Risk Management with OAAM

When you conduct business in person, by phone, or over the web, you trust that every customer is who they claim to be. With every faceless transaction, though, you put your business at risk. Can you safeguard your business if you do not know who your customers really are? A real-time fraud and authentication solution tells you, at the moment of the transaction, how much confidence you can place in the customer's identity, so that however your customers reach you, every transaction carries a known level of assurance.

Many industries require strong identity authentication, including banking and credit, insurance, government services, and healthcare.

About Oracle Adaptive Access Manager (OAAM)
OAAM provides multifactor authentication and proactive, real-time fraud prevention for web applications. Risk-based authentication is one such capability. The OAAM risk-scoring engine combats identity fraud in real time by evaluating, for each attempt, whether the user should be allowed to authenticate, based on the type of transaction being attempted and the estimated probability of fraud. When the risk warrants a challenge, the engine can also present the user with a series of dynamically generated questions derived from a combination of public and private data sources and evaluate the answers. OAAM then produces a fraud score, and the user is either allowed to continue with the transaction or denied access.

Can OAAM address FFIEC supplement to authentication in an Internet Banking environment?
On June 28, 2011, the Federal Financial Institutions Examination Council (FFIEC) issued a Supplement to its Authentication in an Internet Banking Environment guidance, first issued in October 2005. The FFIEC judged that further guidance was appropriate because of the continued growth of electronic and mobile banking and the greater sophistication of the associated threats, which have increased the risks for financial institutions and their customers.

Examiners from the FFIEC member agencies began formally assessing institutions against these expectations in January 2012.

Overall, the supplement emphasizes:

- Account Origination and Customer Verification - Verify the customer's identity before an account is opened. This is also required for compliance with Section 326 of the USA PATRIOT Act (the customer identification program rules). The recommended method is Knowledge Based Authentication (KBA), which verifies the user's identity with out-of-wallet (non-credit) questions drawn from publicly available databases.
- Risk Assessment - Identify high-risk transactions, such as logins that expose account information and money transfers, and keep the assessment current as threats change.
- Risk Mitigation - Use two-factor authentication to mitigate transaction risk. The guidance mandates no particular method, but it singles out two technologies: (1) device authentication using IP address location and geolocation, and (2) out-of-band authentication.
- Audit - Monitoring and reporting.

Oracle Adaptive Access Manager (OAAM) offers a layered security model that strengthens online transactions, including mobile transactions, through several capabilities:

Device Identification and Location Awareness - OAAM fingerprints the device used to connect, including mobile devices, and combines that device identity with geolocation to detect and prevent new types of fraud and misuse quickly. If a user typically logs in from a laptop or mobile device in New York, and a transfer of a large amount from that user's bank account is initiated from outside North America on a device whose fingerprint does not match any of the user's known devices, OAAM flags the transaction as an anomaly and can either block it or challenge the user.
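To make the device-and-location rule above concrete, here is an added example of a small risk-scoring rule set in the same spirit. It is illustration code written for this page, not OAAM code: the rule weights, the allow/challenge/block thresholds, the device-fingerprint attributes and the geolocation table are all assumptions, and the user profile and transactions are constructed sample data.

```python
"""Added example: a simplified risk-scoring rule set modelled on the device and
location checks described above. Not OAAM code; the rule weights, thresholds
and the geolocation table are assumptions chosen for illustration."""
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed geolocation table, a stand-in for a real GeoIP database.
# Maps a network to (country, continent).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("US", "NA"),
    ipaddress.ip_network("198.51.100.0/24"): ("CA", "NA"),
    ipaddress.ip_network("192.0.2.0/24"): ("RO", "EU"),
}


def geolocate(ip: str):
    """Return (country, continent) for an IP, or (None, None) if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, loc in GEO_TABLE.items():
        if addr in net:
            return loc
    return (None, None)


def device_fingerprint(attrs: dict) -> str:
    """Stable hash of client attributes (user agent, screen size, time zone)."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


@dataclass
class UserProfile:
    known_devices: set          # fingerprints seen on past successful logins
    home_continent: str         # where the user normally connects from
    typical_max_transfer: float # largest transfer seen in normal behaviour


@dataclass
class Transaction:
    kind: str      # "login" or "transfer"
    amount: float
    ip: str
    device: dict   # raw client attributes captured at the request


# Rule weights and decision thresholds (assumed values, tune per deployment).
WEIGHTS = {
    "unknown_device": 40,
    "foreign_location": 30,
    "unknown_location": 20,
    "unusual_amount": 30,
}
CHALLENGE_AT, BLOCK_AT = 30, 70


def score(profile: UserProfile, txn: Transaction):
    """Evaluate each rule and sum the weights of those that fire."""
    triggered = []
    if device_fingerprint(txn.device) not in profile.known_devices:
        triggered.append("unknown_device")
    _country, continent = geolocate(txn.ip)
    if continent is None:
        triggered.append("unknown_location")
    elif continent != profile.home_continent:
        triggered.append("foreign_location")
    if txn.kind == "transfer" and txn.amount > profile.typical_max_transfer:
        triggered.append("unusual_amount")
    return sum(WEIGHTS[r] for r in triggered), triggered


def decide(profile: UserProfile, txn: Transaction):
    """Map the score to an action: allow, challenge (step-up auth) or block."""
    total, triggered = score(profile, txn)
    if total >= BLOCK_AT:
        action = "block"
    elif total >= CHALLENGE_AT:
        action = "challenge"
    else:
        action = "allow"
    return action, total, triggered


# Constructed sample data: a New York user and three attempts.
NY_LAPTOP = {"ua": "Mozilla/5.0 (Windows NT 10.0)", "screen": "1920x1080",
             "tz": "America/New_York"}
PROFILE = UserProfile(known_devices={device_fingerprint(NY_LAPTOP)},
                      home_continent="NA", typical_max_transfer=2000.0)

ROUTINE_LOGIN = Transaction("login", 0.0, "203.0.113.7", NY_LAPTOP)
FOREIGN_TRANSFER = Transaction("transfer", 25000.0, "192.0.2.9",
                               {"ua": "Mozilla/5.0 (X11; Linux x86_64)",
                                "screen": "1366x768", "tz": "Europe/Bucharest"})
TRAVEL_LOGIN = Transaction("login", 0.0, "192.0.2.9", NY_LAPTOP)

if __name__ == "__main__":
    for t in (ROUTINE_LOGIN, FOREIGN_TRANSFER, TRAVEL_LOGIN):
        print(t.kind, decide(PROFILE, t))
```

The routine login from the known laptop in North America scores 0 and is allowed; the large transfer from an unknown device in Europe trips all three rules and is blocked; the same user's known laptop seen in Europe scores only the location rule and gets a challenge rather than a block, which is the usability point of layering rules instead of hard-failing on any single anomaly.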

Predictive Risk Analytics - OAAM adds predictive risk analysis to a flexible rules engine and pattern-based auto-learning. Together these let an organization combine location, endpoint identity, historical behavior and contextual awareness to obtain higher identity assurance for access from mobile devices.

Answer Logic - a fuzzy-logic technique applied to challenge-question responses that improves the usability of a challenge flow by accepting variations of the valid answer. If the answer given is close enough to the registered answer to be a plausible typo (a fat-fingered entry), OAAM can treat the attempt as a medium-risk situation and let the user complete the transaction instead of failing the challenge outright.
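As an added example of the kind of fuzzy matching Answer Logic performs, the code below normalizes a challenge answer and accepts it if it is within a small edit distance of the registered answer. This is illustration code written for this page, not OAAM's implementation: the normalization rules, the length-scaled tolerance and the low/medium/high risk labels are assumptions, and the answers used are constructed.

```python
"""Added example of fuzzy challenge-answer matching in the spirit of the
Answer Logic feature described above. Not OAAM code; the normalization,
edit-distance tolerance and risk labels are assumptions for illustration."""
import re


def normalize(answer: str) -> str:
    """Case-fold and drop everything except letters and digits, so that
    "St. Mary's" and "st marys" compare equal."""
    return re.sub(r"[^a-z0-9]", "", answer.casefold())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def evaluate_answer(given: str, expected: str):
    """Return (accepted, risk_level, distance).

    Tolerance scales with the registered answer's length and is zero for
    very short answers, where even one tolerated edit would accept a large
    fraction of the possible guesses (assumed policy)."""
    g, e = normalize(given), normalize(expected)
    dist = levenshtein(g, e)
    tolerance = max(1, len(e) // 4) if len(e) >= 4 else 0
    if dist == 0:
        return True, "low", dist        # exact match
    if dist <= tolerance:
        return True, "medium", dist     # plausible typo: allow, but record it
    return False, "high", dist          # wrong answer: fail the challenge


if __name__ == "__main__":
    for given in ("Springfield", "Springfild", "Shelbyville"):
        print(given, evaluate_answer(given, "Springfield"))
```

Because fuzzy acceptance enlarges the space of answers an attacker can guess, the tolerance should stay small, the "medium" outcome should be logged as a risk signal rather than silently treated as success, and the usual limit on failed challenge attempts still applies.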

Jaggy helps financial institutions comply with the FFIEC guidelines by implementing risk management solutions based on out-of-band technology coupled with Oracle OAAM.