Until now, the two companies have approached online security in
different ways.
RSA's name derives from three MIT mathematicians, Ron Rivest,
Adi Shamir and Len Adleman, who demonstrated the first algorithm
for public key encryption in 1977. The company has grown over the
last 20 years to become the leader in encryption and in strong
authentication devices, such as the RSA SecurID token, which
generates a one-time password every 60 seconds.
Cyota, meanwhile, has long pushed the message that, in the
consumer financial market, banks are looking for solutions that
balance security and usability. Its risk-based approach to
combating fraud centres not on hardware devices, but on detecting
deviations from established online banking behaviours – for
example, logging in from obscure locations, transacting from an
unrecognised device, or emptying an account rather than paying a
small bill. The company built a strong reputation on a good
understanding of criminal behaviour.
On top of profiling genuine users so that anomalies can be
spotted, Cyota also tracks fraudsters and uses pattern recognition
algorithms to detect and quickly respond to new fraud trends, as
well as spotting the migration of fraud from one bank to another. A
key tool in this effort is its cross-bank repository of fraud
patterns, generated while processing online transactions for
thousands of global banks with which it works.
Clearly these are complementary rather than conflicting
approaches – so the merger makes sense. RSA Security spokesman John
Madelin told OUT-LAW that today's market demands a layered approach
to security.
Uri Rivner, Cyota's Vice President of International Marketing,
said that, together, the companies can pool their expertise in
detecting fraud, understanding risk and providing multiple
authentication options.
He argues that Cyota recognises a place for tokens in security;
its point has always been that while tokens are extremely
effective, they may not alone satisfy the diverse needs of a large
user population. Both companies believe that there are different
segments of consumers – determined by associated transaction risk
level and user lifestyle and preference – that necessitate
different types of fraud protection.
"There is a difference between offering tokens to consumers, and
requiring people to use them in every situation," said Rivner.
"Some banks deploying tokens will choose to offer them to the
public, thus fulfilling a real need that many security-conscious
customers have and demonstrating their leadership in security."
He continued, "To protect the customers who choose not to use
such security devices, the banks deploy behind-the-scenes
monitoring of online transactions, or use a dynamic authentication
system that elevates the level of security for high risk
transactions only. Other banks, especially in some European
countries, distribute tokens to all consumers and require everyone
to use them. One thing is clear: the authentication market is
changing, and banks are realising that it's all about finding the
most appropriate technology."
Madelin agrees. He points out that the choice of solution will
be influenced by transaction volume and value. The companies see
their combined offerings as giving greater choice to banks
needing to protect customer identities and secure remote
transactions. "It's about applying the technology to solve
real-world scenarios, ultimately resulting in less fraud, at a lower
cost, with greater user convenience and a balanced approach to
risk."
The combined offering will include authentication techniques
ranging from device recognition, out-of-band phone authentication,
watermarking and anomaly detection to digital certificates, tokens
and smart cards – all depending on the risks posed and the desired
convenience.
New York-based Cyota will keep its name; it will just gain the
tagline "an RSA Security company" and become a wholly-owned
subsidiary. The deal is expected to close within 30 days, subject
to regulatory approvals.