Q&A with Justine Fox, Director of Software Engineering at NuData Security.
Why do companies block IP addresses to begin with?
Attackers leverage compromised devices and assigned IP addresses to commit identity theft and fraud-related crimes. The cheapest and easiest solution to preventing further abuse by a device associated with an IP address is to block the IP address. Often companies will subscribe to aggregated lists of IP addresses with a known risk of abuse. This helps to prevent attacks from occurring by leveraging the history of good or bad behavior from an IP address while keeping the cost of goods and services from that company low.
Why do good users sometimes find their IP address is under a blocklist?
Internet service providers (ISPs) use several different internet protocols to assign IP addresses to their customers. IP addresses are cycled amongst the customers of the ISP, and the ISP will typically remove tainted or block-listed IP addresses temporarily while the IP address recovers from being used for abuse. Otherwise, your household may contain a compromised device that is abusing online services.
How often does a good user experience IP address block listing?
This varies depending on the online services the good user is using and the type of security measures used by the companies they do business with. For example, an infrequently updated threat or abuse block list has a higher chance to inappropriately block a good user than a frequently updated block list. If the online service is using a layering strategy that includes a block list as part of the approach, then the alternative layers may provide additional insights to evidence whether or not to block the user interaction.
Why are IP addresses often recycled?
There is a fixed pool of IP addresses available to internet service providers for their customers.
ID blacklisting is a way to prevent fraudsters and other bad actors from accessing websites. Are there other ways organizations can protect themselves without putting good users at risk?
Taking a layered approach can strengthen security while lowering the risk of reputation damage that comes from incorrectly blocking a good user. As an example, an organization can combine a block list with passive or active biometric authentication, behavior analytics, and device intelligence.
What is passive biometric authentication and how can it help organizations identify bad actors?
Passive biometric authentication is information about how the device is being used, such as typing speed or device orientation. Organizations can use this information to know if the user of the device is a good user or an attacker based on whether the device usage matches the normal pattern of the expected user.
Justine Fox is a Director of Software Engineering at Mastercard working in the NuData Security group. In addition to their role at Mastercard, they work as an AWS Academy Accredited Instructor for BCIT and UBC.