Voice: The New Fingerprint?
Prevailing security methods used to protect against identity theft are losing ground to fraudsters. In fact, the total cost of identity fraud in the United States in 2006 reached $56.6 billion, up 6.4percent from $53.2 billion three years earlier, according to the 2006 Identity Fraud Survey Report from Javelin Strategy and the Better Business Bureau. What’s more, mean resolution time for these cases has risen to 40 hours and costs $6,383 per person, up from 33 hours and $5,249 per person three years ago, according to the same report.
The overwhelming damage to organizations forced the government to step in. New laws designed to protect people from identify theft, such as the Bank Secrecy Act, are requiring higher levels of user authentication for financial transactions.
“PINS and passwords are a joke, and they are where a lot of identity theft is coming from,” says Judith Markowitz, president and founder of J. Markowitz Consultants, a Chicago-based consultancy specializing in speech and biometrics. “It has stimulated interest in speaker verification and biometrics, especially in the financial services industry.”
Rather than requiring someone to answer challenging questions, voice biometrics can authenticate and verify a person’s identity by analyzing voice patterns and recognizing voiceprints, all within seconds. Voice biometrics, including speaker recognition, identification, and verification technologies, can be used to find out if a caller is who he claims to be. The sound of a person’s voice is represented as a sequence of mathematical values. Algorithms are written that process information and return results within a few seconds.
CellMaxSystems in Israel uses a voice verification algorithm to register and authenticate secure voice-based transactions over telecommunications networks. “The good thing about voice biometrics is that all you need is a phone or a computer with a microphone,” says Israel Ronn, CEO of CellMax Systems. “We are a software-only company.”
CellMax’s system includes a voice registration unit for providing unique initial identification by finding the user’s voice parameters in a voice registration sample and storing them in a large database.
The company is finding opportunities deploying its software in the call centers of financial institutions. Call center providers are interested not only in the security aspects of voice biometrics, but also in saving money by reducing the password reset process from between 20 and40 seconds to just a few seconds. “A few seconds extra spent per caller might come to $10,000 or $100,000 simply being spent on authentication,” Ronn says. “It also reduces wait times, which adds to your return on investment. Time is money, especially in the call center environment.”
New York-based T3 Telecom Software, a unified messaging vendor, offers a messaging system as part of its T3 Platform, an integrated telephony solution combining messaging functionality with automated attendant, speech recognition, and interactive voice response capabilities, employing the voice biometrics technology provided by CellMax.
“As identity fraud claims victims rise at an increasing rate, securing access to data from telephony applications has become an urgent requirement of IT and security personnel, whether in the government, public, or private space,” says Yaniv Livneh, CEO of T3 Telecom Software.
Voice biometrics provides an interesting alternative to PINS and passwords, but faces its own security obstacles. Even without passwords, there are many ways for a thief to pretend he is someone else. Voiceprints can be mimicked, digitally recorded, or scrambled. “Criminals have gotten more technically savvy in committing fraud and identity theft, using such approaches as phishing, spyware, Trojans, and other cyber attacks with increasing sophistication,” stated Forrester Research analyst Jonathan Penn in a recent study titled “Strategies for Combating Criminal Fraud.” Penn noted that more effort and resources are going into the design and perpetration of these attacks, and so they have become far more technically complex, both in their exploitation of vulnerabilities and targeting of particular organizations and user groups.
“The issue is that the fraudsters are really clever people, and some just exist to destroy systems,” Markowitz says. “Sometimes they are hacking into systems for bragging rights, other times for monetary gains.”
Types of Attacks
Two troubling fraudster techniques are spoofing and noise interference. A spoofing attack occurs when one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage. Markowitz says spoofing is the biggest challenge to speaker recognition, especially in situations where a user has a close same-sex relative with similar voice physiology and DNA.
However, newer technologies can overcome many of these problems. CellMax’sproduct, for example, can adapt to voiceprint changes caused by things like a cold or flu, according to the company. Its voice biometrics technology measures voice sample quality, and then corrects and cleans the sound to produce cleaner data, says Ziv Barzilay, its founder and chief technology officer.
The Cellmax algorithm method performs fractal analysis, where raw data is investigated and each sound sample gives off a set of non-dimensional numbers that uniquely characterize a speaker’s voice. It also produces a vector that measures, tracks, and analyzes 15 physical voice parameters ranging from those stemming from the nasal cavity to the sound emanating from the lungs. Then, it almost instantaneously investigates the raw data to generate a uniquely identifiable pattern, Barzilay says.
