Detect impossible travel

Impossible travel is the scenario where a user moves between two locations faster than possible by any means of travel. It is a simple form of anomaly detection and could be an indication that the account is compromised. There are a few other reasons why impossible travel can happen, including:

  • The user is using a proxy that is turned on or off between requests, causing a sudden jump in location. (Castle's "Impossible travel" signal does not trigger for requests from the same device, however, so this case is not flagged.)
  • A sign of phishing or malware
  • Account sharing, i.e. two or more physical users are sharing the account

Nevertheless, when impossible travel happens, it could be a sign of unwanted behavior that warrants additional attention. With Castle it's easy to spot impossible travel by using signals.
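To make the idea concrete, here is an added example of the underlying check, written for this page and not Castle's own implementation: it computes the great-circle distance between a user's consecutive logins, divides by the elapsed time, and flags pairs whose implied speed is not physically plausible. It assumes a hypothetical `LoginEvent` record with a device identifier and coordinates, a speed threshold of 1000 km/h, and constructed sample logins; consecutive events from the same device are skipped, matching the same-device exclusion described above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0  # assumption: slightly above commercial-flight speed

@dataclass
class LoginEvent:  # hypothetical event shape, not a Castle type
    user_id: str
    device_id: str
    timestamp: datetime
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (previous, current) login pairs whose implied speed exceeds
    max_speed_kmh. Same-device pairs are skipped (proxy toggles raise no alert)."""
    flagged = []
    last_seen = {}  # user_id -> that user's most recent login
    for ev in sorted(events, key=lambda e: e.timestamp):
        prev = last_seen.get(ev.user_id)
        last_seen[ev.user_id] = ev
        if prev is None or prev.device_id == ev.device_id:
            continue
        dist_km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        hours = (ev.timestamp - prev.timestamp).total_seconds() / 3600
        speed = dist_km / hours if hours > 0 else float("inf")
        if dist_km > 0 and speed > max_speed_kmh:
            flagged.append((prev, ev))
    return flagged

def sample_events():
    """Constructed sample logins (not real traffic)."""
    def t(h, m):
        return datetime(2024, 1, 1, h, m, tzinfo=timezone.utc)
    return [
        LoginEvent("alice", "dev-1", t(10, 0), 59.33, 18.07),   # Stockholm
        LoginEvent("alice", "dev-2", t(11, 0), 40.71, -74.01),  # New York, 1 h later
        LoginEvent("bob", "dev-3", t(10, 0), 59.33, 18.07),     # Stockholm
        LoginEvent("bob", "dev-3", t(10, 5), 35.68, 139.69),    # Tokyo, same device (proxy)
    ]
```

Running `impossible_travel(sample_events())` flags only alice's Stockholm-to-New-York pair; bob's jump to Tokyo comes from the same device and is ignored.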

Step 1. Find users with impossible travel

In the Explore view, you can filter out all events or users with impossible travel by adding a filter for the "Impossible Travel" signal. Optionally, you can add another filter for the "New Device" signal to home in on logins that are especially suspicious.

Step 2. Create a policy to challenge impossible travel

Follow the steps on how to create a policy, and provide these options:

  • For name, use e.g. "Challenge impossible travel"
  • For event, select $login and then $succeeded
  • For condition, select "risk-based" and then "Don't use a risk score"
  • Expand the Risk signals section and check the signals "Impossible travel" and "New device".
  • Make sure to select the option to trigger the policy when "All of the selected signals" match.
  • For inline action, select "challenge"
  • Verify the settings and hit "save"

Finally, enable the policy and re-order it to put the new policy to work.