A man was able to fool a bank's voice recognition security system to access his brother's account over the phone.
BBC Click reporter Dan Simmons allowed his nonidentical twin brother, Joe, to mimic his voice in order to test the bank's voice ID authentication service's ability to determine whether or not it was his own "unique" voice.
After several attempts Joe Simmons managed to to accurately mimic his brothers voice in order to gain limited access to the account.
He was not permitted to withdraw money, but he was given the opportunity to access balances and recent transactions and transfer funds between accounts.
"What's really alarming is that the bank allowed me seven attempts to mimic my brother's voiceprint and get it wrong, before I got in at the eighth time of trying," Joe Simmons said.
Another BBC researcher was able to access his or her account after deliberately failing the voice check 20 times in a span of 12 minutes.
"Can would-be attackers try as often as they like until they get it right?" Simmons said.
An HSBC spokesperson said the Voice ID system, implemented in 2016, can identify a user's voice in seconds by identifying more than 100 behavioral and physical vocal traits "including the size and shape of your mouth, how fast you talk and how you emphasise words."
The bank also said it has worked to increase the sensitivity of the voice recognition system after being made aware of the breach.
"The security and safety of our customers' accounts is of the utmost importance to us. Voice ID is a very secure method of authenticating customers," the spokesperson said. "Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than Pins, passwords and memorable phrases."
Copyright 2017 United Press International, Inc. (UPI). Any reproduction, republication, redistribution and/or modification of any UPI content is expressly prohibited without UPI's prior written consent.