Anil John
Making Digital Services Secure and Trustworthy

Fraudulent Account Activity Signaling and NISTIR 7817


In the comments of my previous blog post on fraudulent account activity signaling, Steve Howard pointed to NISTIR 7817: A Credential Reliability and Revocation Model for Federated Identities (PDF) by Hilde Ferraiolo as being relevant to the discussion. It is, and I was rather mortified to realize that it had slipped my mind. So this blog post provides a short synopsis of that work as it applies to fraudulent activity monitoring in federated identity implementations.

To keep it relevant, let me focus on what the report calls the Three Party Model (Credential Holder, Identity Provider and Service Provider) and the Four Party Model (Credential Holder, Identity Provider, Attribute Provider and Service Provider). I would encourage you to read the overview which outlines the various models in which actors in an authentication and attribute validation scenario can come together.

I really liked the emphasis on this bit:

Evidence of malicious activity at the service provider is not generally shared with the identity provider. This situation is unfortunate, as the service provider is at the forefront of attacks. It has all audit trails and knowledge of suspicious or malicious account activities [...] Service provider feedback is especially useful and indicative in the federation since the feedback is likely reported by several service providers in the federation, thus providing strong evidence of credential compromise.

NISTIR 7817: A Credential Reliability and Revocation Model for Federated Identities
  • The introduction is a setup for describing what the report calls a Uniform Reliability and Revocation Service (URRS), which “… provides revocation status information to and from identity providers, service providers, attribute providers, and users”
  • A role for a credential holder to inform the URRS about a credential compromise
  • The concept of a ‘Reliability Score’ that can be updated by an SP and can be used by other SPs or Identity Providers to make a risk-based decision on future action
  • Discussion about how privacy enhancing technologies such as selective disclosure schemes and anonymous credentials could fit into this model

The report, very much like the shared signals report, requires a trusted service that interacts with both Identity Providers and Service Providers, with all the non-technical challenges that implies.

I found the focus on credential revocation checking and status notification (Revoked, Suspended, Active) via the URRS a bit baffling, since in a three-party or four-party model, once a credential is revoked or suspended by an Identity Provider it is no longer usable in a federation scheme anyway. At the same time, I found much value in the concept of a shared ‘Reliability Score’ that shows decreased reliability with each negative feedback from the SPs and serves as input into a risk-based decision by the SPs to determine the suitability of a presented credential in an authentication event.
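To make the Reliability Score idea concrete, here is a small Python model I have added for illustration; it is not code from NISTIR 7817 or from this post. The scoring rule (a fixed drop per negative report, with a larger drop the first time a new SP reports, since corroboration across several SPs is the stronger evidence the quote above points to), the 0 to 100 scale and the decision thresholds are all assumptions of mine, not anything the report prescribes.

```python
from dataclasses import dataclass, field

ACTIVE, SUSPENDED, REVOKED = "Active", "Suspended", "Revoked"

@dataclass
class CredentialRecord:
    status: str = ACTIVE          # lifecycle status, set by the Identity Provider
    reliability: int = 100        # 100 = no negative feedback yet (assumed scale)
    reporters: set = field(default_factory=set)  # distinct SPs that reported

class URRS:
    """Trusted shared service that both IdPs and SPs talk to (assumed API)."""
    def __init__(self, penalty=25, corroboration_bonus=10):
        self.records = {}
        self.penalty = penalty
        self.bonus = corroboration_bonus

    def _rec(self, cred_id):
        return self.records.setdefault(cred_id, CredentialRecord())

    def set_status(self, cred_id, status):
        """IdP-driven lifecycle change (Active / Suspended / Revoked)."""
        self._rec(cred_id).status = status

    def report_negative(self, sp_id, cred_id):
        """SP feedback. Every report lowers the score; the first report from a
        new SP lowers it more, because agreement across SPs is stronger
        evidence of compromise than repeated reports from a single SP."""
        rec = self._rec(cred_id)
        drop = self.penalty + (self.bonus if sp_id not in rec.reporters else 0)
        rec.reporters.add(sp_id)
        rec.reliability = max(0, rec.reliability - drop)
        return rec.reliability

    def query(self, cred_id):
        rec = self._rec(cred_id)
        return rec.status, rec.reliability, len(rec.reporters)

def sp_decision(urrs, cred_id, min_score=50):
    """Risk-based decision at a relying SP for a presented credential."""
    status, score, reporters = urrs.query(cred_id)
    if status != ACTIVE:        # the IdP already made it unusable in the federation
        return "reject"
    if score >= min_score:
        return "accept"
    # Low score but only one SP complaining: ask for step-up rather than refuse.
    return "step-up" if reporters < 2 else "reject"
```

With the assumed numbers, two reports from one SP push a credential to a step-up decision, and one further report from a second SP pushes it to rejection.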

My sense is that there are points from both this report and the shared signals paper that are complementary, and could be the core of a shared fraud analytics platform service.

And since I am, at least on a thought exercise level, expending some energy on this and since any seemingly valuable effort/task/time-wasting-exercise requires a good acronym, I hereby name this particular windmill that I am tilting at the Federation-wide Reliable Account Usage Data (FRAUD) Service.

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.
