JoshDavisFromNC | Posts: 7

How to trigger "2 Different IP Countries in 1 hour"?

0 votes

I'm testing out the API calls against my sandbox and trying to trigger the "2 Different IP Countries in 1 hour" rule, but I seem to be missing a step. These are the steps I tried.

  1. I went into my sandbox's OneSpan Risk Analytics console and enabled the "Login Account Takeover" rule under Non Mon Events, so that everything in the tree containing "2 Different IP Countries in 1 hour" is enabled.
  2. Created a new user by calling /users/register with my browser's CDDC and my real client IP address.
  3. Called the /users API to verify my new user had been created.
  4. Called the /users/{userID@domain}/login API with the same CDDC and client IP address, and received a response code 200 with sessionStatus=accepted.
  5. Called /users/{userID@domain}/events/validate for the LoginSuccess event with the same CDDC and client IP address, and received a response code 200 with riskRepsonseCode=0 and sessionStatus=accepted.
  6. To simulate a phishing attempt, I called the /users/{userID@domain}/login API with the same CDDC but with the client IP address set to a Russian IP address. I received a response code 200 with sessionStatus=accepted.
  7. Called /users/{userID@domain}/events/validate for the LoginSuccess event with the same CDDC, a different sessionID than in step 5, and the Russian client IP address, and I still received a response code 200 with riskRepsonseCode=0 and sessionStatus=accepted.

I expected a different response at step 7 indicating a higher risk value than at step 5. I'm looking at the Non Mon Events report and I can see two non mon events within two minutes of each other with the same event type (1313219 which I assume is LoginSuccess) and the same relationship id, and it knows that one was from the United States and the other was from the Russian Federation.

Any ideas what steps I might have missed?

This may or may not be related, but I used the LoginInput object type for the login API rather than the AdaptiveLoginInput. I couldn't get the latter to work for me. I got a 500 response from the server and couldn't see any indication of what I had done wrong.

 


Hakim Aldaoub | Posts: 54

Reply to: How to trigger "2 Different IP Countries in 1 hour"?

0 votes

Hi Josh,

Could you please provide the request payload for your ../users/register API call.  While you did indicated that you used LoginInput objectType to login, I need to determine which objectType you have used when you registered, in order to help you with the your inquiry. Please make sure to remove any sensitive data before submission.

Thank you!

Hakim


JoshDavisFromNC | Posts: 7

Reply to: How to trigger "2 Different IP Countries in 1 hour"?

0 votes

No sensitive data here, all test data.

These are the register, login, and validate payloads I used for the original path.

To simulate the phishing attempt, I changed clientIP to "95.173.136.71" in login and validate, and I changed sessionID to "00000002" in validate.


Hakim Aldaoub | Posts: 54

Reply to: How to trigger "2 Different IP Countries in 1 hour"?

2 votes

In order to see the desired result, you will need to register using "objectType": "AdaptiveRegisterUserInput" attribute in your JSON payload, and then login using "objectType": "AdaptiveLoginInput".  

When you call "/users/{userID@domain}/login" endpoint the second time simulating an IP from another country, like in step 6, you must receive a "riskResponseCode" attribute with a value that represent the authentication challenge associated with this type of behaviour, for example it could be '2' for "Challenge", or '23' for "ChallengeFingerprint", depending on your Risk Analytics instance setup to step up the authentication.  The value for your first login should be '0' for "Accept", if you used the default request body.

Coming to the important part of your question, when you have called "/users/{userID@domain}/events/validate" to validate your login, you should have called the endpoint using "eventType": "LoginAttempt" rather than "eventType": "LoginSuccess", if you take a look into your latest events in Risk Analytics for your login attempts, you will see their event type fields are filled as "LoginAttempt" and not "LoginSuccess", so in step 7, you should have validated using "LoginAttempt" in your request.  Then you will have a response body with the same "riskResponseCode" you had following your login attempt, and a "sessionStatus" as "unknown" until you have completed the required authentication. 

Please note that if you chose to set up your response code to a value that requires a device to authenticate, like "ChallengeFingerprint", you will need first to activate that device to be your trusted device, otherwise you will receive '409' error code.

Please let me know how it works for you.


JoshDavisFromNC | Posts: 7

Reply to:

0 votes

Thank you for your response. When I change the eventType to LoginAttempt, the Russian IP address gets the riskResponseCode of 2 and a sessionStatus of unknown, and I can see that the rule was fired in the Risk Analytics dashboard. So that answers my original question, and now I see that the parent rule's campaign criteria is set up to trigger on LoginAttempt, so I understand why it needed to change.

I do get the 409 response from the generate-secure-challenge API, but that's expected behavior. I haven't yet installed your Android app on my phone and performed the activation. That's next on my list.

The AdaptiveRegisterUserInput works fine for me. However, when I try to log in with the AdaptiveLoginInput, I get a 500 error code response, and I didn't see any indication of what I might have done wrong. I attached the JSON payloads for both calls.

 


Hakim Aldaoub | Posts: 54

Reply to: How to trigger "2 Different IP Countries in 1 hour"?

0 votes

I am glad you reached there.

As for the latest error code you had with AdaptiveLoginInput, what seems to cause the issue is in "02-users-login-adaptive-POST_request.txt" file, "sessionID" should have been written with an uppercase D in ID.


Hakim Aldaoub | Posts: 54

Reply to: How to trigger "2 Different IP Countries in 1 hour"?

0 votes

You are welcome.  Glad that helped.


Hello! Looks like you're enjoying the discussion, but haven't signed up for an account.

When you create an account, we remember exactly what you've read, so you always come right back where you left off