Smart Speaker Banking Is Coming to a Device Near You, But Is It Secure?
11.7.18 securityaffairs
Virus

Smart speaker Banking Is coming to a device near you, Which are the cyber risks associated with their use? Are they a new opportunity for attackers?
The popularity of voice-activated smart speakers like the Google Home and Amazon Echo has made brands, and industries realize there’s adequate demand for introducing technology that lets people accomplish things just by speaking.

They can order items, check traffic in their areas and search for information, among other conveniences.

Soon, smart speaker owners can take care of their banking needs. Should you consider taking that approach, too?

Check Balances and Pay Credit Card Bills
Regional brand U.S. Bank is the first establishment in the financial industry to unveil online banking opportunities that work with all three virtual assistants — Alexa, Google Assistant and Siri — making it relevant to a significant segment of the market.

After a soft launch, U.S. Bank started marketing the option to its customers in June 18. For now, customers can check their account balances and make credit card or mortgage payments. The brand is also reportedly considering letting people transfer money to other account holders.

Also, smaller banks and credit unions offer similar functionality. Capital One and American Express let people pay bills through their smart speakers, too.

Smart Speakers Could Reveal Private Details
Most skills for the Amazon Echo that emphasize productivity give audible information to users. The idea is that they can do things without fumbling with their phones or otherwise using their hands.

The banking apps that work with Amazon and Google smart speakers give information through spoken responses to verbal prompts.

In contrast, people using Apple’s Siri assistant can do some banking tasks with iOS apps that support Siri, but they only see their information displayed on screens. Banking skills are not available on Apple’s HomePod speaker yet, and the company hasn’t divulged if they’re on the horizon.

Imagine the privacy concerns if you use a smart speaker banking app, and it lets your mother-in-law — who’s temporarily living with you — know how much money is in your account because she overhears the speaker’s reply to your prompt?

That’s an example of how a feature that’s supposed to be convenient could instead broadcast sensitive details to others who are nearby.

Users Must Set Up PINs
The banks that provide information to smart speaker owners require people to set up four-digit PINs and recommend that they be different than the individuals’ ATM PINs. As there are with passwords, there are recommended ways to pick a good PIN, too. However, not everyone follows these. Many take the risk of prioritizing handiness over security by setting up passwords that are easy to remember — but equally as easy for others to guess.

Also, although the Google Assistant and Amazon’s Alexa support individual voice recognition, U.S. Bank hasn’t enabled that feature on the platform yet. Security analysts point out that even with voice recognition technology in place, hackers could still record a person speaking and play it back for the speaker to detect later.

And the PINs people enter at ATMs aren’t as secure as many people think. Criminals can use hidden cameras or false keypads to capture PINs as people put them into the machines.

Research also found the motion-sensitive components of smartwatches could capture PIN data, then allow hackers to figure out what numbers they enter with up to 80 percent accuracy on the first attempt.

You can probably envision a scenario where a determined hacker devises a plan to hear a person’s spoken PIN sent to a smart speaker, too.

For example, maybe a smart speaker owner is in the habit of using such a device that’s on a nightstand a few feet away from a window to check a bank account balance each morning. If someone realizes that individual often keeps that window open in hot weather and learns their banking routine, they could wait outside the window to hear the details.

Smart Speaker
Image by Rahul Chakraborty

The Potential for Misunderstood Transfer Requests
If you eventually have the option to transfer money with a smart speaker, that option may not be failsafe, either, especially if you have to utter the person’s name to confirm your request.

Smart speakers have highly sensitive microphones, but they still don’t pick up on everything correctly. In one case, a toddler said “Alexa, play Digger Digger,” and an Amazon Echo Dot started providing pornographic content while adults in the background frantically told it to stop.

What if a smart speaker misinterprets either the name of the person who should receive your money or the amount you want to send? In either case, you could find yourself dealing with a tricky situation that’s difficult to rectify.

Hackers Always Find Ways to Orchestrate Attacks
As with anything else, it’s crucial to weigh the pros and cons. Sure, it might be great to pay your credit card bill with only a vocal command, but are you willing to let a potentially vulnerable smart speaker possess some of your most lucrative information?

Because the possibility of banking with your smart speaker is still so new, speculation primarily informs musings about the security risks that convenience could bring. If smart speaker banking becomes a mainstream practice, hackers will undoubtedly intensify their efforts to break into the speakers and get details that could compromise victims’ financial situations.

About the Author:

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.