A Dutch bank has started allowing mobile banking customers to log in and pay for items using their voice.
Voice-activated payments have been launched on the ING Netherlands mobile banking app, offering a simple alternative to entering a pin or password.
Users simply have to say a short phrase, and the app will match up the sound recording to a file stored on the phone.
The shape of vocal cavities and the way someone moves their mouth means that speech can be more unique than a fingerprint, it is claimed.
Fraudulent attempts to access the app can be recorded, stored and used to improve security.
And while the technology is new for mobile banking, it is used widely on bank phone systems to reduce fraud.
The Associated Press reported last year that US government departments even use it when people call to deal with tax and pension issues.
A biometrics company called Nuance is providing the speech-recognition technology for ING Netherlands.
The system launched on Tuesday, and is available on iOS and Android phones.
Making digital payments easier is a big focus of banks and financial services providers.
Russian government-backed hackers who penetrated high-profile U.S. government and defence industry computers this year used a method combining Twitter with data hidden in seemingly benign photographs, according to experts studying the campaign.
In a public report Wednesday, researchers at security company Fire Eye INC said the group used the unusual tandem as a means of communicating with previously infected computers. Fire Eye has briefed law enforcement on what it found.
The technique, uncovered during a Fire Eye investigation at an unnamed victim organization, shows how government-backed hackers can shift tactics on the fly after they are discovered.
"It's striking how many layers of obfuscation that the group adopts," said Fire Eye Strategic Analysis Manager Jennifer Weedon. "These groups are innovating and becoming more creative."
The machines were given an algorithm for checking a different Twitter account every day. If a human agent registered that account and tweeted a certain message, instructions for a series of actions by the computer would be activated.
The tweeted information included a website address, a number and a handful of letters. The computer would go to the website and look for a photo of at least the size indicated by the number, while the letters were part of a key for decoding the instructions in a message hidden within the data used to display the picture on the website.
Weedon said the communication method might have been a fail safe in case other channels were discovered and cut. Vikram Thakur, a senior manager at Symantec Corp, said his team had also found Twitter controls combined with hidden data in photos, a technique known as steganography.
Fire Eye identified the campaign as the work of a group it has been internally calling APT 29, for advanced persistent threat. In April, it said another Russian-government supported group, APT 28, had used a previously unknown flaws in Adobe Systems Inc.'s Flash software to infect high-value targets.
Other security firms use different names for the same or allied groups. Symantec recently reported another data-stealing tool used in tandem with the steganography, which it calls Seaduke. Thakur said both tools were employed by the group it knows as the Duke family.
Thakur said another tool in that kit is Cozy Duke, which Russian firm Kaspersky Lab says is associated with recent breaches at the State Department and the White House.
