How secure is voice banking with a virtual assistant?
Emirates NBD customers can now check accounts through Amazon’s Alexa, but security precautions prevent financial transactions
After months of beta testing and consumer feedback, Emirates NBD customers with Alexa devices can now check their account and credit card balances, listen to daily market briefings and find out about banking products — all through a voice conversation with the virtual assistant.
ENBD is the first in the region to offer Alexa voice banking through its collaboration with Amazon Web Services, as it invests in digital transformation. The bank said in 2017 it was spending Dh1 billion on digitisation over the next three years.
While the new Alexa "skill" — commands Amazon's smart speakers can respond to — does not yet offer the ability to make payments and transfers, ENBD says customers are asking for those additional features.
“There is a possibility we will be scaling this up to add financial transactions, but when you do that it will definitely come with enhanced proto-security and privacy protocols for the customer,” says Sunanda Panikkar, head of virtual assisted services and AI at ENBD.
Concerns about security and privacy have been part of the debate about voice banking over the past few years. Alexa, launched in 2014, and other virtual assistants, such as Apple’s Siri since 2011 and Google Assistant in 2016, have made consumers’ lives easier. But there is a difference between using Alexa to play music and using it to pay your credit card bill. So how secure is it?
“The thing with all these different types of technologies is [you have to weigh] the ease of use versus the potential loss which you could suffer from fraud,” says David Michaux, managing director at Forward Defense, an IT security solutions provider in Abu Dhabi.
Globally Internet of Things (IoT) security spending is expected to reach $3.1 billion (Dh11.38bn) in 2021, according to US researcher Gartner. A 2014 study from Hewlett-Packard found that 70 per cent of IoT devices are vulnerable to attack; issues included privacy concerns over collecting consumer data, insufficient authorisation barriers and lack of encryption.
"A worrying number of these devices are protected only by generic factory settings and passwords," says Maher Yamout, senior security researcher at cybersecurity provider Kaspersky. "Even worse, voice-activated personal assistant technology cannot yet authenticate the owner. In other words, whoever asks the voice-activated personal assistant for a task, will get it."
Many financial organisations, mainly in the US, are already using voice-activated virtual assistants to access accounts and make payments. Under the Alexa skills category of “banking and finance”, more than 3,000 results come up, including American Express, Capital One, PayPal and US Bank.
Some banks have also integrated Apple’s Siri, including Mashreq Bank in the UAE. In 2016, Mashreq started allowing customers to transfer payments of up to Dh500 using Siri. A spokesperson confirmed the service is still available.
Mashreq Bank customers can tell Siri how much they want to transfer and to whom, but have to authenticate by using either their pin or touch ID fingerprint recognition. They then receive a text alert once the debit takes place.
In 2017, UK bank Barclays rolled out a similar concept, allowing customers to ask Siri to make a payment and then authenticate it with Apple’s touch ID — making the process of sending money “virtually hands free”.
OCBC Bank in Singapore has offered voice banking through Google Assistant on a smartphone or Google Home device since April 2018. Customers can mainly inquire about the bank’s services and plan their financial future; for example, they can calculate the mortgage loan amount they can afford.
Bank of America, which serves more than 65 million consumer and small business clients, created its own virtual assistant Erica in June 2018. In the year since roll-out, the bank said seven million customers used Erica to complete over 50 million requests.
“It’s been a solid first year, but we’re just beginning to scratch the surface of Erica’s full potential to transform the client experience and help them live their best financial lives,” said David Tyrie, head of advanced solutions and digital banking at Bank of America, in a statement at the time.
The security concerns with voice banking are that pins, account numbers and financial information are said aloud for anyone within earshot to hear. As PayPal puts in its disclaimer: “Please be aware that the skill will read out the financial information (ex: PayPal balance) loud”.
With ENBD, a user must first link the bank account to the skill and create a four-digit pin. They can use voice banking through the Alexa app on their phone or through their Alexa home devices, such as the Echo Dot smart speaker. To get started, customers say "Alexa, open Emirates NBD" and then state their pin.
“Since this is a voice banking feature, we advise customers to access the skill in an appropriate environment, whether they’re at home or alternatively they can use their earphones,” says Ms Panikkar.
If ENBD goes ahead with allowing financial transactions, the bank has emphasised it will add an additional security barrier, such as Smart Pass. The device-specific security measure generates a new token every time a customer wants to complete an online or mobile transaction.
Alphabet’s Google Assistant rolls out Arabic service across the Mena region
Banking through mobile phones, in general, comes with potential vulnerabilities that have to be addressed, says Mr Michaux.
“Most people are going to be doing this on their mobile phones,” he says. “We see a high rate of people’s mobile phones getting infected by different types of malware, which in theory would allow people to potentially listen to your phone calls or to see the key taps which you’re typing in.”
Aside from possible fraud, there are privacy concerns. Amazon, Apple and Google have all been criticised for recording conversations from consumer devices to subject them to human review. The companies have either suspended the practice or offer users the option to opt out.
“We take the privacy and security of our customers’ personal information seriously,” says an Amazon spokesperson in Dubai.
Amazon’s website states: “Amazon designs Alexa and Echo devices with multiple layers of privacy protection … from microphone and camera controls to the ability to view and delete your voice recordings.”
Amazon manually reviews and annotates “a small fraction of one per cent of Alexa requests” to help improve the service. Customers can opt out through “manage your Alexa data” under privacy settings in the app.
Although Alexa devices are not yet available for sale in the UAE, the Amazon spokesperson says the company is "working hard to make our features and devices available everywhere our customers want them".
Despite security and privacy concerns, consumer demand for ease and speed has led to fast adoption of voice banking and other digital banking solutions.
Banks must keep up by integrating virtual assistants, said a 2018 report from Javelin Strategy & Research entitled Smart Speaker Banking Must Overcome Digital Inertia. More than half of all consumers surveyed said they would use Alexa to make routine banking requests, including checking account balances (47 per cent) and reviewing recent transactions (43 per cent).
Paolo Barbesino, head of multichannel banking at ENBD, says the bank collected “very valuable feedback from our customers that suggest what to include in the next features”. These include making payments and receiving reminder notifications. For now, the initial launch is “the first step in further enhancing voice banking in the years to come”, he says.
Mr Michaux says the future of secure voice banking may be voice recognition, where your voice is your password. “It’s very difficult for somebody to copy that,” he says. “The chances of fraud are dramatically reduced.”
In the meantime, Mr Michaux says the region’s financial institutions should move towards voice banking cautiously.
“The region is actively trying to move forward with these advanced features,” he says. “We need to keep in mind that being the first to do something is not always the best way. It’s sometimes best to learn from other people’s mistakes.”
Updated: December 12, 2019 12:30 PM