Castle predicts a risk score for each individual device based on how well its activity matches its user's normal behavior. We look at device properties, geographic location, time of day, IP address, and the sequence and rate at which events are triggered. A high risk score indicates that the account is more likely to have been compromised.
In contrast to a traditional fraud score, where risk scoring is done per user, Castle predicts a per-device risk so that a high-risk login can be stopped while known devices are still let through. The user's risk score is simply the maximum of the device risks.
If a device's risk score exceeds a certain threshold, you can use that to trigger additional authentication. If the risk score is too high, the login can be automatically halted.
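The difference between per-device and per-user scoring described above, as an added example (not Castle's code or API). The function names, the 0.0 to 1.0 score range, the sample scores and both threshold values are assumptions constructed for illustration; they are not Castle's recommended thresholds.

```python
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    CHALLENGE = "challenge"  # trigger additional authentication
    DENY = "deny"            # halt the login automatically

def device_action(risk, challenge_at, deny_at):
    """Map one risk score to an action; scores assumed to lie in [0.0, 1.0]."""
    if not 0.0 <= challenge_at < deny_at <= 1.0:
        raise ValueError("need 0 <= challenge_at < deny_at <= 1")
    if not 0.0 <= risk <= 1.0:
        raise ValueError(f"risk score out of range: {risk}")
    if risk > deny_at:
        return Action.DENY
    if risk > challenge_at:
        return Action.CHALLENGE
    return Action.ALLOW

def user_risk(device_risks):
    """User risk is the maximum of the device risks.
    Returning 0.0 for a user with no devices is an assumption."""
    return max(device_risks.values(), default=0.0)

def per_device_decisions(device_risks, challenge_at, deny_at):
    """Each device is judged on its own score."""
    return {dev: device_action(risk, challenge_at, deny_at)
            for dev, risk in device_risks.items()}

def per_user_decisions(device_risks, challenge_at, deny_at):
    """Traditional per-user scoring: every device inherits the user's score."""
    action = device_action(user_risk(device_risks), challenge_at, deny_at)
    return {dev: action for dev in device_risks}

# Constructed sample data: two known devices and one unfamiliar browser.
SAMPLE = {"laptop-known": 0.05, "phone-known": 0.35, "unknown-browser": 0.93}
CHALLENGE_AT, DENY_AT = 0.3, 0.9  # constructed values, not recommendations

if __name__ == "__main__":
    for name, fn in (("per-device", per_device_decisions),
                     ("per-user", per_user_decisions)):
        print(name)
        for dev, action in fn(SAMPLE, CHALLENGE_AT, DENY_AT).items():
            print(f"  {dev:16} {SAMPLE[dev]:.2f} -> {action.value}")
```

With per-user scoring the one unfamiliar browser locks out the user's known laptop as well; with per-device scoring only that browser is halted.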
We recommend using the following thresholds and corresponding actions:
There are two ways the risk engine learns what is normal behavior for a user:
The risk score is calculated by combining the reasons that are generated from the device. Reasons can be categorized into:
There is an initial training period for each user account. During the training period, new devices and locations are considered to be lower risk than after the end of the training period. Fraudulent signals, e.g. brute-force login or fast travel, will still have an impact.
This is an example of how the score may develop for a user from the initial training period, through new devices being added, feedback collected, and fraudulent signals triggered: