Last updated April 9, 2008

 

H&R Block Tries a New Anti-Fraud Tool

February 27, 2006

There have been two main ways to protect online brokerage operations from fraud: with back-office systems that track transactions and detect anomalies that might indicate money laundering, for example; and with intrusion-detection and -prevention systems that guard against Internet hackers.

H&R Block is deploying a third alternative--the e-Fraud Prevention Solution from Redwood Shores, Calif.-based Business Signatures Corp. The software tool tracks users' activity on online brokerage Web sites but does not need to be tightly integrated into back-office systems.

"This is a substantially different way of preventing fraud," says H&R Block chief information officer Marc West. "Running it on the edge of where the Web connects in gives us several benefits. We're looking at the Web stream of all traffic, not just one specific system itself." West says he's using the system to protect online brokerage customers and other H&R Block clients.

According to Business Signatures CEO Peter Relan, the system monitors traffic into a site. For example, if someone from one Internet source makes a lot of attempts to log in using different passwords, that's a problem that might not be picked up by a transaction-based system. Or a user might change his password and home mailing address, then have the brokerage sell his stock and send him the proceeds. Together these actions are suspicious, but each step may rely on a separate back-end system, which may allow the user to escape detection.
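The two patterns Relan describes can be written as rules over a single stream of web events. The sketch below is an added example, not Business Signatures' code; the event fields, action names, thresholds and time windows are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events as an edge monitor might record them:
# (seconds, source_ip, account, action, password_digest_label)
EVENTS = [
    (0,   "198.51.100.7", "alice", "login_fail", "d1"),
    (20,  "198.51.100.7", "alice", "login_fail", "d2"),
    (45,  "198.51.100.7", "bob",   "login_fail", "d3"),
    (60,  "203.0.113.9",  "carol", "login_fail", "d4"),
    (61,  "203.0.113.9",  "carol", "login_ok",   ""),
    (100, "192.0.2.44",   "dave",  "password_change",   ""),
    (400, "192.0.2.44",   "dave",  "address_change",    ""),
    (900, "192.0.2.44",   "dave",  "sell_and_disburse", ""),
    (950, "203.0.113.9",  "carol", "sell_and_disburse", ""),
]

# Assumed action names for the profile changes that precede a payout.
PROFILE_CHANGES = frozenset({"password_change", "address_change"})

def many_password_attempts(events, threshold=3, window=300):
    """Sources that fail logins with >= threshold distinct passwords in window seconds."""
    by_src = defaultdict(list)
    flagged = set()
    for ts, src, _acct, action, digest in sorted(events):
        if action != "login_fail":
            continue
        by_src[src].append((ts, digest))
        recent = {d for t, d in by_src[src] if ts - t <= window}
        if len(recent) >= threshold:
            flagged.add(src)
    return flagged

def risky_sequence(events, window=86400):
    """Accounts that changed password AND address, then sold and disbursed, within window."""
    changes = defaultdict(dict)  # account -> {action: last timestamp seen}
    flagged = set()
    for ts, _src, acct, action, _digest in sorted(events):
        if action in PROFILE_CHANGES:
            changes[acct][action] = ts
        elif action == "sell_and_disburse":
            recent = {a for a, t in changes[acct].items() if ts - t <= window}
            if recent == PROFILE_CHANGES:  # each step alone is routine; together they are not
                flagged.add(acct)
    return flagged

if __name__ == "__main__":
    print("sources to review:", many_password_attempts(EVENTS))
    print("accounts to confirm:", risky_sequence(EVENTS))
```

Each rule sees only the web stream, so neither needs data from the login, profile or trading back ends individually.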

Because the Business Signatures software is installed on the periphery of a company's network, not within a transaction system, it identifies suspicious behaviors without requiring integration into the broker's back-end systems. The company has about 20 customers; about a half dozen of those are in financial services, including Citibank, Relan says.

"Once we see the traffic patterns, the business signatures of an online application can be deconstructed and deduced in a matter of hours," says Relan. "That's the key innovation." The "fraud logic" is separate from the "business logic," which means "that you can add a new rule on the fly in real time," he says. "You can't do that with your core application--it's too risky, too dangerous."

Once suspicious behavior is detected, the brokerage can look at the customer's transaction history or request a second confirmation of the transaction. "If somebody wants to make a large trade, you can have the customer-service center give them a call and confirm the trade," says H&R Block's West.

Business Signatures' Mutual 2 Factor Authenticator can prompt the customer to answer a personal question that a hacker is unlikely to know, or send a message to a cell phone. Mutual 2 Factor is sold on a flat-fee basis of $48,000 per year, including support, not on the per-user basis generally charged by suppliers of two-factor authentication systems, which involve a second identifying mechanism beyond the basic user-name with password.

Two-factor authentication is a hot topic because of fraud and identity theft concerns in the financial industry. Guidance issued last October by the Federal Financial Institutions Examination Council, an umbrella group representing federal bank regulators, strongly recommended two-factor authentication, and financial institutions have been surveying such alternatives as telephone confirmations, digital keys and tokens that generate single-use passwords. Avivah Litan, research director at Stamford, Conn.-based Gartner, estimates that 85 percent of U.S. banks will implement two-factor authentication by year-end. Because many banks have brokerage arms, this movement is likely to spill over into retail securities trading. E-Trade Financial Corp. has already made a major commitment to two-factor authentication using tokens.

 

Maria Trombly can be reached at 011-86-21-6387-7243 or by email at maria@trombly.com