
RSA Adaptive Authentication (On-Premise) 7.1
Bait Credentials Setup and Implementation Guide
Contact Information
Go to the RSA corporate website for regional Customer Support telephone and fax numbers:
www.emc.com/domains/rsa/index.htm
Trademarks
RSA, the RSA Logo, eFraudNetwork and EMC are either registered trademarks or trademarks of EMC Corporation in the
United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of
EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and
may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice
below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.

Copyright 2013 EMC Corporation. All Rights Reserved. Published in the USA.
July 2013
RSA Adaptive Authentication (On-Premise) 7.1 Bait Credentials Setup and Implementation

Contents

Preface 5
  About This Guide 5
  RSA Adaptive Authentication (On-Premise) Documentation 5
  Support and Service 6
    Before You Call Customer Support 6

Chapter 1: Overview of RSA Bait Credentials 7
  Benefits of RSA Bait Credentials 7
  How Baiting Works 7
    Baiting Process 8

Chapter 2: Implementing RSA Bait Credentials 9
  Before You Begin 9
  Bait Credentials Implementation Process 9
    Implementing the RSA Adaptive Authentication API 9
    Setting Up a Bait Credentials List 10


Preface

About This Guide


This guide describes how to implement RSA bait credentials. It is intended for
administrators and other trusted personnel. Do not make this guide available to the
general user population.

RSA Adaptive Authentication (On-Premise) Documentation


For more information about RSA Adaptive Authentication (On-Premise), see the
following documentation:

• Authentication Plug-In Developer's Guide. Describes the Authentication Plug-In
  development process that enables external authentication providers to integrate
  their products with RSA Adaptive Authentication (On-Premise).
• Back Office User's Guide. Provides an overview of the following Back Office
  applications: Policy Management, Case Management, Access Management,
  Customer Service Administration, and the Report Viewer.
• Bait Credentials Setup and Implementation Guide. Describes how to set up and
  implement RSA bait credentials, which help provide you with accelerated fraud
  detection and prevention capabilities.
• Best Practices for Challenge Questions. Describes the best practices related to
  challenge questions that RSA has evolved through experience at multiple
  deployments.
• Installation and Upgrade Guide. Describes detailed procedures on how to install,
  upgrade, and configure RSA Adaptive Authentication (On-Premise).
• Integration Guide. Describes how to integrate and deploy RSA Adaptive
  Authentication (On-Premise).
• Operations Guide. Provides information on how to administer and operate
  RSA Adaptive Authentication (On-Premise) after upgrade. This guide also
  describes how to configure Adaptive Authentication (On-Premise) within the
  Configuration Framework.
• Performance Guide. Provides information about performance testing and
  performance test results for the current release version of RSA Adaptive
  Authentication (On-Premise).
• Product Overview Guide. Provides a high-level overview of RSA Adaptive
  Authentication (On-Premise), including system architecture.
• Release Notes. Provides information about what is new and changed in this
  release, as well as workarounds for known issues. It also includes the supported
  platforms and work environments for platform certifications. The latest version of
  the Release Notes is available on RSA SecurCare Online at
  https://knowledge.rsasecurity.com.
• Security Best Practices Guide. Provides recommendations for configuring your
  network and RSA Adaptive Authentication (On-Premise) securely.
• Web Services API Reference Guide. Describes RSA Adaptive Authentication
  (On-Premise) web services API methods and parameters. This guide also
  describes how to build your own web services clients and applications using the web
  services API to integrate and utilize the capabilities of Adaptive Authentication
  (On-Premise).
• What's New. Highlights new features and enhancements in RSA Adaptive
  Authentication (On-Premise) 7.1.
• Workflows and Processes Guide. Describes the workflows and processes that
  allow end users to interact with your system and that allow your system to interact
  with RSA Adaptive Authentication (On-Premise).

Support and Service


RSA SecurCare Online: https://knowledge.rsasecurity.com

Customer Support Information: www.emc.com/support/rsa/index.htm

RSA Solution Gallery: https://gallery.emc.com/community/marketplace/rsa?view=overview

RSA SecurCare Online offers a knowledgebase that contains answers to common
questions and solutions to known problems. It also offers information on new releases,
important technical news, and software downloads.

The RSA Solution Gallery provides information about third-party hardware and
software products that have been certified to work with RSA products. The gallery
includes Secured by RSA Implementation Guides with step-by-step instructions and
other information about interoperation of RSA products with these third-party
products.

Before You Call Customer Support


Make sure that you have direct access to the computer running the Adaptive
Authentication (On-Premise) software.
Please have the following information available when you call:
• Your RSA Customer/License ID.
• Adaptive Authentication (On-Premise) software version number.
• The make and model of the machine on which the problem occurs.
• The name and version of the operating system under which the problem occurs.

Chapter 1: Overview of RSA Bait Credentials

This chapter provides an overview of RSA bait credentials and their operation. It
covers the following topics:
• Benefits of RSA Bait Credentials
• How Baiting Works

Benefits of RSA Bait Credentials


Implementing RSA bait credentials provides you with accelerated fraud detection and
prevention. Bait credentials are designed to enable you to:
• Track the profiles and patterns of fraudsters more closely
• Identify fraudsters who prepare and carry out phishing attacks
• Block fraud attempts that use stolen credentials
Baiting in the online banking channel is analogous to using marked money to catch
real-world thieves.
In the online banking channel, the use of bait credentials assists in tagging fraudster
devices and IP addresses. Combined with RSA Adaptive Authentication and the
RSA Risk Engine, bait credentials assist in preventing subsequent fraud attempts
from those tagged devices and IP addresses.
In addition, fraud events are logged in the Case Management application, and a list of
the risk score contributors for every logon attempt and action are displayed. This list
includes indications of logon attempts that use the bait credentials and subsequent
logon attempts that come from a fraudulent device or IP address.

How Baiting Works


Baiting works by supplying phishing websites with bait credentials that enable those
illegal websites and devices to be monitored. Those illegal devices and any associated
IP addresses can then be tagged by the system. Further attempts by the fraudster to use
those tagged devices are detected by the bait credentials, which can continue to
monitor and flag the tagged devices as fraudulent.


Baiting Process
The following figure shows the baiting process.

Baiting takes place as follows:


1. The RSA FraudAction™ anti-phishing or anti-Trojan services detect a phishing
site or Trojan attack. False bait credentials are fed into the phishing website using
a proprietary methodology that disguises the credentials as genuine credentials.
2. When the fraudster attempts to use the false bait credentials to log on to the
banking website, the Risk Engine immediately detects the fraudulent attempt and
tags the fraudster.
3. Any subsequent logon attempts from those tagged devices and IP addresses are
recognized as fraudulent.


Chapter 2: Implementing RSA Bait Credentials

This chapter describes the procedures involved in implementing the RSA bait
credentials. It covers the following topics:
• Before You Begin
• Bait Credentials Implementation Process

Before You Begin


Before using the RSA bait credentials:
• Implement the following RSA products and services:
  – RSA Adaptive Authentication Hosted or On-Premise version
  – RSA FraudAction anti-phishing service or anti-Trojan service
• Establish bait credentials for the first time. To do this, contact the RSA
  FraudAction or RSA Adaptive Authentication project managers or a Support
  account manager.

Bait Credentials Implementation Process


To implement the RSA bait credentials:
• Implement RSA Adaptive Authentication API calls to send failed logon attempts
  with the bait credentials. See Implementing the RSA Adaptive Authentication
  API on page 9.
• Set up a list of bait credentials so that the RSA FraudAction service, the online
  banking application, and Adaptive Authentication can manage the list effectively.
  See Setting Up a Bait Credentials List on page 10.

Implementing the RSA Adaptive Authentication API


This section describes the implementation of the Adaptive Authentication API.

General Guidelines
You can use the failed logon attempt event type in one of the following ways:
• Only for bait credentials, if you maintain a bait credentials list that you check
  against. RSA recommends this option as it provides the clearest separation
  between bait and other logon attempts.
• For any failed logon, even if the logon does not use bait credentials. This option
  may allow for additional fraud detection beyond bait credentials (in a future
  release or risk model), such as credential harvesting and others.


For more information on implementing the FAILED_LOGIN event and bait credentials in
the Adaptive Authentication API, see the specific sections in the following
documents:
• RSA Adaptive Authentication (On-Premise) Web Services API Reference Guide:
  – Supported Event Types
  – Event-Specific Data Elements
  – DeviceActionTypeList Values
  – UserType Values
• RSA Adaptive Authentication (Hosted) API Reference Guide and API Programmer's
  Guide:
  – UserType Values
  – EventType Values
  – IdentificationData Structure

Setting Up a Bait Credentials List

Note: Both RSA Adaptive Authentication and RSA FraudAction project managers
must be involved in this process.

The following setup steps are required:
• Setting up an agreed list of bait credentials between the customer and the RSA
  FraudAction service.
• Setting up the agreed list of these credentials on the customer side (in the online
  application).
• Setting up the agreed list with Adaptive Authentication (Hosted or On-Premise).

Note: This setup procedure is required when bait credentials are used for the first time
and every time the previous list of bait credentials is fully employed. The
recommended list size is generally a function of the number of attacks.

RSA FraudAction Service Setup


You can create your own bait credentials or use bait credentials created by RSA.

Note: RSA Adaptive Authentication customers do not typically send real website
logon names for security reasons. Instead, you send mapped values using methods
such as hashing or encryption. Similarly, mapping is required between bait credentials
as used by the RSA FraudAction service and those used by RSA Adaptive
Authentication.


Bait Credentials Created by Customers


You can create your own bait credentials. These bait credentials consist of a table with
two columns, a bait credentials list used by the FraudAction service and a mapped list
used by Adaptive Authentication.

Bait Credentials Created by RSA


RSA creates the bait credentials as follows:
1. You provide username and password creation rules in the FraudAction setup form
to a FraudAction project manager.
2. The FraudAction project manager creates the bait credentials and passwords
according to a forecast of attacks. The planning is based on using several bait
credentials per attack.
3. You receive the list of bait credentials and passwords from the FraudAction
project manager and verify that there are no conflicts between the credentials in
this list and any logon credentials that currently exist in the bank.
4. You must provide the mapping between the FraudAction bait credentials and the
values for Adaptive Authentication to use those credentials.
5. You sign off on the bait credentials list. This sign off is a prerequisite to using
these credentials as bait in phishing attacks and Trojan attacks.

Customer Setup
After the list of credentials is created and signed off by you, you must ensure that the
credentials are not used for legitimate customers. Specifically, you must identify and
handle logon attempts with bait credentials by fraudsters and prevent assigning the
bait credentials to genuine accounts that are created. This can be done using one of the
following methods:
• You can create actual accounts from the signed-off list of credentials. Setup is
  required to create the accounts and you can make either of the following
  application changes:
  – Block these accounts at logon using some vague error message designed not
    to alert the fraudster. The purpose of this is to enable the collection of
    fraudulent data regarding IP addresses, payees, and other information.
  – Make these accounts appear as real ones to mislead fraudsters when they log
    on. This offers greater fraud detection benefit. Any critical actions such as
    payments or credit profile changes are not executed, but appear to be so to the
    fraudster.
• You can create a reserve list of accounts and credentials that cannot be used for
  accounts. Setup is required to create this list of accounts and application changes
  are required to check the account against the list of bait credentials before the
  actual logon flow is processed.
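The customer-side handling described in this section, together with the mapped-value note under "RSA FraudAction Service Setup" and the two-column bait table under "Bait Credentials Created by Customers", as an added Python example that is not part of this guide or of RSA's product code. It assumes a keyed SHA-256 hash as the mapping between logon names and the values loaded into Adaptive Authentication, a constructed bait list and genuine-account table, and an event record whose field names are placeholders rather than the Adaptive Authentication API schema. The REPORT_ALL_FAILED_LOGINS switch selects between the two ways of using the failed logon event type described under "General Guidelines".

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Everything below is constructed for this example. The event record's field
# names are placeholders, not the Adaptive Authentication API schema (the real
# FAILED_LOGIN data elements are in the Web Services API Reference Guide).

# Assumed per-deployment secret: the guide says customers send hashed or
# encrypted logon names rather than real ones, so a keyed hash is used here.
MAPPING_KEY = b"constructed-mapping-key-replace-in-deployment"

# True: use the failed logon event for every failed logon (second option under
# General Guidelines). False: send it only for bait hits, the option RSA
# recommends as the clearest separation between bait and other attempts.
REPORT_ALL_FAILED_LOGINS = False

# Vague message shown on a bait hit so the fraudster is not alerted.
GENERIC_ERROR = "We are unable to sign you in right now. Please try again later."


def map_user_id(username: str) -> str:
    """Map a logon name to the value sent to the Risk Engine. The same mapping
    is applied to genuine and bait names, so the entries loaded into the
    baits_list match what arrives at runtime."""
    name = username.strip().lower().encode("utf-8")
    return hmac.new(MAPPING_KEY, name, hashlib.sha256).hexdigest()


# Constructed two-column bait table: the literal credential the FraudAction
# service seeds into phishing sites -> the mapped value loaded into Adaptive
# Authentication.
BAIT_USERNAMES: List[str] = ["jdoe1984", "mary.kowalski", "acct0077231"]
BAIT_TABLE: Dict[str, str] = {u: map_user_id(u) for u in BAIT_USERNAMES}

# Constructed genuine accounts for the demo (username -> password). A real
# application stores password hashes, not passwords; kept plain only to keep
# the demo short.
REAL_ACCOUNTS: Dict[str, str] = {"alice": "correct horse battery staple"}


def verify_no_conflicts(bait_table: Dict[str, str], accounts: Dict[str, str]) -> List[str]:
    """Sign-off check (step 3 of the RSA-created list): bait names must not
    collide with logon names that already exist in the bank."""
    return sorted(set(bait_table) & set(accounts))


def can_provision(username: str) -> bool:
    """Reserve-list check at account creation: a bait name is never assigned
    to a genuine customer."""
    return username.strip().lower() not in BAIT_TABLE


def build_failed_login_event(username: str, client_ip: str, device_token: str) -> dict:
    """Record handed to the Risk Engine; only the mapped user id leaves the bank."""
    name = username.strip().lower()
    return {
        "eventType": "FAILED_LOGIN",
        "userId": map_user_id(name),
        "baitCredential": name in BAIT_TABLE,
        "clientIp": client_ip,
        "deviceToken": device_token,
    }


def handle_logon(username: str, password: str, client_ip: str,
                 device_token: str) -> Tuple[bool, str, Optional[dict]]:
    """Bait check runs before the real logon flow. Returns
    (allowed, message shown to the user, event for the Risk Engine or None)."""
    name = username.strip().lower()
    if name in BAIT_TABLE:
        # Bait hit: report it so the device and IP address get tagged, then
        # block with the vague message rather than a bait-specific one.
        return False, GENERIC_ERROR, build_failed_login_event(name, client_ip, device_token)
    stored = REAL_ACCOUNTS.get(name)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return True, "OK", None
    event = build_failed_login_event(name, client_ip, device_token) if REPORT_ALL_FAILED_LOGINS else None
    return False, GENERIC_ERROR, event


if __name__ == "__main__":
    print("conflicts:", verify_no_conflicts(BAIT_TABLE, REAL_ACCOUNTS))
    print(handle_logon("jdoe1984", "Passw0rd!", "203.0.113.7", "dev-constructed-1"))
    print("can provision mary.kowalski:", can_provision("mary.kowalski"))
```

The bait check sits in front of password verification on purpose: a bait name has no genuine account, so nothing is learned by running the normal flow, and the fraudster sees the same generic failure either way. The mapped id is all that crosses to the Risk Engine, which is why the same map_user_id function must produce the values loaded into the baits_list.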

RSA Adaptive Authentication (Hosted) Setup


This bait credentials list is coordinated and managed by the RSA FraudAction service
and RSA Adaptive Authentication project managers.


RSA Adaptive Authentication (On-Premise) Setup


You must load the list of bait credentials so that the RSA Risk Engine can detect them
and handle them as bait credentials. You must run a list-loading procedure, which is
described in the Operations Guide.
The RSA FraudAction service uses bait credentials in phishing and Trojan attacks, and
you load mapped values into Adaptive Authentication.
To create a list of bait credentials, see the section Add a List in the Back Office
Users Guide.

Note: When creating a User Id list, you must name the list baits_list.
