OneSpan Cloud Solutions In Action - MyBank Web Portal Demo, Part II
In Part I of this series, we reviewed the portfolio of security solutions available from OneSpan that are part of the MyBank Web Portal Interactive Solution. These products include: Secure Agreement Automation, OneSpan Sign, Mobile Security Suite, and Intelligent Adaptive Authentication – which is a combination of our Risk Analytics and OneSpan Cloud Authentication products.
We also demonstrated how to join the OneSpan Community Portal, register for a free developer sandbox account, and how to access MyBank web portal from within the sandbox. Finally, we stepped into the end user’s shoes as we walked through the registration process for the MyBank Web Portal. This took us through demonstrations of how Secure Agreement Automation, OneSpan Sign, and Mobile Security Suite could look to your customers once integrated into your application.
When we finished, we had arrived in our account dashboard on the MyBank Web Portal, ready to interact with either the web or mobile view, as seen in the image below.
In the second part of this series, we will use the MyBank app to show how OneSpan’s Intelligent Adaptive Authentication allows you to enforce policies and customize rules within our Risk Analytics service, to prevent fraudulent activities and improve the customer experience. You will be guided through a simple example with the default rules, introduced to the Risk Analytics Presentation Service, and then walked through an example of how a rule change can alter the end user’s experience.
Example: Payment with the Default Rules
When we make a payment transaction through the MyBank app, the transaction's risk is assessed against your rules to determine which authentication measures are required. The default values within the Risk Analytics service are set as follows:
- No authentication is required for low value transactions ($0 <= amount <= $100)
- Fingerprint challenge for medium value transactions ($100 < amount <= $4,999)
- Face recognition challenge for high value transactions ($5,000 < amount <= $100,000)
To show the Risk Analytics rules in action, we will submit a payment of $300 through the MyBank app. From the home page of MyBank, navigate to the “Payments” tab, select a recipient, and enter the amount value of $300. Click “Create” to make the payment.
OneSpan Mobile Security Suite will immediately send a push notification to your trusted device to approve the money transfer. When selecting the notification, the payment amount, recipient name, and account number will appear on-screen. Tap “Yes” and OneSpan Orchestration SDK will prompt you to scan your fingerprint to finalize the transaction, following the medium value rule we mentioned earlier. You can see the experience from the trusted device in the images below.
Alternatively, you have the option to simply scan the Cronto image shown above when we made the transaction, using the app on your trusted device.
Risk Analytics Overview
Risk Analytics analyzes a vast range of mobile, customer application, and transaction data in real time to detect known and emerging fraud in the web and mobile banking channels, including:
- Account takeover
- New account fraud
- Mobile fraud
- Digital banking fraud
Through machine learning and sophisticated data modeling, Risk Analytics can then spot anomalies in user behavior, identify risk, and take immediate action.
In addition, the Risk Analytics Presentation Service gives you access to several features, including:
- Real-time analysis of device and transaction risks
- Identification of new fraud scenarios and suspicious account payees
- Policy enforcement for different levels of risky activities
- Account takeover fraud detection/prevention
Sign In to Risk Analytics and Set Up Your Password
From the Sandbox menu, select the Risk Analytics tab. You will find your username constructed from your email address and a temporary password. Use these credentials to access the Risk Analytics Presentation Service following the link labelled with “Risk Analytics Presentation Service”. You will be prompted to provide a new password at your first login. Afterwards, you will be redirected to the OneSpan Risk Analytics presentation service webpage. This webpage will be important for the next example.
Example: Payment Rules Update
Following the default rules we mentioned earlier, you could try to make a payment of $90. You will notice that it goes through without authentication, adhering to the default authentication response for a low value transaction rule under $100. Let’s edit the default rule for “Medium Amount” and experiment with changing the authentication type. We will change the lower threshold limit for this rule to start from $80 and set the authentication type to be PIN authentication. Therefore, when we make a transaction with the amount of $90, it will be treated as a medium amount transaction. Likewise, the authentication type will be stepped up to a PIN entry. Let’s jump into Risk Analytics and edit the default values for the rules.
When you log on to the Risk Analytics dashboard, navigate to “DESIGN RULES & ACTIONS” > “Rule Management” from the menu bar at the top. From the “Rules” section in the navigation pane on the left, expand “Transactions”, then “Adaptive Authentication Web Payments (Medium)”, and expand “Challenged TXN (High)”. Inside it are the default rules that handle a web payment event, in this case from the MyBank demo app.
Inside the “Medium Amount” rule, click the brown pencil icon under “Rule” to edit it. From there change the value for the first criterion “AMT_CH_BILL” to “80” and click “Save”. Remember also to change the upper limit of the “Very Low Amount” rule to be “80” (the same way you altered the medium amount rule beforehand).
To edit the authentication type corresponding to the “Medium Amount” rule, click the brown edit icon under “Response/Status” in the same rule’s window above. From there, change the value of the response code to “ChallengePIN”, as shown below.
Log in to the MyBank webpage and make a payment of $90 to check whether it is treated as a medium risk transaction and whether the changes we made are effective. You will be prompted by your trusted device app to key in your PIN, following the new rules we just defined for payment transactions. Make another payment of $70 to see if the changes to the “Very Low Amount” rule are reflected. You will notice it requires no authentication, as it falls under the “Very Low Amount” rule.
Finally, you can check the latest events from the example above to see which events were triggered and which rules were matched. These are displayed under “SUPERVISE & INVESTIGATE” > “Latest Events” in the menu bar of the Risk Analytics Presentation Service, as in the screenshot below.
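The two-step edit above can be sanity-checked offline before it is made in the console. The following is an added example, not OneSpan code and not the Risk Analytics rule engine: a small Python model of the two rules the walkthrough edits, which reports amount ranges matched by more than one rule or by none. The `Rule` class, the helper names and the response labels other than “ChallengePIN” are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from decimal import Decimal

@dataclass(frozen=True)
class Rule:
    name: str
    lower: Decimal            # exclusive, unless lower_inclusive is set
    upper: Decimal            # inclusive
    response: str             # descriptive label, not a product response code
    lower_inclusive: bool = False

    def matches(self, amount):
        above = amount >= self.lower if self.lower_inclusive else amount > self.lower
        return above and amount <= self.upper

# Default thresholds as listed in the article, limited to the two edited rules.
DEFAULT = [
    Rule("Very Low Amount", Decimal(0), Decimal(100), "no authentication", True),
    Rule("Medium Amount", Decimal(100), Decimal(4999), "fingerprint"),
]

def matching(rules, amount):
    """Names of every rule whose amount band contains the payment."""
    return [r.name for r in rules if r.matches(Decimal(amount))]

def check_boundaries(rules):
    """Report overlaps and gaps between adjacent amount bands."""
    problems = []
    ordered = sorted(rules, key=lambda r: r.lower)
    for lo, hi in zip(ordered, ordered[1:]):
        if hi.lower < lo.upper:
            problems.append(f"overlap {hi.lower}-{lo.upper}: {lo.name} / {hi.name}")
        elif hi.lower > lo.upper:
            problems.append(f"gap {lo.upper}-{hi.lower}: no rule matches")
    return problems

def edit(rules, name, **changes):
    return [replace(r, **changes) if r.name == name else r for r in rules]

# First edit only: Medium starts at 80 with a PIN challenge, Very Low still ends at 100.
half_done = edit(DEFAULT, "Medium Amount", lower=Decimal(80), response="ChallengePIN")
# Second edit: Very Low upper limit moved to 80 as well, as the walkthrough instructs.
complete = edit(half_done, "Very Low Amount", upper=Decimal(80))

if __name__ == "__main__":
    for label, rules in (("default", DEFAULT), ("half-done", half_done), ("complete", complete)):
        print(label, check_boundaries(rules), {a: matching(rules, a) for a in (70, 90, 300)})
```

With only the first edit applied, a $90 payment matches both rules; once the “Very Low Amount” upper limit is also set to 80, each test amount matches exactly one rule.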
Event flow in Risk Analytics
The structure in Risk Analytics that any event goes through when it gets triggered is:
Hierarchy > Campaign > Division > Rule
In the example above, the event will go through the “Transactions” Hierarchy > “Adaptive Authentication Web Payments (Medium)” Campaign > “Challenged TXN (High)” Division > then to one of the listed rules that matches. Consult the screenshot below to see the hierarchy as shown in Risk Analytics.
This concludes our demo. We have seen how to sign in to Risk Analytics and configure the rules to match different payment events. We have also seen how to alter the authentication types, and how an event flows through the Risk Analytics hierarchy from the top down.
Stay tuned to the OneSpan Community for more blog tutorials that show the power of OneSpan’s Trusted Identity Platform solutions.