case study How RSA and HBOS revolutionized e-commerce security | By Alison Case

Some rules are meant to be broken

GOOD INTENTIONS, NEGATIVE CONSEQUENCES

When Visa and MasterCard introduced a new e-commerce security scheme, 3D Secure, in 2004, they had the right intentions: protecting credit card holders and e-merchants from online fraud. Cardholders could register their cards and receive a password, which they would be obliged to use to complete a transaction. However, cardholders were allowed to transact up to three times before registering—giving fraudsters ample opportunity to use stolen cards on supposedly secure sites.

Soon after, e-commerce fraud increased significantly and issuers, including HBOS, were forced to absorb the losses. Given its large debit and credit card base, HBOS knew it had to find a solution—and fast.

“We knew we needed a security system that would prevent the vast majority of online fraud without compromising our customers’ experience,” says Anne Claydon, brand strategy manager at Lloyds Banking Group, which now owns HBOS. “That’s when we turned to RSA.”

BREAKING THE RULES

The security team at HBOS was particularly attracted to technology in development at RSA that could alert the to potential fraud before it occurred. The two companies embarked on a partnership to integrate the new technology with 3D Secure and a revolutionary new concept was born: risk-based authentication. Today, risk-based authentication is used by almost every card issuer in the U.K. and recommended as a best practice by industry organizations including the U.K. Payments Administration (UKPA).

The full solution developed by HBOS and RSA is a unique, flexible, self-learning monitoring system that works in two steps: The RSA Risk Engine analyzes each online transaction in real time using parameters including IP address, IP geo-location, ISP and connection type, and user profile. Based on the risk calculated in step one, the system presents the appropriate level of security for that transaction.

Although the 3D Secure system initially did not allow for this novel process and technology, once HBOS and RSA engaged with Visa and MasterCard to point out the benefits—including stemming potential losses and boosting consumer confidence with minimal impact on customer experience—the companies embraced the new security scheme.

To bolster security even further, HBOS became a member of the RSA eFraudNetwork, the industry’s first and largest cross-institution and cross-platform online fraud network. The network identifies and tracks fraudster profiles, patterns, and behavior, and disseminates the information to all network members.

RESULTS ARE THE BOTTOM LINE

Soon after the project’s launch in 2004, fraud levels dropped by 80%, and more recent statistics are equally remarkable. In 2008, 90% of attempted “card not present” fraud (i.e., the card is not visible to the merchant) was blocked, and phishing incidents dropped by 85%. These statistics are in stark contrast to general trends, in which “card not present” fraud jumped by 70% in the previous two years and phishing incidents jumped by 186% in the previous 12 months, according to the Association for Payment Clearing Services, now UKPA.

What’s more, the bank achieved a high level of security with no negative impact on consumer experience. While more than 99% of cardholders were never challenged with authentication, fraudsters were typically challenged and failed.

“We’ve had no negative feedback from customers as a result of using this system,” says Jon Berrill, head of Card Operations at HBOS Credit Cards. “Indeed, many are impressed with our effectiveness in contacting them to confirm suspect activity.”

Some continue to suffer relatively high fraud losses, but the partnership with RSA has helped HBOS protect its bottom line. Between October 1, 2007, and the end of 2008, HBOS prevented more than £13 million (US$20.7 million) in attempted e-commerce fraud, which translates to a greater than 2,000% return on investment.

“Partnering with RSA has been such a success,” says Claydon. “What started out as a single project has now extended into other areas of the bank and will be developed even further.”

“We needed a security system that would prevent online fraud without compromising our customers’ experience. That’s when we turned to RSA.” —Anne Claydon, brand strategy manager, Lloyds Banking Group

About HBOS

Banking and company HBOS plc is a wholly owned subsidiary of - ing Group. With more than 30 million customers, is the largest retail bank and leading provider of current accounts, savings, personal loans, credit cards, and mortgages in the United Kingdom. The group’s other main brands include Lloyds TSB, Bank of , , Scottish Widows, and Cheltenham & Gloucester.

RSA, The Security Division of EMC Vantage Magazine, Vol. 7, No. 1, 2010

Photograph by Jonathan Worth
