Every day, IBM Tealeaf reported multiple sessions from the bank's customers with a very large number of hits, greater than 2000.
Most sessions in Tealeaf have hits in the range of 300-500, but every day there were sessions with a large number of hits, i.e. at least 2000. This did not make sense, because all of the sessionization configuration was correct and all the other sessions seemed to be the right size. We had to check whether those sessions were large due to fragmented storage and whether, for any reason, there were duplicate values of JSESSIONID, which was used as the sessionization cookie. All of those large sessions were non-fragmented and had no sessionization issue.
As Tealeaf sessions were getting large, it became difficult to find customer struggles and to see how those users engaged with the bank's online services. The large sessions also raised suspicion of fraudulent transactions or malicious activity, which needed an immediate solution.
Replaying these large sessions, we found multiple logins, but because the session ID and TLTSID did not change, they were stitched together as the same session. Further investigation showed that such sessions originated from specific locations only. On inquiry with the bank, we learned that it has a computer in each branch for customers to log in, access their accounts and subscribe to the bank's services. On these computers, most customers would not close or restart the browser session and would just log out. That was the root cause of the large sessions. To gain insight into such sessions, we split them at logout using IBM Tealeaf advanced eventing. Splitting the sessions not only gave the required insight into walk-in customers but also eliminated the observed fraud and malicious threat.
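
The split described above, sketched in Python as an added example (this is not Tealeaf eventing configuration and not code from the bank or from this write-up). The hit records, the `/login` and `/logout` paths, and the function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample hits (not real Tealeaf data): (timestamp, JSESSIONID, URL path).
# Cookie "A1" is a shared branch computer; "B2" is a single customer's browser.
HITS = [
    (100, "A1", "/login"), (110, "A1", "/accounts"), (120, "A1", "/logout"),
    (130, "B2", "/login"), (140, "A1", "/login"), (150, "B2", "/accounts"),
    (160, "A1", "/services/subscribe"), (170, "A1", "/logout"),
    (180, "B2", "/logout"), (190, "A1", "/login"), (200, "A1", "/accounts"),
]

LOGIN_PATH = "/login"    # assumed login URL
LOGOUT_PATH = "/logout"  # assumed logout URL


def split_on_logout(hits):
    """Group hits by session cookie, then end a segment after each logout hit."""
    by_cookie = defaultdict(list)
    for hit in sorted(hits):  # order by timestamp
        by_cookie[hit[1]].append(hit)

    segments = []
    for cookie, group in by_cookie.items():
        current = []
        for hit in group:
            current.append(hit)
            if hit[2] == LOGOUT_PATH:
                segments.append((cookie, current))
                current = []
        if current:  # trailing hits with no logout yet
            segments.append((cookie, current))
    return segments


def shared_cookies(hits):
    """Cookies that saw more than one login: likely a shared computer."""
    logins = defaultdict(int)
    for _, cookie, path in hits:
        if path == LOGIN_PATH:
            logins[cookie] += 1
    return sorted(c for c, n in logins.items() if n > 1)


if __name__ == "__main__":
    for cookie, segment in split_on_logout(HITS):
        print(cookie, [path for _, _, path in segment])
    print("multiple logins under one cookie:", shared_cookies(HITS))
```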