Identity Theft Detection
Due to the multiple security challenges we face today, there is a need for a higher level of security to protect users from identity theft. When identity theft occurs, fraudsters impersonate the identity of someone else in order to access their computer.
Today, security officers provide users with tools and education on how to protect their identity (such as, Two-Factor Authentication, Password complexity, reset rules, and so on). But once an identity is stolen, no tool can clearly identify or track the incident, and the responsibility for detection lies entirely on the security officer. ITM On-Prem (ObserveIT) enables you to include users in the detection process, and thus make users responsible for their identities. IT identity theft incidents can be detected and neutralized much quicker when users have a means to flag unauthorized logins.
The ITM On-Prem (ObserveIT) Identity Theft Detection solution is designed to detect access to ITM On-Prem (ObserveIT) monitored endpoints from unauthorized client computers.
When Identity Theft Detection is enabled, and users are logged on to ObserveIT-monitored endpoints, ITM On-Prem (ObserveIT) administrators or security officers will be notified about any suspicious login. A suspicious login is defined when a user tries to log in from an unauthorized client machine.
ITM On-Prem (ObserveIT) keeps track of authorized user login IDs and their client machines by "pairing" the domain name/login name of the user with the client computer from which the user is logged in. If a user logs in to a server from a client that is not paired to the user, an email is sent to the user, stating that there is a suspicious login with this user's credentials.
Events are generated for each and every login whether or not they originate from paired user-clients. If a user requests a user-client pairing, a "pairing request" event is issued. The administrator can track and monitor all authorized and unauthorized login and pairing request events.
For example, if a hacker steals the credentials of a user and logs in from a remote machine, or if an internal user uses the administrator's password to log in to a server from the user's desktop, a suspicious login event is generated, and the user is notified about it by email. The email confirms which server the user logged on to, and from which client (user) machine the login originated. After receiving the email notification, if the user (or administrator) is indeed the person who logged in, they can ignore the email or submit a pairing request. If the user (or administrator) denies being the person who logged in, they should report this to the administrator.
For example, an internal user steals an administrator’s password and logs in to a server from her own desktop, generating an email saying, “The user ‘johnsmith’ logged in to server DBPROD-4 from unauthorized desktop KATHY-DSKTP. Please confirm that it was you who performed this action.”
Following is an example of a suspected identity theft email notification:
To enable the Identity Theft Detection feature, the "Enable Identity Theft Detection" check box must be selected in the server's policy settings.
The user can either confirm or deny the action. In parallel, an event is logged for the administrator to track and monitor unauthorized pairings. Granular security rules can be applied to specify how to manage each user confirmation.
Overview of the Identity Theft Detection Process
- The user logs in to a server from the desktop.
- If Identity Theft Detection is enabled, the user receives an email notification about the login activity. At the same time, an event is triggered.
  In order for a user to receive email notifications, the user's email must be configured in the user's profile on the LDAP server.
- If the email notification indicates suspicious login activity which was not initiated by the user:
  - The user can click the first link in the email text (i.e., "If this activity was not initiated by you, click here.") to create a high severity event which will appear in the Events list.
  - An email is sent to the ITM On-Prem (ObserveIT) administrator reporting the suspicious login event.
- If the email notification indicates login activity which was initiated by the user, the user can either ignore the email, or click the second link in the email text (i.e., "If you want to avoid receiving notifications when DomainName/LoginName is logged in from 'clientName', click here."). By clicking this link, the user submits a pairing request to the administrator which in effect says "I do not want to receive emails when I connect from this client. Please approve this user-client pairing."
  If the pairing request is approved by the administrator, the user will no longer receive emails about activity for this specific user-client pairing. If the administrator rejects the pairing request, the user will continue to receive email notifications about this user-client activity. In addition, a new "pairing request" event is added to the Events table with a "Not Approved" status, and a message is sent to the user confirming this.
If Identity Theft Detection is enabled, and the ITM On-Prem (ObserveIT) system fails to send an email notification to the user, the email will be redirected to the administrator.
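The following is an added model of the user-client pairing and notification flow described above; it is example code written for this page, not ITM On-Prem (ObserveIT) product code. The class, method and email address names are assumptions, and the sample login reuses the johnsmith / DBPROD-4 / KATHY-DSKTP values from the page with a constructed domain prefix.

```python
"""Constructed model of Identity Theft Detection pairing logic (not product code)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass(frozen=True)
class Login:
    user: str    # "DomainName/LoginName"
    client: str  # client computer the session comes from
    server: str  # monitored endpoint the user logged in to

@dataclass
class Detector:
    pairings: set = field(default_factory=set)   # approved (user, client) pairs
    events: list = field(default_factory=list)   # (type, severity, detail) log
    mail: list = field(default_factory=list)     # (recipient, subject) outbox
    admin: str = "admin@example.test"            # assumed administrator mailbox

    def process_login(self, login: Login, user_email: Optional[str]) -> str:
        """Every login yields an event; an unpaired client also notifies the user."""
        pair = (login.user, login.client)
        if pair in self.pairings:
            self.events.append(("authorized login", "low", login))
            return "authorized"
        self.events.append(("suspicious login", "medium", login))
        subject = (f"The user '{login.user}' logged in to server {login.server} "
                   f"from unauthorized desktop {login.client}. Please confirm.")
        # No deliverable user address (e.g. no LDAP email): redirect to the admin
        self.mail.append((user_email or self.admin, subject))
        return "suspicious"

    def user_denies(self, login: Login) -> None:
        """First link: high severity event plus an email to the administrator."""
        self.events.append(("identity theft reported", "high", login))
        self.mail.append((self.admin, f"Suspicious login reported for {login.user}"))

    def request_pairing(self, login: Login) -> Tuple[str, str]:
        """Second link: user asks to stop notifications for this user-client pair."""
        req = (login.user, login.client)
        self.events.append(("pairing request", "low", req))
        return req

    def decide_pairing(self, req: Tuple[str, str], approve: bool, user_email: str) -> str:
        """Administrator approves (pair becomes trusted) or rejects the request."""
        if approve:
            self.pairings.add(req)
            return "Approved"
        self.events.append(("pairing request", "low", (req, "Not Approved")))
        self.mail.append((user_email, f"Pairing request for {req} was not approved"))
        return "Not Approved"
```

Run the flow twice against the same login: before the pairing is approved it is reported as suspicious, afterwards it is logged as an authorized login with no user notification.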