Arcot RiskFort

Introduction

Arcot RiskFort (referred to as RiskFort later in the manual) is an adaptive authentication solution that evaluates each online transaction in real time by examining a wide range of collected data against out-of-the-box rules. It then assigns each transaction a risk score and advises the e-Banking application. The higher the risk score, the greater the likelihood of fraud. Based on the bank’s business policies, RiskFort can then use this risk score to advise the e-Banking application to approve or decline the transaction, ask for additional authentication, or alert a customer service representative.

RiskFort offers the flexibility to modify the configuration parameters of any of the risk evaluation rules in keeping with the bank’s policies and risk-mitigation requirements. It also allows the default scoring configuration, scoring priorities, and risk score of any rule to be modified, and the execution of one or more rules to be selectively enabled or disabled. Besides the pre-configured out-of-the-box rules, RiskFort’s field-programmable add-on rules capability allows industry-specific rules to be selectively deployed and augmented based on the bank’s requirements.

Enrolment to the RiskFort System

For adaptive authentication on login to Finacle e-Banking, a user has to be enrolled with RiskFort. The following points about RiskFort enrolment are important:

  • Enrolment is the process of creating a new user in the RiskFort database.

  • Every time the Finacle e-Banking application forwards a request for risk analysis, RiskFort uses the ‘User Unknown rule’ to determine if the user details exist in the RiskFort database. If this information is not found, then RiskFort treats the incoming request as a first-time (or unknown) user request and internally passes an alert advice to Finacle e-Banking.

Steps for Explicit Enrolment (First-time login)

1. The Finacle e-Banking user logs into the application, and RiskFort validates whether the user exists in its system.

2. The Finacle e-Banking application collects the information that RiskFort uses for analysing risk:

  • User system information that includes operating system, platform, browser information (such as browser language, HTTP header information), locale, and screen settings.

  • Device information that includes DeviceID, such as Flash Shared Object (FSO) cookie or browser cookie.

  • Location information that includes IP address and ISP (Internet service provider)-related information.

  • Additional Inputs that might include locale and related information.

3. The application calls the Risk function in RiskFort. In this call, Finacle e-Banking passes all the user and device information collected in the preceding step to RiskFort.

4. RiskFort performs risk analysis for the user and generates an advice. In this case, because the user is not yet "known" to the RiskFort system, the ALERT advice is generated.

5. For the ALERT advice that is generated, Finacle e-Banking makes an explicit call to RiskFort for user creation. In this call, Finacle e-Banking passes all pertinent user details. The following details should be passed to RiskFort for explicit enrolment:

  • User Name

  • Last name

  • Email ID

  • Organization

6. If the call is successful, RiskFort creates the user in the database. With this, the user is enrolled with RiskFort.

7. Finacle e-Banking calls RiskFort’s Evaluate Risk function again. In this call, Finacle e-Banking ensures that all the user and device information collected in Step 2 is passed to RiskFort again.

8. RiskFort performs risk analysis for the user. In this case, RiskFort executes the rules and generates the risk score and the advice.

9. RiskFort generates a DeviceID, which is then stored in the client browser (the user’s system).

All the above steps are performed when the user logs in for the first time. When the user logs in again, the user is already enrolled, so RiskFort evaluates the risk score and, based on that score, the user is allowed or denied login.

Functional Flow

When a Finacle e-Banking user logs in to the application using the login credentials, the following process takes place. Based on the risk score that RiskFort assigns to the user for the login, one of the following occurs:

1. Allow login: If the received user data is assigned a low score after rule execution by RiskFort (based on the incoming data and the data stored for this user or device), then the advice from RiskFort is ALLOW. The user logs into the default landing page.

2. Deny login: If the received user data is assigned a high score after rule execution (based on the incoming data and the data stored for this user or device), then the advice is DENY. In this case the error message “Login not allowed. Please contact Customer Care for more details” is displayed.

3. Increase authentication: If RiskFort flags the login as suspicious (based on the rules set in RiskFort), then the advice is INCREASEAUTH. This means that extra credentials are required to further authenticate the user.

  • In this case, secondary authentication needs to be performed by the e-Banking application. Once the secondary authentication succeeds, the user is allowed to log in.

  • At this stage, irrespective of whether the user failed or cleared the secondary authentication, the application passes the result back to RiskFort. This information helps RiskFort build an up-to-date and accurate user history.

  • If a secondary mode of authentication is not configured in the e-Banking solution, the solution does not allow the user to log in, and the error message “Login not allowed. Please contact Customer Care for more details” is displayed.

Note:

If the connection to the RiskFort system fails during user login, the error message “Host is not available. Please try after sometime” is displayed.
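The explicit enrolment handshake (evaluate, ALERT, create user, evaluate again) and the advice handling described under Functional Flow, as an added example that is not part of this manual or the Finacle or Arcot products. RiskFortStub is a constructed in-memory stand-in with assumed method names, not the real RiskFort API, and its score thresholds are made up; the login function is the e-Banking side.

```python
from dataclasses import dataclass, field

DENY_MSG = "Login not allowed. Please contact Customer Care for more details"
HOST_MSG = "Host is not available. Please try after sometime"

class RiskFortUnavailable(Exception):
    """Connection to RiskFort failed."""

@dataclass
class RiskFortStub:
    """Constructed stand-in for RiskFort: enrolled users and a canned score per user."""
    users: set = field(default_factory=set)
    scores: dict = field(default_factory=dict)   # user -> risk score (constructed)
    history: list = field(default_factory=list)  # secondary-auth results posted back
    down: bool = False

    def evaluate_risk(self, user, device_info):
        if self.down:
            raise RiskFortUnavailable
        if user not in self.users:               # 'User Unknown' rule fires
            return "ALERT", None
        score = self.scores.get(user, 0)
        # Thresholds are made up for the stub; real cut-offs follow bank policy.
        advice = "ALLOW" if score < 30 else "INCREASEAUTH" if score < 70 else "DENY"
        return advice, score

    def create_user(self, user, last_name, email, org):
        if self.down:
            raise RiskFortUnavailable
        self.users.add(user)                     # explicit enrolment (steps 5 and 6)

    def post_secondary_result(self, user, passed):
        self.history.append((user, passed))      # keeps the user history accurate

def login(rf, user, device_info, profile, secondary_auth=None):
    """Outcome for the user; secondary_auth: callable -> bool, None if not configured."""
    try:
        advice, _ = rf.evaluate_risk(user, device_info)
        if advice == "ALERT":                    # first-time user: enrol, re-evaluate
            rf.create_user(user, *profile)
            advice, _ = rf.evaluate_risk(user, device_info)  # step 7: same data again
    except RiskFortUnavailable:
        return HOST_MSG
    if advice == "ALLOW":
        return "LANDING_PAGE"
    if advice == "DENY" or secondary_auth is None:   # DENY, or INCREASEAUTH without a second factor
        return DENY_MSG
    passed = secondary_auth()
    rf.post_secondary_result(user, passed)       # result always goes back to RiskFort
    return "LANDING_PAGE" if passed else DENY_MSG
```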