Şekerbank T.A.Ş. is the leading Turkish bank for small and midsize enterprises, and its internet banking services are among the three highest-rated online banking Web sites in Turkey. They have earned a reputation for having the most user-friendly and secure online banking Web sites in the country. Last week at the European Identity Conference, they were one of the winners of the “Best Internal Project” award for a solution developed together with Smartsoft and Oracle for providing risk-based authentication and authorization. I thought it was an interesting case study, so I thought I would share it with you.
Their solution was built around SmartSoft’s SRM (Smart Risk Manager) Fraud Management System and Oracle Adaptive Access Manager, our solution in the area of strong authentication and proactive, real-time fraud prevention. SmartSofts’ expertise in EMV and payment card systems means that they understand credit card fraud at a deep level. This understanding is the basis for the fraud controls that SRM introduces at the merchant and issuer sides, detecting fraud in real-time and taking just-in-time precautions and actions. The bank has been using SRM for over 2 years to secure their credit and debit card operations.
The bank wanted to bring the same level of fraud management that they had achieved with their credit and debit card operations to their internet banking channel. This would require understanding the mechanisms of internet banking fraud, enable comprehensive and automated tracking of online transactions, and use this to identify instances of frauds in real time. The bank also wanted to make sure that they fully complied with international and domestic regulations for internet banking.
In order to do this, the bank worked with SmartSoft and Oracle to add OAAM Adaptive Risk Manager (ARM) into their fraud controls system. ARM is OAAM’s back-end, proactive real-time fraud detection product, providing a behind-the-scenes comprehensive anti-fraud software solution. ARM provides a strong second and third factor of security by verifying a host of factors used to confirm identity – from device characteristics (the computer and mobile device used to login) to a user’s location and online behavioral profiles. Adaptive Risk Manager can also trigger numerous actions based on its analysis, such as challenging or blocking the user.
For the deployment, the project team conducted a broad analysis of requirements in terms of internet banking fraud rules, and configured more than 50 OOTB rules in OAAM’s rule engine. They also developed an advanced scoring mechanism for real-time analysis of each transaction’s fraud probability, aimed at achieving a detection rate of nearly 99% of all fraud attempts.
An information channel was defined between OAAM and SRM, whereby the two systems can enrich each others decision-making data. For interactions originating in the internet banking channel, OAAM can calculate risk levels and notify SRM about high risk transactions. Conversely, SRM can send fraud data for risky transactions it encounters to OAAM for use in its behavioral analysis. This integration between the two systems makes the fraud analysis richer and more reliable.
On top of this, the bank’s fraud analysts are using existing reporting capabilities and Oracle BI Publisher for deep down reporting and trend analysis to identify zero-day fraud patterns. Case management also enabled the organization to take care of risky activities and provide flexible service to end-users in real time.
The bank deployed OAAM in just three months, providing the bank’s fraud analysts with comprehensive visibility and monitoring capabilities for internet banking transactions. With the deployment in production, the bank was able to achieve a previously unmatched level of security for internet banking and fully ensure Şekerbank’s compliance with international and domestic regulations. They were also able to realize a decrease in operational costs for surveying internet banking transactions of ~70%, as now only 2% of all transactions require manual control following a system alert.
It’s always good when you come across a success story like this one, and when especially when the project teams get the recognition they so richly deserve (but seldom get). Kudos to them on the success of the project and the award.