Javascript is actually
a good thing!
Make sure it's turned on
so that pingidentity.com can work properly.
The Role of Dynamic Authorization in Fraud Prevention | Ping Identity

The Role of Dynamic Authorization in Fraud Prevention

Jun 20, 2022
-minute read
Headshot of Adam Rusbridge Ping Identitys Senior Product Manager
Adam Rusbridge
Senior Product Manager

Introduction

The pandemic left many businesses unprepared for the sudden shift from face-to-face interactions to mostly digital operations. From banks to retailers to grocery stores to healthcare providers, organizations without systems in place to support secure user access from devices 24/7 put their businesses, employees, partners, and customers at risk. In Ponemon’s 2021 study The Real Cost of Online Fraud, 61% of respondents said their organizations did not have the right technologies to mitigate online financial fraud. 

 

Enterprises in the early stages of their digital transformation struggled to keep up with new market entrants with better  customer experience, and they started losing market share. They also opened themselves up to attacks by bad actors. Organizations using role-based access control (RBAC), a coarse-grained approach that was  effective when users and systems were on-premises, found that they needed a more flexible approach and migrated to an identity-defined security solution, attribute-based access control (ABAC) with dynamic authorization. This new approach combines centralized control with user-level context to make real-time decisions.

 

Hi, I'd like to talk to you today about identity defined security.
Many leading global companies have unlocked huge value in identity and access management solutions.
But putting identity at the core of your security architecture, you can reduce the risk of stolen credentials, eliminating the number one threat of breach in the enterprise.
Centralized access control to remove security holes and improve compliance.
Protect your customers and employee identity data from end to end.
And enforce both corporate data access policy and user preferences for data privacy.
Most organizations today still rely on a perimeter based approach to security.
This is made up of both the physical walls of their office and a network firewall.
This made sense when all the users applications and identities were inside this perimeter and the bad guys were on the outside.
But today, users and their devices are mobile.
And many SaaS enterprise applications and services are in the cloud, making a perimeter based approach to security ineffective in securing the enterprise.
To make matters even worse, users authenticate with many passwords giving hackers a much larger surface area for attack.
Well there's a better way, the Ping Identity platform makes identity a security cornerstone with five key capabilities.
First, single sign-on gives all of your users, your employees, customers and partners single-click access to SaaS, cloud, and legacy apps.
SSO from Ping lets you authenticate your users once, no matter where they are with a single set of corporate credentials, eliminating all of those insecure passwords and giving your organization a single authentication authority.
But since most organizations still rely on passwords for their corporate credentials, they're still susceptible to breach.
Multi-factor authentication or MFA allows your enterprise to move beyond passwords with a great user experience.
As users sign on, policy is evaluated using contextual data to determine if step up authentication beyond a password is necessary.
If so, they're prompted for another factor.
This is highly configurable, including one time pass codes via SMS, email or voice or maybe a user is prompted for a fingerprint on their device.
With MFA, hackers are denied access even with a stolen password.
Okay, so now your users are securely authenticated, but not every user should have access to all applications.
The access security capability will give your organization a central policy driven access control layer for all enterprise apps, whether they're in the cloud or on premises.
As users make requests to applications or to API's through a mobile application for instance, contextual data and attributes such as the application page requested, time of the day, network, session status, group, etc.
are used to evaluate authorization policy at the application page or API level and determine whether access is granted or denied.
Another challenge that many organizations face is keeping their customer and employee identity data safe and secure.
Many times identity data is scattered across many unsecure data stores and directories.
The Ping directory consolidates and secures your sensitive identity data at all phases during capture, and transit, at rest, or during reporting and logging.
It does this without sacrificing performance or scale.
In addition, most organizations are required to govern who has access to what data.
For instance, when a partner requests customer data maybe to fill an order, you may need to protect social security numbers or credit card data.
The Ping data governance capability enforces both corporate policy and user privacy preferences for all requested data from partners, various corporate groups or other applications.
Ensuring your organization complies with all relevant industry, geographic, or corporate policies.
The Ping Identity platform makes identity the new perimeter, strengthening corporate security, and ensuring regulatory compliance without sacrificing user experience.
Thank you.

How Does Dynamic Authorization Enhance Attribute-based Access Control (ABAC)?

Attribute-based access control (ABAC) improves security by evaluating more than just a user’s role for authorization decisions. The context of an access request provides a more detailed view of the situation. For example, with more employees working from home, enterprises have to be on the lookout for fraudsters attempting to enter their system using an employee’s stolen credentials. By adding attributes when making an authorization decision, if that login attempt is from another country, the activity will be flagged.  

 

Attributes can include:

 

  • User (e.g., security clearance or age)  

  • Resource (e.g., resource type or creation date) 

  • Context (e.g., location or time of day)

 

Dynamic authorization is real-time enforcement of the fine-grained business logic around what users can see and do, in what context, and for what purpose.

How Does Dynamic Authorization Work?

Dynamic authorization starts with an application, like a mobile app, providing data to the central authorization system that identifies the nature of the request. Examples include a customer who wants to access their ecommerce account or an HR employee who wants to access confidential employee files. The central authorization system then takes responsibility for collecting the additional data required to make the appropriate authorization decision. This could include:

 

  • Retrieving additional context, such as organizational roles and user attributes, from a directory service

  • Checking cloud-based device risk services

  • Evaluating fraud and risk systems to get an update on the user's current risk status

     

Increasing Trust with Policy-based Access Control (PBAC)

Dynamic authorization relies on policies that look beyond a single attribute, like a role (e.g., customer or HR employee), and add context by assessing multiple attributes (e.g., time of day, IP address, or type of resource) for decision making. The policies an organization puts in place direct the authorization decision tree for each access request. High-value actions, including accessing sensitive data or making a significant purchase, are subject to different policies than simply viewing a retail website. The user experience can remain frictionless for low-risk situations, but levels of friction can be added when necessary. For example, if a customer who rarely uses a retail site suddenly tries to make a $10,000 purchase, stepped-up authentication using multi-factor authentication (MFA) can be required to make sure their account hasn’t been taken over by a fraudster.

