An operational concern often voiced by public sector RPs relying on an external CSP authentication service is account takeover fraud. The concern grows when the CSP is integrated with a broker architecture that allows a single account to be used at multiple RPs, since one compromised account can then be misused at every RP it has been federated to. This blog post looks at some of the current thinking around how this type of fraud could be mitigated.
Some time ago I had the opportunity to chat about this with Andrew Nash, who has been in the trenches on this topic. Recent circumstances motivated me to re-read a white paper he wrote for OIX on this topic called "The Shared Signals Model (PDF)". It provides a good overview of the issue and outlines one way of addressing it.
"Fraudulent takeover of Consumer accounts and subsequent misuse is a significant problem that occurs daily at Identity Providers [...] The Shared Signals model describes a new collaborative system that enables intelligence sharing between Account Managers (e.g. Identity Providers) to reduce the impact of fraud and account theft on Identity Providers and consumers. Intelligence sharing is limited to event evaluation and information signaling at an account management level and does not require insight into user level transactions." (OIX White Paper: The Shared Signals Model)
- Really like the use of the term "Account Manager" to describe the operational entity that owns and manages Consumer accounts rather than the overloaded term Identity Provider. Within the context of the paper, all Identity Providers are Account Managers, but not all Account Managers are Identity Providers;
- The paper seems to be written for the CSP/IdP community, which is understandable since the good ones out there do implement some manner of continuous identity verification which is typically the source of the event that needs to be signaled, which in turn leads to;
- Not much of a focus on the value-add for RPs;
At the end of it, the approach requires a bunch of highly competitive entities (CSPs/IdPs) to get together and invest in a trusted third party that can serve as the neutral clearing house for sharing fraudulent activity information between them. A valuable service, no doubt, but not an easy one from a legal, compliance, policy and privacy perspective.
I agree with Andrew that "A gestalt perspective, derived from multiple view points based on sharing signals about account use and misuse, creates a much more powerful set of insights". But in the absence of such a perspective, implementing a fraud signaling capability within the confines of a particular community of interest that has adopted a broker/proxy model for authentication may be a good starting point.
In this model, the broker acts as the "Signal Manager" for the community and the existing relationships between the entities are leveraged in order to enable this capability. One of the primary differences is that the RPs in this case are full participants in the signaling. Some points to note with the two variations above:
- The "stop everything" threshold of the CSP may be higher than that of an RP (after all, public sector organizations are notoriously risk-averse), so the ability to signal the RP and have it make the risk-based decision to not authorize access to some or all of the application functionality would come into play here. The CSP keeps serving the account because the activity is below its own bar, but the RP, applying its own lower bar, restricts what that session can do (Pic on left).
- It is entirely plausible that the fraudulent activity is actually detected by the RP, which then initiates the signal to the broker. The broker, using a double-blind mechanism, could notify the other RPs that are connected to it without revealing which RP raised the signal or which identifier that RP holds for the user (Pic on right).
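The two variations above, written out as an added illustration of the broker acting as Signal Manager. This is not code from the original post or from the OIX paper. It assumes that the broker issues a pairwise pseudonymous identifier (PPID) to each RP by HMAC-ing its own account key with a per-RP secret (so neither an RP nor the CSP can correlate another party's identifier for the same user), that a signal carries a numeric confidence score, and that the event label, the RP names and the account identifier are constructed for the example. Each RP applies its own "stop everything" threshold; the CSP forwards signals that fall below its higher bar rather than blocking.

```python
"""Broker-as-Signal-Manager illustration (added example, not the post's own code).

Assumed: PPIDs are HMAC(per-RP secret, broker account key); signals carry a
confidence in [0, 1]; the event label and sample identifiers are made up.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SUSPECTED_TAKEOVER = "suspected-account-takeover"   # hypothetical event label


@dataclass
class RelyingParty:
    """An RP decides for itself what a signal means for its application."""
    rp_id: str
    restrict_threshold: float                       # confidence at which this RP restricts
    accounts: set = field(default_factory=set)      # PPIDs seen at login
    received: list = field(default_factory=list)    # notifications delivered by the broker

    def handle_signal(self, note):
        self.received.append(note)
        if note["subject"] not in self.accounts:
            return "ignored"            # not one of our users; nothing to do
        if note["confidence"] >= self.restrict_threshold:
            return "restrict"           # e.g. deny the sensitive parts of the application
        return "monitor"                # below our bar: log and watch, keep serving


class Broker:
    """The Signal Manager: the only party able to link one user's PPIDs across RPs."""

    def __init__(self):
        self._rp_key = {}     # rp_id -> per-RP HMAC key; never leaves the broker
        self._rps = {}        # rp_id -> RelyingParty
        self._by_ppid = {}    # (rp_id, ppid) -> broker-internal account key
        self._enrolled = {}   # account key -> set of RPs where it has been used

    def register_rp(self, rp):
        self._rp_key[rp.rp_id] = secrets.token_bytes(32)
        self._rps[rp.rp_id] = rp

    def ppid(self, rp_id, account):
        """Pairwise pseudonym: differs per RP, so RPs cannot correlate users."""
        return hmac.new(self._rp_key[rp_id], account.encode(), hashlib.sha256).hexdigest()

    def login(self, rp_id, account):
        """Broker an authentication of `account` (as asserted by the CSP) to rp_id."""
        p = self.ppid(rp_id, account)
        self._by_ppid[(rp_id, p)] = account
        self._enrolled.setdefault(account, set()).add(rp_id)
        self._rps[rp_id].accounts.add(p)
        return p

    def receive_signal(self, sender, subject, confidence):
        """Fan a signal out to every other RP that knows this account (double-blind).

        `sender` is "csp" (subject = CSP account id) or an RP id (subject = that RP's
        PPID). The outgoing note names neither the originator nor its identifier for
        the user; each receiver sees only its own PPID.
        """
        account = subject if sender == "csp" else self._by_ppid.get((sender, subject))
        if account is None:
            return []                    # unknown subject: drop rather than guess
        results = []
        for rp_id in sorted(self._enrolled.get(account, ())):
            if rp_id == sender:
                continue                 # the originator already knows
            note = {"event": SUSPECTED_TAKEOVER, "subject": self.ppid(rp_id, account),
                    "confidence": confidence, "source": "peer"}
            results.append((rp_id, self._rps[rp_id].handle_signal(note)))
        return results


def csp_evaluate(broker, account, confidence, stop_threshold=0.9):
    """CSP-side check: block only above its own bar, but always pass the signal on."""
    verdict = "block" if confidence >= stop_threshold else "allow"
    return verdict, broker.receive_signal("csp", account, confidence)


def run_scenarios():
    broker = Broker()
    benefits = RelyingParty("benefits", restrict_threshold=0.5)
    library = RelyingParty("library", restrict_threshold=0.8)
    tax = RelyingParty("tax", restrict_threshold=0.5)     # never used by this account
    for rp in (benefits, library, tax):
        broker.register_rp(rp)
    acct = "csp-account-123"                                  # constructed sample account
    p_benefits = broker.login("benefits", acct)
    broker.login("library", acct)
    # Left picture: CSP sees activity below its own stop-everything bar and signals.
    left = csp_evaluate(broker, acct, confidence=0.7)
    # Right picture: an RP detects the fraud itself and signals the broker with its PPID.
    right = broker.receive_signal("benefits", p_benefits, confidence=0.95)
    return {"left": left, "right": right, "broker": broker, "rps": (benefits, library, tax)}
```

In the left scenario the CSP returns "allow" while the benefits RP restricts and the library RP only monitors; in the right scenario only the library RP is told, it restricts, and the benefits RP is not re-notified. The tax RP, which the account never touched, hears nothing, and no note carries the originating RP's name or PPID. The real design questions (who may send, how the broker authenticates signals, how long it retains the PPID links it needs to pivot on) are exactly the legal and policy points raised above and are not settled by the code.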
Interested in hearing about the viability of such a mechanism, and how this could potentially be done using standards based approaches.
- OIX White Paper: The Shared Signals Model (PDF)
- Are Federated Credentials and Continuous Identity Verification Compatible?
- Proxy Architecture
- Fraudulent Account Activity Signaling and NISTIR 7817
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.