Halifax Bank of Scotland have installed RSA Cyota technology that reduces fraud in internet transactions by noting when a fraudster tries to access their customers' accounts.
HBOS to extend security system to debit cards after major reduction in online fraud
HBOS worked with RSA Cyota to develop eVision, an online service capable of analysing the risk of each credit card transaction by monitoring data about the customer’s IP address and the “fingerprint” of their computer.
A pilot in August last year showed that eVision was able to detect fraudulent purchases with between 80% and 90% accuracy. At the same time, it was able to reduce the number of genuine transactions blocked by the bank’s anti-fraud system by a factor of 15.
And RSA Cyota provide this product description:
How eVision works
eVision records and analyses the IP address of the person making the order, their location, and which internet service provider the customer is using.
The system also takes an electronic “fingerprint” of the user’s machine, recording the operating system and the type of browser.
The system is able to use these and other factors to assign a risk to each transaction with a high degree of accuracy.
“If the country is Russia, the amount is very high, and it is the first time you are making the transfer, the probability of fraud is very high. If you have a fingerprint used in the past by a fraudster, then there is a high probability of fraud,” said Uri Rivner, head of business development at RSA Cyota.
RSA Cyota has created an e-fraud network to allow other banks that have signed up to the system to instantly alert each other to new fraud patterns.
RSA Cyota hosts the eVision service, which runs on Unix and Oracle, at its datacentre. It runs on Sun Solaris and iPlanet servers.
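The following is an added sketch of the kind of scoring described above, not RSA Cyota's code or algorithm: it combines the factors the description lists (IP country, ISP, an OS and browser fingerprint, amount, first-time payee, and a fingerprint list shared between banks) into one risk score. It generalises the quoted country example to "a country not seen before for this customer". The weights, thresholds, field names and the intermediate "step_up" outcome are all assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Weights (points out of 100), thresholds and field names are assumptions.
WEIGHTS = {"known_fraud_device": 60, "new_device": 15, "new_country": 20,
           "new_isp": 5, "high_amount": 20, "first_time_payee": 15}
STEP_UP, BLOCK = 40, 70  # ask for extra verification / refuse outright

def fingerprint(os_name, browser):
    """Coarse device fingerprint from the two attributes the text names."""
    return hashlib.sha256(f"{os_name}|{browser}".lower().encode()).hexdigest()[:16]

@dataclass
class Profile:
    """What the bank has previously seen for one customer."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    isps: set = field(default_factory=set)
    payees: set = field(default_factory=set)
    typical_amount: float = 100.0

def assess(tx, profile, shared_fraud_devices):
    """Return (score, decision, reasons) for one transaction."""
    fp = fingerprint(tx["os"], tx["browser"])
    signals = {
        "known_fraud_device": fp in shared_fraud_devices,  # reported by another bank
        "new_device": fp not in profile.devices,
        "new_country": tx["country"] not in profile.countries,
        "new_isp": tx["isp"] not in profile.isps,
        "high_amount": tx["amount"] > 10 * profile.typical_amount,
        "first_time_payee": tx["payee"] not in profile.payees,
    }
    reasons = [name for name, hit in signals.items() if hit]
    score = min(100, sum(WEIGHTS[r] for r in reasons))
    decision = "block" if score >= BLOCK else "step_up" if score >= STEP_UP else "allow"
    return score, decision, reasons

# Constructed sample data (not real customers, devices or transactions).
PROFILE = Profile(devices={fingerprint("Windows XP", "IE 6")}, countries={"GB"},
                  isps={"ExampleNet"}, payees={"landlord"}, typical_amount=80.0)
FRAUD_DEVICES = {fingerprint("Windows 2000", "Firefox 1.5")}
USUAL = {"os": "Windows XP", "browser": "IE 6", "country": "GB",
         "isp": "ExampleNet", "amount": 60.0, "payee": "landlord"}
ODD = {"os": "Windows 2000", "browser": "Firefox 1.5", "country": "XX",
       "isp": "OtherNet", "amount": 5000.0, "payee": "unknown-1"}
TRAVEL = dict(USUAL, country="FR", isp="HotelWifi", payee="cafe")

if __name__ == "__main__":
    for name, tx in (("usual", USUAL), ("travel", TRAVEL), ("odd", ODD)):
        print(name, assess(tx, PROFILE, FRAUD_DEVICES))
```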
Risk-based versus two-factor authentication technology
Risk-based authentication technology, such as the eVision system used by HBOS, may provide banks with a more cost-effective approach to internet security than two-factor tokens, analyst firm TowerGroup has concluded.
Although two-factor authentication tokens are effective, their deployment is expensive and difficult to manage. They can also be vulnerable to man-in-the-middle attacks, said George Tubin, senior analyst at TowerGroup.
“Risk-based authentication is a fantastic new authentication approach. It is invisible to the end-user. It does not require them to change their behaviour. It uses information behind the scenes that has not been looked at until now. It makes sense that companies should use that,” he said.
Reductions of 80% or more in fraud levels are realistic, Tubin said, as the technology allows banks to intercept potential frauds before they occur, while traditional anti-fraud systems may only discover frauds after the money is missing.
Pressure from US financial regulators has pushed the majority of US banks to take steps to introduce risk-based authentication technology by the end of 2006 to meet regulatory requirements.
“Traditionally we think of two-factor authentication as a hardware token you carry with you. That is not necessarily true,” said Tubin.
“This technology should be considered as two-factor authentication. You are using more than user name and password. You are using additional factors of information collected over the internet,” he said.
In practice, Tubin said, banks are likely to deploy risk-based authentication technologies to protect consumers, while businesses might be offered protection through two-factor tokens.
“To manage the ongoing issuing of tokens is quite an expense. Tokens get lost, people forget how to use them. If all banks went with a token-based approach we would all have multiple tokens, and it becomes unmanageable,” said Tubin.