 

Risk Signals and Risk Providers

Organizations are always under pressure to balance security against friction in the customer experience.  An increasingly attractive approach is to adapt the user experience based on the level of trust in the user.

 

How do you know if you can trust a user? Organizations typically use numerous data sources and risk signals to determine whether access should be granted. Over time, a trust relationship is developed using signals from external fraud and risk providers, along with information about the user, their devices, and the actions they want to perform. Data enrichment from risk providers can:

 

  • Lower fraud rates

  • Reduce the number of false positives

  • Avoid manual reviews and chargebacks

  • Remove friction and increase revenue

A centralized approach moves authorization policies away from application-level decisions to allow fraud teams to respond consistently and more quickly to issues in the organization as a whole. Tools to detect fraud are constantly evolving, and fraud teams can review and add best-in-class risk signals to policies as they are identified.

How Does Dynamic Authorization Prevent Fraud?

A multi-layer approach to fraud prevention is always your best option, since bad actors are coming up with new ways to commit fraud every day.  

 

 

As more transactions move online, the cost of online fraud is rising, And fraudsters are getting smarter.
Fraud prevention needs to happen throughout the Customer journey, and it needs to be invisible to legitimate users.
If providers, our customers get it wrong, they risk losing trust.
Market share, and millions of dollars.
With the PingOne cloud platform, fraud detection starts at the first interaction and continues through the entire customer journey.
Fraud signals.
Lead into authentication and authorization Decisions to stop fraudsters from creating accounts, logging in, and completing transactions.
Enterprises can orchestrate multiple fraud signals to ensure that they prevent fraud, But don't create friction for real users.
The PingOne Cloud platform provides actionable intelligence throughout the user journey.
Detection begins before registration and continues through authentication by analyzing Dozens of signals to analyze.
Distinguish real users from bots and bad actors.
These signals help identify bot attacks, new account fraud, and account takeover.
The signals evaluate and mitigate fraud in real time, leveraging dynamic authorization to Safeguard transactions and sensitive data as known users sign on, The Penguin Cloud platform assesses risk and steps up authentication when needed.
Enterprises can even leverage identity verification.
I needed to confirm a user's actual identity.
Multiple fraud signals from Ping and beyond can be orchestrated, Stopping fraudsters in their tracks and delivering extraordinary experiences to real Customers.
Detect fraudulent activity as it happens.
Mitigate risk and shut down fraudsters before loss occurs.
Apply learnings and reinforce your defenses, all while legitimate users transact with ease and confidence.

 

 

Fraud can happen at any stage of the user journey. Developing strong policies and identifying risk signals to curtail fraudulent activity is part of this multi-layered approach. By proactively flagging suspicious activity during account creation, account login, profile changes, attempted transactions, attempts to access sensitive data, and other steps in the user journey, fraud can be prevented.

 

 

As part of a multi-layered approach, some countries have taken additional steps to prevent fraud. In the UK, the nationwide Take Five Stop-Challenge-Protect campaign helps people protect themselves from preventable financial fraud by teaching them about email deception, phone-based scams, and online fraud and alerting them to tactics used by criminals who pretend to be trusted organizations. One campaign focus is authorized push payment (APP) scams, where a criminal tricks an individual or business into sending an irreversible payment to a bank account the criminal controls. If a bank that has formed a trusting relationship with a vulnerable person can find a way to alter the user experience–such as by asking whether the person has received a phone call or email telling them to make the transaction–the person is nudged to  stop before sending their money to the fraudster. 

Additional Benefits of Dynamic Authorization

The benefits of centralized authorization policies that are used to control access by evaluating identity attributes, entitlements, consents, and additional contextual information go beyond fraud prevention.

 

Regulatory and Privacy Compliance

Dynamic authorization allows organizations to comply with regulations through attribute filters and privacy consent enforcement mechanisms. Compliance with GDPR, CCPA, CDR, and other regulations means that customers must have control over and insight into their data. Without a central authorization system providing a single view of users, siloed user data makes it hard to manage consents.

 

Personalization

Understanding your users allows you to personalize your interactions with them. Beyond the personalization of greetings and offers, personal preferences can also be used to prevent fraud. For example, a banking customer who never banks by phone can turn off that option in their account profile, preventing a bad actor from making a fraudulent phone transaction. 

 

Ready to Implement Dynamic Authorization at Your Company?

The landscape of solution providers is constantly evolving and shifting. Layering controls and best-of-breed risk models is the right approach. Organizations should seek agility in their fraud prevention solutions.  


PingOne Authorize and PingAuthorize offer companies the agility to react instantly without sacrificing security or regulatory compliance. These tools provide centralized authorization policies that evaluate the context of a request to make intelligent decisions — all while protecting your data, services, applications, and APIs and providing your users with seamless experiences.

Share this Article:
Related Resources
MFA Fatigue Attack: How to Detect and Prevent It
Louise Watson
Feb 21, 2025
An MFA fatigue attack bombards users with push notifications until one is approved. Learn how to detect and prevent prompt bombing at your organization.
Biometric Authentication: How It Works & Why It Matters
Rich Keith
Nov 7, 2024
Learn how biometric authentication works, key methods like fingerprint and facial recognition, security features, and real-world use cases.

Start Today

Contact Sales

sales@pingidentity.com

See how Ping can help you deliver secure employee, partner, and customer experiences in a rapidly evolving digital world.