Impossible traveler

Coro reviews a user's cloud application sign-ins for evidence of unauthorized access or potential account compromise. If you have configured an Impossible traveler threat detection policy, Coro observes the geographic location of each user's successful sign-in attempts. Coro compares each sign-in to previous successful sign-ins over a 24-hour period to determine whether the user could realistically have traveled between the locations in the time available.

For example, if a sign-in takes place at 09:00 GMT in London, United Kingdom, and the next sign-in takes place at 09:15 GMT in Cape Town, South Africa, a person cannot realistically have traveled between the two locations in 15 minutes. Therefore, one of the sign-ins is potentially fraudulent and might be evidence of a compromised account.

Coro uses best estimates of the fastest form of transport between two locations, including a travel preparation buffer, to determine the minimum viable travel time. Coro then compares the total travel time to the duration between events.

Important

To avoid false positives, Coro excludes location differences inside a predefined radius to account for location shift caused by variances in IP address lookup data.

Impossible traveler detection can also be triggered by VPN usage, where a user's location might change quickly upon connection to a VPN endpoint. Coro recommends excluding legitimate VPNs that your users are expected to use from Coro detection.
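The comparison described above, written out as an added example (not Coro's own code). The maximum speed, preparation buffer, exclusion radius and the VPN allow-list keyed by IP address are assumed values chosen for illustration, and the sign-in records are constructed sample data.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed values for illustration only; they are not Coro's settings.
MAX_SPEED_KMH = 900.0                # assumed fastest transport (airliner)
PREP_BUFFER = timedelta(hours=1)     # assumed travel preparation buffer
IGNORE_RADIUS_KM = 100.0             # assumed radius for IP geolocation drift
WINDOW = timedelta(hours=24)         # look-back period described on the page
ALLOWED_VPN_IPS = {"203.0.113.10"}   # constructed: approved VPN egress address

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def min_travel_time(km):
    return PREP_BUFFER + timedelta(hours=km / MAX_SPEED_KMH)

def impossible_travel(signins):
    """Return (user, earlier, later, km) for each pair that fails the check."""
    events, seen = [], {}
    for s in sorted(signins, key=lambda s: s["time"]):
        if s["ip"] in ALLOWED_VPN_IPS:
            continue  # approved VPN endpoints are excluded from detection
        history = seen.setdefault(s["user"], [])
        for prev in history:
            gap = s["time"] - prev["time"]
            km = distance_km(prev["loc"], s["loc"])
            if gap <= WINDOW and km > IGNORE_RADIUS_KM and min_travel_time(km) > gap:
                events.append((s["user"], prev["city"], s["city"], round(km)))
        history.append(s)
    return events

def _t(hhmm):
    return datetime.fromisoformat(f"2024-05-01T{hhmm}:00+00:00")

# Constructed sample of successful sign-ins (not real data).
SAMPLE = [
    {"user": "alice", "time": _t("09:00"), "ip": "198.51.100.7", "city": "London", "loc": (51.5074, -0.1278)},
    {"user": "alice", "time": _t("09:15"), "ip": "192.0.2.44", "city": "Cape Town", "loc": (-33.9249, 18.4241)},
    {"user": "bob", "time": _t("10:00"), "ip": "198.51.100.8", "city": "London", "loc": (51.5074, -0.1278)},
    {"user": "bob", "time": _t("10:05"), "ip": "198.51.100.9", "city": "Reading", "loc": (51.4543, -0.9781)},
    {"user": "bob", "time": _t("10:10"), "ip": "203.0.113.10", "city": "Singapore", "loc": (1.3521, 103.8198)},
]

if __name__ == "__main__":
    for event in impossible_travel(SAMPLE):
        print(event)
```

Only the London to Cape Town pair is reported: the London to Reading hop falls inside the assumed radius, and the Singapore sign-in arrives from the allow-listed VPN address.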

Where the calculated travel time exceeds the sign-in timespan, Coro raises an Impossible traveler ticket to alert admin users:

Impossible traveler ticket

Each ticket presents an aggregation of all Impossible traveler events for a protected user in a 24-hour period, showing the number of times the incident occurred (Event happened) and a list of all incident details (Full details).

Select the dropdown for an incident record to view details of the locations and times involved:

Impossible traveler ticket - details

Note

Coro classifies Impossible traveler tickets as suggested for review, automatically closing them after a review period of one week.

To learn about ticket actions, see Impossible traveler.