Last week, I went to my bank to make a deposit during lunch hour. At the ATM terminal, I noticed a man standing nearby talking on the phone. The conversation sounded business-like, and was nothing out of the ordinary, so I didn’t pay any further attention to him. I entered my PIN and went on with my transaction. When I was done, I stepped aside. The guy moved to the same ATM right after me, so fast that it caught my attention. I had a gut feeling that something was off but was unsure what and didn’t think he could access my account any longer. I was wrong.
I learned the hard way that shoulder surfing is a very real means of committing fraud. This is when someone looks over your shoulder when you are using the bank ATM with the intention of snooping and stealing information. Shoulder surfing is not the only method ATM thieves have at their disposal, though. There are skimmers, who use card-reading devices that attach to the card slots of legitimate ATMs. Someone can tamper with security cameras or even set up their own fake ATMs in remote locations. The bottom line, PINs can be compromised in many different ways. Once the PIN is compromised, and in the hands of a fraudster, the potential for financial loss is enormous.
Recently, we talked to one of Nuance’s voice biometrics customers, Banco Santander Mexico. In 2011, the Mexican Government enforced strict guidelines for the use of PINs. Customers were not allowed to use more than two consecutive numbers, repeat the same number or use any personal numbers related to birthdate for example. Customers were going crazy. Although the intentions aimed to protect consumers, it was not only inconvenient but as soon as the PIN was selected it was quickly forgotten. Santander needed a solution that met government regulations for security yet was easy for customers to use. Santander implemented Nuance’s active authentication, VocalPassword, which allows customers to securely and automatically use their voice as their password and relieves them from having to rely on PINs, passwords, and security questions. Watch this video to understand Santander’s experience using voice biometrics.
To finish my story, it turns out that my gut feeling was correct and my account was hacked. What should have been a simple transaction became a major time and emotional drain for me. The guy did in fact shoulder surf, he learned my PIN and was able to re-enter it before the system completely logged me out. He walked away with my money, which fortunately was returned to me by the bank after I filed a fraud report. Although I thought it would never happen to me, it did. In fact, the police informed me that my case was one of many in the Bay Area. I have no doubt that replacing my PIN with my voice would have prevented this crime. My recent experience makes me even more passionate about my work with voice biometrics and makes me pose this question once again: Why aren’t all banks deploying a more secure and more convenient means of authentication like Santander?