to an easier target, one without all of these protections in place. IMO, it is most definitely an added layer of protection worth having.

tbradnc
Posts: 1484
Joined: Wed Apr 02, 2008 8:30 am

Re: Voiceprint technology (for authentication)

Post by tbradnc » Sat Oct 14, 2017 7:20 am

One of the best and least talked about online security options is the ability to "Restrict account access from unrecognized devices".

Upside: Only the devices you've logged into Vanguard with can get in.

Downside: If your recognized device becomes unrecognized (deleting cookies, device dies...) you can't get back in - so you'd need a backup recognized device.

Post Reply