Biometrics - Voice Verification Overview
The more-advanced voice recognition systems record and store combinations of sounds and notes. For example, a user records his name or a snippet of a song at the time of enrollment. In subsequent transactions, the user replays the recording using a special hardware token to authenticate. In the event that a user's biometric credential is compromised, the system enables re-enrollment using a new voice template.
Wireless financial transactions through cellular phones, pagers, and personal digital assistants can significantly increase a financial institution's level of transaction/operations and strategic risks, according to the FFIEC. Security solutions that work in wired networks must be modified for application in a wireless environment. The FFIEC urges institutions to evaluate the strategic risks posed by the wireless delivery channel. Standards for wireless communication are still evolving, creating considerable uncertainty regarding the scalability of existing wireless products.
Encryption of wireless financial transactions is essential because wireless communications can be recorded and replayed to obtain information. Encryption of wireless communications can occur in the institution's application, as part of the data transmission process, or both.
Transactions encrypted in the application (e.g., an institution-developed application for a PDA) remain encrypted until decrypted at the institution. This level of encryption is separate from the data transmission encryption process. However, application-level encryption typically requires customers to load the application and its encryption/decryption protocols on their wireless device. Since not all wireless devices provide application-loading capabilities, requiring application-level encryption may limit the number of customers who can use wireless services.
Wireless network security should focus on securing systems throughout the transmission process, from the wireless device to the institution's systems and back again. For example, a known wireless security vulnerability exists when the Wireless Application Protocol (WAP) transmission encryption process is used. WAP transmissions deliver content to the wireless gateway server, where data is decrypted from WAP and re-encrypted for Internet delivery. This is often called the "gap-in-WAP." This brief instant of decryption increases risk because the transaction may be viewable in plain text (unless encryption also occurred in the application layer).
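The difference between transmission-only encryption and added application-level encryption at the gateway can be shown with a small simulation. This is an added example, not code from the FFIEC guidance: the function names, keys and sample transaction are constructed, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for the real WAP and Internet transport ciphers so that the block runs on the Python standard library alone.

```python
import hashlib, hmac, os

def _subkey(key, label):
    # Derive separate encryption and MAC keys from one shared key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream (illustrative stand-in cipher).
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    # Encrypt, then authenticate nonce + ciphertext.
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    # Verify the tag before decrypting; reject anything modified in transit.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def gateway(blob, wireless_key, internet_key):
    # The gateway ends the wireless leg and starts the Internet leg, so the
    # payload exists unprotected in its memory between the two operations.
    in_memory = unseal(wireless_key, blob)
    return seal(internet_key, in_memory), in_memory

def send(transaction, app_key=None):
    # Device -> gateway -> institution. app_key is shared only between the
    # device application and the institution, never with the gateway.
    wireless_key, internet_key = os.urandom(32), os.urandom(32)
    payload = seal(app_key, transaction) if app_key else transaction
    forwarded, seen_at_gateway = gateway(
        seal(wireless_key, payload), wireless_key, internet_key)
    received = unseal(internet_key, forwarded)
    if app_key:
        received = unseal(app_key, received)
    return seen_at_gateway, received

TX = b"TRANSFER 250.00 FROM 0001 TO 0002"  # constructed sample transaction
```

With transmission encryption only, the first value returned by send(TX) is the transaction itself; with an app_key, the gateway holds only ciphertext and the institution still recovers the transaction.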
Finally, wireless financial transactions increase the potential for unauthorized use due to the limited availability of authentication controls on wireless devices and the higher likelihood that the device may be lost or stolen. Authentication solutions for wireless devices are currently limited to username and password combinations that may be entered and stored in clear text view (i.e., not viewed as asterisks "****"). This creates the risk that authentication credentials can be easily observed or recalled from a device's stored memory for unauthorized use.