How to Spot Identity Fraud in Your Ping Stack

Your digital identity ecosystem is probably under attack right now. You may have some indication of the attack, like unexplained significant drops in network performance or a ransom request, or you may be completely unaware of it. So how do you know if you’re under attack? The safe bet is to simply assume you already are. But there are other indicators: odd login behaviour, large numbers of failed login attempts, and huge spikes in login attempts are all likely evidence of something malicious afoot.

 

As your trusted IAM partner, Ping has a vested interest in helping you protect your business. Our experience with the largest enterprises in the world has shown us that fraudsters, as big and scary as they can be, are also human and follow the path of least resistance. They mostly target the weakest links – your users. With the increasing sophistication and quality of attacks, users often fall victim to credential theft via phishing, vishing, smishing, and man-in-the-middle attacks, precisely because it is so challenging to differentiate malicious messages from genuine ones. 

 

Major forms of identity fraud stemming from attacks on your users include account takeover (ATO), new account fraud, and MFA fatigue. While Ping does everything possible to remediate vulnerabilities and protect your mission-critical Ping stack, stopping bad actors in real time at the user session level falls on you, the IAM administrator. It’s a large burden to bear, but Ping has your back, and it starts with detection.

 

Ping Can Help Detect Account Takeover, New Account Fraud, and MFA Fatigue

Account Takeover (ATO)

Cybercriminals hijack sessions and log in with stolen credentials.

New Account Fraud (NAF)

Hackers register with stolen or synthetic identities.

MFA Fatigue (aka MFA Bombing)

Fraudsters bombard users with MFA prompts until they approve one out of annoyance.

 

 

I am a big fan of the Oscars, and the Academy awarded seven of them to a motion picture called ‘Everything Everywhere All At Once’. I love this title because it encapsulates the essence of early fraud detection.

 

Everything - means that we need to look beyond usernames and passwords. While these credentials are important, the context of the authentication journey is equally relevant. We are creatures of habit, and it is possible to profile our behaviour in digital channels. Examples include the devices we use, our location, how we type and move the mouse (behavioural biometrics), the applications we access, the times of day or night we are active, failed login attempts from specific IP addresses, or the number of accounts accessed from a single device. This list continues to grow as we evolve and learn about new trends and attack vectors.

 

Everywhere - implies the need to examine all the channels available to the user. It is no longer sufficient to protect web applications without considering mobile devices or analogue channels like customer service helplines. Most of us use at least two of these channels in our everyday interactions with services such as retail, banking, energy or mobile communication.


All at once - a layered, defence-in-depth approach is essential for spotting malicious behaviour. Most risk signals from the context we evaluate during digital journeys could potentially be bypassed by malicious actors if viewed in isolation. However, by stacking and analysing these signals together in parallel, we significantly enhance our detection capabilities. For example, a malicious actor might use a VPN or proxy to appear closer to the genuine user's location and avoid detection of an impossible travel attack. However, if we also track those known services, another predictor - such as an anonymization attempt - will be triggered, increasing our ability to detect and thwart the attack.

Extreme Measures

According to experts and leading analysts, identity proofing via selfie matching and official documentation authentication offers the highest assurance that a user is who they say they are. Referred to as remote identity verification, this ironclad process is the most effective way to stop cybercriminals. So, in theory, you could reduce the number of identity fraud incidents to near zero by enforcing communication through a single channel, such as a mobile application, restricting access to only one device, and implementing identity verification for every login. But that would be very cumbersome, if not frustrating, for users. It would also be very expensive.

 

You don’t want your preventative measures to end up negatively affecting revenue or productivity. While extreme measures can prevent account takeover, new account fraud, and MFA fatigue, they are impractical for every login and should be used sparingly, only in risky situations. For example, leveraging identity proofing for account recovery or large-value monetary transactions is likely worth the additional user friction and cost. Leveraging identity proofing so a customer can shop on your website for an inexpensive item is likely not worth it and will do more harm than good.


Learn more about Ping’s identity proofing service, PingOne Verify.

Balanced Measures

So how do you achieve balance? The good news is, we have customers like you doing it every day. Imagine attaching a risk level to authentication (registration or transaction) journeys. This approach allows you to effectively scale security controls in real-time and in an adaptive manner. If the risk is low, meaning nothing suspicious is detected, additional security measures may not be required. When the risk is medium or high, friction is added, scaling the strength of the methods accordingly. This means you can directly correlate higher risk levels with identity fraud events, enhancing security without unnecessarily impacting the user experience. Imagine a tool that does all that and then also issues advice on how to proceed in a high-risk scenario – well, it’s called PingOne Protect and hundreds of Ping’s customers are using it to solve their identity fraud challenges.

 

PingOne Protect has predictors that focus on the characteristics and context of a user session. These predictors range from behavioural biometrics (how the user interacts with the login page) and device profiling to counting the IP addresses used by a single user and the number of users from a single IP. While some predictors, like user behaviour (UEBA - User and Entity Behavioral Analysis), are powered by artificial intelligence and machine learning, others are purely heuristic, operating on algorithms designed to spot suspicious behaviour and bots, including flavours of man-in-the-middle attacks such as adversary-in-the-middle. Some predictors are even sourced externally to further enhance detection rates, such as state-of-the-art intelligence systems that monitor Internet Protocol addresses globally and provide an added layer of defence against malicious activities. You build out access policies by stacking PingOne Protect predictors together and assigning scores to them. When these scores are totalled, they determine the overall risk level of an event.
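The stacking-and-totalling approach described above, including the case from the "All at once" paragraph where a nearby VPN exit hides impossible travel, shown as an added example. It is not PingOne Protect code or its API: the predictor names, weights, thresholds, speed cut-off and sample events are all assumptions made for illustration.

```python
from collections import namedtuple
from math import asin, cos, radians, sin, sqrt

# All values are constructed for illustration; none are PingOne Protect defaults.
ANONYMIZER_IPS = {"203.0.113.7"}  # assumed feed of known VPN/proxy exit addresses
WEIGHTS = {"impossible_travel": 40, "anonymizer": 30, "ip_failures": 20, "new_device": 15}
LEVELS = [(60, "HIGH", "deny or require identity proofing"),
          (30, "MEDIUM", "step-up MFA"),
          (0, "LOW", "allow")]

# ts is epoch seconds; ok is True when authentication succeeded.
Event = namedtuple("Event", "user ip device ts lat lon ok")

def km(a, b):
    """Great-circle (haversine) distance between two events, in km."""
    p1, p2 = radians(a.lat), radians(b.lat)
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(b.lon - a.lon) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def predictors(event, history):
    """Names of the predictors that fire for `event`; `history` is in time order."""
    fired = set()
    mine = [e for e in history if e.user == event.user and e.ok]
    if mine:
        hours = max((event.ts - mine[-1].ts) / 3600, 1e-6)
        if km(mine[-1], event) / hours > 900:  # faster than an airliner
            fired.add("impossible_travel")
        if event.device not in {e.device for e in mine}:
            fired.add("new_device")
    if event.ip in ANONYMIZER_IPS:
        fired.add("anonymizer")
    if sum(e.ip == event.ip and not e.ok for e in history) >= 5:
        fired.add("ip_failures")
    return fired

def assess(event, history):
    """Total the scores of fired predictors and map them to (score, level, action)."""
    score = sum(WEIGHTS[p] for p in predictors(event, history))
    level, action = next((l, a) for floor, l, a in LEVELS if score >= floor)
    return score, level, action

# Constructed history: alice signs in from London on her usual laptop.
HISTORY = [Event("alice", "198.51.100.10", "laptop-1", 0, 51.5, -0.13, True)]
# One hour later, a login via a VPN exit near London: impossible travel stays silent.
VPN_LOGIN = Event("alice", "203.0.113.7", "unknown-9", 3600, 51.6, -0.2, True)
# Five earlier failed logins from the same exit address, against another account.
FAILURES = [Event("bob", "203.0.113.7", "bot", 100 + i, 0.0, 0.0, False) for i in range(5)]
```

Viewed alone, the impossible-travel predictor scores `VPN_LOGIN` as clean; stacked with the anonymizer and new-device predictors it reaches MEDIUM, and with the failed-login history it reaches HIGH.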

Getting Started

The truth of the matter is that implementing threat protection in your Ping stack is paramount. Since you’re likely under attack now, do not wait for fraudsters to successfully penetrate your systems. Now is the time. You likely already have some risk and fraud investments, and bringing them all together in your Ping ecosystem will help ensure maximum protection.

 

Stop bad actors in real-time with the vendor you already trust. Ping’s fraud solution protects you against account takeover, MFA fatigue, and new account fraud.
