A BBC piece about the fallibility of a bank's voice recognition system annoyed me this evening, with its insinuation that the bank is not just insecure but incompetent.
The twin journalists are either being economical with the truth in order to make a lame story more sensational, or are genuinely naive and unaware of the realities of ANY user authentication system. This is basic security stuff: authentication systems must strike a balance between false negatives and false positives. In any real-world implementation, there are bound to be errors in both directions, so the system needs to be fine-tuned to find the sweet spot between the two, which depends, in part, on whether the outcome of false negatives is better or worse than that of false positives. It also depends on the technology, the costs, and the presence of various other, compensating controls which the journalists don't go into - little things such as anti-fraud systems coupled with the threat of fraudsters being prosecuted, and the access controls that lead on from authentication.
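To make that trade-off concrete, here is an added example (not from the BBC piece or the bank): it picks the acceptance threshold with the lowest expected cost per call and shows the sweet spot moving as the cost of a false positive changes and as a compensating anti-fraud control absorbs part of it. The match scores, cost figures, impostor share and function names are all constructed assumptions.

```python
# Constructed match scores (0..1, higher = closer voice match); not real data.
GENUINE = [0.55, 0.62, 0.68, 0.71, 0.75, 0.80, 0.84, 0.88, 0.91, 0.95]
IMPOSTOR = [0.10, 0.18, 0.25, 0.31, 0.38, 0.44, 0.52, 0.58, 0.66, 0.73]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_negative_rate, false_positive_rate) when callers
    scoring >= threshold are accepted."""
    fnr = sum(s < threshold for s in genuine) / len(genuine)
    fpr = sum(s >= threshold for s in impostor) / len(impostor)
    return fnr, fpr


def sweet_spot(cost_fn, cost_fp, impostor_share, fraud_caught_later=0.0):
    """Pick the threshold with the lowest expected cost per call.

    cost_fn: cost of rejecting a genuine customer (assumed figure)
    cost_fp: loss when an impostor is accepted (assumed figure)
    impostor_share: fraction of calls that are impostor attempts (assumed)
    fraud_caught_later: share of accepted impostors stopped by
        compensating controls such as anti-fraud systems (assumed)
    """
    residual_fp = cost_fp * (1.0 - fraud_caught_later)

    def expected_cost(t):
        fnr, fpr = error_rates(t)
        return (impostor_share * fpr * residual_fp
                + (1.0 - impostor_share) * fnr * cost_fn)

    # Error rates only change at observed scores, so those are the candidates.
    candidates = sorted(set(GENUINE + IMPOSTOR)) + [1.01]
    best = min(candidates, key=expected_cost)
    return best, error_rates(best)


if __name__ == "__main__":
    scenarios = {
        "low fraud loss": dict(cost_fn=5, cost_fp=200, impostor_share=0.01),
        "high fraud loss": dict(cost_fn=5, cost_fp=2000, impostor_share=0.01),
        "high loss + anti-fraud": dict(cost_fn=5, cost_fp=2000,
                                       impostor_share=0.01,
                                       fraud_caught_later=0.7),
    }
    for name, params in scenarios.items():
        t, (fnr, fpr) = sweet_spot(**params)
        print(f"{name:24s} threshold={t:.2f} FNR={fnr:.0%} FPR={fpr:.0%}")
```

With these constructed numbers, no threshold drives both error rates to zero, and the cheapest operating point shifts each time the relative costs or the downstream controls change.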
Authentication errors or failures are just one of many classes of risks to a bank. The implication that the bank is hopelessly incompetent is, frankly, insulting to the professionals concerned. Does it not occur to the journalists that it's the bank's business since, to a large extent, they carry the costs of fraud, plus the control costs, plus having to deal with the customer aggravation that stronger controls typically cause?
There is no recognition for the technical capability: voice recognition may not be cutting-edge but it is advanced technology, particularly given the crappy audio quality of most phone networks. Now there's an issue worth reporting on!
Trotting out a few carefully selected, doubtless out-of-context and incomplete statements from security experts doesn't help matters either. I bet they are seething too.
This is cheap journalism, well below the standard I've come to expect from Auntie. It's not fake news, but the thin end of the same wedge.