Porticus Technology in Needham, Mass., relies on physiological aspects of the human vocal tract, which it says makes its software less susceptible to background noise, recorded playback, and intraspeaker variabilities, such as voice deviations caused by a cold or flu. Its Versona software has been tested on impersonators, twins, and digital recordings to prove that it is not susceptible to being spoofed.
Each person’s voice is unique due to relatively stable characteristics, such as vocal chord length—which affects pitch, and nasal cavity size and shape. Transient characteristics such as health, emotional state, and environment do not impact an individual’s voiceprint.
At last year’s SpeechTEK East trade show in New York, Porticus unveiled Versona for applications where positive user identification is necessary. “The Versona architecture was designed for easy integration,” says Germano Di Mambro, founder and CEO of Porticus. “By using multifactor authentication, customers eliminate wasted time spent trying to verify identity, while adding a layer of security that is being demanded in today’s threat-filled digital environment.”
Noise interference may not be a sophisticated way of bypassing security efforts, but it is effective nonetheless. A fraudster trying to gain access to a financial account can inject noise and pretend he cannot use the system to bypass automated security mechanisms, and then sweet-talk an inexperienced call center agent into providing confidential data or even wiring funds. In addition, using mobile phones in crowded public spaces such as train stations or airports often distorts the sound of a caller’s voice. However, mobile phone manufacturers are starting to deploy speaker verification technology as a way to protect the increasing amount of personal data stored on people’s cell phones.
In Japan, where people already use their mobile phones to pay for prepaid train tickets and other financial transactions, protecting personal data has become a top priority for mobile device makers. For example, a voice recognition phone by Mitsubishi Electric picks up on voice patterns when a user says a previously designated phrase, according to an article in The Wall Street Journal’s Feb. 15, 2007 issue (“Japan Cellphones Get Security Check.”)
With both spoofing and noise interference, there is no 100 percent foolproof method, but the pros usually outweigh the cons. It’s an overstatement to say these obstacles are no longer a problem, says Chuck Buffum, senior product evangelist of phone authentication with RSA, the Bedford, Mass.-based security division of EMC Corp. “There is an error rate associated with any speaker verification solution that is not huge but measurable,” Buffum says. “Nothing is airtight, foolproof, or perfect, but voiceprint technology has been good enough for 10 years. What’s missing is a multifactor verification approach and what’s needed is an overall intelligent solution that doesn’t overly compromise customer convenience.”
Customer implementation of voice biometrics is not necessarily new. JPMorgan Chase conducted the first of two New York branch pilots in 1995. Fidelity Investments began testing voice verification 10 years ago. However, some regulations have brought voice biometrics back into the spotlight for many large institutions. As financial services firms grapple with new security regulations from the Federal Financial Institutions Examination Council (FFIEC) and health organizations slice their way through the complex Health Insurance Portability and Accountability Act (HIPAA), voice biometrics and authentication has emerged as a viable piece of the puzzle when it comes to protecting people’s identities.
“The main obstacle is not the technology, which has been there for years, but convincing corporate America that voice printing technology really works,” Buffum says. “Secondly, will customers engage and enroll in these programs?”
Although voice biometrics has been around for years, there has still been a relatively high degree of customer hesitation. RSA’s prediction is that 2007 is the year of pilots and proof of concepts, along with some limited deployments, and 2008 will be the year of broad-sweeping deployments, at least among financial companies. “Once the financial services firms break the seal on themarket, it will show if the technology works and whether the consumer will use it,” Buffum says. “When that happens, I can see this broadening into other applications and markets.”
Intervoice formed a new voice authentication practice last year to work with customers to deliver the best possible implementation strategy. Financial services clients have expressed the most interest in voice biometrics, but other industries have also started to take notice, according to the vendor. Intervoice works with healthcare institutions that want to verify that a provider calling from a doctor’s office isthe actual doctor claiming to make a request. Likewise, banks are investigating solutions involving bank tellers. Intervoice offers a three-tiered approach to security, starting with basic single-factor authentication involving an account number and PIN, a second tier that adds in voice biometrics, and a third that also incorporates technology from RSA.
Intervoice expanded a previous alliance with RSA in late March. The new partnership enables Intervoice to integrate its Voice Portal with RSA’s Adaptive Authentication for Phones. The partnership was driven by the desire to bolster financial institutions’ contact centers with multifactor authentication for their telephone banking requests, as well as offering enhanced functionalities like speech technologies, says Ken Goldberg, senior vice president of corporate development and strategy for Intervoice. The companies expect the solution to expand into other markets, including healthcare, transportation, and online retail commerce. RSA, meanwhile, intends to partner with other companies, including call center and speech technology vendors.
