Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

If we know a user is legitimate, then why would we want to make their user experience more challenging?

Joshua Goldfarb, Global Solutions Architect — Security

September 19, 2022

4 Min Read
A woman holds a mask behind her back as she shakes hands with a businessman
Source: photobyphotoboy via Adobe Stock

Years ago, I had to get hold of a personal document that I needed from a government office. I had brought with me all of the documentation that I was told I needed, but there was an issue — a bureaucratic technicality that rendered one of the pieces of documentation invalid in the eyes of the clerk.

I tried to argue that if we zoomed out and looked at the big picture, it was clear that I was me and entitled to my own document. The clerk would not hear of it, though, and replied, "It should not be easy to get this document." I did not agree and quipped, "It should be easy to get this document if one is entitled to it." Unfortunately, that remark did not get me the document, and I was forced to return another day.

The reason I am sharing this story with you is because it can teach us an important lesson about balancing fraud and user experience. My example illustrates how off-base the conventional wisdom is that says making something harder for a legitimate user to get reduces risk. If a user is legitimate, and if we know they are legitimate, then why would we ever want to make their user experience more challenging?

All that does is introduce another kind of risk — the risk that the user will give up and go elsewhere to get what they need. I didn't have the option of going elsewhere when I needed my document from the government. The users of your online application, on the other hand, very much do have that option in most cases. It is worth thinking about how user experience can be balanced against the need to detect and mitigate fraud losses.

Here are five ways enterprises can improve their fraud detection capabilities in order to better balance fraud detection and user experience.

1. Device Intelligence

I am often surprised by how many fraud rules focus on IP addresses. As you know, IP addresses are trivial for a fraudster to change — the minute you block them from one IP address, they move on to another. The same goes for blocking entire countries or ranges of IP addresses — it is trivial for a fraudster to bypass that. Focusing on IP addresses creates unreliable rules that generate a huge volume of false positives.

Reliable device identification, on the other hand, is entirely different. Being able to identify and track end-user sessions via their device identifiers, rather than their IP addresses, enables fraud teams to hone in on devices that are interacting with the application. This allows for fraud teams to perform a variety of checks and analyses that leverage device identification, such as looking for known fraudster devices, looking for devices that log into a relatively high number of accounts, and other methods.

2. Behavioral Intelligence

It can be quite difficult to differentiate between legitimate users and fraudsters at layer 7 (the application layer) of the OSI model. Moving up to layer 8, or the user layer, however, makes that differentiation much more plausible.

In most cases, legitimate users and fraudsters behave differently within sessions. This is mainly because they have different objectives and levels of familiarity with the online application. Studying end-user behavior gives enterprises another tool they can use to more accurately differentiate between fraud and legitimate traffic.

3. Environmental Intelligence

In many cases, environmental clues (the environment being where the end user is coming from) exist that can help a fraud team differentiate between fraud and legitimate traffic. Having insight into and properly leveraging these environmental clues takes some investment, though it pays huge dividends when it comes to more accurately detecting fraud.

4. Known Good User Identification

As organizations get better at understanding what fraudulent traffic looks like, they also reap another benefit: They become better at identifying what good traffic and what known good users look like. In other words, if I can be reasonably confident that the session in question and the end user navigating it are both good, I can be reasonably confident that I don't need to pile on tons of friction in the form of authentication requests, multifactor authentication (MFA) challenges, or otherwise.

5. Session Focus

Some teams focus somewhat myopically on transactions. That is a bit like trying to see the beauty of the ocean through a straw. True, you can see a portion of the ocean, but you miss most of it. Similarly, looking across the entirety of the end-user session, rather than at individual transactions or groups of transactions, is a great way to more accurately separate fraudulent traffic from legitimate traffic. The techniques mentioned above, along with others, all work far better with a broader, more strategic view of what is going on.

Reduce the Friction

Enterprises do not need to choose between effective fraud detection and ease of use. It is possible to manage and mitigate risk without introducing additional friction to your end users as they journey through your online applications. The time has come to throw out the conventional wisdom that says otherwise.

About the Author(s)

Joshua Goldfarb

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights