Continuous risk assessment allows you to adapt your mitigation strategy based on the risk level or trust level of the current context. This process relies on identifying risk signals that may indicate fraudulent activity, and trust signals that indicate the current user, device or session can be trusted.
A device fingerprint is a device identifier calculated based on a combination of device attributes configured by the user, and on how the device is used. Common attributes include screen resolution, browser type and version, time zone settings, IP address, operating system, etc. The device fingerprint is used to identify the device, such as for recognizing trusted devices.
Device spoofing is when an attacker disguises their device as a different kind of device. For example, they can make their device appear as the device of the legitimate user trying to log in, make a device that's known to be malicious appear as a different friendly device, or bypass limits on incorrect password input for a brute-force attack. There are many ways to spoof a device, such as manipulating device attributes (like OS and model), using a virtual machine, or using a device emulator.
Network reputation allows us to detect risk and build trust based on the current IP address of the device. For example, the activity may be deemed suspicious if the IP has a fraudulent reputation or if it suggests that the user may be hiding their true location (e.g., using a proxy).
Behavioral anomaly detection relies on analyzing behavior patterns to automatically identify unusual behavior when it occurs. By creating behavior profiles and checking if some device or user behaves outside of the created profiles, it's possible to detect suspicious activity. For example, it is suspicious if a user suddenly pastes their password when they typically enter it manually, or if a user interacts with a website in a way that's unusual for humans but typical for bots.
Bots and automation
Bot detection involves detecting sophisticated automated attacks based on behavior analysis, traffic analysis and automation tools. For example, a high rate of login attempts from a single device strongly indicates credential stuffing attacks conducted by bots and automation frameworks. Similarly, a high rate of account opening from a single device strongly indicates New Account Fraud conducted by device farms or bots.
Remote access to a user's device can be used in device takeover attacks. This access is typically obtained using a remote desktop connection (RDC). Attackers may convince the user to provide this access as part of a social engineering attack (for example, by promising free technical support), or may trick the user into downloading malware that allows the attacker to control the device without the user even knowing. If a device is being accessed remotely, device takeover should be suspected.
Session hijacking occurs when an attacker takes control of an active user session—such as when the user is logged in to their bank account or shopping at an online store. By gaining control of the session, the attacker can perform a cookie replay attack to get unauthorized information, complete a duplicate transaction, or basically do anything the user can do on the website. Multiple devices being used within the same session is a good indication that the cookie may have been stolen.
Action velocity is the number of actions reported over a given period of time. A high rate (velocity) or an anomaly in the rate of actions by a single device or from a single IP address is a valuable risk indicator. For example, many attempts to perform a login within a short period of time may indicate bot activity.
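The velocity signal described here, and the "high rate of login attempts from a single device" signal in the bot detection entry above, both reduce to counting one action type per device fingerprint and per IP address over a sliding time window. The following is an added illustration (not code from the original page or from any product it describes): a sliding-window velocity monitor replayed over constructed sample login events, with the window, threshold, device ids and IP addresses all chosen as assumptions for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: float       # Unix time in seconds
    action: str     # e.g. "login" or "signup"
    device_id: str  # device fingerprint
    ip: str

class VelocityMonitor:
    """Sliding-window count of one action type per device and per IP address."""

    def __init__(self, window_s: float, threshold: int):
        self.window_s = window_s
        self.threshold = threshold
        self._seen = defaultdict(deque)  # (dim, action, key) -> in-window timestamps

    def observe(self, ev: Event) -> list:
        """Record one event; return (dim, key, count) for each dimension over threshold."""
        hits = []
        for dim, key in (("device", ev.device_id), ("ip", ev.ip)):
            q = self._seen[(dim, ev.action, key)]
            q.append(ev.ts)
            while q and ev.ts - q[0] > self.window_s:  # evict timestamps outside the window
                q.popleft()
            if len(q) > self.threshold:
                hits.append((dim, key, len(q)))
        return hits

def scan(events, window_s=60.0, threshold=5):
    """Replay events in time order; return {(dim, key): peak in-window count} for flagged keys."""
    mon = VelocityMonitor(window_s, threshold)
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        for dim, key, n in mon.observe(ev):
            flagged[(dim, key)] = max(n, flagged.get((dim, key), 0))
    return flagged

# Constructed sample traffic (assumed values, not real data): dev-A hammers the login
# endpoint, dev-B logs in twice, dev-C retries slowly (one attempt every 100 s).
SAMPLE = (
    [Event(1000 + 3 * i, "login", "dev-A", "203.0.113.7") for i in range(8)]
    + [Event(1005, "login", "dev-B", "198.51.100.2"), Event(1900, "login", "dev-B", "198.51.100.2")]
    + [Event(2000 + 100 * i, "login", "dev-C", "198.51.100.9") for i in range(6)]
)

if __name__ == "__main__":
    for (dim, key), n in sorted(scan(SAMPLE).items()):
        print(f"high login velocity: {dim}={key} ({n} attempts within 60 s)")
```

Widening the window (for example to 600 s) makes dev-C's slow retries cross the same threshold, which is why the window and threshold should be tuned per action type rather than shared globally.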