In working with site owners and developers, one of the most common requests is "Can you tell me which users to block?" But while Impermium has been providing real-time account risk ratings for years, we actually try to answer this question with "No."
"No? But I just want to kick out the bad users and allow in the good," they say.
The issue is, when you attempt to build a single, monolithic gate, you hamstring your ability for nuanced detection. What should your system do for someone in the grey area? A gate either allows or blocks; there is no "try." In the language of machine learning, developers are asking for a system with near-perfect precision (because they want to firmly block users from access); unfortunately, to maximize precision, systems tend to make trade-offs in recall (the catch rate of the filter) that lead to large populations of "almost bad" users slipping through. Conversely, if you optimize solely for recall, so as not to miss anybody at all, your system will likely block many legitimate users as well.
That's why we've taken an approach that looks at a continuum of risk, and correspondingly delivers a continuum of user actions. Flagrant incidents can certainly be blocked, but for the next tiers down, we encourage our clients to deploy a succession of graduated challenges: CAPTCHA, re-auth, step-up auth, knowledge-based challenges, etc. Even more importantly, our systems ensure that this risk rating from action 1 always carries through to action 2, action 3, ... action ∞.
In practice, this means that if someone signs up under somewhat suspicious circumstances (say, on an unfamiliar device in a locale that users in his subpopulation don't often visit), the user is presented with a low-grade challenge. If that user then goes on to fairly innocuous activities, we'll adjust the risk rating accordingly and allow him to proceed. On the other hand, if that user attempts a high-impact transaction, the system will take progressively more severe steps to mitigate.
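To make the flow above concrete, here is a small added example (not Impermium's code) of a graduated-challenge policy: a continuous risk score is mapped to the least intrusive adequate action, the score is carried from one action to the next, and each outcome feeds back into it. The tier thresholds, per-action impact weights, and decay/bump factors are assumed illustrative values.

```python
from dataclasses import dataclass, field

# Graduated challenge tiers, most severe first. Thresholds are assumed
# illustrative values, not a real product's settings.
TIERS = [
    (0.90, "block"),
    (0.70, "step_up_auth"),
    (0.50, "reauth"),
    (0.30, "captcha"),
    (0.00, "allow"),
]

# Assumed per-action impact weights: a high-impact transaction raises the bar
# even for a user whose carried-over rating is otherwise modest.
IMPACT = {"browse": 0.00, "post_comment": 0.05,
          "change_email": 0.25, "withdraw_funds": 0.40}

DECAY_ON_SUCCESS = 0.6   # innocuous, completed activity lowers the carried risk
BUMP_ON_FAILURE = 0.3    # a failed challenge raises it


def decide(effective_risk: float) -> str:
    """Map a point on the risk continuum to the least intrusive adequate action."""
    for threshold, action in TIERS:
        if effective_risk >= threshold:
            return action
    return "allow"


@dataclass
class Session:
    """Carries one user's risk rating from action 1 through action N."""
    risk: float                      # rating assigned at signup/login
    log: list = field(default_factory=list)

    def attempt(self, action: str) -> str:
        """Decide what to do for this action given the carried-over rating."""
        effective = min(1.0, self.risk + IMPACT[action])
        decision = decide(effective)
        self.log.append((action, round(effective, 3), decision))
        return decision

    def outcome(self, passed: bool) -> float:
        """Fold the result of the last action/challenge back into the rating."""
        if passed:
            self.risk *= DECAY_ON_SUCCESS
        else:
            self.risk = min(1.0, self.risk + BUMP_ON_FAILURE)
        return round(self.risk, 3)


if __name__ == "__main__":
    s = Session(risk=0.40)           # constructed: signup from an unfamiliar device
    for action, passed in [("browse", True), ("browse", True),
                           ("withdraw_funds", False), ("withdraw_funds", True)]:
        print(action, "->", s.attempt(action), "| risk now", s.outcome(passed))
```

Run as a script, the constructed session shows a CAPTCHA at signup, plain allows once the user behaves, then re-auth and step-up auth as the same user attempts a withdrawal and fails the first challenge.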
While this risk-based approach is sometimes counterintuitive for clients, our experience and data continue to show that it's the most effective mechanism for balancing the user experience needs of the good guys against the protective defenses for the bad guys. And through this approach, we have our best chance of holding back the enemy and keeping our sites safe, clean, and growing.