- 21 Oct 2024
Scenario 1. Black list device
This scenario shows how to blocklist devices. In this case, the scenario actor's bank does not allow rooted mobile phones.
Scenario actor: Alice ARNAUD
About this scenario - requests
The scenario consists of six requests that are sent to Risk Analytics. In the first four requests (RA_0101.a., RA_0101.b., RA_0101.c., and RA_0101.d.), Alice ARNAUD attempts to log in, fails, tries again, and succeeds. This sequence is considered normal and poses no risk.
Alice ARNAUD proceeds with an external transfer transaction in request RA_0101.e., which is again normal and poses no risk.
Finally (request RA_0102.), Alice ARNAUD attempts to log in from a rooted mobile phone. Because the bank classifies rooted devices as a very high risk, the rooted device, identified by its device ID, is inserted into the DEVICE_BLACK_LIST hot list, and the login attempt is declined (response code: Decline, Response = 1).
Analysis
To analyse the rules triggered and alerts raised for the scenario, log on to Risk Analytics Presentation Service and navigate to SUPERVISE & INVESTIGATE > My Alerts.
Pending alert:
RA_0102 Rooted Device in the High Risk Devices alert queue, raised by the matching rule RA_0102 Rooted Device.
The unique identifier for the rooted device (AA_ROOTED_FPH_*) has been added to the DEVICE_BLACK_LIST.
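The following is an added example, not Risk Analytics code or configuration: a small Python model of the flow described above, in which a rooted-device login is declined, its device ID goes into the hot list, and an alert is queued. The request field names, the sample device IDs, the accept value 0, and the follow-on check that declines an already-listed device are assumptions made for illustration.

```python
from dataclasses import dataclass, field

DECLINE = 1  # from the page: "Decline, Response = 1"
ACCEPT = 0   # assumption: the page does not state the accept value

@dataclass
class Engine:
    """Toy model of a rule engine with one hot list and one alert queue."""
    device_black_list: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def evaluate(self, req: dict) -> int:
        device = req.get("device_id")
        # Assumed follow-on behaviour: a listed device is declined on sight,
        # even if this request no longer reports it as rooted.
        if device in self.device_black_list:
            return DECLINE
        # Model of the matching rule "RA_0102 Rooted Device".
        if req["type"] == "login" and req.get("rooted"):
            if device:  # nothing to list when the device ID is missing
                self.device_black_list.add(device)
            self.alerts.append(
                ("High Risk Devices", "RA_0102 Rooted Device", req["id"]))
            return DECLINE
        return ACCEPT

# Constructed sample requests; field names and device IDs are hypothetical.
NORMAL, ROOTED = "AA_NORMAL_DEVICE_example", "AA_ROOTED_FPH_example"
REQUESTS = [
    {"id": "RA_0101.a", "type": "login", "device_id": NORMAL, "rooted": False},
    {"id": "RA_0101.b", "type": "login", "device_id": NORMAL, "rooted": False},
    {"id": "RA_0101.c", "type": "login", "device_id": NORMAL, "rooted": False},
    {"id": "RA_0101.d", "type": "login", "device_id": NORMAL, "rooted": False},
    {"id": "RA_0101.e", "type": "external_transfer", "device_id": NORMAL,
     "rooted": False},
    {"id": "RA_0102", "type": "login", "device_id": ROOTED, "rooted": True},
]

def run_scenario(extra=()):
    """Replay the six requests (plus optional extras) through a fresh engine."""
    engine = Engine()
    responses = {r["id"]: engine.evaluate(r) for r in [*REQUESTS, *extra]}
    return engine, responses

if __name__ == "__main__":
    engine, responses = run_scenario()
    print(responses, engine.device_black_list, engine.alerts)
```

In this model a rooted login with no device ID is still declined and alerted, but leaves nothing in the hot list, so that case is worth checking when reviewing the list's records.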
Walkthrough: Review the DEVICE_BLACK_LIST records
To review the relevant records, follow these steps:
1. Navigate to DESIGN RULES & ACTIONS > Rule Management.
2. In the Hot Lists menu in the navigation pane on the left, open Non Mon Events.
3. Select the DEVICE_BLACK_LIST link in the table to review the records of that table.