000035344 - FAQs for EFN data stored in RSA databases for RSA Adaptive Authentication (On Premise)

Document created by RSA Customer Support Employee on Aug 5, 2017. Last modified by RSA Customer Support Employee on Aug 18, 2017.
Version 2

Article Content

Article Number: 000035344
Applies To: RSA Product Set: Adaptive Authentication (OnPrem)
RSA Product/Service Type: Platform EFN
RSA Version/Condition: 7.x
Issue: The following questions are some typical examples of inquiries we receive regarding EFN data:
  • We have a Customer whose IP address appears to be in the EFraudNetwork. Is there a way to verify why they are on that list?
  • This started on MM/DD/YYYY.  When will this IP address be removed from the EFN data?
  • Are there any other indicators that can be looked at?
  • Is there a way to whitelist this IP if we feel that this is in error?
  • What are the typical actions recommended at this point?
Resolution: IP addresses are added to the EFN data based on the feedback of hundreds of organizations that
do regular case marking and confirm incidents of genuine fraud. These data points number in the several millions each day.
So an IP address that has been added to the EFN data is there because it has been confirmed as the source of fraud in, typically,
hundreds or thousands of instances.
There is an example of an EFN entry for an IP address below. As you will note, it has a risk score and an expiration date.
The risk score is an indicator of the ratio of confirmed fraud against a given IP address. The expiration date is the probable date when a
given IP address will "expire" and be removed from the EFN data. This expiration depends on multiple factors and might be extended.
 
Element     Value           Risk Score  Expiration
IP          103.255.5.103   990         20170517

Q: Is there a way to verify why they are on that list?
A: We cannot verify "why" they are on the list; however, we can check whether a given IP address is in the current EFN data.
     The following query will help you to confirm this:
 
select * from EFN_LOCAL_DATA where data_value = UPPER('');  

(Please see additional notes below.)
 

Q: Are there any other indicators that can be looked at?
A: The above comments speak to this question somewhat.
Q: Is there a way to whitelist this IP if we feel that this is in error?
A: If an address is in the EFN data store, it is not very likely that this is in error. Using the AA Policy Manager, you could whitelist
     an IP address which is in the EFN; however, this is not recommended and should only be done out of absolute necessity.
Q: What are the typical actions recommended at this point?
A: You can confirm that the IP address is in the EFN and relay this to the Customer. You are welcome to share
     the content of this article with that individual as well.
Notes: Some additional notes follow about the EFN data, which comes from external sources, and the internal fraud list,
which contains data from activity within a given Customer's organization that was flagged by the risk engine and/or case marking.
The RSA Risk Engine contains an internal fraud list to which IP addresses are added during the nightly Offline Tasks.
These IP addresses are distinct from the EFN data, which is updated daily and to which the risk engine also refers when performing
device forensics (i.e., device print comparison, IP address analysis, etc.). The logic for adding IP addresses to and removing them from
the Internal IP Fraud list and the EFN Local Data tables is similar. IP addresses are added to these repositories
based upon their association with known fraudulent activity, either within your organization (Internal IP Fraud list) or
from external sources and organizations (EFN/eFraud Network).
The SQL query to extract the data from the Internal IP Fraud list is:
select * from rsa_core.rba_list_data where list_type = 'ip_fraud_list'; 

IP addresses in the EFN/eFraud Network, as stored in the RSA_AA_Core database, are SHA2 hashed values. The SQL query to retrieve a single IP address is:
select * from EFN_LOCAL_DATA where data_value = UPPER('');

Please Note: You will need to know the IP address which is reported as being in the EFN data and calculate the SHA2 (SHA256) value for that address.  
One website which may be helpful is: http://www.xorbin.com/tools/sha256-hash-calculator   
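As an added example (not from the RSA article), the lookup procedure above carried out locally in Python: efn_hash, efn_lookup and entry_status are hypothetical helper names, the code assumes the stored data_value is the upper-case SHA-256 hex digest of the dotted-decimal address text, and it uses Oracle-style :h bind syntax, so adjust to your database driver.

```python
import hashlib
import ipaddress
from datetime import date

# Assumption (not stated on the page): data_value holds the hex digest of
# SHA-256 over the dotted-decimal text of the address, compared upper-cased.
def efn_hash(ip: str) -> str:
    """Return the upper-case SHA-256 hex digest of an IP address string."""
    addr = ipaddress.ip_address(ip.strip())  # rejects malformed input early
    return hashlib.sha256(str(addr).encode("ascii")).hexdigest().upper()

def efn_lookup(ip: str):
    """Build the EFN_LOCAL_DATA lookup as a bind-parameter query plus its value."""
    sql = "SELECT * FROM EFN_LOCAL_DATA WHERE data_value = UPPER(:h)"
    return sql, {"h": efn_hash(ip)}

def parse_expiration(value) -> date:
    """Parse the YYYYMMDD Expiration column shown in the article's sample row."""
    s = str(value)
    if len(s) != 8 or not s.isdigit():
        raise ValueError(f"unexpected expiration format: {value!r}")
    return date(int(s[:4]), int(s[4:6]), int(s[6:]))

def entry_status(row: dict, today: date) -> str:
    """Summarize an EFN row: still active or already past its probable expiration."""
    exp = parse_expiration(row["Expiration"])
    state = "past expiration" if exp < today else "active"
    return (f"{row['Element']} {row['Value']}: risk {row['Risk Score']}, "
            f"{state} (expires {exp.isoformat()})")

# Constructed sample row, copied from the article's example entry.
SAMPLE_ROW = {"Element": "IP", "Value": "103.255.5.103",
              "Risk Score": 990, "Expiration": 20170517}

if __name__ == "__main__":
    sql, params = efn_lookup(SAMPLE_ROW["Value"])
    print(sql, params)
    print(entry_status(SAMPLE_ROW, date(2017, 8, 5)))
```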
