The Advanced Authentication service provides the following risk evaluation rules:
An organization may choose to exclude an end user from risk evaluation during a certain time interval. For example, suppose an end user travels to a country that is configured as negative in the Advanced Authentication service. For the duration of the user’s stay in that country, the user can be designated as an exception user. All transactions that originate from that user during that specified period are allowed to proceed. None of the other risk evaluation rules are applied when these exception users log in to perform a transaction. In other words, these exception users are allowed to proceed with their transaction even if their transaction did not clear some of the other rules.
Transactions originating from exception users receive a low risk score and the advice is typically ALLOW.
The Untrusted IP Check rule uses a list of IP addresses that originate from anonymizer proxies or have been the origin of known fraudulent transactions in the past.
Transactions originating from these negative IP addresses receive a high score and the advice is DENY.
The Negative Country Check rule uses a list of countries from which a significant number of fraudulent transaction attempts have been made in the past. During a transaction attempt, the country information is derived from the device IP address.
Transactions that originate from configured negative countries receive a high score and the advice is DENY.
The Trusted IP/Aggregator Check rule uses a list of IP addresses and aggregators that the organization considers to be trusted sources. Many organizations use the services of account and data aggregation service providers to expand their online reach. The originating IP address when an end user logs in from a protected portal is different from the IP address used when the end user comes in through such an aggregator. An organization may choose to exclude a transaction attempt from risk evaluation if the originating IP address belongs to a trusted source.
Transactions originating from IP addresses and aggregators that are trusted by the organization receive a low score, and the advice is ALLOW.
The User Known rule uses a list of end users who are already registered with the Advanced Authentication service.
If the end user is unknown to the Advanced Authentication service, then an ALERT advice is returned. An administrator can then choose to prompt the end user to register with the system.
The DeviceID Known rule uses a list of Device IDs that have been generated and assigned to end users by the Advanced Authentication service.
Transactions originating from known devices receive a low risk score and the advice is ALLOW.
The User Associated with DeviceID rule uses a list of user-device associations that were generated during earlier transactions.
Transactions originating from a known device and known user receive a low score, and the advice is ALLOW.
Transactions originating from a known device that is not associated with a known user receive a medium score, and the advice is INCREASEAUTH.
The Device MFP Match rule uses a list of known devices and their associated DeviceDNAs.
Transactions originating from a known device whose DeviceDNA does not match receive a medium score, and the advice is INCREASEAUTH.
Transactions originating from an unknown device that is not associated with a known user receive a high score, and the advice is DENY.
The User Velocity Check rule checks for the frequency with which an end user is trying to perform transactions. Frequent use of the same user ID could be an indication of risky behavior. For example, a fraudster might use the same user ID and password from different devices to watch a specific activity in a targeted account.
Too many transactions originating from the same user within a short interval receive a high score and the advice is DENY.
The Device Velocity Check rule checks for the frequency with which a device is used for transactions. Frequent use of the same device could also be an indication of risky behavior. For example, a fraudster might use the same device to test multiple combinations of user IDs and passwords.
Too many transactions originating from the same user device within a short interval receive a high score and the advice is DENY.
In the case of consecutive logins from locations in different time zones, the Zone Hopping Check rule checks for the time interval between login attempts. If an end user logs in from two long-distance locations within a short time span by using the same user ID, this might be a strong indication of fraudulent activity.
However, a user ID may be shared. In that case, the Advanced Authentication service recognizes that the two people sharing the same user ID can be in geographically different locations and responds appropriately.
Transactions originating from the same user from locations that are far apart from each other within a short interval receive a high score and the advice is DENY.
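The following sketch shows one way a zone-hopping check can be reasoned about; it is an added example, not the Advanced Authentication service's own logic. It assumes each login has already been resolved to coordinates by IP geolocation, and the speed threshold, the minimum distance, and the `shared_ids` exemption set are hypothetical parameters chosen for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0

@dataclass(frozen=True)
class Login:
    user: str
    ts: float   # epoch seconds
    lat: float  # assumed to come from IP geolocation
    lon: float

def distance_km(a, b):
    """Great-circle (haversine) distance between two logins."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dp, dl = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def zone_hops(logins, max_kmh=900.0, min_km=500.0, shared_ids=frozenset()):
    """Return (user, km, kmh) for consecutive logins that imply implausible travel."""
    last, hits = {}, []
    for cur in sorted(logins, key=lambda l: l.ts):
        prev = last.get(cur.user)
        last[cur.user] = cur
        if prev is None or cur.user in shared_ids:
            continue  # first sighting, or an ID known to be shared
        km = distance_km(prev, cur)
        hours = max((cur.ts - prev.ts) / 3600.0, 1e-9)
        # min_km stops small geolocation jitter from looking like a hop
        if km >= min_km and km / hours > max_kmh:
            hits.append((cur.user, round(km), round(km / hours)))
    return hits

NYC, LONDON, NEWARK = (40.7128, -74.0060), (51.5074, -0.1278), (40.7357, -74.1724)
SAMPLE_LOGINS = [  # constructed sample data
    Login("alice", 0, *NYC), Login("alice", 3600, *LONDON),        # 1 h apart: hop
    Login("bob", 0, *NYC), Login("bob", 30, *NEWARK),              # nearby: jitter
    Login("carol", 0, *NYC), Login("carol", 8 * 3600, *LONDON),    # 8 h: plausible
    Login("helpdesk", 0, *NYC), Login("helpdesk", 600, *LONDON),   # shared ID
]

if __name__ == "__main__":
    print(zone_hops(SAMPLE_LOGINS, shared_ids={"helpdesk"}))
```

Only the first pair is reported: the second is too short a distance, the third is reachable by air in the elapsed time, and the fourth belongs to an ID marked as shared.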
Consider an example scenario where four rules are configured in the following order:
If the Advanced Authentication service determines that a transaction is coming from a negative IP address, then it returns a score of 85 (DENY), based on the first configured rule that matched. Another transaction exceeding the configured Device Velocity gets a score of 65, which results in a request for increased authentication.
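The first-match behavior described above can be modeled as follows. This is an added example, not the product's code: the rule labels, the rule order, the score-to-advice bands, and every score other than 85 and 65 are assumptions, and the device velocity limit is a hypothetical setting.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed score-to-advice bands (not given on the page), chosen to agree with
# its two data points: 85 -> DENY and 65 -> INCREASEAUTH.
BANDS = [(30, "ALLOW"), (50, "ALERT"), (70, "INCREASEAUTH"), (100, "DENY")]

def advice_for(score):
    return next(advice for upper, advice in BANDS if score <= upper)

@dataclass(frozen=True)
class Txn:
    user: str
    device_id: str
    ip: str
    ts: float  # epoch seconds

class DeviceVelocity:
    """Counts transactions per device inside a sliding time window."""
    def __init__(self, max_txns, window_s):
        self.max_txns, self.window_s = max_txns, window_s
        self.history = defaultdict(deque)
    def record(self, txn):
        q = self.history[txn.device_id]
        q.append(txn.ts)
        while txn.ts - q[0] > self.window_s:
            q.popleft()
    def exceeded(self, txn):
        return len(self.history[txn.device_id]) > self.max_txns

def evaluate(txn, exception_users, untrusted_ips, trusted_ips, velocity):
    """Return (rule, score, advice) for the first rule that matches."""
    velocity.record(txn)  # count it even when an earlier rule decides the outcome
    rules = [  # order, labels and scores are constructed; only 85 and 65 are the page's
        ("EXCEPTION_USER", txn.user in exception_users, 0),
        ("UNTRUSTED_IP", txn.ip in untrusted_ips, 85),
        ("TRUSTED_IP", txn.ip in trusted_ips, 10),
        ("DEVICE_VELOCITY", velocity.exceeded(txn), 65),
    ]
    for name, matched, score in rules:
        if matched:
            return name, score, advice_for(score)
    return "NO_MATCH", 30, advice_for(30)

if __name__ == "__main__":  # constructed sample data (documentation IP ranges)
    v = DeviceVelocity(max_txns=3, window_s=60)
    for t in [Txn("alice", "dev-1", "203.0.113.7", 0), Txn("traveller", "dev-2", "203.0.113.7", 1)]:
        print(t.user, evaluate(t, {"traveller"}, {"203.0.113.7"}, {"198.51.100.20"}, v))
```

Both sample transactions come from the same untrusted address, but the exception user is allowed because that rule is evaluated first and stops further evaluation.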
Copyright © 2015 CA Technologies.
All rights reserved.