Securing IVR orders for SMB

hello, i would like to use IVR on asterisk 1.4 in order to take orders from customers out of the business hours. As they will use a regular phone connection, i can’t encrypt the communication. So, for their privacy, would there be a way (open source if possible) to record a sample of their voice spectrum which can be analysed and stored in our DB and which can be matched to the client’s voice when ordering. In such case, even when the person’s client number, address etc gets spoofed (improbable!), it’s impossible to fraud his/her voice. Obviously this recording would need prior approval from the client first, but it seems to provide a secure way of IVR?

i think you are thinking some kind of voiceprint authentication? I wouldn’t put too much faith in this, mainly because telephone calls don’t have good enough voice quality to get a good voiceprint. It’s like trying to recognize who somebody in a blurry photo is- because the details are missing it could easily be someone with a similar height/hairstyle/etc.

Besides if something changes (IE they switch to a cell phone) it might generate a false rejection.

I think a better way to do this would be that each order recieved sends a confirmation or at least a reciept to their email. Customer either then clicks on something in the email to confirm the order, or at least will be notified that their account is being used.
Also maybe automated phone orders can only go to the address on file, which means if someone was going to rip off your customer they’d have to steal the package from them too.
Or maybe call to confirm the order as soon as you open before you ship it out?

either way, I think this problem can be much better solved from a policy standpoint than by voiceprints…

thanks for the feedback. The problem we have, is that the major part of our customers are mainly ELDERLY people, so they simply don’t haver (and never will have) an email…

i thouht voice samples were a bit like fingerprints. Would they really change whether the call came from a landline or mobile?

anyway, is there anything on the market to identify voiceprints?

well voiceprints are semi-unique and I’m sure there is software to identify a user by it. If you can find one for Linux you could probably use it with AGI or Record(). I don’t personally know of any though.

Thing is though a voiceprint by itself is semi-unique, sort of like a fingerprint is truly unique. However take a fingerprint, now fax it, copy it, crinkle up the copy and then fax that again. The result is much more blurry / lower quality, and while it might be recognizable as the original print it has probably lost many of the tiny details that would be used to make a positive match.
The same is true with voice and the PSTN- even assuming conditions are good (high quality landline, ulaw codec, etc) you are still downsampling the voice to 8khz 8bit or so. That downsampling removes a lot of the audio information. Add to that the fact that most PSTNs are at least a little fuzzy and you have even less to work with. Then when you toss a cell phone into the mix you have real compression going on which although you may not hear it, probably does alter the frequency patterns.

So maybe you will get this to work, but personally I wouldn’t trust it or spend too much time on it. Instead I’d just make it so you can’t place an order without knowing a handful of things, IE give them as well as a customer number a ‘customer passcode’ or something. Or only permit re-orders via the automated system to the address on file.

Also one thing to keep in mind- privacy and authentication are two different things. This will NOT help with privacy, but it will help with authentication. encrypting the phone convo helps with privacy but won’t help with authentication unless they are calling from an IP phone with a security certificate in it.

thanks for the reply. If you would happen to stumble upon such a proggy anyway, don’t hesitate letting me know. The major issue is that actually we’re taking orders during business hours, included credit card information, which is ok with everyone. I’d be more hesitating having clients giving out there credit card information out of the business hours (spoofing thru asterisk…)