RSA paid $145m for online anti-fraud products company Cyota Inc last year in a bid to accelerate its move into consumer identity protection services. Chris Young, ex-head of security at AOL and the man who led the acquisition of Cyota, is now the general manager of the RSA Cyota Consumer Solutions arm.
The integration work has led to the development of an Adaptive Authentication scheme, which builds on the Cyota products and allows banks to apply layers of online security.
These are founded on a core risk engine that checks against an IP address or a device fingerprint, or digital watermarks for reverse authentication. The next layer is a collaborative, cross-bank eFraudNetwork to defend against phishing attempts. The business intelligence from that network then feeds a risk-based authentication process, which uses an appropriate form of authentication to control the access of users with different levels of risk.
The choices available range from authenticating users with a one-time password generated by an RSA SecurID hardware token, to a software token, an SMS text message, or the use of secret life questions and out-of-band phone calls.
The Bedford, Massachusetts-based vendor points to a latent demand among financial services companies for security systems that supplement single-factor username-and-password authentication processes.
In October 2005, the Federal Financial Institutions Examination Council of five US federal banking regulators said it considered single-factor authentication inadequate for online banking. It is now strongly recommending that all financial institutions adopt multiple-factor authentication, layered security, or other controls that strengthen the use of usernames and passwords for online banking and other web-based financial transactions.
The company said that as part of the integration, RSA Cyota has added a feature that allows financial institutions to shift between authentication methods and change the segmentation of their users based on the product's built-in profiling analytics. The system can use what it knows about a user, the chosen access channel, the location of the access point, and the proposed transaction type to apply an appropriate level of security using different methods of authentication. That choice is based on a risk profile generated by the Adaptive Authentication system.
RSA said that eTrade, the online banking and brokering business, is one of the first customers to use such a risk-based authentication system, with the bank’s customers given a free or low-cost hardware token that generates a one-time password for them to securely access their accounts.