May Release – 22.R2
New Features and Enhancements
Risk Analytics Presentation Service
Value separator now specified in all exported CSV files
All exported files produced by the Risk Analytics Presentation Service now specify the character used as a value separator (a semicolon ";" character) in their header, to avoid a parsing mismatch when reopening these files with CSV editors.
This applies to the CSV export of console logs in the Export/Import and Environment pages, and the reports generated or scheduled in the Reports page.
Web browser support
Updated web browser support
To keep Risk Analytics up to date, we have added support for the Edge browser, and removed support for Internet Explorer 11.
Risk Analytics now supports the Chrome and Edge browsers.
Fixes and other updates
Issue OSRAC-5426 (Support Case CS0079404): Unexpected impact of the Test Rule feature in the Event Detail screen
When running a rule test for historical events, the result of the test was unexpectedly impacting the further review of these events in the Event Detail screen. A rule that matched for these events during the rule test was added in the list of matched rules in the Event Detail screen.
This issue has been fixed.
Issue OSRAC-5555 (Support Case CS0082464): Failure of daily factors computation with "&" characters in event fields values
Ampersand "&" characters in the value of some string fields were causing failure on the daily factor computation when sending events to Risk Analytics, inducing multiple computation retries that caused high database load and decreased performance.
This issue has been fixed.
Issue OSRAC-5611: Unexpected result when a rule evaluated a missing or empty field that was not in a hotlist
When an event with a missing or empty field value was tested against campaign, division, or rule criteria for not being part of a hotlist, there was a discrepancy depending on whether the hotlist was empty or not. A criteria testing if such a field was not in a given hotlist was correctly evaluated as TRUE if the hotlist was empty (contained no records), but was wrongly evaluated as FALSE if the hotlist did contain any records.
This issue has been fixed.
This issue, and the corresponding fix, are relevant only for customers using the NOT IN or NOT EXISTS hotlist clause in campaigns, divisions, or rules.
It is important to highlight that existing campaigns, divisions, and rules using the NOT IN or NOT EXISTS hotlist clause will not automatically be fixed after the Risk Analytics version update. Only new campaigns, divisions, and rules, or ones modified after the update, will use the fixed algorithm. To fix an existing campaign, division, or rule, just edit it in Presentation Service and type in, for example, a small change in description prior re-saving it.
Please note that compiling a complete hierarchy (Non Mon Events, Transactions...) will not be sufficient to regenerate campaigns, divisions, and rules with the fixed algorithm.
Issue OSRAC-5653 (Support Case CS0083207): Missing mapping of some mobile CDDC fields
Some mobile non-monetary events or transaction fields collected in the mobile CDDC clear data were not correctly mapped and were not received and stored by Risk Analytics as expected:
- BLUETOOTH_DEVICE_LIST
- BOUNDED_BT_DEVICE_LIST
- DEVICE_MODEL
- WIFI_BSSID_LIST
- CONNECTED_BT_DEVICE_LIST
- CONNECTED_BSSID
- MOB_APP_RELEASE_DATE
- NETWORK_NAME
- KEYBOARD_ID
- LAUNCHER_ID
- MOB_TIMEZONE
This issue has been fixed.
March 2022
New Features and Enhancements
Missing fields added and supported as criteria
Several missing fields have been added and can now be used as criteria of campaigns, divisions, or rules. These fields can help users to build rules to manage specific fraud cases.
The following fields are now available in rules related to non-monetary events and transactions (for both digital and corporate banking environments):
- USER_REF
- APPLICATION_REF
- FINGERPRINT_RAW
- EXTERNAL_REF
The following fields are now available in rules related to transactions only (for both digital and corporate banking environments):
- REASON_CODE
- DEBTOR_IBAN
- DEBTOR_NAME
Fixes and other updates
Issue OSRAC-4657 (Support Case CS0068896): Presentation Service—Random ORA-12570, argument out of range exception errors
Login to the Risk Analytics Presentation Service was failing on a random basis for all users.
Risk Analytics Presentation Service was potentially entering an anomalous state for internal reasons (timeout during the execution of the reports) or for possible external reasons (interruptions in the network connectivity).
This issue has been fixed. Risk Analytics Presentation Service now detects and recovers from these errors automatically.
Issue OSRAC-4680 (Support Cases CS0033644 & CS0044923): Data Collector web service—Corrupted Couchbase document in case of failed Couchbase read
If an error occurred while reading an existing Couchbase document, the document was improperly considered not found and was reset at rewrite, causing improper calculation of the related factors and corruption of the Couchbase document.
This issue has been fixed. To avoid reset and corruption of existing Couchbase documents, rewrite is now prevented if the existing Couchbase documents fail to read.
Issue OSRAC-4865: Decision Analytics Server—Incorrect calculation of B_NEW_IP factor
The B_NEW_IP factor was not calculated correctly when it was an existing IP address. The value was always set to true.
This issue has been fixed.
Issue OSRAC-4912: Large amounts display issue in Presentation Service grids and Event Detail screen
Any amount fields that exceeded 15 significant digits (with or without decimal digits) were not displayed properly in the Presentation Service grids (Latest Events, Score Analysis, My Alerts, Customer Events) and the Event Detail page.
This issue has been fixed.
Issue OSRAC-4926: Issue displaying amounts with 3 decimal digits in Presentation Service grids
Any amount fields including 3 decimal digits were not displayed in full in the Presentation Service grids (Latest Events, Score Analysis, My Alerts, and Customer Events). Displayed amounts were rounded down to 2 decimal digits.
This issue has been fixed.
Issue OSRAC-5037 (Support Case CS0076758): Presentation Service—Incorrect deletion button availability
In the hotlist management in Risk Analytics Presentation Service, the Delete Selected button was available to users even if they did not have the Enable access to Hot List in edit mode permission. However, the hotlist record was not deleted, even when the user clicked the button.
This issue has been fixed.
September 2021
New Features and Enhancements
Support branch location as criteria of rules
The field BRANCH_LOCATION can now be used as criteria of campaigns, divisions, or rules in Risk Analytics. Using this field allows you to build rules that make decisions based on the branch location origin.
