As Vishal Salvi, the chief information security officer of HDFC Bank, says, the primary business objective was to reduce online fraud and the number of attacks. Other objectives included increasing customer confidence and creating overall trust in the channel.
Beyond traditional customer authentication
Apart from regular online user authentication methods like the user ID-password combination, HDFC Bank also had the traditional security layers for network, OS, application security, firewalls, intrusion detection systems, intrusion prevention systems and security monitoring working behind the scenes. A strong password management policy backed by password complexity filters is also in place, with mandatory customer password changes every six months.
Salvi and his team wanted to ensure additional layers of security for better fraud detection and proactive mitigation of phishing attacks. So the bank implemented a multi-layered security control approach for NetBanking. This included
According to Salvi, the new security layers called for additional infrastructure to complement the existing authentication mechanisms. Since another circle of controls was created over the NetBanking core, integration and screen development work was required between HDFC Bank's systems and the RSA system.
The project began in October 2008, and HDFC Bank started using the new security mechanisms in January. Since the risk engine used for fraud detection learns over a period of time, the organization initially had a high rate of false positives. "Incidents of false positives have improved to a very large extent, and there are very few incidents at present," Salvi says.
Log in (before and after)
HDFC Bank uses the RSA FraudAction service to gain visibility of emerging security threats such as phishing and Trojan attacks. According to Salvi, this is the first line of defense for the bank.
Virtual keyboards (not an RSA solution) ensure that the passwords of HDFC Bank's NetBanking customers do not fall prey to phishing attacks during log in. This acts as the second layer of defense.
Site-to-user authentication (using RSA Adaptive Authentication) acts as the third protection layer for HDFC Bank's NetBanking customers. This is achieved by displaying an image and caption (preselected by the customer) after log in to verify the website's legitimacy. "It's very difficult for a phisher to replicate the same image and pass code for every individual user. This gives confidence to the users that they are going into a genuine site," Salvi says.
The fourth layer of protection is activated for high-value transactions like adding a payee. As part of this step, the customer is asked challenge questions (pre-defined by the user) to verify his identity.
Another layer of defense that has been incorporated is an out-of-band one-time password, delivered through an automated call placed to the customer's pre-registered cell phone. The transaction goes through only once the customer receives the call, obtains the code and enters it on his phone. All these layers have also been implemented using RSA Adaptive Authentication.
HDFC Bank's sixth layer of protection for NetBanking customers uses RSA Adaptive Authentication's risk engine, which helps the company score transactions according to the risk profile. According to Salvi, every control used in the different security layers for NetBanking is governed by a policy. Since these policies are not hard-coded, they can be modified depending on the changing threat scenario.
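The policy-driven step-up and out-of-band one-time password described above, as an added illustration that is not HDFC Bank's or RSA's code: the risk signals, the thresholds and the toy additive scorer are assumptions standing in for the vendor's risk engine, and the policy is kept as data so it can be changed without touching code.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass
# Policy is data, not hard-coded logic, so it can be tuned as the threat picture
# changes. Thresholds are constructed assumptions; amount is in INR.
POLICY = {
    "challenge_question_kinds": {"add_payee"},  # always step up, whatever the score
    "oob_otp_above_amount": 50_000,
    "oob_otp_above_score": 70,
    "deny_above_score": 90,
}
@dataclass
class Txn:
    kind: str                  # "transfer", "add_payee", ...
    amount: float
    device_known: bool         # assumed signals a risk engine would consume
    geo_matches_profile: bool
    velocity_last_hour: int

def risk_score(t: Txn) -> int:
    """Toy additive scorer (0..100) standing in for the vendor risk engine."""
    score = 0
    if not t.device_known: score += 40
    if not t.geo_matches_profile: score += 30
    if t.velocity_last_hour > 5: score += 25
    if t.amount > POLICY["oob_otp_above_amount"]: score += 15
    return min(score, 100)

def decide(t: Txn, policy: dict = POLICY) -> str:
    s = risk_score(t)  # returns the layer that must clear the transaction
    if s >= policy["deny_above_score"]: return "deny"
    if t.kind in policy["challenge_question_kinds"]: return "challenge_questions"
    if s >= policy["oob_otp_above_score"] or t.amount > policy["oob_otp_above_amount"]:
        return "oob_otp"
    return "allow"

class OtpStore:
    """Out-of-band OTPs: bound to one transaction, hashed at rest, time-limited, single use."""
    def __init__(self, ttl_seconds: int = 120):
        self.ttl, self._pending = ttl_seconds, {}
    def issue(self, txn_id: str, now=None) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        now = time.time() if now is None else now
        self._pending[txn_id] = (hashlib.sha256(code.encode()).digest(), now + self.ttl)
        return code  # goes to the voice-call channel only, never back to the browser
    def verify(self, txn_id: str, code: str, now=None) -> bool:
        rec = self._pending.pop(txn_id, None)  # one attempt per issuance, right or wrong
        if rec is None: return False
        digest, expires = rec
        now = time.time() if now is None else now
        return now <= expires and hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest())
```

Consuming the pending code on any attempt is what keeps a six-digit OTP from being guessed: a wrong entry forces a fresh issuance rather than allowing another try against the same code.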
Salvi claims that HDFC Bank has witnessed an 85% to 90% decline in phishing attacks since deployment of the new security layers. "According to recently released Reserve Bank of India figures, there has been an increase in the number of phishing attacks on Indian banks. However, we have actually seen a steep decline in the number of attacks against us," Salvi says.
This encouraging trend has resulted in Salvi and his team extending the scope of security from just third-party transfers to direct payments -- the protection will extend to HDFC Bank customers' credit and debit card payments as well. "Although the risk is much lesser for direct payments since the transactions can be traced, we still want to include that in the scope," Salvi says.