Banking group HBOS plans to roll out anti-fraud
technology, developed to identify suspicious credit card
transactions on the internet, to 10 million debit card holders,
after achieving a major reduction in online fraud.
The organisation, whose high street banks include Halifax and
Bank of Scotland, worked with a supplier to develop the technology
last year.
It has cut losses through online credit card fraud by 80% and
expects to make further savings by extending the technology to
other areas of online banking.
HBOS, which recently reported a 17% increase in annual pre-tax
profits to £4.81bn, said it had saved millions after introducing
the eVision anti-fraud system in response to a sharp rise in online
credit card fraud.
The system, which is able to identify and block fraudulent
transactions without losing the bank business by blocking genuine
purchases, paid for itself within two months, said Gordon McFadyen,
manager for fraud prevention. Moving a large number of debit cards
over to the system would bring further savings, he said.
"When you have a large book of debit cards, that is a
significant number of people who buy over the internet. If anyone
misuses debit card numbers we will lose the value of the
transaction because you cannot recover from the merchant," said
McFadyen.
The bank approached RSA Cyota last year to develop the system,
after new rules introduced by Mastercard and Visa meant that
liability for online credit card fraud passed from retailers to UK
banks.
"We were starting to incur heavy losses we could not recover.
The merchant was getting the order, and the genuine customer would
be charged," he said. "The losses were enough to worry us."
HBOS uses an industry-standard package to detect unusual
patterns of credit card spending by comparing each card transaction
against the customer's spending history.
But the technology is poor at identifying transactions on the
web, where both genuine credit card holders and fraudsters
frequently behave in anomalous ways.
HBOS worked with RSA Cyota to develop eVision, an online service
capable of analysing the risk of each credit card transaction by
monitoring data about the customer's IP address and the
"fingerprint" of their computer.
A pilot in August last year showed that eVision was able to
detect fraudulent purchases with between 80% and 90% accuracy. At
the same time, it was able to reduce the number of genuine
transactions blocked by the bank's anti-fraud system, by a factor
of 15.
"It is clear we are not seeing the fraud we were seeing.
Virtually all the transactions going through the system are good
transactions. The genuine transactions we are declining are almost
nil. We are getting maximum business benefit," said McFadyen.
Graham Titterington, senior analyst at Ovum, said that looking
at fraud patterns for internet transactions made sense, as similar
technology had led to big reductions in fraud conducted using
non-electronic credit card purchases.
"The liability model has changed from merchants to the banks in
certain situations. The technology used by HBOS provides an
alternative for stronger authentication. The experience from the
customer is that transaction analysis is more effective than
stronger authentication at reducing fraud," he said.
Integrating the service with HBOS' systems was straightforward,
said McFadyen. RSA Cyota already hosted the bank's credit card
authentication service and had access to the data it needed to
provide the additional fraud checks.
"In terms of integration there was almost nothing to do for the
bank. It is very minimal. It has proved to be very efficient," he
said.
The bank also plans to work with RSA Cyota to use eVision to
match the strength of the authentication process for each customer
to the potential risk of each transaction.
"If the transaction seems to be higher risk, the screen will be
modified to augment the standard questions with a few others," said
McFadyen.
The eVision service has been taken up by a number of banks in
Europe and the US, who are using it to share information on
fraudulent transaction patterns. The service allows banks to keep
up with fraudsters who share information with each other on new
attacks.
How eVision works
eVision records and analyses the IP address of the person making
the order, their location, and which internet service provider the
customer is using.
The system also takes an electronic "fingerprint" of the user's
machine, recording the operating system and the type of
browser.
The system is able to use these and other factors to assign a
risk to each transaction with a high degree of accuracy.
"If the country is Russia, the amount is very high, and it is
the first time you are making the transfer, the probability of
fraud is very high. If you have a fingerprint used in the past by a
fraudster, then there is a high probability of fraud," said Uri
Rivner, head of business development at RSA Cyota.
RSA Cyota has created an e-fraud network to allow other banks
that have signed up to the system to instantly alert each other to
new fraud patterns.
RSA Cyota hosts the eVision service, which runs on Unix and
Oracle, at its datacentre. It runs on Sun Solaris and iPlanet
servers.
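The scoring described above (IP/ISP, location, device fingerprint, first-time use, amount, and fingerprints previously tied to fraud) together with the risk-matched step-up authentication mentioned earlier can be sketched as a small rule-based scorer. This is an added illustration, not RSA Cyota's or HBOS's code; the weights, thresholds, country list, and shared fingerprint set are constructed assumptions, and the shared set stands in for the e-fraud network.

```python
from dataclasses import dataclass, field

@dataclass
class Transaction:
    card_id: str
    amount: float
    country: str      # where the order is placed from
    isp: str          # customer's internet service provider
    device_fp: str    # hashed OS/browser "fingerprint" of the machine

@dataclass
class Profile:
    home_country: str
    typical_amount: float = 0.0
    seen_devices: set = field(default_factory=set)
    seen_isps: set = field(default_factory=set)

# Constructed sample data: fingerprints confirmed in prior fraud and shared
# between member banks, plus an illustrative high-risk country list.
FRAUD_FINGERPRINTS = {"fp-bad-01"}
HIGH_RISK_COUNTRIES = {"RU"}

def assess(txn: Transaction, profile: Profile):
    """Return (action, score, reasons); action is allow, step_up or block."""
    score, reasons = 0, []
    if txn.device_fp in FRAUD_FINGERPRINTS:
        score += 60; reasons.append("fingerprint seen in prior fraud")
    if txn.device_fp not in profile.seen_devices:
        score += 20; reasons.append("first transaction from this device")
    if txn.isp not in profile.seen_isps:
        score += 10; reasons.append("unfamiliar ISP")
    if txn.country != profile.home_country:
        score += 15; reasons.append("country differs from home")
        if txn.country in HIGH_RISK_COUNTRIES:
            score += 20; reasons.append("high-risk country")
    if profile.typical_amount and txn.amount > 5 * profile.typical_amount:
        score += 25; reasons.append("amount far above spending history")
    score = min(score, 100)
    # Risk-matched response: decline outright, ask extra questions, or pass.
    if score >= 70:
        action = "block"
    elif score >= 35:
        action = "step_up"   # augment the standard questions with a few more
    else:
        action = "allow"
    return action, score, reasons
```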
Risk-based versus two-factor authentication technology
Risk-based authentication technology, such as the eVision system
used by HBOS, may provide banks with a more cost-effective approach
to internet security than two-factor tokens, analyst firm
TowerGroup has concluded.
Although two-factor authentication tokens are effective, their
deployment is expensive and difficult to manage. They can also be
vulnerable to man-in-the-middle attacks, said George Tubin, senior
analyst at TowerGroup.
"Risk-based authentication is a fantastic new authentication
approach. It is invisible to the end-user. It does not require them
to change their behaviour. It uses information behind the scenes
that has not been looked at until now. It makes sense that
companies should use that," he said.
Reductions of 80% or more in fraud levels are realistic, Tubin
said, as the technology allows banks to intercept potential frauds
before they occur, while traditional anti-fraud systems may only
discover frauds after the money is missing.
Pressure from US financial regulators has pushed the majority of
US banks to take steps to introduce risk-based authentication
technology by the end of 2006 to meet regulatory requirements.
"Traditionally we think of two-factor authentication as a
hardware token you carry with you. That is not necessarily true,"
said Tubin.
"This technology should be considered as two-factor
authentication. You are using more than user name and password. You
are using additional factors of information collected over the
internet," he said.
In practice, Tubin said banks are likely to deploy risk-based
authentication technologies to protect consumers, while businesses
might be offered protection from two-factor tokens.
"To manage the ongoing issuing of tokens is quite an expense.
Tokens get lost, people forget how to use them. If all banks went
with a token-based approach we would all have multiple tokens, and
it becomes unmanageable," said Tubin.