Stop Identity Fraud with an Identity Threat Prevention Taxonomy

Jun 7, 2024
Principal Architect

Today’s fraudsters are both creative and adaptive. Whether their goal is to monetize an account with a stored payment method or transfer funds from a financial institution, identity is the key for unlocking access to online services. If one method of fraud no longer works, cybercriminals change and advance their techniques in pursuit of achieving their goals. 

 

While it's important to have awareness of identity-related cybercrimes like account takeover (ATO) and new account fraud (NAF), you also need to develop a holistic threat prevention strategy to detect and stop attacks. To help you do that, Ping has developed an identity threat taxonomy – a powerful tool used to visualize a logical sequence of related parts in a threat prevention strategy. 

 

Identity solution providers like Ping have to keep track of the ever-changing threat landscape in order to provide secure and seamless user experiences. By studying this identity threat taxonomy, you can better understand and prioritize threat protection in your own organization.

What Goes Into a Threat Prevention Taxonomy? 

[Figure: flowchart of preventing fraud, showing threats, attack vectors, detection and mitigations]

 

Originally used in the life sciences as a means for classifying animal and plant species, a taxonomy is used in the identity security space as a tool for visualizing related components in an identity and access management (IAM) ecosystem. 

 

We developed this identity threat taxonomy by asking a few key questions about the organizations we serve, their cybersecurity challenges, and the greater threat landscape. It is helpful to ask yourself these questions as you consider how to best combat fraud at your organization: 

 

  • Why do you need to prevent fraud? 

  • What are the most common online fraud threats today? 

  • How will an attacker attempt to execute these threats? 

 

With a high-level view of your security posture in place, you can then zero in on more specific details of your threat detection strategy. Asking yourself these questions will lead to specific actions that protect your organization: 

 

  • Why is the attacker interested in your organization?  

  • What types of attacks is your organization most vulnerable to? 

  • How will your organization prevent these specific attacks? 

 

In the end, preventing identity fraud requires a holistic view of your identity security posture that can be broken down into constituent parts. By constructing your own threat landscape, you also develop a clear picture of specific actions required to stop cybercriminals before they can do damage. 

Using an Identity Threat Taxonomy to Identify Threats

Let’s walk through the identity threat taxonomy and see how you can apply it to help your organization combat online fraud. 

 

Why Do You Need to Prevent Fraud? 

A great starting point for developing a counter-fraud strategy is examining exactly why you need to prevent fraud in the first place. For example, do you offer a referral bonus that could be taken advantage of by fraudsters who could create multiple new accounts and collect multiple sign-up bonuses at once? Are you seeing many fraudulent transactions coming out of otherwise legitimate accounts that have been taken over by cybercriminals using stolen credentials? Put simply, you should consider the negative impact to your business that would result from threat actors pulling off a successful fraud. 

 

What Are the Most Common Online Fraud Threats Today?

ATO and NAF are the two most common identity-related threats faced by online services today. While industries such as ecommerce, financial services, healthcare, and social media each face their own variants of ATO and NAF, you can count on identity-based attacks being the doorway to sensitive information. This holds for just about any use case in any industry: a significant share of online fraud begins with an identity crime, such as an account that has been taken over or a stolen identity that is then used to register a new account.

 

How Will an Attacker Attempt to Execute These Threats? 

Look at your organization’s attack surface and consider how fraudsters may attack you. Attack vectors are the means that fraudsters use to execute ATO and NAF. Depending on your organization and IAM practices, common attack vectors include social engineering, credential stuffing, session hijacking, synthetic identities, man-in-the-middle (MITM) and adversary-in-the-middle (AiTM) attacks, and more. Again, certain industries are more likely to experience threats via specific attack vectors than others.

 

Importantly, some attack vectors apply only to ATO or only to NAF, while others apply to both. To illustrate, credential stuffing is relevant only to ATO, since attackers use leaked or stolen credentials to get into accounts that already exist. Conversely, fake-device attack vectors, in which criminals modify device attributes to evade device profiling, apply to both ATO and NAF.

 

You also need to consider which parts of the user journey should be examined when assessing attack vectors. For example, you need to focus on the login itself for credential stuffing. However, when it comes to session hijacking, your attention should shift to post-authentication transactions. 

Using an Identity Threat Taxonomy to Detect & Prevent Fraud

Now that you have a high-level view of your identity security posture, it's time to use the identity threat taxonomy to correlate specific threats with your own organization so you can develop actionable solutions for detection and mitigation.

 

Why Is the Attacker Interested in Your Organization?  

By understanding what you have to lose, you also get a clearer picture of what a fraudster stands to gain by attacking your organization. To illustrate, if you operate an ecommerce platform that stores a good deal of user data, a fraudster may be after customer PII and credit card info. If you operate a bank, perhaps a fraudster is after your customers’ funds, or is looking to make a fraudulent application for credit in order to take your organization’s money directly. Regardless of your business type, knowing why criminals might be attracted to your organization lays the foundation for your threat prevention strategy. 

 

What Types of Attacks Is Your Organization Most Vulnerable to? 

The industry where you operate and the type of assets you are protecting directly influence which attacks your organization is most exposed to. So do the security controls you have chosen: for example, if you require multi-factor authentication (MFA), a cybercriminal may turn to an adversary-in-the-middle (AiTM) phishing attack, which relays the whole login, MFA response included, through the attacker's proxy in order to get around it.

 

ATO is a common identity threat across all verticals because users often have many online accounts but use the same password across multiple platforms. Fraudsters may strike at an ecommerce site with an ATO in order to make fraudulent purchases with the payment method on file, or at a healthcare organization in order to harvest PII and PHI, or at a financial institution in order to make a transfer of funds. Conversely, NAF is much more common for businesses that offer loyalty programs and rewards points, or that offer new users direct access to funds. At Ping, we commonly see NAF challenges in financial services, where stolen or synthetic identity info is used to apply for lines of credit or loans, and in ecommerce and retail, where loyalty programs and sign-up bonuses are common. 

 

How Will Your Organization Prevent These Specific Attacks? 

Once you’ve mapped the specific attack vectors that your organization is vulnerable to, it's time to take action and find solutions with detection, mitigation, and prevention. While prevention is always a good strategy, detection and mitigation are critical pieces of the identity threat taxonomy structure. 

 

Different mechanisms detect different types of attacks. For example, bot detection is highly effective against credential stuffing and large-scale ATO campaigns. Other detection techniques look at device and IP information, or at user location and behavior, to assess whether a session is risky.

 

With your detection mechanisms operational, it's time to employ remediation strategies that add challenges or change the user flow to stop specific types of attacks. For example, a CAPTCHA is a relevant mitigation for stopping bots. However, a CAPTCHA adds no meaningful friction for a human attacker who is manually logging in with stolen credentials, because a human simply solves it. In that case it is more appropriate to require MFA.

Secure the Entire Identity Lifecycle With Ping 

Organizations need a robust threat protection solution that can address the latest and most sophisticated identity attacks. Using this identity threat taxonomy as a guide, you can see what is needed to prevent, detect, and mitigate ATO and NAF.

 

[Figure: flowchart for identity threat protection and user account security]

 

In designing Ping’s threat prevention solution, the engineers at Ping directly correlated attack vectors with different parts of the user journey. In turn, you can employ different security tools to stop ATO and NAF depending on the stage in the user journey where a threat presents itself. 

 

[Figure: user journey stages: Guest User, Registration, Authentication, Authenticated Transactions]

 

  • Guest User: While ATO and NAF threats focus on identities, you can still monitor user intent before an individual is even identified. Ping’s platform detects suspicious activities and non-human behavior as soon as a user begins interacting with your digital property.  

     

  • Registration: Since registration is the stage where NAF takes place, you can prevent the registration of fake accounts by detecting unusual behavior during the process.

     

  • Authentication: It’s no secret that authentication is the entry point for ATO. Look for attacks such as credential stuffing and password spraying during this stage, and add friction when the risk indicators warrant it.

     

  • Authenticated User Transactions: Some attack vectors occur long after the registration and authentication stages. Session hijacking in particular means you must keep evaluating the session (device, network, and behavior) after login and re-authenticate users when they conduct sensitive transactions well beyond registration and authentication.

     

Using Risk Scores & Classifications to Trigger Mitigation

When assessing a threat, a risk score is insufficient on its own. In order to bring action to your counter-fraud strategy, you must build in real-time mitigation to stop threats once they are detected. 

 

Suppose your organization uses a one-time passcode (OTP) as its MFA factor. Typically the OTP challenge is issued only when the risk score crosses a threshold set in your risk policy. An OTP is highly effective against certain attack vectors, such as an attacker who holds nothing more than stolen credentials. However, the same OTP is rendered ineffective by a sophisticated AiTM attack, since the proxy relays the code to the real site in real time. Ping’s solution focuses on triggering the right mitigation method with the appropriate amount of friction according to the level and type of risk, ideally without sacrificing a smooth user experience for legitimate users.
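To make the detection mechanisms above and the threshold-triggered mitigation concrete, here is an added example (not code from the page or from PingOne Protect) that runs a small set of constructed login and transaction events through the kind of logic the text describes: bot detection for credential stuffing and password spraying at the authentication stage, device and location profiling for a successful login, and a device check on an already-authenticated session. The event fields, signal weights, the risk threshold of 50, and the mitigation names are all assumptions made for this illustration. The policy picks the control by the type of the strongest signal rather than by the score alone: automation gets a CAPTCHA, a human-paced login from unknown device and country gets an OTP step-up, and a session whose device changed mid-flight is revoked rather than challenged. It does not attempt to detect AiTM, which needs signals (proxy infrastructure, client fingerprints) that these events do not carry.

```python
"""Added example: score login/transaction events and pick a mitigation by threat type.

Event fields, thresholds, signal weights and mitigation names are assumptions made
for this illustration; they are not PingOne Protect's data model or policy language.
"""
from collections import defaultdict

WINDOW = 3600        # seconds of per-IP history kept (assumption)
RISK_THRESHOLD = 50  # score at or above which a mitigation fires (assumption)

# Constructed baseline: devices and countries each user has been seen from before.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}, "carol": {"dev-c1"}}
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}

# Constructed sample events (not real logs). ts is seconds; stage is "auth" or "txn".
EVENTS = (
    # 1) Credential stuffing: one IP cycles 41 usernames in 41 seconds, 40 fail, 1 hits.
    [{"ts": 1000 + i, "stage": "auth", "user": f"u{i}", "ip": "203.0.113.9",
      "device": "dev-bot", "country": "US", "outcome": "fail" if i < 40 else "success"}
     for i in range(41)]
    # 2) Password spraying: another IP tries 12 usernames once each, one every 5 minutes.
    + [{"ts": 2000 + 300 * i, "stage": "auth", "user": f"emp{i}", "ip": "198.51.100.7",
        "device": f"dev-{i}", "country": "US", "outcome": "fail"} for i in range(12)]
    + [
        # 3) bob signs in from his usual device; 5 minutes later a transaction arrives
        #    on the same session from a different device (a session-hijacking signal).
        {"ts": 6000, "stage": "auth", "user": "bob", "ip": "192.0.2.20", "device": "dev-b1",
         "country": "US", "outcome": "success", "session": "s-bob-1"},
        {"ts": 6300, "stage": "txn", "user": "bob", "ip": "192.0.2.99", "device": "dev-z2",
         "country": "US", "outcome": "success", "session": "s-bob-1"},
        # 4) carol: a routine login from a known device and country.
        {"ts": 7000, "stage": "auth", "user": "carol", "ip": "192.0.2.30", "device": "dev-c1",
         "country": "US", "outcome": "success"},
        # 5) alice's password accepted from a never-seen device in a never-seen country,
        #    at human pace: consistent with stolen credentials typed in by hand.
        {"ts": 9000, "stage": "auth", "user": "alice", "ip": "192.0.2.77", "device": "dev-x9",
         "country": "RO", "outcome": "success"},
    ]
)

# Threat type -> mitigation (assumption). The type, not just the score, picks the control:
# a CAPTCHA stops scripts but not a human with a stolen password, and an OTP prompt is
# the wrong answer to a session that is already in someone else's hands.
MITIGATION = {
    "credential_stuffing": "captcha",
    "password_spraying": "captcha",
    "new_device": "otp_mfa",
    "new_country": "otp_mfa",
    "session_device_mismatch": "revoke_session_reauth",
}


def score_event(ev, ip_hist, sessions):
    """Return (score, signals) for one event; updates per-IP history and the session map."""
    signals = {}
    if ev["stage"] == "auth":
        hist = [h for h in ip_hist[ev["ip"]] if ev["ts"] - h[0] <= WINDOW]
        hist.append((ev["ts"], ev["user"], ev["outcome"]))
        ip_hist[ev["ip"]] = hist
        users = {h[1] for h in hist}
        fail_ratio = sum(h[2] == "fail" for h in hist) / len(hist)
        recent = sum(ev["ts"] - h[0] <= 600 for h in hist)           # attempts, last 10 min
        span = ev["ts"] - hist[0][0]                                  # seconds of activity
        per_user = max(sum(h[1] == u for h in hist) for u in users)   # busiest username
        # Bot detection. Stuffing: many usernames, fast, mostly failing.
        if len(users) >= 10 and recent >= 20 and fail_ratio >= 0.8:
            signals["credential_stuffing"] = 80
        # Spraying: many usernames tried once or twice each, spread out (low and slow).
        elif len(users) >= 8 and per_user <= 2 and span >= 1800 and fail_ratio >= 0.8:
            signals["password_spraying"] = 60
        # Device/location profiling only matters once the password was accepted.
        if ev["outcome"] == "success":
            if ev["device"] not in KNOWN_DEVICES.get(ev["user"], set()):
                signals["new_device"] = 25
            if ev["country"] not in KNOWN_COUNTRIES.get(ev["user"], set()):
                signals["new_country"] = 25
            if ev.get("session"):
                sessions[ev["session"]] = ev["device"]  # device that established the session
    else:  # post-authentication transaction: keep checking the session, not just the login
        bound = sessions.get(ev.get("session"))
        if bound is not None and bound != ev["device"]:
            signals["session_device_mismatch"] = 90
    return sum(signals.values()), signals


def choose_mitigation(score, signals):
    """Apply the policy: below the threshold allow; otherwise act on the strongest signal."""
    if score < RISK_THRESHOLD or not signals:
        return "allow"
    return MITIGATION[max(signals, key=signals.get)]


def run(events=EVENTS):
    """Score every event in time order and return one decision per event."""
    ip_hist, sessions, decisions = defaultdict(list), {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        score, signals = score_event(ev, ip_hist, sessions)
        decisions.append({"ts": ev["ts"], "user": ev["user"], "stage": ev["stage"],
                          "score": score, "signals": signals,
                          "mitigation": choose_mitigation(score, signals)})
    return decisions


def decision_for(user, stage="auth", events=EVENTS):
    """The last decision recorded for a user at a given stage."""
    return [d for d in run(events) if d["user"] == user and d["stage"] == stage][-1]


if __name__ == "__main__":
    for d in run():
        if d["mitigation"] != "allow":
            print(d["ts"], d["user"], d["stage"], d["score"], d["mitigation"], sorted(d["signals"]))
```

Running the block prints only the events that drew a mitigation: the stuffing burst is challenged from its 20th attempt onward, the spray from its 8th username, alice's login from a new device and country gets the OTP step-up, and bob's transaction from a device other than the one that created the session has the session revoked. Note that the device and country signals are only evaluated on a successful password check; a CAPTCHA or OTP on a failed login is wasted friction.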

 

Monitoring Detection & Mitigation in Your Identity Ecosystem 

It is critically important to monitor and analyze the performance of your detection and mitigation strategies. Because the ecosystem is dynamic (new browsers, new attack vectors, and so on), you must track detection and mitigation efficacy to inform threat intelligence and adapt over time.

 

Challenge-based mitigations like MFA and CAPTCHA can act as self-labeling mechanisms. Once a threat is detected and a challenge issued, you can look back at the outcome to see whether the detection was accurate: a failed challenge supports the detection, a passed challenge suggests a false positive, and an abandoned one is ambiguous. Bear in mind that a passed challenge is not proof of legitimacy, since an AiTM proxy relays an OTP just as a real user would. Where your detection and mitigation strategies are producing false positives, you can use these labels to monitor and tune predictors over time.
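As an added example of the feedback loop just described (not code or data from the page or from PingOne Protect), the block below takes a constructed log of detections that fired at a current threshold of 50, each with the challenge it received and what the user did with it, derives labels from the outcomes, and uses them two ways: it reports the precision of each predictor that contributed to the score, and it sweeps candidate thresholds to show how many attacks would still be caught against how many legitimate users would be challenged. The label rule (passed means legitimate, failed means attack, abandoned is left unlabeled) and the candidate thresholds are assumptions. One limit is built in deliberately: only thresholds at or above the current one can be evaluated from challenge data, because nobody scored below it was ever challenged and so has no label.

```python
"""Added example: turn challenge outcomes into labels and use them to tune detection.

The log, the label rule and the candidate thresholds are assumptions for illustration;
nothing here is PingOne Protect's own data or tuning logic.
"""
from collections import defaultdict

CURRENT_THRESHOLD = 50  # the threshold at which every detection below was issued (assumption)

# Constructed log of detections and the challenge each one received.
# signals: predictor -> weight it contributed to the score.
CHALLENGE_LOG = [
    {"score": 50, "signals": {"new_device": 25, "new_country": 25}, "challenge": "otp_mfa", "result": "passed"},
    {"score": 50, "signals": {"new_device": 25, "new_country": 25}, "challenge": "otp_mfa", "result": "passed"},
    {"score": 55, "signals": {"ip_reputation": 30, "new_device": 25}, "challenge": "otp_mfa", "result": "passed"},
    {"score": 50, "signals": {"new_device": 25, "new_country": 25}, "challenge": "otp_mfa", "result": "failed"},
    {"score": 55, "signals": {"ip_reputation": 30, "new_device": 25}, "challenge": "otp_mfa", "result": "passed"},
    {"score": 55, "signals": {"ip_reputation": 30, "new_device": 25}, "challenge": "otp_mfa", "result": "passed"},
    {"score": 55, "signals": {"ip_reputation": 30, "new_device": 25}, "challenge": "otp_mfa", "result": "failed"},
    {"score": 55, "signals": {"ip_reputation": 30, "new_device": 25}, "challenge": "otp_mfa", "result": "failed"},
    {"score": 80, "signals": {"credential_stuffing": 80}, "challenge": "captcha", "result": "failed"},
    {"score": 80, "signals": {"credential_stuffing": 80}, "challenge": "captcha", "result": "failed"},
    {"score": 80, "signals": {"credential_stuffing": 80}, "challenge": "captcha", "result": "failed"},
    {"score": 80, "signals": {"credential_stuffing": 80}, "challenge": "captcha", "result": "abandoned"},
    {"score": 90, "signals": {"new_device": 25, "new_country": 25, "impossible_travel": 40}, "challenge": "otp_mfa", "result": "failed"},
    {"score": 90, "signals": {"new_device": 25, "new_country": 25, "impossible_travel": 40}, "challenge": "otp_mfa", "result": "failed"},
]


def label(record):
    """Label from the challenge outcome (assumption): passed -> "legit", failed -> "attack",
    abandoned -> None. A pass is not proof of legitimacy: an AiTM proxy that relays the
    OTP passes too, so these labels are noisy and should be treated as such."""
    return {"passed": "legit", "failed": "attack"}.get(record["result"])


def predictor_precision(log=CHALLENGE_LOG):
    """For each predictor, the share of labeled detections it took part in that were attacks.
    A predictor with low precision is the first candidate for a lower weight."""
    attacks, total = defaultdict(int), defaultdict(int)
    for r in log:
        lab = label(r)
        if lab is None:
            continue  # unlabeled outcome: contributes nothing
        for sig in r["signals"]:
            total[sig] += 1
            attacks[sig] += lab == "attack"
    return {sig: round(attacks[sig] / total[sig], 2) for sig in sorted(total)}


def threshold_sweep(log=CHALLENGE_LOG, candidates=(50, 60, 70, 80, 90)):
    """Attacks caught and legitimate users challenged at each candidate threshold.
    Only thresholds >= CURRENT_THRESHOLD can be evaluated from this log: nobody who
    scored below it was challenged, so there are no labels for them."""
    if min(candidates) < CURRENT_THRESHOLD:
        raise ValueError("cannot evaluate a threshold below the one the log was collected at")
    labeled = [(r["score"], label(r)) for r in log if label(r)]
    return {t: {"attacks_caught": sum(1 for s, l in labeled if s >= t and l == "attack"),
                "legit_challenged": sum(1 for s, l in labeled if s >= t and l == "legit")}
            for t in candidates}


def recommend_threshold(max_legit_challenged, log=CHALLENGE_LOG):
    """Lowest candidate threshold (hence most attacks caught) within the friction budget."""
    for t, stats in sorted(threshold_sweep(log).items()):
        if stats["legit_challenged"] <= max_legit_challenged:
            return t
    return None


if __name__ == "__main__":
    print("precision per predictor:", predictor_precision())
    for t, stats in threshold_sweep().items():
        print(f"threshold {t}: {stats}")
    print("recommended threshold with no legit friction:", recommend_threshold(0))
```

On this constructed log the predictor report shows ip_reputation at 0.4 precision and credential_stuffing and impossible_travel at 1.0, which is the kind of evidence you would use to lower a predictor's weight rather than raise the global threshold. The sweep shows that moving the threshold from 50 to 60 removes all five false positives at the cost of missing three attacks, a trade-off that is now a business decision backed by numbers instead of a guess.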

Stop ATO and NAF With PingOne Protect  

An identity threat taxonomy is a powerful means for developing a holistic threat prevention strategy. At Ping, we have designed our threat detection tool, PingOne Protect, to help you seamlessly fortify every part of your identity ecosystem in real time to stop ATO and NAF. In creating this threat detection tool, we have sought to address the most common types of identity threats.

 

Account Takeover (ATO)

[Figure: flowchart of the account takeover prevention strategy]

 

New Account Fraud (NAF)

[Figure: flowchart of the why, what and how of preventing fake accounts]

 

By using relevant detection and mitigation techniques in the right stages of the user journey, PingOne Protect allows you to dramatically reduce instances of ATO and NAF, while also providing exceptional user experiences. Ready to get started? Check out our Ultimate Guide to Online Fraud Prevention for actionable next steps, or schedule a demo today! 
