Scenario 2. Account Takeover

This scenario showcases a potential account takeover. During a legitimate web banking session, a request is received from an IP address that belongs to a different ISP.

Scenario actor: Bob BERNEY

About this scenario - requests

The scenario consists of four requests that are sent to Risk Analytics. In the first three requests (RA_0201.a, RA_0201.b, RA_0201.c), Bob BERNEY attempts to log in, succeeds, and downloads account information. This short sequence is considered normal and poses no risk.

Bob BERNEY proceeds in the same session (no intermediate login attempts from another device) with an attempt to change his password, channeled through another Internet service provider. As this is consistent with a typical account takeover scenario, the rogue device identified by its fingerprint hash is inserted into the DEVICE_BLACK_LIST hot list, and the change password attempt is challenged (response code: Challenge, Response = 2).
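The rule logic described above, as an added illustration that is not Risk Analytics code: a minimal engine evaluates the four requests of this scenario in order. The "More than 1 ISP in a short time" criterion fires for a non-monetary, non-login event when the same session has already been seen from a different ISP inside a short window; the matching request is answered with the Challenge response code (2) and the device fingerprint hash goes onto DEVICE_BLACK_LIST. The event field set, the session handling, the 15-minute window, the accept code 0, and all sample values (including the ROGUE_FPH_22_PLACEHOLDER hash standing in for the page's ROGUE_FPH_22_*) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# "Challenge, Response = 2" is stated in the scenario; the accept code is an assumed value.
RESPONSE_ACCEPT = 0
RESPONSE_CHALLENGE = 2

RULE_ACCOUNT_TAKEOVER = "RA_0202 Account Takeover"
SHORT_TIME = timedelta(minutes=15)  # assumed width of "a short time"


@dataclass(frozen=True)
class Event:
    """One non-monetary request as the engine sees it (constructed field set)."""
    request_id: str
    session_id: str
    actor: str
    event_type: str      # "login" or any other non-monetary event type
    isp: str
    device_fph: str      # device fingerprint hash
    ts: datetime


@dataclass
class RiskEngine:
    """Toy stand-in for the rule engine: a hot list plus the events seen so far."""
    device_black_list: Set[str] = field(default_factory=set)
    history: List[Event] = field(default_factory=list)

    def more_than_one_isp_in_short_time(self, event: Event) -> bool:
        """History criterion: true when this event plus earlier events of the same
        session inside SHORT_TIME span more than one ISP. Login attempts never
        trigger it (the criterion covers all non-monetary events except logins)."""
        if event.event_type == "login":
            return False
        isps = {event.isp}
        for past in self.history:
            if past.session_id == event.session_id and event.ts - past.ts <= SHORT_TIME:
                isps.add(past.isp)
        return len(isps) > 1

    def evaluate(self, event: Event) -> Tuple[int, Optional[str]]:
        """Return (response code, matching rule or None) and record the event."""
        if self.more_than_one_isp_in_short_time(event):
            # RA_0202 matched: blacklist the rogue device and challenge the request.
            self.device_black_list.add(event.device_fph)
            result = (RESPONSE_CHALLENGE, RULE_ACCOUNT_TAKEOVER)
        else:
            result = (RESPONSE_ACCEPT, None)
        self.history.append(event)
        return result


def build_scenario_events() -> List[Event]:
    """Constructed sample traffic mirroring the four requests of Scenario 2."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    sess, bob, laptop = "SESSION-1", "Bob BERNEY", "FPH_BOB_LAPTOP"
    return [
        Event("RA_0201.a", sess, bob, "login", "ISP-A", laptop, t0),
        Event("RA_0201.b", sess, bob, "login", "ISP-A", laptop, t0 + timedelta(seconds=5)),
        Event("RA_0201.c", sess, bob, "account_info", "ISP-A", laptop, t0 + timedelta(seconds=30)),
        # Same session, no new login, but a different ISP and a different device.
        Event("RA_0202", sess, bob, "change_password", "ISP-B",
              "ROGUE_FPH_22_PLACEHOLDER", t0 + timedelta(minutes=2)),
    ]


def run_scenario(events: List[Event]) -> Tuple[List[Tuple[str, int, Optional[str]]], Set[str]]:
    """Feed the events through a fresh engine; return per-request outcomes and the hot list."""
    engine = RiskEngine()
    outcomes = []
    for ev in events:
        code, rule = engine.evaluate(ev)
        outcomes.append((ev.request_id, code, rule))
    return outcomes, engine.device_black_list


if __name__ == "__main__":
    outcomes, black_list = run_scenario(build_scenario_events())
    for request_id, code, rule in outcomes:
        print(f"{request_id}: response={code} rule={rule}")
    print("DEVICE_BLACK_LIST:", sorted(black_list))
```

Only the fourth request is challenged; the three preceding requests from one ISP are accepted, and a login from a second ISP would be recorded in the history without triggering the criterion itself.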

Analysis

To analyse the rules triggered and alerts raised for the scenario, log on to Risk Analytics Presentation Service and navigate to SUPERVISE & INVESTIGATE > My Alerts.

Pending alert:

  • RA_0202 Account Takeover in the Critical Risk Devices alert queue, raised by the matching rule RA_0202 Account Takeover.

Walkthrough: Flag an event as fraudulent

To review the relevant records, follow these steps:

Flag an event as fraudulent

  1. Navigate to SUPERVISE & INVESTIGATE > My Alerts and identify the RA_0202 Account Takeover alert for Bob BERNEY.
  2. Select the event ID to open a new browser window/tab.
  3. Expand the FRAUD DISPOSITIONS list and make sure the value is set to Fraud.
  4. Click SAVE.
  5. Close the newly opened window/tab to continue.
  6. Verify that the event has been flagged correctly:
    1. To display all events related to Bob BERNEY, navigate to My Alerts.
    2. In the Events table, select the Bob BERNEY name link.

      The value in the Fraud Disposition column for the challenged change password attempt is now Fraud and the row related to this alert is highlighted in color.

To combat this type of account takeover, a history criterion has been defined for all non-monetary events except login attempts. The procedure Viewing the history criterion for non-monetary event types describes how to display the relevant history criterion.

Viewing the history criterion for non-monetary event types

  1. Navigate to DESIGN RULES & ACTIONS > Rule Management.
  2. In the Rules section of the navigation pane on the left, expand the following items: Non Mon Events > 1. RA Demo NME Scenarii (High) > RA_02 Account Takeover (High).
  3. Select the RA_0202 Account Takeover (Low) rule to display the More than 1 ISP in a short time history criterion.

RA_0202 Account Takeover rule details

The unique identifier for the rogue device (ROGUE_FPH_22_*) has been added to the DEVICE_BLACK_LIST.

Walkthrough: Review the DEVICE_BLACK_LIST records

To review the relevant records, follow these steps:

Review the DEVICE_BLACK_LIST records

  1. Navigate to DESIGN RULES & ACTIONS > Rule Management.
  2. In the Hot Lists menu in the navigation pane on the left, open Non Mon Events.
  3. Select the DEVICE_BLACK_LIST link in the table to review the records of that table.