Expanded currency amount fields
All amount-related fields in Risk Analytics, such as AMT_TXN, had a size limitation of 10 digits and 2 decimals. This caused issues for certain currencies.
The size limit has been increased to support up to 20 digits and 3 decimals (23,3). Bracketed numbers show the character limit of that field. The first number is the total number of allowed characters. The second number is the number of allowed decimal places.
This new feature is currently subject to two known issues. See Known Issues for further details.
Event creation date displayed in local time zone in the Presentation Service datagrids and infolist
Risk Analytics has been enhanced to now display the events creation date in the local time zone of the fraud analyst operator in Presentation Service.
A new Local Event Date field can now be optionally displayed in addition to the former Event Date field displayed in the Presentation Service datagrids (Latest Events, Score Analysis, My Alerts).
On the Event Details page, a new Local Created Date field can now be optionally displayed in addition to the former Created Date field.
The new Local Event/Created Date field provides information on the event creation date that has been converted to the local time zone as configured on the client machine of the fraud analyst using the Presentation Service. This can provide a more relevant creation date information for customers dealing with local traffic only.
Improved customer support (CS0056014)
A new Support Role has been added in Risk Analytics Presentation Service.
This role grants OneSpan technical customer support staff access to the Presentation Service console in the customer's environment for troubleshooting and support purposes.
More performant SQL statements with Oracle parallel queries
Risk Analytics now supports Oracle parallel queries. This makes SQL statements more performant by using available CPUs to spread the load and complete the task faster. For further details, refer to the Oracle documentation (e.g. About Parallel Queries or How Parallel Execution Works).
Detection of different countries between web and mobile events
New additional fields and factors are now available for use in rules, to correlate countries of origin for both web and mobile events. This serves to detect any abnormal change in the country of origin for web and mobile events coming from the same user.
Before, in the rule criteria fields and factors, the country was considered separately if initiated from a web event (based on the IP address) or from a mobile event (based on the GIS location).
The following new fields and factors are now available in rules:
-
IP_GIS_COUNTRY (field)
Provides information about the country of the event, independent if the event was triggered on the web or from a mobile device (based on the IP country or GIS country, depending on the context).
-
IP_GIS_COUNTRY_ALPHA_COD (field)
IP_GIS_COUNTRY, represented in ISO-Alpha code.
-
SAME_SESSION_COUNTRY (factor)
Checks if the country of the current event is the same as the country used for the previous web or mobile event in the same session.
-
PREVIOUS_WEB_MOB_EVT_DISTANCE (factor)
Measures the distance in km between the current and the previous web or mobile event of the same user.
For more information about these new factors, refer to the OneSpan Risk Analytics Quick Start Guides.
Fixes and other updates
Issue OSRAC-3880: Decision Analytics Server—Incorrect behavior of some session-based factors
The following factors did not behave as expected when the session changed:
- SAME_SESSION_IP
- SAME_SESSION_ISP
- SAME_SESSION_IP_COUNTRY
- SAME_SESSION_IP_CONTINENT.
These factors must check if the IP, ISP, IP Country, or IP Continent in the current event are the same as in the previous event of the same session. The factor was not reinitialized when receiving an event with a new session.
This issue has been fixed.
Issue OSRAC-3892 (Support Case CS0059696): Presentation Service—Incorrect behavior of Match rules with phonetical recognition
The Match Phonetically feature that can be used for the match keys of match rules did not function correctly and was not able to perform a sounds like recognition. Consequently, the related rule did not match as expected.
This issue has been fixed.
Issue OSRAC-3945 (Support Case CS0054975): Jobs web service—Events post failure
Very rarely, posting events failed when performed during the reload sequence of the Data Collector web service cache. This applied e.g. when the cache reload was triggered during the import of the configuration file in the Presentation Service, or during the creation of a new Risk Analytics environment in the Presentation Service.
This issue has been fixed.
Issue OSRAC-3975 (Support Case CS0041979): Documentation—Incomplete description of some factors
The description of the following factors has been updated in the Risk Analytics for Digital Banking Quick Start Guide and Risk Analytics for Corporate Banking Quick Start Guide:
- SAME_SESSION_DEVICE
- SAME_LAST_SESSION_DEVICE
- PREVIOUS_EVT_DISTANCE
- IS_PREVEVT_SAME_NETWORK
- IS_PREVEVT_SAME_GIS_CITY
- IS_PREVEVT_SAME_GIS_COUNTRY
- IS_PREVEVT_SAME_GIS_CONTINENT
- IS_PREVEVT_SAME_PIN_PROT
- IS_PREVEVT_SAME_FINGER_PROT
- IS_PREVEVT_SAME_FACE_PROT
- IS_PREVEVT_SAME_BEHAVIOR_PROT
The documents previously did not indicate that the factors were related to the previous event for
(1) the same session, or
(2) the same relationship_ref (retail user- Digital Banking) or the same user_ref (corporate user - Corporate Banking), or
(3) the same mobile application UID.
Issue OSRAC-3981: Presentation Service—Incorrect description of the Match Key Substring parameters
For Match Rules, the Match Key definition can optionally include usage of a substring feature. When using the substring feature, the second parameter to enter is Substring Length, not the Substring End Position that was indicated.
This issue has been fixed. The parameter label now matches the real behavior.
Issue OSRAC-3982: Presentation Service—Failure of Daily Factors computation
Import of configuration file in the Presentation Service between version 2.9.0 and 2.9.3 was potentially preventing the correct computation of some Daily Factors afterward (e.g. the AVG_ROOTING_PROBA factor group).
This issue has been fixed. Incriminated Daily Factors will now be calculated normally as from the new version.
Issue OSRAC-4003 (Support Case CS0062311): Risk Analytics database—Issue with mobile application language field in mobile CDDC data
On some mobile operating systems, the application language value collected by the Mobile Security Suite CDDC SDK for the CDDC data property 57 (applicationLanguage) of the mobile CDDC message is longer than the typical five characters. Application languages with more than five characters were not supported and produced a failure when the mobile event was posted to Risk Analytics.
