Saturday, July 01, 2017

The Master's Voice

In the film "Minority Report" Tom Cruise plays a futuristic cop in a dystopian world. Things seem great, with police able to prevent crimes before they happen. But then (surprise!) something goes wrong, and Cruise is suddenly the hunted and not the hunter. In trying to evade his pursuers, he has to deal with the fingerprint of the day, ID via scanning the retina of your eye. To outwit the system, he has an eyeball transplant. But knowing that his original peepers are the keys (literally) to unlocking the doors in his way, he keeps his old ones in a plastic bag, pulling them out and presenting them to the cameras when he needs to gain access to his old offices.

That scene came to mind when I went to move some money around in our accounts. No, no one asked me to peer into a device or take a picture of my eyeball to verify that, as Popeye said, I yam who I yam. But after I had gotten access to a rep by keying in my password sequence, he asked me if I wanted to be enrolled in the newest security scheme, technically known as voice-biometric technology, or more colloquially, voice print.

Voice biometrics works by comparing a person's voice to a recording of the same on file. It can be active, where you are asked to state a specific phrase that is compared against a previously recorded identical utterance, effectively making your voice itself a password. Alternatively, it can also be passive, where the system "listens” in the background of a conversation with a call center agent, authenticating you during a normal conversation by comparing your speech patterns to those in its data banks.

According to industry leader Nuance Communications, this analysis includes over 140 factors, including speaking under stress. They say this makes it nearly impossible to spoof or duplicate. Translation: that movie trope where the bad guy holds you at gunpoint, and makes you tell the representative to move your entire 401K to his Swiss bank account won't work. (There's also the one about using a hacked-off finger to get past a fingerprint scanner, but that's a discussion for another time.)

How secure is this? Nuance claims that the technology can not only determine between an authentic user and an impostor imitating his or her voice, but even a recording of a voice. And let's face it: it's harder for hackers to imitate or steal your voice than passwords, because it would require them to imitate the voice of a person they may or may not know. Plus, since voice printing would involve just one interaction in a full conversation, even the most rudimentary system would be unlikely to be taken in by a voice purporting to be you that only sounds like you when asked to say specific things.

But the real reason companies are starting to go this way is the weakness of passwords. According to a 2016 Verizon report, in 93% of the cases studied, it took hackers "minutes or less” to compromise a system. Was it their skill at understanding the defenses, or their stealthiness at slipping through firewalls? In a majority of cases, no. In 63% of the over 2000 data breaches examined, the key to gaining access was simply weak, default or stolen passwords. With voice biometrics boasting a 98% accuracy rate, the attraction is a simple case of math.

And so the rep had me ramble on for about two minutes to get a solid voice sample. I talked about the weather, my latest business trip, the plans we had for the weekend, and what we were thinking about for dinner. When I finally came up for air, he told me the system had me on file, and all was good to go. And so the next time I called in, all I did was talk with the rep a bit and the system popped up a confirmation on his screen that I was who I said I was.

So now I don't have to remember the name of my first dog, or where my mother was born, or the theme of my junior prom, none of which I can accurately recall. Even better, I don't have to worry about anyone stealing my eyeballs. But the finger thing? I'm not touching that one (see what I did there?)


Marc Wollin of Bedford uses a password manager. His column appears regularly in The Record-Review, The Scarsdale Inquirer and online at, as well as via Facebook, LinkedIn and Twitter.

No comments: