MIT's Technology Review has an
article about the new Pay by Voice commercial service by a company called, surprisingly enough, Voice Pay. Now, I can imagine at least a couple of different general responses you, the reader, might have to this news. The first would be the semi-jaded, popular science devotee's reaction of "gee, that makes sense". The other would be the security-minded skeptic's reaction of "that's got to be so full of holes it will look like Swiss cheese."
Both responses are probably right in some sense, BUT, the devil is in the details, as they say. I'll point out the ones that seem the most obvious to me, without getting too technical.
- The system is based around mobile (or cell, for the US readers) phones, which implies more environmental noise than fixed line, compression effects (from coding the voice to use less bandwidth over the air), and possible hands-free use (which means even more noise and a different "sound" to the voice, which could confuse the voice recognition algorithm).
- Verifying someone's identity is easier than other recognition tasks (like picking someone out of a crowd). The system has been pre-trained on the person's characteristics and the system architecture is usually better controlled, for starters.
- This implementation of identity verification uses voice biometrics as well as call-back to the previously registered mobile number. This allows the fusion of two different types of data, although it is over the same "channel." If the shopping is done on-line, then there is not only multiple types of data, but also multiple channels that the data is passing over, which increases security.
- Fooling the system with a voice synthesizer might indeed be possible, but access to the potential victim's mobile phone would be required - as well as log-in details in some cases and 100% spoof rate could not be guaranteed.
- The company obviously didn't want to get into the issues surrounding false positive/negative rates and credit card security, but the truth of the matter is that the existing credit card system is not very secure in itself, but the losses to the credit card industry due to fraud are small enough compared to the profits that it isn't worth the effort to them to make it significantly more secure. (Note: Before anyone emails me about credit cards with chip and PIN, please consider just how big the credit card market is and how many traditional chipless cards are out there and will be for many years to come.) The company seems to be assuming that the same rules will apply here - if they succeed in getting into the market in a big way, their losses due to fraud will be easily written off.
There is much more that I could say here, but in the interest of not turning this into a paper by itself, I'll cut it off here. Feel free to email me or post a comment, though.