Date | November 2017 | Marks available | 8 | Reference code | 17N.1.SL.TZ0.1 |
Level | SL | Paper | 1 | Time zone | no time zone |
Command term | To what extent | Question number | 1 | Adapted from | N/A |
Question
Voice biometrics technology in banking
CBR Bank is introducing voice biometrics technology that will authenticate customers when they telephone the bank. It will replace the current system, in which customers have to use passwords and/or security questions.
As part of the registration process, the customer has to say the phrase, “My voice is my password” three times. This provides a voice print that will be used to verify the customer’s identity in future telephone calls to the bank.
In addition to their voice, identify two ways in which a customer can be recognized by CBR Bank’s biometrics technology.
Identify the steps used by the voice biometrics technology to authenticate a customer calling CBR Bank.
CBR Bank holds a large amount of information on its customers. Some customers are concerned about the security, privacy and anonymity of their data.
For each of the concerns above, explain one policy that CBR Bank could use to address the concerns of its customers.
The chief executive officer (CEO) of CBR Bank, Alice McEwan, said in a recent interview, “CBR Bank will be replacing all passwords, PINs and personal verification questions for our online banking and mobile banking with voice biometrics recognition.”
To what extent are the changes proposed by Alice beneficial for both CBR Bank’s customers and CBR Bank’s IT support?
Markscheme
Answers may include:
- Iris/retina
- Facial/face
- Fingerprint
- Hand / palm print
Do not accept “eye recognition” – this is too vague. Iris or retina is required for marks.
Award [1] for identifying each form of biometric identification up to a maximum of [2].
Answers may include:
- Biometric voice feature is initially recorded.
- Voice is converted from analogue to digital.
- Voice is stored in database together with other personal information.
- Voice is re-scanned when person needs to be authenticated over the phone.
- Voice is matched with information in database.
- If a match, then it is authenticated.
- If no match, then the customer is asked to repeat the phrase and is rejected after a certain number of attempts.
Award [1] for identifying each of the steps used to authenticate a customer calling CBR Bank up to a maximum of [4].
Answers may include:
Security:
- User access to data is limited to authorized personnel – to ensure data is secure during storage.
- Username and password access is implemented – to ensure data is secure during storage.
- A password policy is implemented (e.g., minimum length, mix of characters, changed after a given number of days etc.).
- Two-factor / two-step authentication is implemented (e.g., one-time password/PIN to a mobile phone, code-generating device supplied by the bank, confirmation email).
- Data is encrypted – to ensure data is secure during transmission.
- A firewall is used to protect the bank’s server.
- Bank servers are kept updated with the latest software / security patches.
- Bank employees are prohibited from accessing customer data on personal devices / devices outside the company network – to ensure that all devices are protected by the bank’s security measures.
Privacy:
- Customers are informed to specify how the data may be used – if/how it may be shared with third parties.
- Only authorized personnel will have access to the bank database – not all employees will be able to view data.
Anonymity:
- Ensure the customer’s anonymity is maintained – when data is shared with third parties, the data that could give the identity of a customer must be detached.
- Reports are kept anonymous – reports cannot allow individuals to be identified.
N.B.: The response requires an explanation of a policy and not a discussion of the problems themselves. There must be a policy for each kind of concern: security, privacy and anonymity and reason(s).
Award [1] for identifying a policy that CBR Bank could use to address the security, privacy and anonymity concerns of its customers and [1] for a development of the policy identified up to a maximum of [2].
Mark as [2] + [2] + [2].
Answers may include:
For customers:
Advantages of replacing passwords with biometric voice recognition:
- Customers don’t have to remember a password or PIN code / may not need additional verification such as one-time codes (automation).
- It is more secure, as voice characteristics are unique.
- It is harder for others to hack online banking with voice biometrics recognition (security).
- Some customers may have physical conditions that make entering PINs/passwords difficult – voice recognition will avoid having to type (access/inclusion).
Disadvantages of replacing passwords with biometric voice recognition:
- The voice recognition system may not accept foreign accents or a range of voices (systems).
- Illness (such as a cold) can change a person’s voice, making identification difficult (systems).
- A person’s voice can be easily recorded and used for unauthorized access (security).
- Someone with a very similar voice (e.g., a member of the same family) may be able to gain access to the bank account (security).
For IT support:
Advantages of replacing passwords with biometric voice recognition:
- It is more secure, less likely to be hacked – fewer problems for IT staff to deal with (automation, systems).
- It is easy for customers to record by themselves – no IT staff required to set up (automation, systems).
- IT staff do not have to deal with lost password/PIN (automation, systems).
Disadvantages of replacing passwords with biometric voice recognition:
- The voice recognition system may not accept particular accents – customers cannot access their online banking and will need support (systems).
- A person’s voice can be easily recorded and used for unauthorized access – customers may complain about unauthorized access, IT staff will have to investigate hacked accounts (security, values).
- Illness (such as a cold) can change a person’s voice, making identification difficult – a greater number of customers might need to call support to access their own account (systems).
- When the new system is implemented, CBR Bank’s IT support could be overwhelmed with overlooked bugs (reliability).
- Audio files / biometric templates will require more storage space than passwords / PINs – this may make backing up data more time consuming / require IT support to increase available storage space, etc. (data).
- Initial implementation of the new system may require additional IT support staff.
- IT support staff may face an increased workload (e.g., if the old system initially has to run parallel to the new system).
In part (c) of this question it is expected there will be a balance between the terminology related to digital systems and the terminology related to social and ethical impacts.
Keywords: security, authentication, stakeholder, reliability, data, change, identity, power, systems, values, ethics, accountability, transparency, access, inclusion
Refer to SL/HL paper 1, part c markbands when awarding marks. These can be found under the "Your tests" tab > supplemental materials > Digital society markbands and guidance document.