This issue has been fixed. The corresponding MOBILE_APP_LANGUAGE field now supports up to 50 characters.
Issue OSRAC-4031: Risk Analytics database—Issue with TXN Date and NME Date when values are taken from the mobile CDDC data
For mobile requests, when the transaction or event date is not present in the request payload, it is taken from the mobile CDDC data. In such cases, an issue occurred in the date/time format.
This issue has been fixed.
Issue OSRAC-4107 (Support Case CS0064102): Issue with proxy information mapping
There was an issue, where it was possible for an IP address to be flagged as both a corporate proxy and an anonymous or transparent proxy. The expected behavior, however, is that the IP address is flagged as either an anonymous or a transparent proxy, as the case may be. These two flags should take precedence over the corporate proxy.
This issue has been fixed.
Issue OSRAC-4155: TXN date incorrectly displayed for mobile requests in OneSpan Risk Analytics Presentation Service
For mobile requests where neither the transaction date nor the clear date is present in the mobile CDDC data an issue occurred with displaying the TXN date in OneSpan Risk Analytics Presentation Service.
This issue has been fixed.
Issue OSRAC-4310 (Support Case CS0065245): Decision Analytics Server—Incorrect behavior of session-based factors
The following factors of the type SAME_SESSION_XXX were not behaving as expected:
-
SAME_SESSION_IP
-
SAME_SESSION_ISP
-
SAME_SESSION_IP_COUNTRY
-
SAME_SESSION_IP_CONTINENT
The unexpected behavior occurred when an event was presented without providing the related XXX field in the middle of the session. The corresponding factor was then reset, and the subsequent event in the session was not considering the last XXX field known for the session.
This issue has been fixed.
Issue OSRAC-4727 (Support Case CS0071155): Presentation Service—Unexpected addition of empty record in hotlists via the hotlist record management action
When a rule triggered the hotlist record management action, if the hotlist field value was not provided then an empty record was unexpectedly created in the related hotlist.
This issue has been fixed.
Issue OSRAC-4822 (Support Case CS0072378): Presentation Service—Missing information in exported audit logs
When exporting audit data from the Presentation Service Audit page (using the Download button), some information was missing in the exported Excel file (e.g. in the case of a delete report action, the technical data related to the action was empty).
This issue has been fixed.
Known Issues
Expanded currency amount fields
There are currently two separate known issues related to the extended amount fields:
-
Any numeric fields that exceed 15 significant digits (with or without decimal digits) might not be displayed properly. In some cases, their display in the Presentation Service grids (Latest Events, Score Analysis, My Alerts, Customer Events) and the Event Details may be affected.
This is only a display issue, all numerical values are correctly recorded in Risk Analytics.
-
Amounts including 3 decimal digits are not displayed in full in the Presentation Service grids (Latest Events, Score Analysis, My Alerts, Customer Events). Displayed amounts are rounded down to 2 decimal digits.
This is only a display issue, all numerical values are correctly recorded in Risk Analytics.
July 2021
Fixes and other updates
Issue OSRAC-3912 (Support Case CS0061015 [DB]): Presentation Service—WhitelistedDomain config file
WhitelistedDomains is a new mandatory configuration parameter that defines a whitelist of recipient domains to which the notification is authorized to send emails.
This new parameter and its values must be configured for both new installations and upgrades of Risk Analytics web applications.
Issue OSRAC-3755: Presentation Service—Incorrect interface definition displayed in the Application Settings page
While editing more than one interface definition in the Application Settings page without refreshing the page between individual edits, the name of the interface definition displayed in the edition popup was incorrect.
This issue has been fixed.
May 2021
New Features and Enhancements
Link to Forensic Analysis page added in My Alerts and Customer Events grids
Access to the Forensic Analysis polar chart was only available when looking at the events in the grids of the Latest Events and Score Analysis pages. Now it is also possible to access the Forensic Analysis polar chart via the events in the grids of the My Alerts and Customer Events pages.
Full display of column header names in generated reports
The report column headers in the generated reports are formed with the entity and column names of the extracted data. If the name was too long, the full string was truncated.
To have unequivocal header names in the generated reports, full column header names without any truncation are retained to avoid confusion or misinterpretation.
New response ChallengeFIDO
A new response code has been added: ChallengeFIDO, with the response code value 14.
This response can be used to indicate that a FIDO-based authentication or registration must be performed.
Fixes and Other Updates
Issue OSRAC-3034: Presentation Service—Navigation pane empty in the Rule Management page
In the Rule Management page, the navigation pane on the left that displays the rules and hotlists was emptied when the user created or edited the rule action type Launch workflow. This issue has been fixed.
Issue OSRAC-2899: Presentation Service—Unexpected locking of the next alert on Risk & Relationship Management page
The Complete 50 action in the Risk & Relationship Management page unexpectedly locked the next alert in the queue (if any). This issue has been fixed.
Issue OSRAC-2931: Presentation Service—Unexpected complete of alerts on a random basis on Risk & Relationship Management page
Rarely and on a random basis, the Complete 50 action on the Risk & Relationship Management page unexpectedly flagged the alerts as Completed when the user selected the outcome On hold custom date. This issue has been fixed.
Issue OSRAC-2844: Blocked email notifications are resent
Since version 2.11.1, the new option to limit sending email notifications to particular email domains caused issues. Some email notifications that were not whitelisted were blocked in a queue and then resent when unblocked. This caused a pollution of email notifications in the recipients’ inboxes.This issue has been fixed.
Issue OSRAC-3627 (Support Case CS0057479): tppIP and psuDeviceID fields incorrectly flagged as mandatory
When posting events to API /events or API /transactions, the tppIP and psuDeviceID fields are provided when you send events coming from a third-party provider (TPP) application. In previous versions, these two fields were incorrectly flagged as mandatory fields. This caused an issue for redirected or decoupled signatures where these fields cannot be provided because they do not apply for events coming from the bank's application (web and trusted device applications) during a redirect or decoupled authentication approach.
tppRef is the only mandatory field for all TPP events and redirect and decoupled authentication approaches.
