A critical gap in biometric security for UK banks

February 4, 2026

Clive Summerfield, Founder & CEO of FARx, tells SJUK how the removal of biometric security by Microsoft and Amazon has left UK banks wide open to cyber-attacks – and what they can do about it.

A chasm in biometric security

In recent months, both Microsoft’s Nuance voice biometric solutions and Amazon Connect Voice ID were retired due to a change in business direction, leaving behind a vast chasm in biometric security.

Both systems were an essential line of defence, used in telephone call centres and customer service to prove a customer is who they say they are by analysing their biometric voice data.

This biometric security largely eliminates reliance on knowledge-based authentication processes, which depend on PII (Personally Identifiable Information) such as customers’ names, addresses, post codes and dates of birth and are easy to socially engineer.

Organisations can properly confirm a user’s identity before granting access to sensitive data, such as financial records and clients’ personal information, or allowing high-value transactions to be performed.

Currently, many banks in the UK, like other businesses, utilise offshore customer service and help desk operations.

While this has its own benefits, these operations are often heavily reliant on PII to verify callers, which poses significant data privacy risks, especially in offshore call centres.

While we don’t often hear about banks being breached, this is primarily because they are some of the most secure organisations in the world and breaches often are not reported in the public domain for obvious reasons.

However, the risk is growing, fuelled by technological advancements on the side of attackers (such as AI-generated cloned voices and deepfakes) and now compounded by the retirement of Microsoft Nuance and Amazon Connect Voice ID.

How banks and financial institutions can protect themselves

So, what can banks and financial institutions do to protect themselves in the absence of these biometric security solutions?

Potential replacements for Microsoft Nuance and Amazon Connect Voice ID do exist; however, these come with their own drawbacks.

Not only would implementation require long-term set-up – leaving banks with weaker, less reliable protections during this period – but many come at a very high cost.

The larger issue, however, is that many biometric security alternatives are US-based.

This poses the question of whether banks, financial institutions and government services would – and perhaps more importantly, should – put UK citizens’ biometric identity data in the hands of US tech firms, especially when a better system exists in the UK.

While US biometrics firms might be well capitalised and therefore can offer safe procurement, their use by UK organisations who handle UK citizens’ data introduces a dependency on systems governed by foreign data laws. This challenges not only how the UK safeguards privacy, but also how it retains control over its citizens’ data.

Essentially, the concern is that once personal information crosses national borders, so does the control over how it’s used, accessed and protected, potentially putting it at risk.

Once data is owned and governed by overseas law, UK regulators – such as the ICO (Information Commissioner’s Office) – have a far reduced reach, making it hard to ensure that data integrity meets UK standards.

Solutions that lie within UK borders

Banks, financial institutions and government services alike need only invest a little time and they would likely find that the solution lies within the UK’s own borders: next-gen biometric security solutions offering convenience, enhanced functionality and efficiency.

These solutions – such as FARx, the first and only company globally that fuses speaker, speech and face recognition – can, in many cases, offer a highly effective way to reduce the immediate security threat posed by identity theft, insider fraud and voice cloning.

What’s more, being located in the UK means that data is controlled by our own regulators and data laws.

This data sovereignty ensures that organisations and government services based here retain protection, control and management of their own data and assets without foreign interference.

Considering recent political developments in the US, this is becoming more important than ever.

To address this issue, banks can adopt a voice biometrics system within the UK.

This system can verify the identity of a UK citizen speaking to the human agent in the offshore call centre.

In this scenario, there is no need for the UK caller to disclose their PII to the offshore agent, as the UK-based voice biometrics (VB) system will confirm that the caller is indeed who they claim to be.

Both the biometric data and the PII remain local, under the protection of the UK ICO.

Built-in data integrity

For UK-based biometric security solutions to be effectively implemented in place of systems such as Microsoft Nuance and Amazon Connect Voice ID, the solution’s technology itself must be designed with data integrity built in as a priority. This includes:

  • End-to-end encryption to protect biometric data in transit and at rest
  • Continuous verification and auditing of stored data to detect tampering
  • Fused biometric systems that combine multiple identity signals (such as voice and face) for stronger authentication and fraud detection
  • Local storage and processing, ensuring sensitive biometric data never leaves the UK without explicit, justified, legal need

The data is clear – AI-powered attacks and identity fraud are becoming an increasingly volatile risk, one that is also getting easier for attackers to proliferate as they outpace legacy security systems.

With solutions such as Nuance and Amazon Connect Voice ID retired and US-based biometric solutions costly and problematic in their own way, the solution lies far closer to home. And it is ripe for the picking.

Security Journal UK