“Multifactor authentication allows you to check more facts, such as where a call is coming from, while providing more flexibility in conducting transactions,” Goldberg says. “Banking, because of the regulation requirements, is seeing a lot of the demand.”
“Customers are still figuring out how they are going to comply with all these requirements,” says Kimberly Drobny, director of product marketing services at Intervoice. “We are focused on a full discovery process, such as the business challenges and how to best implement a solution. We are letting them know we do have expertise around these requirements.”
Intervoice plans to market these consulting services as part of its service practice repertoire, focusing on specific vertical markets like financial services and healthcare. It also is creating marketing tools and campaigns designed to educate the company’s sales and marketing staff on the range of services it offers. Requests have been growing over the past few months, says Jenny Burr, manager of global consulting services at Intervoice.
“We’ve seen a spike due to the FFIEC pushing our customers to have more security and tighter regulations,” Burr says. “For our third-tier offerings, our partnership with RSA brings extra layers to security such as behavior profiling.”
Nuance Communications is helping contact centers battle fraud and identity theft with biometric security options for self-service telephone applications. The service, launched last year, overcomes the price constraint problems with finger, iris,or facial biometrics because its voice authentication is completed over the telephone with no additional hardware or software required for the end user. During a brief enrollment process, callers speak their IDs and passwords. The Nuance speaker verification system captures and analyzes the speech to create a voiceprint that is stored in the system database.
Several financial institutions have enlisted in pilot programs, and Nuance has expertise on the general security infrastructure deployed by banks and the issues they face when trying to balance effective security procedures with convenient service, said Dan Faulkner, director of product management and marketing, during a recent Web broadcast. “The key advantage with voice biometrics compared to PIN numbers and passwords is you can’t lose or forget it,” Faulkner said. “In addition, customers are incurring no significant new hardware costs.”
Nuance has implemented voice biometrics for several large-scale clients. The vendor’s technology provides enforcement of prisoner calling privileges at more than 30 U.S. correctional facilities, handling more than 100,000 transactions per day. “Unlike most speaker verification applications, this calling population has a highly motivated imposter set, which is successfully detected,” Faulker said. Nuance also works with a cable television provider, offering speaker verification for pay-per-view orders. The solution simplifies calls and shortens wait times while adding security for parents with underage children by preventing them from ordering R-rated movies or other inappropriate material. The company has also integrated voice biometrics for several financial institutions, and for a major healthcare insurance provider that implemented the system for HIPAA support.
As these projects are completed, companies may become more amenable to speech technology. This is particularly true for call centers that do not automate all of their functions today. “Speech recognition technology can handle changes of addresses and other processes that can be automated, but companies rarely deploy them because of security risk,” Buffum says. “Once you get that stuff installed, with more speech recognition and speech technology vendors, all the boats will rise.”
Voiceprint technology, as part of an overall security strategy, has become more appealing. Analysts at Frost & Sullivan have predicted that voice biometrics in the financial sector will grow at a compounded annual rate of 41 percent through 2011, reaching $193 million by then. “A lot of people still don’t know that voice biometrics actually works, and is not just laboratory technology,” Markowitz says. “But vendors and new regulations are pushing it forward.”
New Service Verifies by Voice
Voice Pay supplements PINS and passwords for secure transactions
Ina move that will substantially reduce the threat of credit and debit fraud, a British company in late April released a system that uses the customer’s own voice as a means of digitally signing and authorizing payments.
Voice Pay, as the service is being called, incorporates VoiceVault voice biometric authentication technology that is already in use by global banks, insurers, and public-sector organizations. Voice Pay is already in talks with several banking institutions and hopes to begin its first deployments toward the end ofthe year.
With its use of biometric, anti-phishing, and anti-fraud technologies, Voice Pay can provide payment guarantees to consumers and business users processing transactions of any size.
“UsingVoice Pay is secure, quick, and easy. No special software or hardware is required, just access to a phone,” says Nick Ogden, CEO of VoicePay. “Consumers complete a short, one-time-only enrollment process, during which a few spoken words are used to generate a unique biometric voiceprint. Subsequently, whenever a purchase is made, the user voice verifies the transaction over the phone or Internet.
“Security of personal data and credit card fraud remain at the forefront of people’s minds,” Ogden says. “Voice Pay hands power and control of the transaction to the consumer, who for the first time, can digitally sign every transaction using their voice and benefit from a guarantee.”
Consumers are not the only group to gain from the service. Voice Pay also offers merchants low-cost credit and debit card payment processing services. In addition, merchants that use Voice Pay for payment processing benefit from other voice technologies, including click-to-call integrated telecommunications capabilities for their businesses.