Scenario 5. Change User Profile

The scenario showcases illegitimate profile changes to the customer account. More specifically, a hacker changes the email address for a number of different customer accounts in a short period of time.

Scenario actor: Eve EXEPICIER

About this scenario - requests

The scenario consists of five consecutive requests that are sent to Risk Analytics. In each request the email address of a customer account is changed to [email protected].

The following requests are attempts to change the email address:

  • Request RA_0501 attempts to change the email address of Edouard ELIS
  • Request RA_0502 attempts to change the email address of Eric ERAMZI,
  • Request RA_0503 attempts to change the email address of Emile EHIMAGE
  • Request RA_0504 attempts to change the email address of Elie EDIEUDONNE
  • Request RA_0505 attempts to change the email address of Eve EXEPICIER, the main actor for this scenario

As the bank defined to disallow five or more change email attempt requests within a 1-minute time frame, the last change profile event for Eve EXEPICIER is challenged by a two-factor Push Notification message (response code: ChallengePush2FA, Response = 7).

Analysis

To analyse the rules triggered and alerts raised for the scenario, log on to Risk Analytics Presentation Service and navigate to SUPERVISE & INVESTIGATE > My Alerts.

Pending alert:

  • RA_0501 Change email address in the Change Profile Declined or Challenged alert queue, raised by the matching rule RA_0501 Change email address.

Walkthrough: Conduct a forensic analysis of an event

To forensically analyze an event, follow these steps:

Conduct a forensic analysis of the event

  1. Navigate to SUPERVISE & INVESTIGATE > Score Analysis.

  2. In the Score Analysis dashboard, click SETTINGS.

  3. From the PERIOD menu, select the applicable date or period.

  4. Click APPLY.

  5. In the Score Analysis table, search the matching rule RA-0501 Change email address; you can also use the search field of the Matches column and enter the name or parts of the name of the matching rule (e.g. enter RA_0501).

  6. In the relevant row, click on the Go To Forensic Analysis icon in the right-most column.

  7. In the Forensic Analysis window, drag the IP Addresses pulsing green ball to the center and drop it as the pivot.

    The Relationships quadrant of this polar chart shows the five customer accounts which were accessed from the same IP address.