HBOS to extend security system to debit cards after major reduction in online fraud

Monitoring technology can block suspicious card transactions on the internet

Banking group HBOS plans to roll out anti-fraud technology, developed to identify suspicious credit card transactions on the internet, to 10 million debit card holders, after achieving a major reduction in online fraud.

The organisation, whose high street banks include Halifax and Bank of Scotland, worked with a supplier to develop the technology last year.

It has cut losses through online credit card fraud by 80% and expects to make further savings by extending the technology to other areas of online banking.

HBOS, which recently reported a 17% increase in annual pre-tax profits to £4.81bn, said it had saved millions after introducing the eVision anti-fraud system in response to a sharp rise in online credit card fraud.

The system, which is able to identify and block fraudulent transactions without costing the bank business by blocking genuine purchases, paid for itself within two months, said Gordon McFadyen, manager for fraud prevention. Moving a large number of debit cards over to the system would bring further savings, he said.

"When you have a large book of debit cards, that is a significant number of people who buy over the internet. If anyone misuses debit card numbers we will lose the value of the transaction because you cannot recover from the merchant," said McFadyen.

The bank approached RSA Cyota last year to develop the system, after new rules introduced by Mastercard and Visa meant that liability for online credit card fraud passed from retailers to UK banks.

"We were starting to incur heavy losses we could not recover. The merchant was getting the order, and the genuine customer would be charged," he said. "The losses were enough to worry us."

HBOS uses an industry-standard package to detect unusual patterns of credit card spending by comparing each card transaction against the customer's spending history.

But the technology is poor at identifying fraudulent transactions on the web, where both genuine cardholders and fraudsters frequently behave in ways that look anomalous against a card's spending history.

HBOS worked with RSA Cyota to develop eVision, an online service capable of analysing the risk of each credit card transaction by monitoring data about the customer's IP address and the "fingerprint" of their computer.

A pilot in August last year showed that eVision was able to detect fraudulent purchases with between 80% and 90% accuracy. At the same time, it reduced the number of genuine transactions blocked by the bank's anti-fraud system by a factor of 15.

"It is clear we are not seeing the fraud we were seeing. Virtually all the transactions going through the system are good transactions. The genuine transactions we are declining are almost nil. We are getting maximum business benefit," said McFadyen.

Graham Titterington, senior analyst at Ovum, said that looking at fraud patterns for internet transactions made sense, as similar technology had led to big reductions in fraud conducted using non-electronic credit card purchases.

"The liability model has changed from merchants to the banks in certain situations. The technology used by HBOS provides an alternative for stronger authentication. The experience from the customer is that transaction analysis is more effective than stronger authentication at reducing fraud," he said.

Integrating the service with HBOS' systems was straightforward, said McFadyen. RSA Cyota already hosted the bank's credit card authentication service and had access to the data it needed to provide the additional fraud checks.

"In terms of integration there was almost nothing to do for the bank. It is very minimal. It has proved to be very efficient," he said.

The bank also plans to work with RSA Cyota to use eVision to match the strength of the authentication process for each customer to the potential risk of each transaction.

"If the transaction seems to be higher risk, the screen will be modified to augment the standard questions with a few others," said McFadyen.

The eVision service has been taken up by a number of banks in Europe and the US, which use it to share information on fraudulent transaction patterns. The service allows banks to keep up with fraudsters, who share information with each other on new attacks.

How eVision works

eVision records and analyses the IP address of the person making the order, their location, and which internet service provider the customer is using.

The system also takes an electronic "fingerprint" of the user's machine, recording the operating system and the type of browser.

The system is able to use these and other factors to assign a risk to each transaction with a high degree of accuracy.

"If the country is Russia, the amount is very high, and it is the first time you are making the transfer, the probability of fraud is very high. If you have a fingerprint used in the past by a fraudster, then there is a high probability of fraud," said Uri Rivner, head of business development at RSA Cyota.

RSA Cyota has created an e-fraud network to allow other banks that have signed up to the system to instantly alert each other to new fraud patterns.
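The scoring described above, and the step-up authentication HBOS plans to build on it, can be sketched as a rule-based risk engine. The block below is an added illustration written for this page, not RSA Cyota's eVision code: it hashes the attributes the article names (operating system, browser, ISP) into a device fingerprint, scores a transaction on the factors in Rivner's quote (country, amount, first-time use, a fingerprint previously seen on fraud, plus a new device for a known card), and maps the score onto allow, step-up or block. Every weight, threshold, country list and sample transaction is an assumption constructed for the example, and the geolocation of the IP address is assumed to have been resolved already.

```python
"""Risk-based scoring of an online card transaction (added illustration).

Not RSA Cyota's eVision code.  The factors follow the article; the weights,
thresholds, high-risk country list and sample data are assumptions made up
for this example.
"""
from dataclasses import dataclass, field
import hashlib


@dataclass
class Transaction:
    card_id: str
    amount: float            # assumed GBP
    ip: str
    country: str             # ISO code geolocated from the IP (assumed pre-resolved)
    isp: str
    os_name: str
    browser: str
    first_use: bool = False  # first time this card pays this merchant


def device_fingerprint(os_name: str, browser: str, isp: str) -> str:
    """Hash the observable client attributes into a short, stable token.

    A production fingerprint mixes in many more signals; OS, browser and ISP
    are the ones the article lists.
    """
    raw = "|".join(s.strip().lower() for s in (os_name, browser, isp))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]


@dataclass
class RiskEngine:
    # Fingerprints confirmed on earlier fraud, e.g. as shared across a fraud network.
    bad_fingerprints: set = field(default_factory=set)
    # Countries this bank treats as unusual for its card base (assumed list).
    high_risk_countries: set = field(default_factory=lambda: {"RU"})
    large_amount: float = 1000.0
    step_up_threshold: int = 40
    block_threshold: int = 70
    # card_id -> fingerprints seen on transactions this engine let straight through.
    card_history: dict = field(default_factory=dict)

    def score(self, tx: Transaction):
        """Return (score, fingerprint, reasons); a higher score means more likely fraud."""
        fp = device_fingerprint(tx.os_name, tx.browser, tx.isp)
        score, reasons = 0, []
        if fp in self.bad_fingerprints:
            score += 70
            reasons.append("device fingerprint seen on prior fraud")
        if tx.country in self.high_risk_countries:
            score += 30
            reasons.append(f"order from high-risk country {tx.country}")
        if tx.amount >= self.large_amount:
            score += 25
            reasons.append(f"large amount {tx.amount:.2f}")
        if tx.first_use:
            score += 20
            reasons.append("first use of this card at the merchant")
        seen = self.card_history.get(tx.card_id, set())
        if seen and fp not in seen:
            score += 15
            reasons.append("device not previously seen for this card")
        return score, fp, reasons

    def decide(self, tx: Transaction):
        """Map the score onto allow / step_up / block and learn from allowed traffic."""
        score, fp, reasons = self.score(tx)
        if score >= self.block_threshold:
            decision = "block"
        elif score >= self.step_up_threshold:
            decision = "step_up"   # augment the standard questions, as the article describes
        else:
            decision = "allow"
            # Only transactions let straight through teach the engine that a device is
            # normal for the card; a step-up would be recorded once the customer answers.
            self.card_history.setdefault(tx.card_id, set()).add(fp)
        return decision, score, reasons


if __name__ == "__main__":
    # Constructed sample data, not real customer records.
    engine = RiskEngine(bad_fingerprints={device_fingerprint("Windows XP", "IE 6", "fraud-isp")})
    samples = [
        Transaction("card-1", 45.00, "81.2.3.4", "GB", "BT", "Windows XP", "Firefox 1.5"),
        Transaction("card-1", 2500.00, "5.6.7.8", "RU", "ru-isp", "Windows XP", "IE 6", first_use=True),
        Transaction("card-2", 2500.00, "81.2.3.5", "GB", "BT", "Windows XP", "IE 6", first_use=True),
        Transaction("card-3", 20.00, "9.9.9.9", "GB", "fraud-isp", "Windows XP", "IE 6"),
    ]
    for tx in samples:
        decision, score, reasons = engine.decide(tx)
        print(f"{tx.card_id} {tx.amount:>8.2f} {tx.country} -> {decision:7s} "
              f"score={score:3d} {'; '.join(reasons)}")
```

The four constructed samples show the three outcomes: a small domestic purchase is allowed and records the device for the card; the same card then ordering a large amount from Russia, for the first time, from a different device scores 90 and is blocked; a large first-time order from the UK scores 45 and gets extra authentication questions rather than a decline, which is the behaviour that kept HBOS's false declines low; and a small purchase from a fingerprint already tied to fraud is blocked on that factor alone. The additive weights are deliberately transparent so that the reasons list can be logged with each decision.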

RSA Cyota hosts the eVision service at its own datacentre, where it runs on Sun Solaris and iPlanet servers with an Oracle database.

Risk-based versus two-factor authentication technology

Risk-based authentication technology, such as the eVision system used by HBOS, may provide banks with a more cost-effective approach to internet security than two-factor tokens, analyst firm TowerGroup has concluded.

Although two-factor authentication tokens are effective, their deployment is expensive and difficult to manage. They can also be vulnerable to man-in-the-middle attacks, said George Tubin, senior analyst at TowerGroup.

"Risk-based authentication is a fantastic new authentication approach. It is invisible to the end-user. It does not require them to change their behaviour. It uses information behind the scenes that has not been looked at until now. It makes sense that companies should use that," he said.

Reductions of 80% or more in fraud levels are realistic, Tubin said, as the technology allows banks to intercept potential frauds before they occur, while traditional anti-fraud systems may only discover frauds after the money is missing.

Pressure from US financial regulators has pushed most US banks to take steps to introduce risk-based authentication technology by the end of 2006.

"Traditionally we think of two-factor authentication as a hardware token you carry with you. That is not necessarily true," said Tubin.

"This technology should be considered as two-factor authentication. You are using more than user name and password. You are using additional factors of information collected over the internet," he said.

In practice, Tubin said banks are likely to deploy risk-based authentication technologies to protect consumers, while businesses might be offered protection from two-factor tokens.

"To manage the ongoing issuing of tokens is quite an expense. Tokens get lost, people forget how to use them. If all banks went with a token-based approach we would all have multiple tokens, and it becomes unmanageable," said Tubin.
