What Are Impossible Travel Logins?
What is an “impossible travel login”? How can it affect your organization? And what is the best way of combatting it?
An impossible travel login is where an account is accessed from two different locations, in too short a time for the user to realistically have travelled between those two locations. This indicates that one of the logins is fraudulent.
With the rise in hybrid working, employees are connecting to digital accounts from a range of physical locations, and verifying an individual’s identity is becoming increasingly difficult. Employees can log in from an office or from home, within or outside office hours, from a desktop or from a tablet. This makes work practices easier and more flexible for the end-user, helping to boost productivity. But, without the proper security tools in place, it also exposes your company to identity- and credential-related cyberthreats, such as impossible travel logins.
“Impossible travel” or a “superman login” is when a user accesses an account from one geographical place, then logs in again from a markedly different location without enough time to reasonably have travelled there. For example, it is obviously impossible to log in from New York, then Frankfurt, Germany, 60 minutes later. There is no way someone can physically travel the 3,852 miles between the two locations in one hour. If an account registers this type of behavior, there is a high chance that one of the logins is fraudulent and that there are two users (one valid and one fraudulent) trying to access the same account.
However, there is another explanation. With the use of VPNs, this type of travel can appear possible digitally. A user’s home Wi-Fi might be registered in New York, but the corporate VPN might be routed via Frankfurt. The digital signature of each login will show two very different locations – locations that it is impossible to travel between so quickly.
But why are impossible travel logins so dangerous, how can you identify them, and how can you prevent unauthorized third parties from accessing your users’ accounts?
The Risks Of Impossible Logins
Simply put, an impossible login means that someone who should not have your user’s account details has them. They’ll likely either have stolen these via a phishing attempt, or cracked them using brute force. As they have valid login credentials, their access would go unnoticed if it weren’t for the geographical identification. This is dangerous as it gives the malicious user free time within your system. They might use this time to understand what security protocols are in place or attempt to gain the credentials to an account with more access privileges.
The malicious user might also try to identify sensitive data and steal important information about customers, your business or your security set up. They could then lock down this information using ransomware and demand payment to stop them from releasing it, or install other types of malware to corrupt your system or damage your infrastructure.
There are many things that a malicious user might do once they have gained access to your network. An impossible login can be the precursor to a much bigger, more significant breach if it goes unnoticed. It is, therefore, essential that impossible logins are dealt with thoroughly and efficiently.
Identifying Impossible Travel Logins
Thankfully, evidence of an impossible travel login is easy to identify. The only data that is needed is a time stamp and a location stamp. By monitoring where a login request is coming from, and making a note of the time, you can easily recognize any logins that are impossible. In most instances it will be obvious if the travel window is unrealistic. There are, however, travel times that may need to be researched to understand how plausible the login is.
Complications
There are several factors that make successfully identifying an impossible travel login slightly harder.
- Using two devices to access your account, even in the same location, can be flagged as an impossible login. A laptop connecting to a home ISP can give a markedly different location to a mobile device that is connecting through a carrier ISP. The swing in location might appear like one of these devices is attempting to gain access fraudulently.
- If an employee uses a private VPN whilst working at home, their account location will be disguised. In the interests of security, a SIEM might block this login as it cannot verify where you are logging in from.
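The timestamp-plus-location check described above, written as an added example (it is not code from the original article): consecutive logins per user are compared, the great-circle distance and implied speed are computed, and a pair is flagged when the speed is not plausible. To reduce the two false-positive cases just listed, it ignores small distances (two devices geolocated slightly apart) and optionally treats known corporate VPN egress coordinates as not being travel. All coordinates, speeds and login records are constructed sample values, and the 900 km/h threshold is an assumption to tune per organization.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0     # assumed threshold: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0       # ignore small jumps caused by ISP geolocation noise

# Constructed: coordinates of a corporate VPN egress point in Frankfurt
VPN_EGRESS_FRA = (50.0379, 8.5622)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def find_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH,
                           min_km=MIN_DISTANCE_KM, vpn_coords=frozenset()):
    """logins: iterable of (user, timestamp, lat, lon).
    Returns (user, prev_ts, ts, distance_km, speed_kmh) for each consecutive pair
    whose implied speed exceeds max_kmh, unless either end is a known VPN egress."""
    flagged, last_seen = [], {}
    for user, ts, lat, lon in sorted(logins, key=lambda r: (r[0], r[1])):
        prev = last_seen.get(user)
        if prev is not None:
            p_ts, p_lat, p_lon = prev
            dist = haversine_km(p_lat, p_lon, lat, lon)
            hours = max((ts - p_ts).total_seconds() / 3600.0, 1 / 3600.0)  # floor at 1 s
            speed = dist / hours
            via_vpn = (p_lat, p_lon) in vpn_coords or (lat, lon) in vpn_coords
            if dist >= min_km and speed > max_kmh and not via_vpn:
                flagged.append((user, p_ts, ts, round(dist), round(speed)))
        last_seen[user] = (ts, lat, lon)
    return flagged

# Constructed sample logins (user, time, lat, lon)
SAMPLE = [
    ("alice", datetime(2024, 1, 10, 9, 0), 40.7128, -74.0060),   # New York
    ("alice", datetime(2024, 1, 10, 10, 0), 50.1109, 8.6821),    # Frankfurt, 60 min later
    ("bob", datetime(2024, 1, 10, 9, 0), 40.7128, -74.0060),     # home ISP geolocation
    ("bob", datetime(2024, 1, 10, 9, 2), 40.7300, -73.9900),     # mobile carrier, ~2 km away
    ("carol", datetime(2024, 1, 10, 9, 0), 40.7128, -74.0060),   # home Wi-Fi, New York
    ("carol", datetime(2024, 1, 10, 9, 5), *VPN_EGRESS_FRA),     # same user via corporate VPN
]

if __name__ == "__main__":
    for hit in find_impossible_travel(SAMPLE, vpn_coords={VPN_EGRESS_FRA}):
        print("IMPOSSIBLE TRAVEL:", hit)
```

Without the VPN allowlist, carol’s VPN login is flagged as well, which is exactly the false positive the article warns about; with it, only alice’s New York to Frankfurt pair remains.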
Preventing Impossible Travel Logins
SIEM
A Security Information and Event Management (SIEM) solution can have policies in place to mitigate the risk of impossible logins, without continually deferring to an admin or SOC. Increasingly, SIEMs are using AI and ML to identify and remediate impossible login attempts. A SIEM can understand a user’s usual behavior, recording data such as login locations, times, and devices, and flag any trends that do not fit within this pattern. This analysis is adaptive and specific to each user, ensuring that it is an accurate method for identifying anomalies and threats.
Admins can adjust the sensitivity scale depending on the way that their organization works. This ensures that the balance between security and usability can be tailored.
The larger your organization, the more versatile your SIEM solution needs to be. A multinational company will have users logging in from a range of locations, at different times of the day. Your SIEM will have to build an intricate picture of each user to accurately identify if the login is valid or fraudulent. A smaller organization, on the other hand, will have a much more limited geographic location, with a more manageable number of users. It will, therefore, be easier to identify a fraudulent login.
CASB
On top of SIEM solutions, a CASB (Cloud Access Security Broker) will monitor and protect user access to the cloud. CASBs will ensure that any login to the cloud is in line with the pre-existing security protocols, i.e., correct device, appropriate geographical location, and expected login time. Although they cover very different areas, CASBs and SIEMs have a similar end outcome.
With both CASBs and SIEMs, a notification can be delivered to an account or SOC admin. It will then be up to the admin to decide if the access attempt should be permitted or blocked. To determine if a login is authentic or not, an admin will need to provide a “plausible benign scenario” – a justification of why a valid login attempt has been logged in a specific location. There will need to be a reason why that user is logging in from that location at that time. A login should only be permitted if all these factors can be explained.
To maintain account security, the user should be blocked from the account until their attempt is verified. Whilst locked out of their account, the user will be unable to access important documents or applications. While this is a highly effective way of blocking threat actors, it can also impact the productivity of a legitimate user signing in via a VPN or on two devices. This process can be time consuming and therefore frustrating for both the admin and the user.
IP Recognition
If an employee works between several specified locations, the IP addresses for those locations can be whitelisted, meaning that entry from them will be allowed. Any other IP addresses can be blocked. This is particularly useful if your organization has several branch locations, or if employees regularly work from home, as the accounts can then only be accessed from a predetermined IP.
Device Recognition
If a user travels to many different locations and needs access to their accounts, registering their device might be a better solution than IP recognition. This ensures that only specific devices will have access to your accounts. The benefit of this is that your user will be able to gain access from wherever they are. The downside is that if their device is lost or broken, they will be unable to log in on a different device until the admin has approved the new device.
MFA
There are ways to protect your accounts from impossible travel login attempts that do not need to monitor IP location. By requiring MFA (Multifactor Authentication) to allow access to accounts, you can ensure that only verified users are admitted. MFA requires a user to verify their identity in at least two ways. This might be through a password, OTP, hardware token or biometric identification. This can be a very robust way of enhancing account security.
Contextual identification policies can be in place which automatically corroborate a user’s location, time, or other behavioral factors with their usual habits. This makes it apparent if a user’s login is suspicious or anomalous. This is a very simple security feature that is easy to roll out, if it isn’t already in place.
Summary
Impossible travel logins are an obvious indicator that the wrong person is trying to access your accounts. They are easy to spot, even if there are factors that might lead to false positives. With the right security tools in place, you can block a malicious login attempt at the click of a button. It is, however, essential that impossible travel logins are treated robustly and effectively. Failure to do so could lead to further, more significant cyberattacks and breaches.