Detecting people sharing login / account information for a website

9.8k views

I have a website that contains a secure area accessible by logging in with account info. Within the secure area, I have some expensive IP. I have been finding that people are sharing their passwords with other people. Are there any existing technologies / solutions / methods that I can implement to detect fraud patterns?

Thanks in advance for the help.

4

There are 4 answers

1
Adrian (BEST ANSWER)
  • check geographical region. If within some timeframe multiple logins come from regions geographically far apart, then you know those credentials have been shared.

    Friday morning a log in from NY, Friday evening a log in from China

  • bandwidth consumption: if your site offers lots of content, if a user goes over some high limit, it means its credentials have been shared

    max bandwidth 5MB/s; then in one day 60*60*24*5MB is your upper limit per day per user

  • keep a counter of live sessions so you can see how many people log in at the same time. This is imprecise because the same person can log in through multiple browsers from the same IP and have a session on each one.

    if they have 100 sessions (4 times/hr), that seems more than one person can do, unless your site expects this behaviour

0
Louis Kottmann

It is quite a tricky issue:
If your users change location several times a day, their IP will change, but it's still the same person.
If your user has the same location throughout the day, but connects several times, it could very well be different users, say, in an internet café.

You will have to use a combination of those: if the user changes IP frequently, go and check the map location of that IP, and see if it's possible to travel the distance in the time between the 2 connections. If it's not, it's a fraud.
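Adrian's first bullet and the distance-versus-time check in this answer amount to the same rule, usually called impossible travel. The following is an added example, not code from either answer: it assumes each login has already been geolocated to a latitude/longitude (the IP-to-location lookup the answer mentions is not shown), and the names `LoginEvent`, `detect_impossible_travel`, the 900 km/h ceiling and the 100 km floor are all assumptions. The sample logins, including the New York to China pair from the accepted answer, are constructed.

```python
"""Impossible-travel check over login events.

Added example, not code from the thread. It assumes each login has already
been geolocated to a latitude/longitude (the answers suggest an IP-to-location
lookup, which is not shown here) and that one person moves no faster than
MAX_SPEED_KMH between logins. All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0                  # assumed ceiling, about an airliner's cruising speed
MIN_DISTANCE_KM = 100.0                # assumed floor to absorb IP geolocation error
COMPARE_WINDOW = timedelta(hours=24)   # only compare logins this close in time


@dataclass(frozen=True)
class LoginEvent:
    user: str
    when: datetime
    ip: str        # kept for the report only
    lat: float
    lon: float


@dataclass(frozen=True)
class TravelAlert:
    user: str
    earlier: LoginEvent
    later: LoginEvent
    distance_km: float
    required_speed_kmh: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH,
                             min_distance_km=MIN_DISTANCE_KM, window=COMPARE_WINDOW):
    """Flag consecutive logins of one user that would require travelling faster
    than max_speed_kmh. Returns a list of TravelAlert, oldest first."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for earlier, later in zip(evs, evs[1:]):
            gap = later.when - earlier.when
            if gap > window:
                continue                       # too far apart in time to say anything
            dist = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            if dist < min_distance_km:
                continue                       # same area as far as geolocation can tell
            hours = gap.total_seconds() / 3600
            # Same timestamp, distant places: no speed is fast enough, so flag it
            # without dividing by zero.
            speed = float("inf") if hours == 0 else dist / hours
            if speed > max_speed_kmh:
                alerts.append(TravelAlert(user, earlier, later, dist, speed))
    return alerts


FRIDAY = datetime(2023, 6, 2)   # constructed sample day
SAMPLE_LOGINS = [
    LoginEvent("alice", FRIDAY.replace(hour=8), "198.51.100.10", 40.71, -74.01),   # New York, morning
    LoginEvent("alice", FRIDAY.replace(hour=18), "203.0.113.25", 31.23, 121.47),   # Shanghai, evening
    LoginEvent("bob", FRIDAY.replace(hour=9), "198.51.100.20", 40.71, -74.01),     # New York
    LoginEvent("bob", FRIDAY.replace(hour=13), "198.51.100.21", 42.36, -71.06),    # Boston, 4 h later
]

if __name__ == "__main__":
    for a in detect_impossible_travel(SAMPLE_LOGINS):
        print(f"{a.user}: {a.distance_km:.0f} km between {a.earlier.when:%a %H:%M} ({a.earlier.ip}) "
              f"and {a.later.when:%a %H:%M} ({a.later.ip}) needs {a.required_speed_kmh:.0f} km/h")
```

The distance floor matters more than the speed ceiling in practice: IP geolocation is often only accurate to a city or region, so two logins a few kilometres apart at the same minute are noise, while New York to Shanghai in ten hours is not. Rather than treating an alert as proof, feed it to the same review process the other answers describe (a notification to the account holder, or a forced re-authentication).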

3
NotMe

There are several ways to approach this. But it's really going to boil down to the type of content and how often a given user really is grabbing new content. For adult websites, obviously the primary purpose of the logins is to download new content. I'm not sure about your site.

One way, and perhaps the easiest, is to simply limit the number of simultaneous downloads and/or rate limit each download.

If the files are large enough, you can impose a rate limit on how fast the data transfer takes place. Pick something that's a little slow, but not slow enough to make people mad. I would guess taking 30 seconds to download a file isn't too bad.

Then, only allow them to download 1 or 2 documents at a time per login id. People will be a bit less likely to share their password if they know that they may not be able to download something because someone else is.


Another approach would be to capture the IP address when the user signs in. Yes, I know this changes, but it gives you a starting point. If multiple users are active with the same login id but with different IPs, then you can send them an alert stating that their account has been "hacked" ;) and that you are changing the password. Change it, kick everyone out, and send the password to the email address you have on file.

Bear in mind that you don't want to stop a user from accessing it from work then going home and accessing it there. So, you have to make sure that they are essentially online at the same time. This means getting requests from different IPs within a minute or two of each other.


A twist on this would be to detect if multiple session ids are associated with the same login. For example, when they log in, save the current session id to a table. After they log out or a timeout is reached, clear that session id.

Don't let them log in again while another session id is active. Inform them they have to wait xx minutes until the session is cleared OR that another user is currently logged in with their account.

Ask them if they want to reset the session. This allows for situations where someone accidentally closes the browser and goes back to your site. If they pick yes, then stop the currently active session, change the password and send it to the email address on file.

I guarantee this last one will make people stop sharing their passwords. After all, if I can't log in because someone I gave my password to is currently online, then this is a pain point I want to stop. Also, if I'm the one who borrowed the password and just locked myself out because the password changed then I'll either get my own account or go elsewhere: both of which are usually acceptable situations.
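The session-table procedure in this answer (save the session id on login, clear it on logout or timeout, refuse a second login while one is active, offer a reset that rotates the password) and Adrian's live-session counter can be expressed as one small registry. The following is an added example, not code from either answer; the class and method names (`SessionRegistry`, `login`, `reset_and_login`, `touch`, `active_count`), the 30-minute idle timeout and the walkthrough clock are all assumptions, and the caller is assumed to pass in the current time and to email the rotated password with its own mailer.

```python
"""Single-active-session registry with a user-triggered reset.

Added example, not code from the thread. It assumes the application passes the
current time into each call, issues the returned session id as the user's
cookie, and emails a rotated password with its own mailer (represented here
only by an audit entry). Password storage itself is out of scope.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SESSION_TIMEOUT = timedelta(minutes=30)   # assumed idle timeout


@dataclass
class Session:
    session_id: str
    user: str
    ip: str
    last_seen: datetime


@dataclass(frozen=True)
class LoginOutcome:
    status: str                     # "ok" or "blocked"
    session_id: Optional[str] = None
    wait_minutes: int = 0           # blocked: minutes until the other session times out
    other_ip: Optional[str] = None  # blocked: where the live session comes from


class SessionRegistry:
    def __init__(self, timeout=SESSION_TIMEOUT):
        self.timeout = timeout
        self._by_user = {}   # user -> Session (at most one per user)
        self._by_id = {}     # session_id -> Session
        self.audit = []      # (event, user, detail) tuples for the security log

    def _drop(self, s, reason):
        self._by_user.pop(s.user, None)
        self._by_id.pop(s.session_id, None)
        self.audit.append((f"session_{reason}", s.user, s.session_id))

    def _live_session(self, user, now):
        """The user's session if it has not idled out, expiring it otherwise."""
        s = self._by_user.get(user)
        if s is not None and now - s.last_seen >= self.timeout:
            self._drop(s, "expired")
            return None
        return s

    def _open(self, user, ip, now):
        s = Session(secrets.token_urlsafe(24), user, ip, now)
        self._by_user[user] = s
        self._by_id[s.session_id] = s
        self.audit.append(("login", user, ip))
        return LoginOutcome("ok", session_id=s.session_id)

    def login(self, user, ip, now):
        """Refuse a second concurrent session and say how long to wait."""
        live = self._live_session(user, now)
        if live is not None:
            remaining = self.timeout - (now - live.last_seen)
            wait = max(1, -(-remaining.seconds // 60))   # ceiling in whole minutes
            self.audit.append(("concurrent_login_blocked", user, f"{live.ip} -> {ip}"))
            return LoginOutcome("blocked", wait_minutes=wait, other_ip=live.ip)
        return self._open(user, ip, now)

    def reset_and_login(self, user, ip, now):
        """The 'reset the session' choice: end the live session, rotate the
        password (the caller emails it to the address on file) and start afresh."""
        new_password = None
        live = self._live_session(user, now)
        if live is not None:
            self._drop(live, "reset")
            new_password = secrets.token_urlsafe(12)
            self.audit.append(("password_rotated", user, "send to email on file"))
        return self._open(user, ip, now), new_password

    def touch(self, session_id, now):
        """Refresh last_seen on each request; False means the session is gone."""
        s = self._by_id.get(session_id)
        if s is None:
            return False
        if now - s.last_seen >= self.timeout:
            self._drop(s, "expired")
            return False
        s.last_seen = now
        return True

    def logout(self, session_id):
        s = self._by_id.get(session_id)
        if s is not None:
            self._drop(s, "logout")

    def active_count(self, now):
        """Adrian's live-session counter, after expiring idle sessions."""
        return sum(1 for u in list(self._by_user) if self._live_session(u, now))


T0 = datetime(2023, 6, 2, 9, 0)   # constructed clock for the walkthrough


def minutes(n):
    return T0 + timedelta(minutes=n)


if __name__ == "__main__":
    reg = SessionRegistry()
    print(reg.login("alice", "198.51.100.10", minutes(0)))            # ok
    print(reg.login("alice", "203.0.113.25", minutes(5)))             # blocked, wait 25 min
    print(reg.reset_and_login("alice", "203.0.113.25", minutes(6))[0])  # ok, password rotated
```

The audit list is the part worth keeping in a real deployment: a run of `concurrent_login_blocked` entries for one account, especially between different IPs, is the evidence that the account is shared, and the `password_rotated` entries record when the reset path was exercised. Clients that legitimately hold several sessions (a phone and a laptop) will hit the block too, so the timeout and the reset prompt need to be tuned against the expected behaviour the accepted answer mentions.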

0
Cayden

https://softwareengineering.stackexchange.com/a/442073/422609 has some detailed suggestions on this topic.

Signals that may be useful:

  • IP
  • Device identifier (via fingerprinting or other means depending on platform)
  • Location
  • User behaviour

You can also look at other means such as using links to get people to login or multifactor auth that adds some friction to the sharing.

I would think more about what you intend to do once you detect someone sharing it. Is the outcome to get them to pay per user or per organization?

Finally, a bigger question is do you want to build detection or buy detection? Dealing with constantly updating device/browser information, IP and location accuracy and then combining that with user behaviour and events is hard work.

Check how big the problem is for free with tools like https://upollo.ai and then see whether you want to build it in house or use tools like Upollo for detection.