This issue has been fixed.
Issue OSRAC-2932 (Support Case CS0047466): Decision Analytics—Incorrect calculation of factors
The U_NEW_xxx_SESSION factors were incorrectly calculated after a null or missing value for a related field and were sent during the session. After the first transaction, the values of the U_NEW_xxx_SESSION were reset in each subsequent transaction in the same customer session. The expected behavior is for the value not to be reset. This issue has been fixed.
Known issues
Issues TID-6396, TID-6570: HTTP-500 internal server error
Description: When posting an event, on rare occasions an HTTP-500 internal server error occurs.
Status: Will be fixed in a future release. Workaround: re-post the event.
April 2021
New Features and Enhancements
OneSpan Risk Analytics audit enhancements
Risk Analytics Presentation Service now supports the ability to display a contrast between the before and after states on the Audit page for several actions across the Risk Analytics application. Additionally, the Audit page was enhanced to make the data more readable and protected against some vulnerabilities.
A contrast between Original Value and New Value was added as audit improvement for the following features:
- Reports management
- User Administration updates
- Personal Settings and Personal Settings updates
- Application Settings
- Alerts Email Notification, for both tabs i.e. New Alert Notification and Escalation Notification
You can display the added contrast when you click Show Data.
In addition, vulnerabilities were removed for hotlist actions, and the content was improved. This can also be displayed when clicking Show Data.
Fixes and Other Updates
Issue OSRAC-2746: Presentation Service—Currency settlement not reported in Latest Events page
When currency settlement information was provided in a transaction, the currency settlement value was not displayed on the Latest Events page. This issue has been fixed.
Issue OSRAC-2155: Presentation Service—Score Type selection is lost
When selecting to display the score of mobile events in the settings of the Score Analysis page (Score Type Mobile), this selection was lost and Presentation Service switched back to web events as a default when sorting the elements of the grid by a particular column (e.g. Event Date) and refreshing the page. This issue has been fixed.
Issue OSRAC-1947: Presentation Service—Elements in Reports page do not indicate the parent entity
During the creation of a report query in the Reports page, when adding a sorting criterion (a specific column of a specific entity), the sorted element did not indicate the parent entity in the sorting panel but only the column name. This issue has been fixed.
Issue OSRAC-2571: Presentation Service—Clear button on My Alerts page
On the My Alerts page, the Clear button on the Alert Settings panel that resets the settings to the default values did not work when the user selected an option and clicked Clear. The button was only functional if the user had clicked Apply in the Alert Settings panel before clicking Clear. This issue has been fixed.
Issue OSRAC-2835: Presentation Service—Broken Complete 50 action in Risk & Relationship Management page
Due to a regression issue, the Complete 50 function in the Risk & Relationship Management page to complete up to 50 pending alerts in one shot was not working anymore. This issue has been fixed.
Issue OSRAC-2570 (Support Case CS0045732) IP proxy information not correctly mapped
The following IP proxy fields were not mapped correctly and always produced a value set to 0. The fields had to be amended so that the IP proxy information is correctly mapped under AUDIT & REPORT > Reports.
- IP_ANONYMOUS_PROXY
- IP_CORPORATE_PROXY
- IP_TRANSPARENT_PROXY
This issue has been fixed.
Issue OSRAC-2677 (Support Case CS0044383): Rule Engine—Inconsistency in time period selection for history rules and match rules
When using TXN_DATE_TIME (for transactions) or NON_MON_EVENT_DATE (for non-monetary events) instead of the CREATED_DATE parameter as the history date reference, the selection of the historical time period in history rules and match rules was not correct.
The events where the date for TXN_DATE_TIME or a NON_MON_EVENT_DATE was later than the actual date at the execution of the rule, were incorrectly considered in the history rules and match rules. This issue has been fixed.
March 2021
New Features and Enhancements
Risk Analytics Presentation Service
Support of additional mobile CDDC fields
Risk Analytics now supports additional fields collected in the mobile CDDC clear data in case of mobile non-monetary events or transactions.
The following fields that are part of the mobile CDDC clear data can now be used in the rules, grids, and reports of Risk Analytics Presentation Service:
- BLUETOOTH_DEVICE_LIST
- BOUNDED_BT_DEVICE_LIST
- DEVICE_MODEL
- WIFI_BSSID_LIST
- CONNECTED_BT_DEVICE_LIST
- CONNECTED_BSSID
- MOB_APP_RELEASE_DATE
- NETWORK_NAME
- KEYBOARD_ID
- LAUNCHER_ID
- MOB_TIMEZONE
Support for editing values of hotlist record
When editing an existing hotlist record, it is now possible to modify the value of the hotlist record.
Hotlist name added in audit data when modifying a hotlist record
The audit logs for created, modified, or deleted hotlist records now provide an additional HotListName element by providing the name of the parent hotlist. The log entry also includes the name of the hierarchy to which the hotlist belongs (i.e. Common, Non Mon Events, Transactions, Relationships etc.).
Risk Analytics Jobs web service
Option to limit sending email notifications to particular email domains
It is now possible to setup a whitelist of email domains (parameter WhitelistedDomains in the appsettings.json configuration file of the Jobs web service) for which the email notifications are authorized to be sent. All recipients configured in the Presentation Service to receive email notifications will not receive any email if their email domain is not whitelisted.
By default, email notifications to any domains are allowed.
For more information, refer to the OneSpan Risk Analytics Installation Guide.
Update of the Oracle ODP.NET driver used by Risk Analytics applications
The version of the Oracle ODP.NET driver (Oracle Data Provider for .NET core) used by the Risk Analytics applications has been upgraded from version 2.19.60 to 2.19.90.
Update of some third-party libraries used by Risk Analytics applications
To ensure more enhanced security, the version of the following third-party libraries or frameworks used by the Risk Analytics applications have been upgraded to the most recent version:
- jQuery legacy part: version 2.2.4
- Bootstrap: version 3.4.1
- Microsoft.AspNet.SignalR: version 2.4.1
- AjaxControlToolkit: version 20.1.0
- jquery-validation: version 1.19.2
Banking factors updated in documentation
The banking factors listed in the OneSpan Risk Analytics for Digital Banking Quick Start Guide and OneSpan Risk Analytics for Corporate Banking Quick Start Guide have been updated to indicate whether the factor execution is computed in realtime or once daily.
