Preventing phishing attacks based on reputation of user locations

摘要

User sessions are authenticated based on locations associated with a user account used for sending a request for creating a session. Examples of locations of a source of a request include a geographical location, a network address, or a machine cookie associated with a device sending the request. Locations of the request are compared with stored safe locations associated with the user account and a suspiciousness index is determined for the session. The level of authentication required for the session is determined based on the suspiciousness index. Locations are associated with a reputation based on past history of sessions originating from the locations. A location associated with a history of creating suspicious session is considered an unsafe location. Reputation of the location originating the session is used to determine the level of authentication required for the session.

主权项

1. A computer implemented method comprising:
maintaining, by a system, a safe locations database storing safe locations for user accounts, the safe locations database associating each user account with a set of safe locations, each stored safe location associated with a past user session determined to be safe, each stored safe location having a location type; and growing the safe locations database by adding safe locations for user accounts based on live user sessions associated with user accounts, comprising:
receiving a request to create a session associated with the user account;identifying a plurality of locations of different location types associated with a source of the request;retrieving one or more stored safe locations associated with the user account from the safe locations database;matching locations from the identified plurality of locations with the one or more stored safe locations retrieved from the safe locations database;determining that the request is authorized if at least one of the identified plurality of locations associated with the source of the request matches a stored safe location retrieved from the safe locations database;responsive to determining that the request is authorized, selecting at least one of the identified plurality of locations associated with the source of the request, wherein the selected location is of a different location type than the identified location that matches a stored safe location; andadding the selected location to the set of safe locations associated with the user account stored in the safe locations database.