Fraud investigation using Nametag data
When the Nametag automated system determines or suspects that an identity verification attempt is fraudulent, the attempt first comes to a trained reviewer at Nametag. The reviewer can determine that the attempt was: a) not fraudulent, and the automated system was being cautious; b) not fraudulent, but the data presented is not sufficient to validate the identity of the end-user; or c) in fact an attempt to defraud you.
In the first case, the Nametag reviewer will complete any remaining processing that is necessary and inform the end-user and, if the request was initiated by a helpdesk agent, the agent that the identity verification request is complete.
In the second case, Nametag will inform the end-user that they should try again to validate their identity. In the Nametag request console, the request will remain in the “Pending” state. Optionally, the administrator of your Nametag instance can enable the setting to send an email to the person who initiated the request and to the Owners and Admins of the Nametag instance.
In the last case, Nametag will not inform the end-user, but will inform the agent that the request was rejected for fraud. Optionally, the administrator of your Nametag instance can enable the setting to send an email to the person who initiated the request and to the Owners and Administrators of the Nametag instance.
After you become aware of an attempt at fraud, Nametag recommends the following investigative steps. Some of these steps may not be applicable depending on your use of Nametag.
Agent communication
If possible, coordinate with the agent who initiated the request to contact the end-user and collect information about the expected results and the goal of the end-user.
Gathering Information from the Nametag console
With the “User” privilege level or above, view the detailed information in the Nametag console, noting the information about the device, collected information, and, if collected, the location information.
If you use the labels in Nametag Copilot to relate to service desk ticket IDs, you should search for other requests with the same label and collect data from them as well. This will help you develop a more complete picture of the events around the attempted fraud.
Collecting information sent to your SIEM system from Nametag
Nametag offers a configuration to send detailed logs via webhooks to a data collection system, typically a SIEM or other log collection and analysis platform. These logs contain a significant amount of information that you can correlate with other logs from authentication systems (Okta, Entra ID, etc.), website access logs, and firewall logs. The logs from Nametag should integrate into your existing security processes.
The documentation for this is available to all customers with an NDA in place. Please contact help@nametag.co for more information.
Using data from your SIEM (including the data from Nametag), there are a few steps you should take to add to the picture of the events around the attempted fraud:
- look for the IP addresses from Nametag (both the device IP address and the browser IP address) in data from other logs
- look for the user agent from Nametag in data from other logs; sometimes user agents can be highly distinctive
- look for the device ID and device fingerprint from Nametag in other Nametag logs in your SIEM; if you find it, collect the IP address and user agent from that device and go to the first step and repeat the investigation
Once you have as complete a picture as you can develop, you can now start taking defensive steps or further investigative steps.
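The pivot steps listed above can be scripted against exported SIEM records. The following is an added example, not Nametag code: the record layout and every field name (`request`, `device_id`, `fingerprint`, `device_ip`, `browser_ip`, `user_agent`, `src_ip`) are assumptions, since the real webhook schema is documented separately, and all sample records are constructed.

```python
# Constructed sample data. Every field name is an assumption made for this
# example; it is not the Nametag webhook schema.
NAMETAG_EVENTS = [
    {"request": "req-1", "device_id": "dev-A", "fingerprint": "fp-1", "device_ip": "198.51.100.7",
     "browser_ip": "198.51.100.7", "user_agent": "ExampleBrowser/1.0 (odd-build)"},
    {"request": "req-2", "device_id": "dev-C", "fingerprint": "fp-9", "device_ip": "203.0.113.9",
     "browser_ip": "203.0.113.50", "user_agent": "ExampleBrowser/2.0"},
    {"request": "req-3", "device_id": "dev-C", "fingerprint": "fp-1", "device_ip": "198.51.100.8",
     "browser_ip": "198.51.100.8", "user_agent": "ExampleBrowser/1.0 (odd-build)"},
    {"request": "req-4", "device_id": "dev-B", "fingerprint": "fp-2", "device_ip": "192.0.2.44",
     "browser_ip": "192.0.2.44", "user_agent": "Mozilla/5.0 (constructed)"},
]
OTHER_LOGS = [  # constructed rows standing in for IdP, web and firewall logs
    {"source": "idp", "src_ip": "203.0.113.50", "user_agent": "ExampleBrowser/2.0", "event": "login_failed"},
    {"source": "web", "src_ip": "192.0.2.10", "user_agent": "ExampleBrowser/1.0 (odd-build)", "event": "GET /reset"},
    {"source": "fw", "src_ip": "192.0.2.99", "event": "allow"},
    {"source": "idp", "src_ip": "192.0.2.44", "user_agent": "Mozilla/5.0 (constructed)", "event": "login_ok"},
]

def pivot(seed_request, nametag_events, other_logs):
    """Expand indicators from one rejected request, then match them in other logs."""
    seed = next(e for e in nametag_events if e["request"] == seed_request)
    device_ids, fingerprints = {seed["device_id"]}, {seed["fingerprint"]}
    ips, agents, related = set(), set(), set()
    changed = True
    while changed:  # repeat until a pass finds no new device or request
        changed = False
        for ev in nametag_events:
            if ev["request"] in related:
                continue
            if ev["device_id"] in device_ids or ev["fingerprint"] in fingerprints:
                related.add(ev["request"])
                device_ids.add(ev["device_id"])
                fingerprints.add(ev["fingerprint"])
                ips.update((ev["device_ip"], ev["browser_ip"]))
                agents.add(ev["user_agent"])
                changed = True
    # Step one of the list: search non-Nametag logs for every collected IP and user agent.
    hits = [r for r in other_logs
            if r.get("src_ip") in ips or r.get("user_agent") in agents]
    return {"requests": sorted(related), "ips": ips, "user_agents": agents, "hits": hits}

if __name__ == "__main__":
    result = pivot("req-1", NAMETAG_EVENTS, OTHER_LOGS)
    print(result["requests"], [h["source"] for h in result["hits"]])
```

In the sample, `req-2` is only reached on the second pass, after `req-3` links device `dev-C` to the seed fingerprint, which is why the search repeats instead of running once.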
Contacting Nametag
In the event you need more information than is provided to you by Nametag, you can contact us at security@nametag.co and we are happy to partner with you in your investigation using system logs from Nametag. Note that we expunge logs older than 60 days.