For more information about these new fields and factors, refer to the OneSpan Risk Analytics for Digital Banking Quick Start Guide and the OneSpan Risk Analytics for Corporate Banking Quick Start Guide.
Fixes and Other Updates
Issue OSRAC-2703: Missing validation on transactionType and eventType fields in transactionv3 and eventv4 endpoints
The validation of the transactionType and eventType fields was missing in the three scenarios that affect the different data collector interfaces:
- If the TPP object is present, browser, mobile, and TPP event and/or transaction types are accepted.
- If the BrowserCDDC object is present, browser, mobile, and TPP event and/or transaction types are accepted.
- If the MobileCDDC object is present, only mobile event and/or transaction types are accepted.
This issue has been fixed.
Issue OSRAC-2265: Presentation Service—Event Type empty in Score Analysis and Latest Events pages
In corporate banking environments, the Event Type values were not displayed in the grids of the Latest Events and Score Analysis pages. This issue has been fixed.
Issue OSRAC-2118 (Support Case CS0046256): Presentation Service—User Ref empty in Event Detail page
In corporate banking environments, the User Ref value was not displayed on the Event Detail page. This issue has been fixed.
Issue OSRAC-747: Presentation Service—Unexpected open redirection during logon
The Presentation Service was allowing an open redirection on the login page. The ReturnUrl parameter in the URL accepts a website or path that is used as target after a successful authentication. The sole purpose of this optional feature is to redirect to a particular page of the Presentation Service. The redirection to URLs that resolve to a domain outside of the Presentation Service application is now disallowed. If a redirected URL is now resolved to an external domain, the user is by default sent to the home page (Default.aspx).
Issue OSRAC-2039: Presentation Service—Issue with custom subtypes or custom response codes no longer modifiable
On the Application Settings page of the Presentation Service, it was not possible to modify the name of a previously defined custom non-monetary event subtype, custom transaction subtype, or custom response code as soon as one of these existed with the same key in another Risk Analytics environment, if the environment belonged to the same database schema. This issue has been fixed.
Issue OSRAC-1838 (Support Case CS0032139): Presentation Service—Issue with name of reimported custom types or custom subtypes not taken in account
New names defined in the XML import file that was reimported through the Export / Import page were ignored. This occurred when the XML import file contained custom non-monetary event or transaction types or subtypes that already existed with the same key but with a different name. This issue has been fixed.
Issue OSRAC-1013: Presentation Service—Issue of privilege escalation with import of an XML configuration file Issue OSRAC-1013: Issue of privilege escalation with import of an XML configuration file
The import of an XML configuration file through the Risk Analytics Presentation ServiceExport / Import page allowed any Presentation Service user with the import/export privilege to escalate privileges by importing a file with new or modified roles/clearances and users.
For security reasons and to prevent this vulnerability, it is no longer allowed to create or modify any user/roles/assigned clearances via the XML import files. When importing XML files, the following nodes are now ignored (if any):
- LT_SECURITY_ROLES: node defining a role category
- LT_SECURITY_CLEARANCES: node defining an allowed clearance (permission) for a role
- PT_SECURITY_USERS: node defining a user and its password
- LT_SECURITY_USER_ENVIRONMENT: node defining the assignment of a role to a user
Issue OSRAC-2087: Presentation Service—Unexpected persistent error message in hotlist record creation
After attempting to create a hotlist record with a value that already exists in the hotlist, the error message This value already exists is displayed. While canceling the operation and attempting to create a hotlist record right after, the same error message was immediately prompted again. This issue has been fixed.
Issue OSRAC-1843: Presentation Service—Invalid cancel operation during hotlist records file upload
When uploading a file that contains a list of record values in a hotlist, the Cancel button in the import hotlist records dialog was closing the pop-up window with the file upload still running in the background. However, once the upload has started, it is not possible to cancel the operation. To avoid confusion, the Cancel button is now no longer available in the dialog when the file upload has started.
Issue OSRAC-1810: Presentation Service—Incorrect position of the displayed modified date for the hotlists
When opening any hotlist, the modified date of the hotlist was incorrectly displayed in two lines. This issue has been fixed.
Issue OSRAC-740: Presentation Service—Unrestricted hotlist records file upload unexpectedly
The Presentation Service allows users to upload files that contain a list of record values for the hotlists. To prevent users from uploading files with arbitrary content (e.g. binary files), the MIME type of the uploaded files used to import hotlists record values is now verified, and the uploaded files must be .txt files.
Issue OSRAC-2137: Presentation Service—Redirection not working when clicking on the Event Detail icon on My Alerts page
When clicking the Event Detail icon on the left side of the My Alerts page, the redirection to the Event Detail page was not working. This issue has been fixed.
Issue OSRAC-2273: Presentation Service—Failure of non-monetary history rule creation aggregated by application level
The creation of non-monetary history rules was failing if the selected aggregation was at Application Level. This issue has been fixed.
Issue OSRAC-2000: Presentation Service—Waiting icon on IE 11 not animated
Some Waiting icons indicating that a process is running were not animated on Internet Explorer 11. This issue has been fixed.
Issue OSRAC-1796: Presentation Service—Information unexpectedly wrapped on several lines in the environment creation console
The information displayed during the creation of an environment in the console of the Environments page was sometimes unexpectedly wrapped on several lines. This issue has been fixed.
The Environments page is available only for Master administrators (i.e. users with the ADMIN_ROLE in the first environment created by default in a Risk Analytics schema).
January 2021
New Features and Enhancements
New fields to process entity and contract IDs in corporate banking
In corporate banking environments, two additional fields have been added: entity_ref and contract_ref. With these new fields, it is now possible to process additional information for corporate users and make non-monetary events or transactions on behalf of some other, external corporations and/or companies, i.e. the entities. It is also possible to split any activity that is based on different contracts of an entity.
