New technologies like voice biometrics and enhanced online banking security measures are being implemented to combat fraud risks. Voice biometrics uses the unique characteristics of a voiceprint to verify users' identities and is more accurate than fingerprints. It involves enrolling users to create a voice template that is then matched against live calls to pass or fail authentication. Corporate online banking also implemented two-factor authentication but fraudsters developed new "man-in-the-machine" attacks by infecting systems with malware. In response, the bank communicated with customers and improved front-line security while continuing to develop prevention and detection technologies like biometric readers, user profiles, and payment profiling.

1. New Frauds & New
Technologies -
Voice Biometrics & Corporate Online Banking
October 2015

2. Contents
• Driving force for implementation
• What is it?
• Implementation journey
• The thresholds
Voice Biometrics
Corporate Online Banking
• History
• Fraud attack vectors
• Our Response
• Future Implementations - Prevent v Detect

3. Why Implement Voice Biometrics
Voice of the Client – 2010 Survey
“Maybe they could ask me my name next
time”
“Impossible to get through your phone
security”
“Substantially reduce redundant security
checks it’s liudicrous”
“stop the tortuous verification Q&A”
“if Barclays calls me to offer advice please
go ahead and do so without going
through the security rig marole”
“Long period taken for security verification
costing me international call charges”
Business Case -
• Improve Client Advocacy & Satisfaction
• A colleague journey that will provide our people to personalise every call and help Improve our
Employee Engagement scores
• Reduce the Average Call Time
• Improve our risk profile
Fraud Risk not a major driver

4. Voice Biometrics - A Quick Guide
InconclusivePassVerifyEnrolConsent
What is it?
• A ‘template’ that uses the unique characteristics of a voice print
(more unique than a fingerprint) that is language and accent
independent and excludes all background noise.
How does it work?
• Once a client proves their identity, they are enrolled on to the
service and a voice print is stored against a unique ID.
• Each time they call thereafter, the live client audio is matched
against the stored print, and a result is presented to the Advisor;
PASS or INCONCLUSIVE
The Process
Eligible

5. Implementation Approach across our Businesses
Build & Test
Friends and
Family
Service Centres
International
(50% of client base)
Service Centres
International
(remaining client
base)
Build & Test
Service Centres
Intermediaries
Service Centres
WM UK (20% of
client base)
I&I (RMD &
RMS) Glasgow &
IoM
Client
Relations
I & I
Service
Centres
(WM UK & PCS)
Client
Relations (WM
UK)
I&I (RMS
London)
Wealth Asia
(design)
2012
2013
2014
Build & Test
Other businesses
Corporate Banking
Servicing
Personal Banking
(SkyBranch)2015

6. 0.00%
10.00%
20.00%
30.00%
40.00%
50.00%
60.00%
70.00%
80.00%
90.00%
100.00%
-72
-67
-62
-57
-52
-47
-42
-37
-32
-27
-22
-17
-12
-7
-2
3
8
13
18
23
28
33
38
43
48
53
58
63
68
73
78
83
88
93
98
Cumulative % of Clients’ Scores (period of 1 week)
Scoring for the voice biometrics system ranges from -100 to 100
Barclays Voice Biometrics Evaluation
Model
First Pass
False Accept Rate 6.23%
False Reject Rate 4.97%
Equal Error Rate 5.56%
Calibration Audio Files 460
Voice Biometric Scores Thresholds

7. 0
10
20
30
40
50
60
70
80
-72-68-64-60-56-52-48-44-40-36-32-28-24-20-16-12 -8 -4 0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60 64 68 72 76 80 84 88 92 96
VolumeofClientsateachscore
Scores received for clients over the period of a week
Selecting The Threshold

8. Voice Biometrics
Any Questions

9. Corporate Online Banking
The 2 factor, smartcard authentication device had
served us well for over 8 years, however during H2
2012 and H1 2013 the threat was seen as increasing
with larger number of Corporate clients infected with
banking malware.
First Fraud October 2013!
Corporate Online Cases
Total Cases to date 125
Successful Cases 64

10. First Attack Vector – Man in the Machine 1 – October 2013
Fraudster Client Environment
Banks’
Environments
Systems
Client
machin
e Idle
Smartcard
left in reader
Internet
Payments Out

11. Second Attack Vector – Man in the Machine 2 – June 2014

12. What was our response?
Communicate / Communicate / Communicate
Improve our front line security
Whilst continuing on our journey to implement our layered security
approach for detection.

13. Now / Future Implementations – Prevent v
Detect
1. Prevent – Biometric Finger
Vein Readers for
authentication
3. Detect – Biometric user
profiles
2. Detect – Real Time
Payment Profiling

14. BioCatch - The Videos
Fraudsters
Session
User’s
Session
Cool or Creepy??