Even as the number of people in India accessing the Internet grows
at a fast clip, it has also simultaneously exposed this population
to threats such as phishing. A recent report compiled by the
Anti-Phishing Working Group estimates that India was witness to 107
unique phishing attacks in the first six months of 2009. The
growing number of phishing incidents has even led India’s
apex bank, the RBI to issue a circular to all member banks for
cautioning their respective users on the growing number of
fraudulent transactions.
As the sophisticated and
scale of attacks grew, it prompted HDFC Bank – one of
India’s best known private sector banks to take a relook at
the way it could tackle online attacks. “Today attacks can
emerge from any part of the world and target unsuspecting users. As
a bank, we needed a method to proactively fight these threats and
stop fraudsters from impersonating us,” says Vishal Salvi,
Senior Vice President and CISO, HDFC Bank.
To effectively protect its customers, HDFC Bank needed a solution
that could monitor frauds at a global scale, and pass on this
intelligence to the bank in India. It also needed this solution to
be intelligent enough to learn on its own and help the bank in
detecting suspicious patterns in transactions. The bank finally
chose RSA’s FraudAction Service, which gives the bank
real-time monitoring and protection against trojan, phishing and
other online attacks. For example, if the service detects a
suspicious e-mail or Trojan emerging from a server, it can initiate
steps to take down the server, and prevent it from further
propagating messages.
HDFC Bank also deployed RSA Adaptive Authentication to provide
customers with a convenient online protection through the use of a
personal security image and caption to verify the legitimacy of
HDFC Bank's website. “To further protect our customers, we
have split the user id and password screen into two different
pages. This significantly reduces the chances of users being
directed to a fake website,” says Salvi.
The significance of RSA’s Adaptive Authentication technique
lies in the fact that it has self-learning risk indicators such as
device identification and user behavior profiling – which
when combined with the intelligence it gets from the RSA
eFraudNetwork community – helps the solution tackle both
existing and emerging threats. For example, if a customer is used
to access his bank from his home and a particular location, the
solution uses this information to build a profile of the customer.
Subsequent transactions are used to learn about behavior patterns
and are incorporated into the risk engine.
“Every transaction is assigned a risk score. If a transaction
is above a certain threshold, it gets flagged off and is subject to
another authentication,” says Salvi. For example, unusual
transactions are duly verified through questions or authentication
through SMS, phone and e-mail.
Today, thanks to the intelligent self-learning risk engine,
phishing attacks have come down by close to 60 percent while there
have been no incidents of frauds. Further, response time to
phishing attacks has also been reduced to as little as 5 hours.
Security is always a journey and not a milestone. As attacks get
more sophisticated, it is critical for security based solutions to
have self learning capabilities. HDFC Bank’s adoption of
adaptive security solutions shows the direction that current and
future security deployments will eventually take.