In addition to the two new fields, 14 new factors have been defined to aggregate data for a given contract. These new factors are:
- CO_NUM_DAYS_SINCE_LAST_EVENT
- U_NUM_TXN_SUCCESS_CO_LNGTIME
- U_NUM_TXN_ATTEMPT_CO_LNGTIME
- U_TXN_AMT_SUCCESS_CO_LNGTIME
- CO_BENEFICIARY_AGE_TXN
- CO_BENEFICIARY_AGE_NME
- CO_NUM_EVENTS_SUCCESS_LNGTIME
- U_LAST_SCA_CO_AGE
- CO_FIRST_EVENT_AGE
- CO_STDDEV_TXN_AMOUNT_LNGTIME
- CO_IP_ISP_AGE
- CO_COOKIE_AGE
- CO_IP_COUNTRY_AGE
- CO_DEVICE_AGE
Enhanced availability of IP geolocation information
The IP Geolocation service of Risk Analytics returns some IP related information, however, Risk Analytics has not used this information until now.
Risk Analytics now collects this additional information for the IP addresses. It can also be used for Presentation Service rules, Presentation Service reports, and it is also available in various Presentation Service grids. The corresponding fields are by default hidden in the Presentation Service grids, but can be selected from the lists to be included in the grids.
The following fields are available:
- IP_TYPE: type of IP address
- IP_PROXY_TYPE: network protocol the server uses to proxy the user connection
- IP_HOSTING_FACILITY: indicates whether the connection originated at a facility that provides storage, computing, or telecommunication services
- IP_STATE: information for states and provinces in all countries where they exist
- IP_STATE_CODE: alpha code corresponding to the state
- IP_AREA_CODE: phone number prefix assigned to the corresponding city
Best practice recommendations for rule designers
A new section "Rule design best practice" has been added to the OneSpan Risk Analytics Administrator Guide to outline some best practices recommended for rule designers for the rule creation.
For more information, refer to the OneSpan Risk Analytics Administrator Guide.
Risk Analytics Presentation Service
Review of available fields in Presentation Service grids
The list of available fields in the various Presentation Service grids (on the Score Analysis, Latest Events, My Alerts, and Customer Details pages) have been reviewed, and the consistency has also been improved.
Next Work Date column renamed on My Alerts page
To better understand when an alert is placed on hold until a particular date, the Next Work Date column has been renamed to On Hold Until in the grid of the My Alerts page of the Risk Analytics Presentation Service, and it is now displayed by default.
Fixes and Other Updates
Risk Analytics Presentation Service
Issue OSRAC-1182 (Support Case CS0021644): Login issue with empty error message
On a random basis, login to the Presentation Service was failing, and the Presentation Service displayed a red error text box with no error message. This was caused by an invalidated anti-forgery token. This issue has been fixed. Now, an explicit error message is displayed: The anti-forgery token is no more valid. Please refresh the page. Login is possible after this message has been displayed and the login page has been refreshed.
Issue OSRAC-1193: Missing Waiting icon for large hotlist record file import
When a large hotlist record file was imported in the Rule Management page, the Waiting icon was not displayed during the whole import process. Thus, it was not clear that the import process was still running. This issue has been fixed. The Waiting icon is now displayed throughout the import process.
Issue OSRAC-1191 (Support Case CS0031931): Incorrect double-quote escaping in exported CSV reports
When reports in the Reports page were generated with data that contained double quotes, the exported CSV reports were corrupted because the double quote characters were incorrectly escaped. This issue has been fixed.
Issue OSRAC-1064: Impossible to export saved alert custom queries
When exporting saved alert custom queries with the Export custom queries shared to any users functionality of the Risk Analytics Presentation Service Export / Import page, the export was failing and no export file was produced. This issue has been fixed.
Issue OSRAC-1717 (Support Case CS0041249): Incorrect rendering of < character in the Latest Events page
When a rule matched that contained the less-than symbol (<) in its name, the symbol was not correctly displayed in the Matches column of the Latest Events page grid for the corresponding rule name. This issue has been fixed.
Issue OSRAC-1009: Possible timeout when modifying campaigns or recompiling the full hierarchy
For campaigns with many divisions and/or rules, the modification of such a campaign or the recompilation of the full hierarchy, (i.e. when the Compile All Rules button was clicked) sometimes ended with an unexpected error due to a timeout. This issue has been fixed.
Issue OSRAC-1006 (Support Case CS0024321): Issue during import of a configuration file larger than 4MB
The maximum size of configuration files imported through the Risk Analytics Presentation Service Export / Import page was limited to 4MB. This maximum size has now been extended to 50MB.
Issue OSRAC-1231 (Support Case CS0032129): Login history not displaying login attempts for users after the first page
On the User Administration page of Risk Analytics Presentation Service, from the second page and on, the login attempts were not displayed when opening the login history of a user located in the users grid. This issue has been fixed.
Issue OSRAC-1011: No automatic pre-selection of the right account in the Customer Details page
When selecting an account in the customer tree view of the Risk & Relationship Management page, the redirection to the Customer Details page was performed without by default pre-selecting the given account to filter events related to that account only. This issue has been fixed.
Risk Analytics database
Issue OSRAC-1379 (Support Cases CS0038053 & CS0040658): Performance decreased on events processing
An index restructuring performed on the Risk Analytics database as of version 2.10.0 was causing a possible decrease in performance for the rules execution. Additional rework on the indexes has been performed to fix the issue.
OneSpan Risk Analytics web services
Issue OSRAC-1015 (Support Case CS0030990): Unable to connect to Risk Analytics with OpenID if wrong credentials are entered
For a Risk Analytics user that only has an account on the OpenID server, but no Risk Analytics account, the user will now be prompted the following error message: You don’t have permissions to access the application. Please contact a system administrator. This issue has been fixed.
Issue OSRAC-1842 (Support Case CS0043108): Events API not working where Error return code is 500
For non-existing custom event and transaction types, the response return code 500 is incorrect. The response return code should be 409. This issue has been fixed.
