000036116 - Questions and answers about the fact 'Device IP is Diff from Event IP' in RSA Adaptive Authentication (OnPrem) 7.x

Document created by RSA Customer Support Employee on Jun 29, 2018
Version 1

Article Content

Article Number: 000036116
Applies To: RSA Product Set: Adaptive Authentication (OnPrem)
RSA Product/Service Type: Adaptive Authentication (OnPrem)
RSA Version/Condition: 7.x
Notes: From the documentation:
Fact Name = Device IP is Diff from Event IP
Previous Fact Name = sourceIPNotCookieIP
Type = Boolean
Description = Specifies whether the IP address of the device (represented by this cookie) is different from the IP address of the event.

Q1) What exactly is the “Event IP”? It is not mentioned anywhere else in the documentation.
Q2) Does event IP identify the source of the service call where client IP identifies the actual client?
We can define Device IP and Event IP as:
  • Device IP: the IP address that was linked to the device and stored in the desktop table.
  • Event IP: the IP address sent in the SOAP request (this should always be the end user's IP address) and stored in the event_log table.
Where would you use this fact? Under what conditions would client IP and event IP be different? Are they always supposed to be the same and this fact detects cookie tampering?
This fact tells whether those two IP addresses are the same or not, so there are multiple scenarios where this information can be useful.
Because the Device IP is the IP address stored in the device cookies (associated with the Device record stored in the desktops table), this information can change in multiple situations. Some of them are:
  • The customer's cookie is stolen and used from another computer to attempt fraud. The cookie suggests one IP address, which is sent in the Device info, but the attacker's real IP address is sent in the SOAP call.
  • The cookie is modified somehow (tampered with on purpose by a third party), but the SOAP call keeps sending the real IP address of the computer establishing the connection to the server.
  • The customer changes to another location. For example, they start the transaction in their office but then move to another network nearby. The IP address assigned by the new network will be different, though the cookie stored and used for the transaction may still reference the old IP address.
  • The customer opens the session on their local network and then connects to a VPN. The session cookie may still be the same, but the IP address has changed.
Some of these situations carry a high risk of fraud, or are detected as fraudulent. So this fact can be triggered under these and any other circumstances where the IP addresses are different.