Thursday, December 02, 2010

Whither voice biometric security after the UK Department Work & Pensions drops anti-fraud trials?

An interesting story last month on Silicon.com, that the UK Department of Work & Pensions has abandoned its trials of voice biometrics as an anti-fraud tool.This is not a snap decision, as Silicon.com reports that the DWP has spent at least £2.4m on trials since May 2007. This is one of the largest payment organisation’s in the UK, so its decision is of interest to most organization who need to validate customer identity and handle payments. Voice biometrics has had a lot of interest from the financial services industry, so the DWP’s decision may well lead a number of banks to study it closely.

What makes it especially interesting is that fraud is such a huge problem for DWP (the DWP’s own estimates put their annual fraud losses at £5.2bn per annum) and voice biometrics has promised so much to reduce fraud. Indeed, as anti-fraud has been one of the major pitches of the voice biometrics industry, why on the surface might it have failed at the DWP?

The first part of this is to understand what types of problem voice biometrics are good at tackling. In my experience, voice biometrics are a useful tool in identity validation. Passwords tend to test “do you know what you should know?”. By comparison, biometrics can test “…are you who you say you are, even if you do know your password?”. There are valid arguments about biometrics accuracy, but provided they are not used as a single factor authentication when taking a voice sample over a poor quality public telephone line, I believe that they remain a valuable addition to the security toolkit.

I have to admit that while I haven’t worked directly with DWP, I do have some knowledge of the issues they face from work with local government and other government departments.
Identity theft is the sort of fraud that voice biometrics is ideal for tackling, but traditional identity theft in the form of impersonation is relatively low. This is partly because although the amount stolen in benefit fraud is large the value of individual claims is relatively low and identity theft impersonation is generally uneconomic.

A much bigger problem (where voice biometrics could perhaps play a part) is false identity. The problem here is that once you let a false identity into the system through one channel, then it can ‘validate’ itself through other channels and become very hard to detect. Preventing false National Insurance numbers being created is crucial and this is perhaps an opportunity for voice biometrics, at least to prevent serial fraudsters creating multiple identities themselves.

The biggest problem, though, for the DWP is the complexity of the system and the massive fraud figure of £5.2bn (2.1% of all expenditure) is as much a reflection of error as it is of more exotic types of theft. This error can be genuine on the part of claimants, or deliberate, but either way it is the complexity of the system and the lack of real time information that prevents its resolution and detection.

Surprisingly, this was the problem that the DWP tried to tackle with voice biometrics, basically trying to use tone & emotion detection and similar mechanisms to detect claimants lying. I have to admit some doubt here as to whether this is a practical application in real time. In the world of call recording it has long been used as an application that can detect calls where customers (or call centre workers!) have become angry, but this has not tended to be a real time application. The other problem is the inbound call to DWP. At the risk of stating the obvious, claimants of benefits are more likely to be stressed than average and especially so when talking to the DWP. Furthermore, most of the demographic who regularly deal with the DWP are likely to be calling on mobile phones rather than landlines (so poor call quality) and be may well not have strong English language skills (so will be more hesitant, accented and less standard).

My suspicion is that the best way for the DWP to tackle fraud would be to use more process simplification and back this up with analytics rather than try and fix the front end with technology. Once that’s done, voice biometrics could have a very valuable anti-fraud role to play, but as the solution to the right problem.