Issue OSRAC-1981: (Behaviosec) Error message displays incorrect field in validation error when sending JSON payload
This issue specifically deals with the catching and processing of "Invalid JSON" errors. If a JSON payload is sent with a field containing invalid data (wrong type) in the OneSpan TID API microservices, the objectType parameter is then listed after the field with the invalid data in the JSON payload. The error that is returned is listed in the incorrect field in the validation error (in the objectType field instead of the field with the invalid data). Attempting to move the objectType field before the field with the invalid data causes a correct error message to be returned. This should not happen, as the order in a JSON payload should not matter. This issue has been fixed.
Issue OSRAC-1987 (Support Case CS0043596): TXN_DATE field displaying date in different time zone
On the TID API swagger page, field 64 in mobileCddc.clearData has been exposed by mistake. Thus, it’s passing an invalid value that results in a bad request. Field 64 in the API, must not be exposed to the client and passing field 64 in clear data must not result in a 400 bad request. This issue has been fixed.
September 2020
New Features and Enhancements
Risk Analytics Presentation Service
Enhancement on Alerts Email Notification
The automatic email notification feature has been enhanced. It is now possible to optionally define a threshold for the number of notifications sent during a defined period of time. When this threshold is reached, recipients will not receive an email each time a new pending alert enters the queue.
The Presentation Service now also offers the possibility to send escalation notification emails for alerts that are still pending and have not yet been managed within a defined period of time.
Additional dynamic variables can be also added in the available notification email templates, both for the subject and the message body. These new variables are:
- ID number of the alert record
- User Ref (only in case of corporate banking environments)
For more information, refer to the OneSpan Risk Analytics Administrator Guide.
Additional ChallengeVoice response code
An additional ChallengeVoice response code has been added in Risk Analytics and can be used and returned by the decision rules.
The purpose of this new response code is to notify the calling application to challenge an authentication based on a virtual one-time password that is provided to the end user via a voice call.
The value of the <riskResponseCode> in the post-response of the TID web service for ChallengeVoice is 13.
New non-monetary event types
New standard non-monetary event types have been added for both the Digital Banking and Corporate Banking environments. These events allow pushing some new events of the following types to Risk Analytics:
- AlertSetup
- ChangeAlertDelivery
- ChangeLimit
- AddChequePrintingPayee
- ChequePrintingRequest
Extended size of the customString fields
The customString fields (from customString1 to customString6), allowing to push data that is not managed natively by Risk Analytics, can now have up to 4000 characters (instead of 1000 characters in previous product versions).
Open Banking TPP support
OneSpan Risk Analytics allows to monitor events coming from a third-party payment service provider (TPP) operating one or several Open Banking services through Open Banking APIs.
Risk Analytics provides new TPP interfaces that allow a banking application server to push events and transactions received from the Open Banking APIs. New non-monetary and transaction event types, new fields, and factors have been defined to support the main flows implemented by a TPP acting as Account Information Service Provider (AISP) or Payment Initiation Service Provider (PISP). In addition, the set of default rules provided when creating a new environment has been reviewed and enhanced for both the Digital Banking and Corporate Banking environments to help customers complying with the Open Banking standards.
TID Web Service
Extended size of the cookieSession field
The cookieSession field, which should contain all the client cookies, can now have up to 4000 characters (instead of 250 characters in previous product versions). OneSpan recommends sending this field as part of the events being sent to the TID web service.
Behavioral score support
Risk Analytics now supports additional fields for non-monetary events and transactions resulting from behavioral analysis. This analysis includes the behavioral score, behavioral confidence, and behavioral training state. Risk Analytics users can use these new fields in their rules or hotlists, display them in Risk Analytics Presentation Service, and use them for reporting.
Fixes and Other Updates
Risk Analytics Presentation Service
Unable to create/save alert categories in the Alert Management Page
If a high number of alert categories already exists in the Risk Analytics database schema, it was not possible to create and save a new alert category in the Alert Management page for any environment of the schema. This issue has been fixed.
accountRef Field missing in Alert Email notifications
When the Alerts Email Notification feature was enabled and the {{accountRef}} field in the subject or the message body of the email template configuration on the Alerts Email Notification page was included, the account reference was sometimes empty. This applied for all emails received for alerts that were related to non-monetary events. This issue has been fixed.
Broken hyperlinks on fields in the Event Details screen
The hyperlinks for some fields in the Event Details screen were broken and redirected the user to a wrong web page. This issue has been fixed.
May 2020
Fixes and Other Updates
Risk Analytics Presentation Service
Performance issue in Score Analysis page
The Score Analysis page sometimes took several minutes to fetch data when querying a large number of events. The query has been improved to display data faster.
Performance issue in displaying rules
The Rule Management page sometimes took long to display a selected rule, when the rule has frequently matched (e.g. 10,000 times) during the previous week. This issue has been fixed and the rules are now quickly displayed, independent of how frequently they have matched.
Rule test issue
The rule test execution in the Rule Management page reported an error in the rule test history. This occurred if the campaign hosting the rule was defined with null values for its campaign history criteria period (i.e. 0 days, 0 hours, and 0 minutes). This issue has been solved.
Possible timeout error in campaigns
On a random basis, a timeout error message was produced during the creation or editing of campaigns in Risk Analytics Presentation Service. This occurred due to an internal exception when attempting to delete some temporary tables that were still locked (Oracle Error ORA-14452). Despite the error message, however, the campaigns were created or edited successfully. This issue has been solved.
Incorrect rendering of warning messages
The warning messages displayed unexpected rendering issues with <b> HTML tags in the messages after attempting to delete a campaign, division, or rule. This issue has been solved.
Incorrect rendering of displayed element descriptions
The descriptions of some elements on the Rule Management page displayed unexpected rendering issues with non-escaped HTML characters (e.g. " instead of "). This issue has been solved.
Scrolling issues in several pop-up windows
When opening some pop-up windows in Risk Analytics Presentation Service (e.g. IP Address, Device, Beneficiary, or Logon History), it was not possible to scroll through all the records in the pop-up window because the scroll bar was not available. This issue has been solved.
Abnormal cross-environment events displayed in Score Analysis page
The Score Analysis page was displaying events related to all environments of the Risk Analytics database schema. This issue has been solved, the Score Analysis page now displays only events of the current environment.
Event type identifiers changed after event type import
When importing a new set of event types and subtypes previously exported with the Export Professional Services Tool Kit Configuration functionality of the Export / Import page, the identifiers of all non monetary and transaction event types and subtypes were renewed. This occurred even when the identifiers related to identical event type and subtype keys that already existed before the import. Consequently, when a user was reviewing events that occurred before the import, the legacy identifiers were no longer known after the import. This issue has been solved, now identifiers of already existing type and subtype keys are not changed during import.
Incorrect application type after import of new interface definitions
When importing a new set of interface definitions previously exported with the Interfaces Configuration functionality of the Export / Import page, the application type was incorrectly set for some interface definitions. Also, the web events pushed on Risk Analytics were classified as mobile events. This issue has been solved.
Failing import of new report configurations
When importing a new set of reports previously exported with the Export Reports Configuration functionality of the Export / Import page, the import sometimes failed with the following error message: ORA-08002: sequence SEQ_REPORTS.CURRVAL is not yet defined in this session. This issue has been solved.
Wrong event in forensic analysis page
When viewing the details of some non-monetary events in the Forensic Analysis page, the displayed event name was incorrect. This only occurred when the corresponding NME key value of the non-monetary event was identical as the TXN key value of a transaction (e.g. the non-monetary event LoginAttempt and the transaction InternalCustomerTransfer where both have the key value 101). This issue has been solved.
User created twice in user administration
When creating a new user in the User Administration page, several instances of the user were created when the user clicked Save several times quickly in the creation form. This issue has been solved.
Logon history displayed only failed login attempts
In the User Administration page, only failed login attempts were displayed when opening the logon history of an existing user. This issue has been solved, the logon history now displays all login attempts.
Case-sensitivity issue for user names
You cannot create two Risk Analytics Presentation Service users with identical names but different capitalization. Risk Analytics Presentation Service ignored how user names were capitalized but to log in to Risk Analytics Presentation Service the user name had to be entered in the same capitalization as used when the user name was created. For consistency reasons, this constraint has been removed, and Risk Analytics Presentation Service is now case-insensitive for the user name on the login page.
Performance issue in Latest Events page
When querying a high number of events in the Latest Events page, it sometimes took several minutes to fetch data. The query has been improved to display data very quickly.
Inconsistency of displayed fields on Latest Events and Event Details pages
An inconsistency of the fields displayed in the Latest Events and Event Details pages has been fixed to display the same values in both pages. This problem mainly concerned the Beneficiary fields.
No audit for the actions in the Event Details page
All actions performed in the Event Details page, e.g. fraud dispositions, launch action and memos are now audited.
TID web service
Remaining issue with empty fields in the JSON interfaces
Previously, factor calculation failed when non-monetary events or transactions were posted on the Data Collector web service with empty values for some optional Boolean or numeric fields, and the System.FormatException... error was logged in the Data Collector web service log files. This issue had been fixed in an earlier version of Risk Analytics.
However, this issue still occurred for particular fields (e.g. CUSTOM_NUMBER_1 to CUSTOM_NUMBER_3) when non-monetary events or transactions were posted on the JSON interfaces with empty values. Now, this issue has been fixed, and the optional fields can be pushed with empty values to the JSON interfaces without undesired impacts.
Issue with null fields in the JSON interfaces
When non-monetary events or transactions were posted on the Data Collector web service JSON interfaces with null values for some optional Boolean or numeric fields. The post failed, and the System.FormatException... error was logged in the Data Collector web service log files. This issue has been fixed, and the optional fields can now be pushed with null values on the JSON interfaces without undesired impacts.
Data Collector web service synchronous events management
To prevent timeout issues and improve performance, the Data Collector web service now manages the incoming events synchronously.
Risk Analytics Database
Cleanup of unused objects in the Risk Analytics database
For previous versions, unused legacy objects were present in the Risk Analytics database schema. Some of these orphan objects were possibly reporting an error without consequence during a database schema upgrade with the Database Deployment Tool. These unused objects are now removed from the database when the newest version of the Database Deployment Tool is used to upgrade the database schema.
In addition, to improve performance, indexes were restructured and unused CLOB columns have been removed from some tables related to both non-monetary events and transactions.
For a database schema upgrade, this re-structuring can lead to an increased duration when upgrading from a previous version of Risk Analytics, especially during the stage of 2.9.2 to 2.9.3 post-script execution.
Label security missing in the PT_HTTP_POST_LOG table
The label security (i.e. the Risk Analytics environment name) was no longer stored in the new records inserted in the PT_HTTP_POST_LOG table. This issue has been resolved.
Less data in the PT_HTTP_POST_LOG table
Heavy data was recorded in CLOB columns in the PT_HTTP_POST_LOG table. Processing the data took very long and generated a lot of redo log data. Information logs in this table have been made lighter to avoid a heavy load on the database. For more information, refer to the OneSpan Risk Analytics Installation Guide.
Errors in IRM_JOBS and IRM_WORKFLOW procedures
The navigation in Decision Hierarchy pages, such as rule editing, usually generated irrelevant errors in the PT_INTERNAL_ERRORS_LOG table. This did not cause any inconvenience but the errors could be misleading. This issue has been fixed.
Master Admin Rescue Tool
Tool failed to start
The Master Admin Rescue Tool failed to start, and the following error was thrown: Unhandled Exception: System.InvalidOperationException: The configuration is invalid. Creating the instance for type ICredentialService failed. The constructor of type CredentialService contains the parameter with name 'oasClient' and type IOASClientthat is not registered. This issue has been fixed.
Vulnerability Issues
SQL injection
To prevent vulnerability issues due to SQL injection attacks, the Risk Analytics data access layer has been refactored. All internal methods using string types as input parameter, which are vulnerable to SQL injection attacks, have been rewritten to use an enumerated type as input parameter.
Cross-Site Scripting (XSS)
User input and output data sanitization has been implemented to ensure protection against cross-site scripting (XSS).