Until now, the two companies have approached online security in different ways.
RSA's name derives from three MIT mathematicians, Ron Rivest, Adi Shamir and Len Adleman, who demonstrated the first algorithm for public key encryption in 1977. The company has grown over the last 20 years to become the leader in encryption and in strong authentication devices, such as the RSA SecurID token, which generates a one-time password every 60 seconds.
Cyota, meanwhile, has long pushed the message that, in the consumer financial market, banks are looking for solutions that balance security and usability. Its risk-based approach to combating fraud centres not on hardware devices, but on detecting deviations from established online banking behaviours – for example, logging in from obscure locations, transacting from an unrecognised device, or emptying an account rather than paying a small bill. The company built a strong reputation on a good understanding of criminal behaviour.
On top of profiling genuine users so that anomalies can be spotted, Cyota also tracks fraudsters and uses pattern recognition algorithms to detect and quickly respond to new fraud trends, as well as spotting the migration of fraud from one bank to another. A key tool in this effort is its cross-bank repository of fraud patterns, generated while processing online transactions for thousands of global banks with which it works.
Clearly these are complementary rather than conflicting approaches – so the merger makes sense. RSA Security spokesman John Madelin told OUT-LAW that today's market demands a layered approach to security.
Uri Rivner, Cyota's Vice President of International Marketing, said that, together, the companies can pool their expertise in detecting fraud, understanding risk and providing multiple authentication options.
He argues that Cyota recognises a place for tokens in security; its point has always been that while tokens are extremely effective, they may not alone satisfy the diverse needs of a large user population. Both companies believe that there are different segments of consumers – determined by associated transaction risk level and user lifestyle and preference – that necessitate different types of fraud protection.
"There is a difference between offering tokens to consumers, and requiring people to use them in every situation," said Rivner. "Some banks deploying tokens will choose to offer them to the public, thus fulfilling a real need that many security-conscious customers have and demonstrating their leadership in security."
He continued, "To protect the customers who choose not to use such security devices, the banks deploy behind-the-scenes monitoring of online transactions, or use a dynamic authentication system that elevates the level of security for high risk transactions only. Other banks, especially in some European countries, distribute tokens to all consumers and require everyone to use them. One thing is clear: the authentication market is changing, and banks are realising that it's all about finding the most appropriate technology."
Madelin agrees. He points out that the choice of solution will be influenced by transaction volume and value. The companies see their combined offerings as giving greater choice to banks needing to protect customer identities and secure remote transactions. "It's about applying the technology to solve real world scenarios, ultimately resulting in less fraud, at a lower cost, with greater user convenience and a balanced approach to risk."
The combined offering will include authentication techniques ranging from device recognition, out-of-band phone authentication, watermarking and anomaly detection to digital certificates, tokens and smart cards – all depending on the risks posed and the desired convenience.
New York-based Cyota will keep its name; it will just gain the tagline "an RSA Security company" and become a wholly-owned subsidiary. The deal is expected to close within 30 days, subject to regulatory approvals.