March 2021
New Features and Enhancements
Support of additional mobile CDDC fields
Risk Analytics now supports additional fields collected in the mobile CDDC clear data for mobile non-monetary events or transactions.
The following fields that are part of the mobile CDDC clear data can now be used in the rules, grids, and reports of Risk Analytics Presentation Service:
- BLUETOOTH_DEVICE_LIST
- BOUNDED_BT_DEVICE_LIST
- DEVICE_MODEL
- WIFI_BSSID_LIST
- CONNECTED_BT_DEVICE_LIST
- CONNECTED_BSSID
- MOB_APP_RELEASE_DATE
- NETWORK_NAME
- KEYBOARD_ID
- LAUNCHER_ID
- MOB_TIMEZONE
Support for editing values of hotlist record
When editing an existing hotlist record, it is now possible to modify the value of the hotlist record.
Hotlist name added in audit data when modifying a hotlist record
The audit logs for created, modified, or deleted hotlist records now include an additional HotListName element containing the name of the parent hotlist. The log entry also includes the name of the hierarchy to which the hotlist belongs (i.e. Common, Non Mon Events, Transactions, Relationships, etc.).
Banking factors updated in documentation
The banking factors listed in the OneSpan Risk Analytics for Digital Banking Quick Start Guide and OneSpan Risk Analytics for Corporate Banking Quick Start Guide have been updated to indicate whether the factor execution is computed in real time or once daily.
For more information about these new fields and factors, refer to the OneSpan Risk Analytics for Digital Banking Quick Start Guide and the OneSpan Risk Analytics for Corporate Banking Quick Start Guide.
Risk Analytics Jobs web service
Option to limit sending email notifications to particular email domains
It is now possible to determine the recipients of email notifications at domain level. Upon request, OneSpan Cloud Operations can set up a whitelist of email domains to which the email notifications are authorized to be sent. Users that are configured as recipients in the Presentation Service will not receive email notifications unless their email domain is whitelisted.
By default, email notifications to any domains are allowed in customer Staging or Production environments. In the Sandbox environment, emails are not sent to any domain (email notifications disabled) to prevent the Sandbox from being abused for phishing purposes.
Fixes and Other Updates
Issue OSRAC-2703: Missing validation on transactionType and eventType fields in transactionv3 and eventv4 endpoints
The validation of the transactionType and eventType fields was missing in the following three scenarios, which affect the different data collector interfaces:
- If the TPP object is present, browser, mobile, and TPP event and/or transaction types are accepted
- If the BrowserCDDC object is present, browser, mobile, and TPP event and/or transaction types are accepted
- If the MobileCDDC object is present, only mobile event and/or transaction types are accepted
This issue has been fixed.
Risk Analytics Presentation Service
Issue OSRAC-2265: Event Type empty in Score Analysis and Latest Events pages
In corporate banking environments, the Event Type values were not displayed in the grids of the Latest Events and Score Analysis pages. This issue has been fixed.
Issue OSRAC-2118 (Support Case CS0046256): User Ref empty in Event Detail page
In corporate banking environments, the User Ref value was not displayed on the Event Detail page. This issue has been fixed.
Issue OSRAC-747: Unexpected open redirection during logon
The Presentation Service was allowing an open redirection on the login page. The ReturnUrl parameter in the URL accepts a website or path that is used as the target after a successful authentication. The sole purpose of this optional feature is to redirect to a particular page of the Presentation Service. Redirection to URLs that resolve to a domain outside of the Presentation Service application is now disallowed. If the ReturnUrl resolves to an external domain, the user is sent to the home page (Default.aspx) by default.
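The kind of ReturnUrl check described above, written as an added Python example (not OneSpan's code); the application host and the Default.aspx fallback are assumed values:

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed values for this example: the host the Presentation Service is
# served from, and the page to fall back to (Default.aspx as stated above).
APP_HOST = "ra.example.test"
DEFAULT_PAGE = "/Default.aspx"


def safe_return_url(return_url, app_host=APP_HOST, default=DEFAULT_PAGE):
    """Return a redirect target that can only land inside the application.

    Accepts a site-relative path ("/Reports.aspx?tab=2") or an absolute URL
    whose host is exactly app_host; anything else yields the default page.
    """
    if not return_url:
        return default
    candidate = return_url.strip()
    # Browsers treat "\" like "/" in URLs, so "/\evil.test" would be sent to
    # evil.test; normalise before parsing so it is classified correctly.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default          # javascript:, data:, file: ...

    if parts.netloc:
        # Absolute or protocol-relative ("//host/...") URL. .hostname strips
        # userinfo and port, so "https://app@evil.test/" compares as evil.test.
        if (parts.hostname or "") != app_host.lower():
            return default
        # Same host: re-emit as a site-relative path (drops scheme/userinfo).
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))

    # No host component: require a single leading "/" so the path stays
    # site-relative ("//x" would be protocol-relative and leave the site).
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for url in ("/Reports.aspx?tab=2", "https://evil.test/", "//evil.test/",
                "/\\evil.test/", "https://ra.example.test@evil.test/"):
        print(f"{url!r:45} -> {safe_return_url(url)}")
```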
Issue OSRAC-2039: Issue with custom subtypes or custom response codes no longer modifiable
On the Application Settings page of the Presentation Service, it was not possible to modify the name of a previously defined custom non-monetary event subtype, custom transaction subtype, or custom response code if an entry with the same key existed in another Risk Analytics environment of the same database schema. This issue has been fixed.
Issue OSRAC-1838 (Support Case CS0032139): Issue with name of reimported custom types or custom subtypes not taken into account
New names defined in an XML import file reimported through the Export / Import page were ignored. This occurred when the XML import file contained custom non-monetary event or transaction types or subtypes that already existed with the same key but with a different name. This issue has been fixed.
Issue OSRAC-1013: Issue of privilege escalation with import of an XML configuration file
The import of an XML configuration file through the Risk Analytics Presentation Service Export / Import page allowed any Presentation Service user with the import/export privilege to escalate privileges by importing a file with new or modified roles/clearances and users.
To close this vulnerability, users, roles, and assigned clearances can no longer be created or modified via XML import files. When importing XML files, the following nodes are now ignored (if present):
- LT_SECURITY_ROLES: node defining a role category
- LT_SECURITY_CLEARANCES: node defining an allowed clearance (permission) for a role
- PT_SECURITY_USERS: node defining a user and its password
- LT_SECURITY_USER_ENVIRONMENT: node defining the assignment of a role to a user
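An added example (not OneSpan's implementation) of filtering those four nodes out of an import document before it is processed; the element layout of the sample file is constructed and does not follow the real export schema:

```python
import xml.etree.ElementTree as ET

# The four node names the release note lists as ignored on import.
IGNORED_SECURITY_NODES = frozenset({
    "LT_SECURITY_ROLES",
    "LT_SECURITY_CLEARANCES",
    "PT_SECURITY_USERS",
    "LT_SECURITY_USER_ENVIRONMENT",
})


def strip_security_nodes(xml_text):
    """Drop user/role/clearance nodes from an import document before use.

    Returns (cleaned_xml, removed_tags). The search covers every depth, so a
    security node nested under another element is dropped as well.
    """
    root = ET.fromstring(xml_text)
    if root.tag in IGNORED_SECURITY_NODES:
        raise ValueError("import file consists solely of an ignored node")
    removed = []
    # Snapshot the element list first: removing children while walking the
    # live tree can skip siblings.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag in IGNORED_SECURITY_NODES:
                parent.remove(child)
                removed.append(child.tag)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample import file (hypothetical layout).
SAMPLE_IMPORT = """<RiskAnalyticsConfig>
  <LT_NME_TYPES>
    <Type key="101" name="LoginAttempt"/>
  </LT_NME_TYPES>
  <LT_SECURITY_ROLES>
    <Role name="Administrator"/>
  </LT_SECURITY_ROLES>
  <LT_SECURITY_CLEARANCES>
    <Clearance role="Administrator" permission="ImportExport"/>
  </LT_SECURITY_CLEARANCES>
  <PT_SECURITY_USERS>
    <User name="imported.user" password="(constructed)"/>
  </PT_SECURITY_USERS>
  <Environments>
    <LT_SECURITY_USER_ENVIRONMENT user="imported.user" role="Administrator"/>
  </Environments>
</RiskAnalyticsConfig>
"""


if __name__ == "__main__":
    cleaned, removed = strip_security_nodes(SAMPLE_IMPORT)
    print("ignored nodes:", ", ".join(removed))
    print(cleaned)
```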
Issue OSRAC-2087: Unexpected persistent error message in hotlist record creation
After attempting to create a hotlist record with a value that already existed in the hotlist, the error message This value already exists was displayed. After canceling the operation and attempting to create another hotlist record right afterwards, the same error message was immediately displayed again. This issue has been fixed.
Issue OSRAC-1843: Invalid cancel operation during hotlist records file upload
When uploading a file that contains a list of record values in a hotlist, the Cancel button in the import hotlist records dialog was closing the pop-up window with the file upload still running in the background. However, once the upload has started, it is not possible to cancel the operation. To avoid confusion, the Cancel button is now no longer available in the dialog when the file upload has started.
Issue OSRAC-1810: Incorrect position of the displayed modified date for the hotlists
When opening any hotlist, the modified date of the hotlist was incorrectly displayed in two lines. This issue has been fixed.
Issue OSRAC-740: Unexpectedly unrestricted hotlist records file upload
The Presentation Service allows users to upload files that contain a list of record values for the hotlists. To prevent users from uploading files with arbitrary content (e.g. binary files), the MIME type of the uploaded files used to import hotlist record values is now verified, and the uploaded files must be .txt files.
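An added example (not OneSpan's code) of validating such an upload: the extension and declared MIME type are checked as described above, and because the declared type is client-controlled the bytes are also sniffed for binary content; the size limit and sample inputs are constructed for this example:

```python
import os


def validate_hotlist_upload(filename, content_type, data, max_bytes=1_000_000):
    """Validate an uploaded hotlist record file and extract its record values.

    Returns (values, None) on success or ([], reason) when the file is
    rejected. Checks, in order: .txt extension, text/plain MIME type
    (charset parameters allowed), size (assumed limit), then the content
    itself: no NUL bytes and valid UTF-8.
    """
    _, ext = os.path.splitext(filename or "")
    if ext.lower() != ".txt":
        return [], f"only .txt files may be imported, got {ext!r}"
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    if media_type != "text/plain":
        return [], f"unexpected MIME type {media_type!r}"
    if len(data) > max_bytes:
        return [], "file too large"
    # A binary payload renamed to .txt and declared as text/plain passes the
    # two checks above, so look at the bytes as well.
    if b"\x00" in data:
        return [], "binary content (NUL byte) in upload"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return [], "upload is not valid UTF-8 text"
    # Drop a UTF-8 BOM, which Windows editors commonly prepend.
    text = text.lstrip("\ufeff")
    values = [line.strip() for line in text.splitlines()]
    return [v for v in values if v], None


# Constructed inputs: a genuine record file (one value per line, with a BOM
# and a blank line) and a PNG header renamed to .txt.
GOOD_UPLOAD = (
    "blocked_values.txt",
    "text/plain; charset=utf-8",
    "\ufeff198.51.100.7\ndevice-ABC123\n\n".encode("utf-8"),
)
RENAMED_BINARY = (
    "records.txt",
    "text/plain",
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
)

if __name__ == "__main__":
    for upload in (GOOD_UPLOAD, RENAMED_BINARY):
        values, reason = validate_hotlist_upload(*upload)
        print(upload[0], "->", values if reason is None else f"rejected: {reason}")
```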
Issue OSRAC-2137: Redirect not working when clicking on the Event Detail icon on My Alerts page
When clicking the Event Detail icon on the left side of the My Alerts page, the redirect to the Event Detail page was not working. This issue has been fixed.
Issue OSRAC-2273: Failure of non-monetary history rule creation aggregated by application level
The creation of non-monetary history rules was failing if the selected aggregation was at Application Level. This issue has been fixed.
Issue OSRAC-2000: Waiting icon on IE 11 not animated
Some Waiting icons indicating that a process is running were not animated on Internet Explorer 11. This issue has been fixed.
January 2021
New Features and Enhancements
New fields to process entity and contract IDs in corporate banking
In corporate banking environments, two additional fields have been added: entity_ref and contract_ref. With these new fields, it is now possible to process additional information for corporate users who perform non-monetary events or transactions on behalf of other, external corporations and/or companies, i.e. the entities. It is also possible to split any activity that is based on different contracts of an entity.
In addition to the two new fields, 14 new factors have been defined to aggregate data for a given contract. These new factors are:
- CO_NUM_DAYS_SINCE_LAST_EVENT
- U_NUM_TXN_SUCCESS_CO_LNGTIME
- U_NUM_TXN_ATTEMPT_CO_LNGTIME
- U_TXN_AMT_SUCCESS_CO_LNGTIME
- CO_BENEFICIARY_AGE_TXN
- CO_BENEFICIARY_AGE_NME
- CO_NUM_EVENTS_SUCCESS_LNGTIME
- U_LAST_SCA_CO_AGE
- CO_FIRST_EVENT_AGE
- CO_STDDEV_TXN_AMOUNT_LNGTIME
- CO_IP_ISP_AGE
- CO_COOKIE_AGE
- CO_IP_COUNTRY_AGE
- CO_DEVICE_AGE
Enhanced availability of IP geolocation information
The IP Geolocation service of Risk Analytics returns additional IP-related information; however, Risk Analytics did not use this information until now.
Risk Analytics now collects this additional information for IP addresses. It can be used in Presentation Service rules and reports, and it is also available in various Presentation Service grids. The corresponding fields are hidden by default in the Presentation Service grids, but can be selected from the field lists to be included in the grids.
The following fields are available:
- IP_TYPE: type of IP address
- IP_PROXY_TYPE: network protocol the server uses to proxy the user connection
- IP_HOSTING_FACILITY: indicates whether the connection originated at a facility that provides storage, computing, or telecommunication services
- IP_STATE: information for states and provinces in all countries where they exist
- IP_STATE_CODE: alpha code corresponding to the state
- IP_AREA_CODE: phone number prefix assigned to the corresponding city
Best practice recommendations for rule designers
A new section "Rule design best practice" has been added to the OneSpan Risk Analytics Administrator Guide to outline best practices recommended for rule designers when creating rules.
For more information, refer to the OneSpan Risk Analytics Administrator Guide.
Risk Analytics Presentation Service
Review of available fields in Presentation Service grids
The list of available fields in the various Presentation Service grids (on the Score Analysis, Latest Events, My Alerts, and Customer Details pages) has been reviewed, and its consistency has been improved.
Next Work Date column renamed on My Alerts page
To better understand when an alert is placed on hold until a particular date, the Next Work Date column has been renamed to On Hold Until in the grid of the My Alerts page of the Risk Analytics Presentation Service, and it is now displayed by default.
Fixes and Other Updates
Risk Analytics Presentation Service
Issue OSRAC-1182 (Support Case CS0021644): Login issue with empty error message
Login to the Presentation Service intermittently failed, and the Presentation Service displayed a red error text box with no error message. This was caused by an invalidated anti-forgery token. This issue has been fixed. Now, an explicit error message is displayed: The anti-forgery token is no more valid. Please refresh the page. Login is possible after this message has been displayed and the login page has been refreshed.
Issue OSRAC-1193: Missing Waiting icon for large hotlist record file import
When a large hotlist record file was imported in the Rule Management page, the Waiting icon was not displayed during the whole import process. Thus, it was not clear that the import process was still running. This issue has been fixed. The Waiting icon is now displayed throughout the import process.
Issue OSRAC-1191 (Support Case CS0031931): Incorrect double-quote escaping in exported CSV reports
When reports in the Reports page were generated with data that contained double quotes, the exported CSV reports were corrupted because the double quote characters were incorrectly escaped. This issue has been fixed.
Issue OSRAC-1064: Impossible to export saved alert custom queries
When exporting saved alert custom queries with the Export custom queries shared to any users functionality of the Risk Analytics Presentation Service Export / Import page, the export was failing and no export file was produced. This issue has been fixed.
Issue OSRAC-1717 (Support Case CS0041249): Incorrect rendering of < character in the Latest Events page
When a rule matched that contained the less-than symbol (<) in its name, the symbol was not correctly displayed in the Matches column of the Latest Events page grid for the corresponding rule name. This issue has been fixed.
Issue OSRAC-1009: Possible timeout when modifying campaigns or recompiling the full hierarchy
For campaigns with many divisions and/or rules, the modification of such a campaign or the recompilation of the full hierarchy (i.e. when the Compile All Rules button was clicked) sometimes ended with an unexpected error due to a timeout. This issue has been fixed.
Issue OSRAC-1006 (Support Case CS0024321): Issue during import of a configuration file larger than 4MB
The maximum size of configuration files imported through the Risk Analytics Presentation Service Export / Import page was limited to 4MB. This maximum size has now been extended to 50MB.
Issue OSRAC-1231 (Support Case CS0032129): Login history not displaying login attempts for users after the first page
On the User Administration page of Risk Analytics Presentation Service, login attempts were not displayed when opening the login history of a user located on the second or a later page of the users grid. This issue has been fixed.
Issue OSRAC-1011: No automatic pre-selection of the right account in the Customer Details page
When selecting an account in the customer tree view of the Risk & Relationship Management page, the redirection to the Customer Details page was performed without pre-selecting the given account by default, so events were not filtered to that account only. This issue has been fixed.
Risk Analytics database
Issue OSRAC-1379 (Support Cases CS0038053 & CS0040658): Performance decreased on events processing
An index restructuring performed on the Risk Analytics database as of version 2.10.0 was causing a possible decrease in performance for the rules execution. Additional rework on the indexes has been performed to fix the issue.
OneSpan Risk Analytics web services
Issue OSRAC-1015 (Support Case CS0030990): Unable to connect to Risk Analytics with OpenID if wrong credentials are entered
For a Risk Analytics user that only has an account on the OpenID server, but no Risk Analytics account, the following error message is now displayed: You don't have permissions to access the application. Please contact a system administrator. This issue has been fixed.
Issue OSRAC-1842 (Support Case CS0043108): Events API not working where Error return code is 500
For non-existing custom event and transaction types, the response return code was 500, which is incorrect; the response return code should be 409. This issue has been fixed.
Issue OSRAC-1981: (Behaviosec) Error message displays incorrect field in validation error when sending JSON payload
This issue specifically concerns the catching and processing of "Invalid JSON" errors. If a JSON payload sent to the OneSpan TID API microservices contained a field with invalid data (wrong type) and the objectType parameter was listed after that field, the returned validation error referenced the wrong field (objectType instead of the field with the invalid data). Moving the objectType field before the field with the invalid data caused a correct error message to be returned. This should not happen, as the order of fields in a JSON payload should not matter. This issue has been fixed.
Issue OSRAC-1987 (Support Case CS0043596): TXN_DATE field displaying date in different time zone
On the TID API swagger page, field 64 in mobileCddc.clearData was exposed by mistake. As a result, an invalid value was passed that resulted in a bad request. Field 64 in the API must not be exposed to the client, and passing field 64 in clear data must not result in a 400 Bad Request. This issue has been fixed.
September 2020
New Features and Enhancements
Risk Analytics Presentation Service
Enhancement on Alerts Email Notification
The automatic email notification feature has been enhanced. It is now possible to optionally define a threshold for the number of notifications sent during a defined period of time. When this threshold is reached, recipients will not receive an email each time a new pending alert enters the queue.
The Presentation Service now also offers the possibility to send escalation notification emails for alerts that are still pending and have not yet been managed within a defined period of time.
Additional dynamic variables can also be added in the available notification email templates, both for the subject and the message body. These new variables are:
- ID number of the alert record
- User Ref (only in case of corporate banking environments)
For more information, refer to the OneSpan Risk Analytics Administrator Guide.
Additional ChallengeVoice response code
An additional ChallengeVoice response code has been added in Risk Analytics and can be used and returned by the decision rules.
The purpose of this new response code is to notify the calling application to challenge an authentication based on a virtual one-time password that is provided to the end user via a voice call.
The value of the <riskResponseCode> in the post-response of the TID web service for ChallengeVoice is 13.
New non-monetary event types
New standard non-monetary event types have been added for both the Digital Banking and Corporate Banking environments. They allow pushing events of the following types to Risk Analytics:
- AlertSetup
- ChangeAlertDelivery
- ChangeLimit
- AddChequePrintingPayee
- ChequePrintingRequest
Extended size of the customString fields
The customString fields (customString1 to customString6), which allow pushing data that is not managed natively by Risk Analytics, can now have up to 4000 characters (instead of 1000 characters in previous product versions).
Open Banking TPP support
OneSpan Risk Analytics allows monitoring events coming from a third-party payment service provider (TPP) operating one or several Open Banking services through Open Banking APIs.
Risk Analytics provides new TPP interfaces that allow a banking application server to push events and transactions received from the Open Banking APIs. New non-monetary and transaction event types, new fields, and factors have been defined to support the main flows implemented by a TPP acting as Account Information Service Provider (AISP) or Payment Initiation Service Provider (PISP). In addition, the set of default rules provided when creating a new environment has been reviewed and enhanced for both the Digital Banking and Corporate Banking environments to help customers comply with the Open Banking standards.
TID Web Service
Extended size of the cookieSession field
The cookieSession field, which should contain all the client cookies, can now have up to 4000 characters (instead of 250 characters in previous product versions). OneSpan recommends sending this field as part of the events being sent to the TID web service.
Behavioral score support
Risk Analytics now supports additional fields for non-monetary events and transactions resulting from behavioral analysis. This analysis includes the behavioral score, behavioral confidence, and behavioral training state. Risk Analytics users can use these new fields in their rules or hotlists, display them in Risk Analytics Presentation Service, and use them for reporting.
Fixes and Other Updates
Risk Analytics Presentation Service
Unable to create/save alert categories in the Alert Management Page
If a high number of alert categories already exists in the Risk Analytics database schema, it was not possible to create and save a new alert category in the Alert Management page for any environment of the schema. This issue has been fixed.
accountRef Field missing in Alert Email notifications
When the Alerts Email Notification feature was enabled and the {{accountRef}} field was included in the subject or the message body of the email template configuration on the Alerts Email Notification page, the account reference was sometimes empty. This applied to all emails received for alerts related to non-monetary events. This issue has been fixed.
Broken hyperlinks on fields in the Event Details screen
The hyperlinks for some fields in the Event Details screen were broken and redirected the user to a wrong web page. This issue has been fixed.
May 2020
Fixes and Other Updates
Risk Analytics Presentation Service
Performance issue in Score Analysis page
The Score Analysis page sometimes took several minutes to fetch data when querying a large number of events. The query has been improved to display data faster.
Performance issue in displaying rules
The Rule Management page sometimes took a long time to display a selected rule when the rule had matched frequently (e.g. 10,000 times) during the previous week. This issue has been fixed, and rules are now displayed quickly, independent of how frequently they have matched.
Rule test issue
The rule test execution in the Rule Management page reported an error in the rule test history. This occurred if the campaign hosting the rule was defined with null values for its campaign history criteria period (i.e. 0 days, 0 hours, and 0 minutes). This issue has been solved.
Possible timeout error in campaigns
Intermittently, a timeout error message was produced during the creation or editing of campaigns in Risk Analytics Presentation Service. This occurred due to an internal exception when attempting to delete some temporary tables that were still locked (Oracle Error ORA-14452). Despite the error message, however, the campaigns were created or edited successfully. This issue has been solved.
Incorrect rendering of warning messages
The warning messages displayed unexpected rendering issues with <b> HTML tags in the messages after attempting to delete a campaign, division, or rule. This issue has been solved.
Incorrect rendering of displayed element descriptions
The descriptions of some elements on the Rule Management page displayed unexpected rendering issues with non-escaped HTML characters (e.g. &quot; instead of "). This issue has been solved.
Scrolling issues in several pop-up windows
When opening some pop-up windows in Risk Analytics Presentation Service (e.g. IP Address, Device, Beneficiary, or Logon History), it was not possible to scroll through all the records in the pop-up window because the scroll bar was not available. This issue has been solved.
Abnormal cross-environment events displayed in Score Analysis page
The Score Analysis page was displaying events related to all environments of the Risk Analytics database schema. This issue has been solved; the Score Analysis page now displays only events of the current environment.
Event type identifiers changed after event type import
When importing a new set of event types and subtypes previously exported with the Export Professional Services Tool Kit Configuration functionality of the Export / Import page, the identifiers of all non-monetary and transaction event types and subtypes were renewed. This occurred even when the identifiers related to identical event type and subtype keys that already existed before the import. Consequently, when a user was reviewing events that occurred before the import, the legacy identifiers were no longer known after the import. This issue has been solved; identifiers of already existing type and subtype keys are no longer changed during import.
Incorrect application type after import of new interface definitions
When importing a new set of interface definitions previously exported with the Interfaces Configuration functionality of the Export / Import page, the application type was incorrectly set for some interface definitions. Also, the web events pushed on Risk Analytics were classified as mobile events. This issue has been solved.
Failing import of new report configurations
When importing a new set of reports previously exported with the Export Reports Configuration functionality of the Export / Import page, the import sometimes failed with the following error message: ORA-08002: sequence SEQ_REPORTS.CURRVAL is not yet defined in this session. This issue has been solved.
Wrong event in forensic analysis page
When viewing the details of some non-monetary events in the Forensic Analysis page, the displayed event name was incorrect. This only occurred when the NME key value of the non-monetary event was identical to the TXN key value of a transaction (e.g. the non-monetary event LoginAttempt and the transaction InternalCustomerTransfer, which both have the key value 101). This issue has been solved.
User created twice in user administration
When creating a new user in the User Administration page, several instances of the user were created when the user clicked Save several times quickly in the creation form. This issue has been solved.
Logon history displayed only failed login attempts
In the User Administration page, only failed login attempts were displayed when opening the logon history of an existing user. This issue has been solved; the logon history now displays all login attempts.
Case-sensitivity issue for user names
You cannot create two Risk Analytics Presentation Service users with identical names but different capitalization. Risk Analytics Presentation Service ignored how user names were capitalized, but to log in to Risk Analytics Presentation Service the user name had to be entered with the same capitalization as used when the user was created. For consistency, this constraint has been removed, and Risk Analytics Presentation Service is now case-insensitive for the user name on the login page.
Performance issue in Latest Events page
When querying a high number of events in the Latest Events page, it sometimes took several minutes to fetch data. The query has been improved to display data very quickly.
Inconsistency of displayed fields on Latest Events and Event Details pages
An inconsistency of the fields displayed in the Latest Events and Event Details pages has been fixed to display the same values in both pages. This problem mainly concerned the Beneficiary fields.
No audit for the actions in the Event Details page
All actions performed in the Event Details page, e.g. fraud dispositions, launch action and memos are now audited.
TID web service
Remaining issue with empty fields in the JSON interfaces
Previously, factor calculation failed when non-monetary events or transactions were posted on the Data Collector web service with empty values for some optional Boolean or numeric fields, and the System.FormatException... error was logged in the Data Collector web service log files. This issue had been fixed in an earlier version of Risk Analytics.
However, this issue still occurred for particular fields (e.g. CUSTOM_NUMBER_1 to CUSTOM_NUMBER_3) when non-monetary events or transactions were posted on the JSON interfaces with empty values. Now, this issue has been fixed, and the optional fields can be pushed with empty values to the JSON interfaces without undesired impacts.
Issue with null fields in the JSON interfaces
When non-monetary events or transactions were posted on the Data Collector web service JSON interfaces with null values for some optional Boolean or numeric fields, the post failed, and the System.FormatException... error was logged in the Data Collector web service log files. This issue has been fixed, and the optional fields can now be pushed with null values on the JSON interfaces without undesired impacts.
Data Collector web service synchronous events management
To prevent timeout issues and improve performance, the Data Collector web service now manages the incoming events synchronously.
Risk Analytics Database
Cleanup of unused objects in the Risk Analytics database
In previous versions, unused legacy objects were present in the Risk Analytics database schema. Some of these orphan objects could report an error, without consequence, during a database schema upgrade with the Database Deployment Tool. These unused objects are now removed from the database when the newest version of the Database Deployment Tool is used to upgrade the database schema.
In addition, to improve performance, indexes were restructured and unused CLOB columns have been removed from some tables related to both non-monetary events and transactions.
For a database schema upgrade, this re-structuring can lead to an increased duration when upgrading from a previous version of Risk Analytics, especially during the stage of 2.9.2 to 2.9.3 post-script execution.
Label security missing in the PT_HTTP_POST_LOG table
The label security (i.e. the Risk Analytics environment name) was no longer stored in the new records inserted in the PT_HTTP_POST_LOG table. This issue has been resolved.
Less data in the PT_HTTP_POST_LOG table
Heavy data was recorded in CLOB columns of the PT_HTTP_POST_LOG table. Processing this data took a long time and generated a lot of redo log data. The information logged in this table has been made lighter to avoid a heavy load on the database. For more information, refer to the OneSpan Risk Analytics Installation Guide.
Errors in IRM_JOBS and IRM_WORKFLOW procedures
The navigation in Decision Hierarchy pages, such as rule editing, usually generated irrelevant errors in the PT_INTERNAL_ERRORS_LOG table. This did not cause any inconvenience but the errors could be misleading. This issue has been fixed.
Master Admin Rescue Tool
Tool failed to start
The Master Admin Rescue Tool failed to start, and the following error was thrown: Unhandled Exception: System.InvalidOperationException: The configuration is invalid. Creating the instance for type ICredentialService failed. The constructor of type CredentialService contains the parameter with name 'oasClient' and type IOASClient that is not registered. This issue has been fixed.
Vulnerability Issues
SQL injection
To prevent vulnerabilities due to SQL injection attacks, the Risk Analytics data access layer has been refactored. All internal methods that took string types as input parameters, which were vulnerable to SQL injection attacks, have been rewritten to take an enumerated type as input parameter instead.
Cross-Site Scripting (XSS)
User input and output data sanitization has been implemented to ensure protection against cross-site scripting (XSS).