Using Geolocation and Anonymizer Data in Rules

RA uses geolocation and IP verification to detect high-risk activities. These capabilities use the IP address of end users to:
  • Verify that they are not accessing from a country or region that you have blacklisted.
  • Verify that they are not moving faster than is actually possible.
  • Verify that they are not hiding their location.
  • Verify that they are not coming from an IP address that you have blacklisted.
Based on any of these checks, you can decide on the mitigating action that you want to take. This action can range from alerting your fraud or security team of a possible compromise, to requiring additional authentication from the end user, to denying access for the session.
This article discusses the use of IP geolocation data and Negative IP checks in RA. Together, these two capabilities provide one of the major components of RA fraud and high-risk detection. They support the following checks as part of the RA out-of-the-box rule settings:
  • Geolocation (Negative Country List)
  • End user change in access location (Zone hopping)
  • Anonymizer data (Negative IP Types)
  • Administrator-defined negative IPs (Negative IP Address List)
What Is Geolocation Data
Neustar IP Intelligence, an industry leader in geolocation information, provide CA Risk Analytics the following types of data as a result of collaboration between the two organizations:
  • Geolocation data
    This data classifies each IP address by latitude, longitude, continent, country, and city.
    By default, this data is used in the Negative Country Check rule and for calculating the distances in the Zone Hopping Check rule. You can also use this data in any custom rules that you create by using the Rule Builder.
    The Country and City elements are both useful for checks on the point of access.
  • Connection information
    Each IP address is classified by routing type, connection type, and line speed.
    This information, especially routing type, is useful in assessing the validity of the geolocation information. For example, if the connection type is Satellite, then the user's location is not reliable.
    In practice, you can ignore this information for geolocation purposes. However, fixed connection types, such as cable, DSL, and OCX, are less likely to be origins of fraud, because their locations are more easily traced back to Internet accounts.
    You can use this data to evaluate fraud.
  • Anonymizer data
    Neustar IP Intelligence perform rigorous testing of IP addresses to determine whether their location information is reliable. As a part of this testing, they identify some IP addresses as Anonymizers.
    IP addresses with this status have tested positive as anonymous proxies that are used to hide the true location of an end user. While this does not necessarily indicate that the intent is fraudulent, it does clearly indicate that the user is hiding their location, and therefore represents a high-risk access.
How to Use Geolocation Data in Rules
Negative Country Check
You use the Manage List Data and Category Mappings pages in the Administration Console to configure the Negative Country List. You do so by adding countries that you consider high risk to the list, or removing them from it.
Typically, you will define this to be a list of countries from which any access attempt is always verified by using some form of Increased Authentication. You can also use this as a Deny rule and list a small set of countries in the Negative Country List.
For financial transactions, you can combine the Negative Country Check rule with an Amount-based rule to reduce the number of cases marked for further investigation.
For general access control, the rule is defined as an Increase Authentication risk advice to trigger a more stringent login process. In these situations, cases are not created.
Zone Hopping Check
The location latitude and longitude are the most important information used in the Zone Hopping Check rule. This rule verifies the time and speed that would be required to physically travel between the points of origin of two successive transactions, as determined from the IP addresses that were used.
If two successive transactions originate at locations that would require travelling at a speed beyond what is reasonably possible within a short time span, then you must conclude that either two different people were accessing the same account from different locations, or the user did something, intentionally or inadvertently, to mask their true location. As a result, you can use this as a Deny rule.
It is highly recommended that you start by setting the values of the Zone Hopping Check rule to the default values provided. Based on the performance of this rule over time, you can tune the settings of this rule to make them more precise.
In its default settings, you should expect the rule to fire about 0.02% of the time. The false-positive rate for this rule is good at under 10:1.
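The following is an added example of the distance-and-speed computation that a Zone Hopping Check performs; it is not CA Risk Analytics code, and the speed threshold, the minimum time window, and the set of routing types that are treated as unreliable locations are assumptions chosen for illustration, not the product's shipped defaults. The check also applies the routing-type caveat from the connection information above: when either access comes from a Satellite, Anonymizer or proxy routing type, the location is not trusted and the rule is skipped rather than fired on bad data.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0

# Routing types whose geolocation the Neustar data describes as unreliable.
# Assumption for this example: which types to exclude is a tuning choice,
# not an RA product default.
UNRELIABLE_ROUTING_TYPES = {"Satellite", "Anonymizer", "Cache Proxy",
                            "International Proxy", "Unknown"}


@dataclass
class Access:
    """One authentication or transaction event with its IP geolocation record."""
    ip: str
    latitude: float
    longitude: float
    routing_type: str
    timestamp: float  # seconds since the epoch


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = (math.sin(d_phi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def zone_hopping_check(prev, curr, max_speed_kmh=1000.0, min_elapsed_s=60.0):
    """Return (fired, detail). fired is True when the travel speed implied by
    two successive accesses exceeds max_speed_kmh.

    max_speed_kmh and min_elapsed_s are assumed thresholds for this example."""
    if prev.ip == curr.ip:
        return False, "same IP address; no movement to evaluate"
    for event in (prev, curr):
        if event.routing_type in UNRELIABLE_ROUTING_TYPES:
            return False, (f"routing type {event.routing_type} for {event.ip}: "
                           "location unreliable, check skipped")
    distance_km = haversine_km(prev.latitude, prev.longitude,
                               curr.latitude, curr.longitude)
    # Clamp the window so near-simultaneous events cannot yield an infinite speed.
    elapsed_s = max(curr.timestamp - prev.timestamp, min_elapsed_s)
    speed_kmh = distance_km / (elapsed_s / 3600.0)
    detail = f"{distance_km:.0f} km in {elapsed_s:.0f} s = {speed_kmh:.0f} km/h"
    return speed_kmh > max_speed_kmh, detail


if __name__ == "__main__":
    # Constructed sample: London, then New York one hour later, both Fixed routing.
    london = Access("203.0.113.5", 51.5074, -0.1278, "Fixed", 0.0)
    new_york = Access("198.51.100.7", 40.7128, -74.0060, "Fixed", 3600.0)
    print(zone_hopping_check(london, new_york))
```

Tuning works as the text describes: start with a generous threshold, then lower `max_speed_kmh` or raise `min_elapsed_s` as the observed hit and false-positive rates justify.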
IP Routing Type
IP Routing Type is an attribute of the IP address and determines the likelihood that the user's location matches the location of the IP address. The possible values for IP Routing Type are:
  • Fixed: The user's IP address is at the same location as the user.
  • Anonymizer: The user's IP address is located within a network block that has tested positive for anonymizer activity. This means the user is potentially hiding their true location by using a service that deliberately proxies all user traffic.
  • AOL (AOL POP, AOL Dialup, AOL Proxy): The user is a member of the AOL service. Neustar IP Intelligence can identify the user's country in most cases; any regional information more granular than country is not possible. Note that in GeoPoint, AOL IPs are denoted by a simple Y/N (Yes/No).
  • POP: The user is dialing into a regional ISP and is likely to be near the IP location; the user could be dialing across geographical boundaries.
  • Superpop: The user is dialing into a multi-state or multi-national ISP and is not likely to be near the IP location; the user could be dialing across geographical boundaries.
  • Satellite: A user connecting to the Internet through a consumer satellite, or through a backbone satellite provider where no information about the terrestrial connection is available. In both cases, the user can be anywhere within the beam pattern of the satellite, which typically spans a continent or more.
  • Cache Proxy: The user is proxied through either an Internet accelerator or a content distribution service; the user could be in any location.
  • International Proxy: A proxy that contains traffic from multiple countries.
  • Regional Proxy: A proxy (not an anonymizer) that contains traffic from multiple states within a single country.
  • Mobile Gateway: A gateway that connects mobile devices to the public Internet. For example, WAP is a gateway used by mobile phone providers.
  • Unknown: The routing method is not known or is not identifiable in the above descriptions.
Connection Type
Connection Type indicates the data connection between a device (or a private LAN) and the public Internet provider. The possible values for Connection Type are:
  • OCX: OC-3 circuits, OC-48 circuits, and so on, which are used primarily by large backbone carriers.
  • TX: T-3 circuits and T-1 circuits, still used by many small and medium companies.
  • Satellite: High-speed or broadband links between a consumer and a geosynchronous or low Earth orbiting satellite.
  • Framerelay: Frame Relay circuits may range from low to high speed and are used as a backup or alternative to T-1. Most often they are high-speed links, so GeoPoint classifies them as such.
  • DSL: Digital Subscriber Line broadband circuits, which include ADSL, IDSL, and SDSL. In general, speeds range from 256 Kbps to 20 Mbps.
  • Cable: Cable modem broadband circuits, offered by cable TV companies. Speeds range from 128 Kbps to 36 Mbps and vary with the load placed on a given cable modem switch.
  • ISDN: Integrated Services Digital Network high-speed copper-wire technology, supporting 128 Kbps, with ISDN modems and switches offering 1 Mbps and greater.
  • Dialup: The consumer dial-up modem space, which operates at 56 Kbps. Providers include EarthLink, AOL, and NetZero.
  • Fixed Wireless: Fixed wireless connections where the location of the receiver is fixed. This category includes WDSL providers, such as Sprint Broadband Direct, as well as emerging WiMAX providers.
  • Mobile Wireless: Cellular network providers such as Cingular, Sprint, and Verizon Wireless, which employ CDMA, EDGE, and EV-DO technologies. Speeds vary from 19.2 Kbps to 3 Mbps.
  • Unknown: GeoPoint was unable to obtain any connection type, or the connection type is not identifiable in the above descriptions.
Line Speed
This parameter indicates the speed of the Connection Type between the device (or a private LAN) and the public Internet provider. The possible values for Line Speed, and the Connection Types each corresponds to, are:
  • High: OCX, TX, and Framerelay.
  • Medium: Satellite, DSL, Cable, Fixed Wireless, and ISDN.
  • Low: Dialup and Mobile Wireless.
  • Unknown: Neustar IP Intelligence was unable to obtain any line speed information.
Region
For convenience, Neustar IP Intelligence have divided the U.S. into 10 geographical regions:
  • Northeast
  • Mid Atlantic
  • Southeast
  • Great Lakes
  • Midwest
  • South Central
  • Mountain
  • Northwest
  • Pacific
  • Southwest
A complete listing can be found under Reference Data, in the Download section of the Neustar IP Intelligence Extranet. Refer to these text files for the latest information.
Continent
Neustar IP Intelligence recognize eight continents:
  • Africa
  • Antarctica
  • Asia
  • Australia
  • Europe
  • North America
  • Oceania (Melanesia, Micronesia, Polynesia)
  • South America
Using Anonymizer Data
IP addresses can also be classified with an anonymizer status. You can control the types of anonymizer IPs that you include in a rule. The different categories of negative IP types, as derived from the Neustar data, are:
  • Negative
    IP addresses with this designation have been sources of fraudulent transactions in the past.
  • Active
    IP addresses with this designation allegedly are anonymizing proxies that have been sources of fraudulent transactions and have been active in the last six months.
  • Suspect
    IP addresses with this designation allegedly are anonymizing proxies that have been active over the last two years, but not for the last six months.
  • Private
    IP addresses with this designation allegedly are anonymizing proxies that are not publicly accessible. These addresses typically belong to commercial ventures that sell anonymity services to the public.
  • Inactive
    IP addresses with this designation allegedly have been sources of fraudulent transactions, but have been found inactive in the last two years.
  • Unknown
    IP addresses with this designation allegedly are anonymizing proxies for which no results are currently available.
Either leave the rule at its default settings, or clear Suspect IPs from the selected types.
While the use of an anonymizer does not necessarily indicate intent to commit a crime, it is highly suspicious because the user might be masking their location. For example, users may be participating in marginal activities, such as accessing gaming from a country where it is not allowed or accessing video or music content from a region that is not licensed.
The hit rate for this rule is highly variable by customer because it is influenced by the portfolio of end users. However, the approximate review rate based on Anonymizers is 0.1% (one in 1000 transactions). False-positive rates tend to vary greatly from as low as 20:1 for US and European users to as high as 100:1 for less developed regions.
How to Use the Negative IP Address List
The Negative IP Check rule performs two functions within a single rule:
  • The rule checks for the IP addresses of end users against the list of known anonymizer proxies.
  • The rule consults the Negative IP Address list that you define to verify whether the incoming IP address is in one of the ranges defined in your table.
You use the Manage List Data and Category Mappings pages in the Administration Console to add IP addresses to the Negative IP Address List.
The rule performance for blacklisted IP addresses depends on how you manage your list. Typically, you add IP addresses to the list when you see fraudulent or risky access that you want to stop, and you remove IP addresses from the list when they are found to originate from a legitimate user.
You can review the transaction report to determine why an end user was blocked or challenged.
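As an added example, here is a small evaluator for the list-based checks described on this page: the Negative Country Check (with the optional amount condition for financial transactions, so that a case is only opened when the amount also crosses a threshold), the anonymizer-category half of the Negative IP Check, and the administrator-defined Negative IP Address List. It is not CA Risk Analytics code; the advice names, their precedence, the "XX" country code, the IP ranges and the amount threshold are constructed for illustration, and the mapping of each hit to an advice follows the recommendations in the text (Deny for the administrator list, Increase Authentication for negative countries and anonymizers).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Advice precedence used by this example (assumption: the ordering is the
# example's own, not a statement of how RA resolves competing rule advice).
ADVICE_RANK = {"ALLOW": 0, "INCREASEAUTH": 1, "DENY": 2}

# Anonymizer categories derived from the Neustar data, as listed above.
ANONYMIZER_TYPES = {"Negative", "Active", "Suspect", "Private", "Inactive", "Unknown"}


@dataclass
class RuleConfig:
    negative_countries: Set[str]      # Negative Country List (country codes)
    negative_ip_types: Set[str]       # anonymizer categories enabled for the rule
    negative_ip_ranges: List[str]     # Negative IP Address List: CIDRs or single IPs
    case_amount_threshold: Optional[float] = None  # None: general access, no cases

    def __post_init__(self):
        unknown = self.negative_ip_types - ANONYMIZER_TYPES
        if unknown:
            raise ValueError(f"unknown anonymizer types: {sorted(unknown)}")
        # strict=False lets a single address or a non-aligned range be accepted.
        self._networks = [ipaddress.ip_network(r, strict=False)
                          for r in self.negative_ip_ranges]

    def ip_in_negative_list(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._networks)


@dataclass
class Access:
    ip: str
    country: str                 # country from the IP geolocation record
    anonymizer_status: str = ""  # Neustar anonymizer category, "" if not flagged
    amount: Optional[float] = None


def evaluate(access: Access, cfg: RuleConfig) -> Tuple[str, bool, List[str]]:
    """Return (advice, create_case, reasons) for one access attempt."""
    advice = "ALLOW"
    create_case = False
    reasons = []

    def raise_to(new_advice: str) -> None:
        nonlocal advice
        if ADVICE_RANK[new_advice] > ADVICE_RANK[advice]:
            advice = new_advice

    # Negative IP Check, function 1: known anonymizer proxy of an enabled category.
    if access.anonymizer_status in cfg.negative_ip_types:
        reasons.append(f"{access.ip} has anonymizer status {access.anonymizer_status}")
        raise_to("INCREASEAUTH")

    # Negative IP Check, function 2: administrator-defined Negative IP Address List.
    if cfg.ip_in_negative_list(access.ip):
        reasons.append(f"{access.ip} is in the Negative IP Address List")
        raise_to("DENY")

    # Negative Country Check: Increase Authentication; for financial transactions
    # a case is created only when the amount also meets the configured threshold.
    if access.country in cfg.negative_countries:
        reasons.append(f"country {access.country} is in the Negative Country List")
        raise_to("INCREASEAUTH")
        if (cfg.case_amount_threshold is not None and access.amount is not None
                and access.amount >= cfg.case_amount_threshold):
            create_case = True
            reasons.append(f"amount {access.amount} meets the case threshold")

    return advice, create_case, reasons


if __name__ == "__main__":
    # Constructed configuration: one negative country, default-style anonymizer
    # types (Suspect kept, Inactive and Unknown cleared), two blacklisted ranges.
    cfg = RuleConfig(negative_countries={"XX"},
                     negative_ip_types={"Negative", "Active", "Suspect", "Private"},
                     negative_ip_ranges=["203.0.113.0/24", "198.51.100.42"])
    print(evaluate(Access("203.0.113.77", "US"), cfg))
    print(evaluate(Access("192.0.2.10", "XX", "Suspect"), cfg))
```

The `reasons` list is what you would want surfaced in the transaction report: it records which list or category produced the advice, so an analyst can see why an end user was blocked or challenged.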