BreachExchange mailing list archives

Can Voice Biometrics Hack Computer Security?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 20 Aug 2013 20:40:00 -0600

http://www.destinationcrm.com/Articles/Editorial/Magazine-Features/Can-Voice-Biometrics--Hack-Computer-Security-78802.aspx

In April, hackers broke into Sony's PlayStation 3 Network, gaining
access to data from roughly 77 million user accounts. A month later,
Sony's systems were breached again, compromising the account data of
25 million users of the company's Online Entertainment PC-based gaming
service.

As a result of those two attacks—considered among the largest and most
pervasive ever—the Japanese electronics maker shut down its
PlayStation Network and related services for nearly a month. In
addition, Sony spent more than $170 million on identity theft
insurance and free content for customers whose data might have been
compromised, improvements to network security, customer support, legal
fees, and an investigation into the attacks.

Sony is not the only company that has taken a hit. This year alone,
some other very high-profile and very costly cases involved Citibank,
RSA (the company that makes the widely used SecurID tokens for
computer access), Google's Gmail service, and U.S. defense contractor
Lockheed Martin. Other cases costing hundreds of millions of dollars
go back five years or more. Understandably, the spate of attacks is
sparking interest in voice biometrics applications to protect customer
data.

On a Smaller Scale

Large-scale attacks, like the one on Sony, are the exception; most
cyber crimes occur on a much smaller scale, typically involving theft
of a single individual's personal or financial information to make
fraudulent purchases or bank transactions. In most cases, the thieves
gain access either through programs installed directly on the victim's
computer or via a company's servers.

Symantec, which makes Norton Antivirus software, estimates that the
cumulative bill for these kinds of cyber crimes in 24 countries
totaled $388 billion last year: $274 billion in lost time and $114
billion in cash costs, including money stolen or spent resolving the
cyber attacks. The company also reports that 431 million adults
experienced some form of cyber crime last year, equating to nearly 1.2
million people per day, or 14 per second.

When those types of attacks occur, it isn't the interactive voice
response (IVR) system or call center that is breached but, rather, the
databases that support them, explains Judith Markowitz, president of
J. Markowitz Consultants, which specializes in voice security.

"A lot of them end up in identity fraud, with people pretending to be
other people," Markowitz says. "It's all part of a whole pattern of
attacks against call centers. These are becoming more and more
vicious, and they're being done by professionals as part of a global
effort."

Although voice security can do little to stave off large attacks, like
those that happened at Sony, some applications can go a long way
toward protecting consumer information in the smaller, more targeted
attacks. Using speech technologies, companies can limit access to
personal accounts and related data by blocking anyone whose voice
characteristics do not match a stored voiceprint.

"You can't steal a person's voiceprint the way you can get their PIN
or Social Security number," says Dan Miller, senior analyst at Opus
Research. "Voiceprints are stored differently—as a binary
representation of the voice file. They are usually encrypted and
stored separately, so the voice files are meaningless without another
file to give them context."

According to Miller, most attempted hacks involving voice technologies
are replay attacks, in which fraudsters try to gain access to
voice-guarded systems with recordings of the voice. To prevent those
attacks, he recommends changing passwords. Companies also can install
security software that can detect whether an audio input is live or
recorded.

Additionally, recent research from contact center technology provider
Convergys found that consumers do not like giving personal information
to agents. According to that study, 70 percent of consumers would
prefer to use an IVR system with biometrics than speak to an agent.
The perception is that automation reduces the risk of fraud and that
an agent might try to steal information, whereas an application
cannot, says Jenny Burr, senior manager of speech science and global
professional services at Convergys.

Of course, most agents are honest, but the fear among consumers is
real. "It's more paranoia, but there have been a few instances," Burr
notes.

Still, that's good news for voice biometrics technology vendors, who
have garnered more interest and a sharp spike in sales in recent
months.

For What It's Worth

That interest is expected to translate into real dollars for the
vendors of such technology. In fact, according to research firm RNCOS,
the technology has been "stupendously growing" in recent years because
of rising personal security concerns and a greater awareness of
identity theft.

In a report, "Global Biometric Forecast to 2012," RNCOS indicated that
as the technology improves, prices will fall and consumers will become
more accustomed to using biometrics to prove their identities and make
secure transactions. RNCOS's findings also suggest that voice
biometrics will gain popularity in the coming years as its superiority
over other technologies, such as face, iris, and fingerprint
recognition, is recognized. The voice recognition market is expected
to grow at a compound annual rate of about 13 percent through 2013,
according to RNCOS.

As a further demonstration of the industry's growth, Miller noted,
providers of voice authentication solutions generated about $100
million in revenue in 2010. "By our own very conservative estimates,
we expect that to grow to about $320 million by 2015," he says, "but
it could even be significantly larger than that."

Miller uses another ruler to measure growth. Currently, about 6
million people have enrolled their voiceprints in some way. By 2015,
that number is likely to reach 30 million, he says.

But the key will be to get consumers to consent to having their
voiceprints stored on file. Local and federal law-enforcement agencies
in some countries, such as Mexico, have been collecting voice samples
as part of the arrest process, in much the same way that suspects are
fingerprinted.

For consumers to consent, the collection process must be seamless,
according to experts. "The user interface is the key to all of this,"
Burr says. "You need a consistent, clean interface."

For enterprises, finding a way to collect voice data without
irritating customers or compromising security causes the greatest
concern regarding any security application. With modern solutions, the
two do not need to be mutually exclusive. "Privacy and security are
not antagonistic," Markowitz says.

Miller says, "Voice biometrics is not yet completely a must-have, but
it's making its mark in some very difficult markets." He notes that
the technology has penetrated the telecommunications, finance, law
enforcement, and government sectors and is poised to gain traction in
healthcare and insurance.

"Growth has been very small for the past three years, but now it's
starting to pick up," he adds.

While some say the soaring interest in voice biometrics is
unprecedented, others report having seen steady growth all along. The
technology's "been around for years and grown little by little over
time," Markowitz says. "The interest has been there; it's not sudden."

What have changed, according to Markowitz, are the technology itself
and the prices that vendors charge for it. "It's more attractive now
to organizations that do not want to spend $500,000 to put something
in," she says. Voice biometrics vendors are "making it possible for
call centers to use" their products.

The Cloud Conundrum

Vendors are making their products more accessible by using
software-as-a-service (SaaS) models. "With SaaS, these applications
are cheaper to get into," Burr says. "SaaS is making the costs go way
down."

Graham Allen, director of product management at Convergys, says, "Look
for more SaaS deployments. It's a going-forward strategy."

But while the cloud is good for those who would deploy voice security
solutions, it is also contributing to the need for greater security.
The threat risk grows as more data is stored in the cloud and on
mobile devices, such as smartphones and tablets, experts warn. While
much of the data stored in the cloud is encrypted, "each network has
its own vulnerabilities and ways to get in," says Valene Skerpac,
president of iBiometrics, a voice security consulting firm. "Mobile
phones are also subject to malware and phishing attacks. The same way
people can get to PCs, they can get to mobile phones."

Consumers are expressing fear. According to a recent survey by
ThreatMetrix and the Ponemon Institute, only 21 percent of U.S.
consumers feel "completely" safe when conducting mobile banking
transactions, such as checking account balances, transferring funds,
or making payments. In that survey, 48 percent of consumers said they
felt "somewhat protected," and 23 percent said they did not feel
protected at all.

Those perceptions have made consumers less willing to use mobile
banking. Only 29 percent of those surveyed said they have done banking
on their mobile phones, and 51 percent said they have not used mobile
banking applications for fear of diminished protection.

"Mobile, in particular, is difficult to protect from fraud," Julie
Conroy McNelley, senior fraud and risk analyst at the Aite Group,
said in a statement. "With around 4,000 different device types to
secure, it's often a daunting task. On top of that, few consumers are
using antivirus or anti-spyware software on their mobile devices.
Mobile, just like more traditional e-commerce transactions from a
desktop, has the potential to become a hotbed for fraud."

To illustrate that point, a team of researchers from the University of
Indiana and the City University of Hong Kong this year demonstrated a
malware program it had created for Android mobile devices that keeps
an ear out for credit card numbers spoken aloud or entered on a
phone's keypad. Called Soundminer, the program could attach itself to
the phone's microphone and then capture the credit card data.
Soundminer was able to send that data to a companion program, called
Discoverer, which could covertly transmit the stolen data to the
hacker.

In several tests, the low-profile applications avoided detection by
the phone's owner and installed antivirus software. What made the
applications so stealthy was that they coded the sensitive data to
resemble a system file for the phone's vibration, volume, or wake-up
settings.

Lucky for Google, the applications were not the product of malicious
hackers but, rather, of researchers who simply wanted to expose the
weakness in the Android operating system.

That is a common practice, according to Skerpac. "Companies like
Google let and encourage developers to hack their systems to uncover
vulnerabilities," she says. "It's not like years ago when there were a
lot of denials."

In response to these and other threats, the smartphone security market
is expected to grow wildly in the coming years.

A report by Goode Intelligence, "Mobile Phone Biometric Security:
Analysis and Forecasts 2011-2015," pegs the current mobile phone
biometric security market at slightly more than $30 million and
predicts it will rise to more than $161 million by 2015, growth of more
than 536 percent.

More Is Better

Early growth will be driven by embedded fingerprint sensors and voice
biometrics that will be used together as part of multifactor
authentication solutions, the report says.

Experts agree that to truly secure mobile devices, multifactor
authentication will have to be the industry standard. Multifactor
authentication is already being mandated as part of the Health
Insurance Portability and Accountability Act (HIPAA), which governs the
protection of patients' private health information. Since
April, the U.S. federal government, through the National Strategy for
Trusted Identities in Cyberspace, has proposed a voluntary national
"identity ecosystem" based on multifactor authentication. Moreover,
the Payment Card Industry's Data Security Council has made multifactor
authentication part of its compliance guidelines. In some cases,
failing to comply could result in steep penalties, including fines and
increased transaction fees from credit card issuers.

Businesses also face mounting pressure from their partners and
customers to demonstrate compliance.

But, despite the push, voluntary adoption of multifactor
authentication hasn't been significant yet. That is sure to change,
according to most experts.

"There's already a better understanding on the buyer side for
solutions that are multifactor," Miller says. "With phones now more
vulnerable, why wouldn't you look at it?"

Skerpac agrees with Miller: "Everything is leading to multifactor,
multimodal authentication."

Convergys's Burr says, "You'll see more deployments in the mobile and
Web space as banks and other companies put out more apps for the
smartphone."

Most applications of multifactor authentication use PINs or passwords
as the first line of defense and supplement them with a voice security
application. Others combine voice with more complex methods, such as
iris or fingerprint scans. But those tend to be far more expensive to
implement, and the public views them as intrusive.

"To go across the different channels, you need to get to where the
technology runs in the background, just pulling out the pieces of a
normal conversation that it needs," Convergys's Allen says.

One company already involved is Sensory, which about a year ago
released versions of its Truly Handsfree Trigger software for mobile
devices running Apple's iOS and Google's Android operating systems.
The software lets the devices constantly listen for voice commands
that wake them up and guide them through user queries. In addition,
the company has developed voice-activated chips to unlock phones and
applications.

Todd Mozer, CEO of Sensory, acknowledges that some of the other
biometrics, such as fingerprint or iris scans, might be more accurate
than voice, but voice security is the most convenient for mobile,
especially since all phones have microphones built in.

To keep mobile phones safe, Mozer recommends, users should install
software that requires them to speak their passwords or other trigger
phrases before the devices connect to their networks. That can be
accomplished through the device's digital signal processor, allowing
the user to activate components of the phone without the operating
system, he says. "Once you're in the OS, the device is already opened
and connected, so it's better to do it pre-OS," Mozer states.

Mozer expects to see many other security applications become available
for mobile phones, and not all of them will relate to voice. "All
phones have cameras now, so you can use that to perform some sort of
visual check of the person for access purposes," he says.

Shoring up security in other ways helps, Skerpac advises. "Keep data
in separate systems, so that even if [would-be thieves] hack into one
system, you can make sure they can't get into the others."

In addition, swap out legacy text-dependent systems for ones that are
text-independent. The prevailing trend in voice biometrics has been
text-dependent, meaning a person enrolls his voiceprint by repeating a
standard phrase. But now there's a move toward systems that are
text-independent, in which users can utter any phrase to register
their voiceprints. Because these systems can be easily randomized,
they're a lot harder to crack with recordings, analysts point out.
"It's the area where we are seeing the most research," Skerpac says.
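The replay defence described above (a fresh random phrase for every login, so a recording of an earlier session is useless) written out as an added Python simulation; this is not code from the article or from any vendor named in it. The speech engine's transcript and speaker embedding are assumed inputs handed in by the caller, and the phrase vocabulary, the similarity threshold and the cosine-similarity voiceprint comparison are constructed for illustration only.

```python
import hashlib, math, secrets, time
from dataclasses import dataclass
# Constructed vocabulary for random challenge phrases (illustrative, not a vendor's list).
PHRASE_WORDS = ["blue", "river", "seven", "candle", "orbit", "maple", "tiger", "silver"]
MATCH_THRESHOLD = 0.90  # minimum cosine similarity to the enrolled voiceprint (assumed)
CHALLENGE_TTL = 30.0    # seconds a challenge stays valid (assumed)

@dataclass
class Challenge:
    nonce: str
    phrase: str
    issued_at: float

def normalize(text):
    return " ".join(text.lower().split())

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

class VoiceAuthServer:
    # Text-prompted verification: fresh random phrase, single-use nonce, no reused audio.
    def __init__(self, clock=time.time):
        self.clock = clock
        self.voiceprints = {}    # user -> enrolled embedding (list of floats)
        self.pending = {}        # nonce -> (user, Challenge)
        self.seen_audio = set()  # SHA-256 of every audio blob ever submitted

    def enroll(self, user, embedding):
        self.voiceprints[user] = list(embedding)

    def issue_challenge(self, user):
        phrase = " ".join(secrets.choice(PHRASE_WORDS) for _ in range(4))
        ch = Challenge(secrets.token_hex(8), phrase, self.clock())
        self.pending[ch.nonce] = (user, ch)
        return ch

    def verify(self, nonce, audio, transcript, embedding):
        # transcript/embedding are assumed outputs of an upstream speech engine run on `audio`
        entry = self.pending.pop(nonce, None)  # pop: a nonce is good for one attempt only
        if entry is None:
            return False, "unknown or already-used challenge"
        user, ch = entry
        if self.clock() - ch.issued_at > CHALLENGE_TTL:
            return False, "challenge expired"
        digest = hashlib.sha256(audio).hexdigest()
        if digest in self.seen_audio:
            return False, "replayed audio"
        self.seen_audio.add(digest)
        if normalize(transcript) != normalize(ch.phrase):
            return False, "spoken phrase does not match challenge"
        score = cosine(self.voiceprints[user], embedding)
        if score < MATCH_THRESHOLD:
            return False, "speaker mismatch (score %.2f)" % score
        return True, "ok"
```

A recording of a previous session fails twice over: its bytes are already in `seen_audio`, and its words do not match the new phrase.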

Text-dependent systems traditionally have worked well in quiet
environments and not so well in noisier locations. To circumvent that,
Sensory is tying voice biometrics to its Truly Handsfree Triggers,
which filter all other environmental noises and carry out a command
only when a trigger word is spoken. Early tests have shown that when
used with hands-free triggers, voice security technology "becomes very
reliable in noisy environments," Mozer says.

While that research is important, Skerpac says, studies will have to
be done to determine the effects of aging on biometrics solutions. "In
the long term, this could produce real problems for systems," she
argues.

"Nothing is 100 percent," Skerpac says, admitting that even voice
biometrics could do a better job at times. "But what we have now is
certainly better than what we had before."

And, more than that, it's better than nothing at all.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss