The Computerworld Honors Program
Honoring those who use Information Technology to benefit society
LOCATION:
Leicester, N/A, GB

YEAR:
2007

STATUS:
Laureate

CATEGORY:
Finance, Insurance and Real Estate

NOMINATING COMPANY:
EMC

ORGANIZATION:
Alliance & Leicester plc

PROJECT NAME:
Prevention of Internet Banking Fraud and Identity Theft With Adaptive Authentication Web Security Solution

Short Summary
In March 2006, Alliance & Leicester plc, the seventh largest UK-based bank, became the first to offer an innovative Adaptive Authentication for the Web security solution. Specifically designed for consumer banking, the system combines several countermeasures against online fraud and identity theft in a single security solution. It enables customers to log in to their online accounts in a simple and secure way, protected from threats such as phishing and pharming. Features include ground-breaking two-factor user authentication, unique site-to-user authentication, and background monitoring for proactive risk management. Alliance & Leicester is the first bank worldwide to roll out such a solution to its entire Internet banking base.

The security solution is free and easy to use and has boosted user confidence in the Internet for everyday banking. Between March and December 2006, Alliance & Leicester experienced a 25 percent jump in Internet banking transactions, translating to an annual cost savings of more than £1 million. All of the bank’s 750,000 active online customers are protected by the new security system, and Alliance & Leicester expects to increase its active customer base by a further half-million online users by 2008.

In a recent customer satisfaction survey, 90 percent rated the security measures as good or excellent, 99 percent as satisfactory, and 83 percent confirmed that they would not enter their PIN into the Alliance & Leicester Web site without first seeing their personalized phrase and image. Mapa, an independent market research agency, called Alliance & Leicester “the most secure online bank in the UK.” The new security solution also has delivered a strong return on investment by achieving fraud losses 12 times lower than the bank projected.

Introductory Overview
Online banking providers and customers face ever-increasing threats from Internet fraud and identity theft. Industry losses grew significantly in 2005 and 2006, and according to UK regulator FSA (the Financial Services Authority), 50 percent of UK users say they are extremely or very concerned about the safety of Internet transactions. Alliance & Leicester plc, the seventh largest UK-based bank and a member of the FTSE 100 index of leading shares since 1997, decided to deploy innovative measures to combat online security threats, increase user confidence in the safety of Internet transactions, reduce losses from online fraud, and enlarge its online user base.

Alliance & Leicester worked with RSA, the Security Division of EMC, to implement an innovative Adaptive Authentication for the Web security solution. It is provided free to users (in FSA research, 77 percent of customers said that they would stop using Internet banking if asked to pay for security), and combines several online fraud countermeasures, including:

• Two-factor Authentication -- The Alliance & Leicester solution uses traditional customer ID and PIN as a first identification factor, but goes beyond that by using the device/IP characteristics of the computers the customer regularly uses as a second authentication factor. This “behind-the-scenes” authentication minimizes user inconvenience or confusion at log-in. There are no additional security details to input such as a one-time pass code, and the customer is not required to purchase or carry an additional piece of hardware such as a token or fingerprint scanner. The solution effectively discourages fraudsters. It provides low unit cost per customer, enhances the bank’s infrastructure and is easy to align with the existing security model.

• Two-way Authentication -- To protect against threats such as phishing and pharming, in which users unknowingly enter personal security details into a bogus site, Alliance & Leicester is the only UK bank to provide two-way user-to-site and site-to-user authentication. The bank’s site is identified to customers by displaying a previously selected, personalized image and phrase combination, confirming that the site is genuine. The image and phrase are created when customers enroll in the system, and stored in a database along with user PC characteristics. Subsequent logins from the same PC will display the image and phrase so that the customer can be sure this is Alliance & Leicester. Customers can log in from an unlimited number of PCs; the first time a new one is used, a challenge question is asked. Users can opt not to register a PC if, for instance, they are using a public computer.

• Background neural network monitoring and analysis -- This enables the bank to profile user behavior and monitor for atypical transactions and money movement in order to spot and stop threats before it is too late. The system blocks/flags suspicious activity for review by the Fraud Risk Management department, and can even identify new emerging attacks, not just known ones, providing long-term protection from evolving threats.


Benefits
Has your project helped those it was designed to help?   Yes

What new advantage or opportunity does your project provide to people?
The decision to bank online is often based on whether customers trust the bank to protect them against fraud. Alliance & Leicester has met this challenge head-on, by being first-to-market in the UK with Adaptive Authentication for the Web. The solution gives customers peace of mind when conducting everyday banking transactions online. It is free and easy to use, and avoids cumbersome or time-consuming requirements that would have risked turning customers away from Internet banking altogether. Since most of the additional security measures are transparent to the user, the solution minimizes inconvenience and change in behavior, while delivering unrivaled protection against online fraud and identity theft. Mapa, an independent market research agency, called Alliance & Leicester “the most secure online bank in the UK.”

Has your project fundamentally changed how tasks are performed?   Yes

How do you see your project's innovation benefiting other applications, organizations, or global communities?
Given the extensive positive media coverage the Alliance & Leicester Adaptive Authentication for the Web security solution has generated, it is expected to have wide-reaching impact as providers in financial services and many other industries recognize the need to offer similar levels of online security in order to protect customers and keep their businesses competitive.

By increasing the use of Internet banking, the new security system has given Alliance & Leicester a significant competitive advantage. The 25 percent jump in Internet transactions the bank recorded between March and December 2006 demonstrates improved user confidence in online banking and translates to an annual cost savings of more than £1 million, due to the low-cost nature of transacting through the online channel. The new security solution also has delivered a tangible return on investment by achieving fraud losses 12 times lower than the bank projected.


The Importance of Technology
How did the technology you used contribute to this project and why was it important?
Alliance & Leicester’s Adaptive Authentication for the Web solution is a ground-breaking implementation of online fraud prevention technologies from RSA, the Security Division of EMC.

The core technology, RSA Adaptive Authentication for Web, is a comprehensive security platform, driven by the real-time RSA Risk Engine, which identifies potential fraud patterns and delivers highly accurate assessments of a given activity or transaction’s legitimacy. The solution includes the RSA Risk-based Authentication Module, a transparent technology that combines positive device identification (via a device recognition algorithm) with real-time risk assessments, and assigns a risk score based on the likelihood of fraudulent activity. The RSA Site-to-user Authentication Module is a visible technology that assures users that the bank’s Web site is genuine before they enter sensitive or confidential information. Alliance & Leicester also participates in the RSA eFraudNetwork, a cross-institution, cross-industry repository that improves fraud detection and helps address emerging threats.

Sophisticated monitoring capabilities allow the bank’s Fraud Risk Management Department to quickly assign levels of risk to individual IP addresses and reduce the number of false positives. The bank also maintains a list of both IP addresses and countries from which it would like to restrict access and monitor closely through forensic reports.

The security solution captures transactional behavior in real-time. For example, if a customer usually moves £100 between accounts and then asks to move £5000 the system may, based on the customer profile and risk assessment, ask for additional identifying information, further decreasing the risk of Internet fraud.
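The login and transfer decisions described in this case study can be sketched as follows. This is an added example, not code from Alliance & Leicester or RSA; the function names, the restricted-list entries, the median baseline and the 10x threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from statistics import median

# Constructed sample lists (assumptions): a documentation-range IP and a
# placeholder country code standing in for the bank's restricted lists.
RESTRICTED_IPS = {"203.0.113.7"}
RESTRICTED_COUNTRIES = {"ZZ"}

@dataclass
class Customer:
    image: str                                     # chosen at enrollment
    phrase: str                                    # chosen at enrollment
    devices: set = field(default_factory=set)      # registered PC fingerprints
    transfers: list = field(default_factory=list)  # past transfer amounts, GBP

def login_step(c, device_id, ip, country):
    """Decide what the login page does before the PIN is requested."""
    if ip in RESTRICTED_IPS or country in RESTRICTED_COUNTRIES:
        return {"action": "review"}                # flag for fraud risk team
    if device_id in c.devices:
        # Recognised PC: authenticate the site to the user first.
        return {"action": "show_secret", "image": c.image, "phrase": c.phrase}
    # Unknown PC: the image and phrase are never revealed here, otherwise a
    # phishing site relaying the customer ID could fetch and replay them.
    return {"action": "challenge_question"}

def register_device(c, device_id, challenge_passed, user_opted_in):
    """Register a PC only after a passed challenge and explicit opt-in."""
    if challenge_passed and user_opted_in:
        c.devices.add(device_id)
    return device_id in c.devices

def transfer_step(c, amount, multiplier=10):
    """Ask for additional identification when a transfer is atypical."""
    if not c.transfers:
        return "step_up"                           # no profile yet
    typical = median(c.transfers)
    return "step_up" if amount > multiplier * typical else "allow"

if __name__ == "__main__":
    cust = Customer("lighthouse.jpg", "blue kettle", transfers=[100, 120, 90, 100])
    print(login_step(cust, "pc-home", "198.51.100.4", "GB"))  # challenge first
    register_device(cust, "pc-home", challenge_passed=True, user_opted_in=True)
    print(login_step(cust, "pc-home", "198.51.100.4", "GB"))  # image and phrase
    print(transfer_step(cust, 5000))                          # step_up
```

The unknown-device branch is the part worth checking in any site-to-user scheme: if the image and phrase are returned for a bare customer ID, the anti-phishing value of the display is lost.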

More accurate identification of genuinely fraudulent activity also means fewer IT resources are required to address potential incidents. Today, a new phishing attack can be investigated in 10 to 20 minutes, compared to past investigations that may have taken days, freeing IT resources for other value-adding activities.

As the first UK deployment of Adaptive Authentication for the Web, this solution differs from typical US stand-alone solutions. Since Alliance & Leicester’s Internet banking runs on multiple Windows 2003 servers at two UK locations, the new security solution was integrated into the bank’s existing middleware architecture, using IBM WebSphere ND, a technology new to Alliance & Leicester, as the application-hosting environment. WebSphere was used to deploy the second factor authentication application, and is re-usable for future projects. These include improving email security, as well as offering higher-value services and transactions online. The RSA Oracle database was integrated using new Visual Basic components and is housed on the same Windows 2003 server as the bank’s other Oracle Internet databases.

Originality
What are the exceptional aspects of your project?
Alliance & Leicester is leading the UK financial services market with an Adaptive Authentication for the Web implementation that combines ground-breaking two-factor authentication, unique two-way authentication, and background neural network monitoring for risk assessment.

Traditionally, banks have asked customers to input static passwords, PINs, or IDs to identify themselves. Other banks in the UK have tested second factor authentication using security tokens, but only Alliance & Leicester does not require a customer to purchase or carry complicated additional hardware such as a token or fingerprint scanner. The Alliance & Leicester solution notes the characteristics of the computers that customers use regularly, and employs these characteristics as the second factor authentication.

To protect against threats such as phishing and pharming, in which users unknowingly enter personal security details into a bogus site, Alliance & Leicester is the only UK bank that identifies its site to customers when they are logging in so that they can be sure the site is genuine. In addition, the solution uses neural network analysis to profile user behavior and monitor for atypical transactions and then blocks and flags them for review.

How is it original?
Key achievements of Alliance & Leicester and the Adaptive Authentication for the Web solution include:

• Only system to give customers true confidence in the safety of online banking, by delivering several innovative countermeasures against online fraud in a single, easy-to-use security solution.

• Only solution to use PC forensics to identify characteristics of the customer’s computers as the second factor authentication, eliminating the need for a one-time pass code, or a token or fingerprint scanner.

• Only bank in the UK to identify its site to customers with a personalized image and phrase so they can be sure that they are entering the bank’s site, rather than a bogus site created by fraudsters.

• First UK bank worldwide to roll out such an online security solution to the entire Internet banking base of 750,000 users.

• First UK online security solution to be integrated with the bank’s middleware infrastructure, rather than standalone, to enable future use in other aspects of the bank’s business.

• Demonstrated tangible return on investment (ROI) by achieving 12 times lower losses from online fraud than expected.


Is it the first, the only, the best or the most effective application of its kind?   All of the above

Success
Has your project achieved or exceeded its goals?   Exceeded

Is it fully operational?   Yes

How many people benefit from it?   750,000

If possible, include an example of how the project has benefited a specific individual, enterprise or organization. Please include personal quotes from individuals who have directly benefited from your work.
Alliance & Leicester is the first UK bank to use online security technology specifically designed for the consumer banking market. It delivers improved customer confidence in online banking and satisfaction with the online experience. In a recent customer satisfaction survey, 90 percent of users rated the security measures as good or excellent, 99 percent as satisfactory, and 83 percent confirmed that they would not enter their PIN into the Alliance & Leicester Web site without their previously selected authentication phrase and image being displayed.

Here’s what Alliance & Leicester customers had to say:
• “I am impressed with the unique picture and phrase combination strategy to prove authenticity.”
• “More people should use this.”
• “A banking strategy all banks should consider.”
• “I very much like the idea of secure sites using the unique image and/or phrase to make sure no one is pretending to be the site I think I’m on.”

How quickly has your targeted audience of users embraced your innovation? Or, how rapidly do you predict they will?
To speed customer migration to the new security service, Alliance & Leicester deployed an extensive communications program, including automated phone messages, statement inserts, a personal letter and security highlights on the bank’s Web site.

During the development process, the customer journey was tested in user research groups, and the feedback was used to make improvements, ensuring that customers would understand the new log-in procedure and how it enhanced security. As a result, more customers were able to use the new system without help and calls to Contact Centers were minimized.

The solution was quickly adopted by the online user base. Between March and December 2006, the bank saw a 25 percent increase in the number of online transactions, a strong demonstration of improved customer confidence in conducting online transactions. One hundred percent of the bank’s 750,000 online customers are now actively using the new security system.

Difficulty
What were the most important obstacles that had to be overcome in order for your work to be successful? Technical problems? Resources? Expertise? Organizational problems?
The implementation team faced a number of challenges. First were the logistics of a UK-based bank working with RSA’s California-based staff. The entire team maintained a multi-disciplined approach to project management, including input from technical, business and marketing people, and key RSA staff were relocated to the UK at critical points.

A major technical challenge was the bank’s desire to build an integrated rather than stand-alone implementation. This required development within an application environment new to the bank -- WebSphere ND -- which was successfully deployed as a reusable asset for this and other projects.

The tight delivery timeframe from November 2005 to March 2006 was made more challenging by the narrow three-week window between the solution’s February 2006 public announcement and the full delivery deadline. This presented an opportunity for online fraudsters during a period of known customer confusion, making the team’s ability to get the full solution in place without delay a significant achievement.

Often the most innovative projects encounter the greatest resistance when they are originally proposed. If you had to fight for approval or funding, please provide a summary of the objections you faced and how you overcame them.
Given intense media coverage regarding online security threats, Alliance & Leicester identified Web security as key to building public confidence in online banking and reducing losses from online fraud. The solution was also instrumental in reaching its goals of becoming the UK's leading direct retail bank and expanding its Internet banking base by a further half-million users by 2008. To make it happen, the bank's chief executive championed the project, as he felt it was important for Alliance & Leicester to be first-to-market in the UK with Adaptive Authentication for the Web. The project launched in November 2005 and the chief executive locked in the delivery deadline by announcing the solution to the public when presenting Alliance & Leicester’s annual results in February 2006. The full implementation was up and running less than three weeks later in March 2006. This rapid and highly successful implementation would not have been possible without the chief executive’s advocacy and support.