
Husnain Babar

Stop Account Takeovers Before They Happen: Real-Time IP Risk Scoring for SaaS

When a user logs in from Moscow, then 5 minutes later from São Paulo, then again from Lagos — should you trust them?

For most SaaS applications the historical answer was "yes, as long as the password checks out." But modern account takeover (ATO) attacks don't rely on stolen passwords alone. They exploit the gap between what you can verify (credentials) and what you can see (context).

This is where real-time IP risk scoring changes everything.

The ATO Problem That Traditional Security Misses

Most SaaS apps have basic login security:

  • Password requirements + rate limiting
  • Two-factor authentication (2FA)
  • Session timeouts
  • CAPTCHAs on suspicious activity

These help against naive credential stuffing from a handful of IPs. They are much weaker against:

  • Credential stuffing with rotating proxies: the attacker spreads attempts across thousands of residential IPs, so per-IP rate limits and CAPTCHAs see only one or two attempts from each address, and every login looks like it comes from a different place
  • Session hijacking via token theft: once a session cookie or token is stolen, the attacker needs neither the password nor MFA, only a request that looks legitimate
  • MFA bypass via SIM swapping: SMS-based 2FA fails the moment an attacker takes over the victim's phone number and receives the second factor themselves

The common thread? Attackers may have valid credentials or tokens, but the IP context is wrong.

What Is IP Risk Scoring?

IP risk scoring analyzes every incoming request's IP address and assigns a risk score (typically 0-100) based on:

1. VPN/Proxy Detection

  • Commercial VPNs (NordVPN, ExpressVPN, etc.)
  • Proxy services (data center IPs, open proxies)
  • Tor exit nodes
  • Hosting provider IPs (AWS, Azure, DigitalOcean)

These aren't automatically malicious — but a SaaS user logging in from a Tor exit node? That's worth a closer look.

2. Geolocation Anomalies

  • Impossible travel (login from Tokyo, then 2 minutes later from London: no flight covers roughly 9,500 km in that time)
  • Registered vs. observed location mismatch: the address block is registered in one country but the traffic is routed through another
  • IP geolocation vs. timezone mismatch: the browser reports a timezone that does not match where the IP geolocates

3. Device/IP Consistency

  • Same user logging in from 50 different IP addresses in 24 hours
  • New device from a country they've never visited
  • Shared corporate IP with anomalous activity

4. Reputation Intelligence

  • IP ranges associated with known botnets
  • IPs flagged by threat intelligence feeds
  • IPs with history of fraud attempts
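The impossible-travel check under factor 2 is easy to get subtly wrong (flagging two geolocation points inside the same city, or dividing by a zero time gap), so here is a worked version. This is an added example, not code from the original post or from GeoIPHub: the coordinates and timestamps are constructed, and the 900 km/h airliner ceiling is an assumed parameter you would tune.

```javascript
// Added example (not from the original post): flag "impossible travel" between
// two consecutive logins by computing the ground speed the user would have needed.
// Coordinates and timestamps below are constructed sample data; in production
// they would come from the IP geolocation response and your login log.

const EARTH_RADIUS_KM = 6371;

// Great-circle distance between two lat/lon points (haversine formula).
function haversineKm(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Compare a new login against the previous one. Returns the distance, the
// speed the user would have needed, and a flag when that speed exceeds maxKmh
// (900 km/h is roughly a commercial airliner; an assumed, tunable limit).
function checkImpossibleTravel(prev, curr, maxKmh = 900) {
  const distanceKm = haversineKm(prev, curr);
  const hours = (curr.at - prev.at) / (3600 * 1000);
  if (hours <= 0) throw new RangeError('logins must be in chronological order');
  const speedKmh = distanceKm / hours;
  // Short hops are never "impossible" whatever the timing: IP geolocation is
  // only city-accurate at best, so two points in one metro area must not flag.
  const impossible = distanceKm > 100 && speedKmh > maxKmh;
  return {
    distanceKm: Math.round(distanceKm),
    speedKmh: Math.round(speedKmh),
    impossible,
  };
}

// Constructed sample: the Tokyo-then-London case from the text, 2 minutes apart.
const tokyoLogin = { lat: 35.68, lon: 139.69, at: Date.parse('2024-05-01T08:00:00Z') };
const londonLogin = { lat: 51.51, lon: -0.13, at: Date.parse('2024-05-01T08:02:00Z') };

// Constructed sample: Tokyo then nearby Yokohama, 30 minutes apart (ordinary commute).
const yokohamaLogin = { lat: 35.44, lon: 139.64, at: Date.parse('2024-05-01T08:30:00Z') };

console.log(checkImpossibleTravel(tokyoLogin, londonLogin));   // impossible: true
console.log(checkImpossibleTravel(tokyoLogin, yokohamaLogin)); // impossible: false
```

The 100 km floor matters more than it looks: geolocation databases place many IPs at a city or ISP centroid, so consecutive logins through two different carrier gateways of the same city can be tens of kilometres apart with a zero time gap, and without the floor those would all be flagged.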

A Real-World Scenario

Let's walk through what happens with vs. without IP risk scoring.

Without IP Risk Scoring

  1. User logs in from IP 185.xxx.xxx.xxx — password correct, MFA passes
  2. Session granted — app has no visibility into the IP context
  3. Attacker access granted — they're now inside the account
  4. Discovery delay — you might not notice for days/weeks

With IP Risk Scoring (using GeoIPHub)

  1. User logs in from IP 185.xxx.xxx.xxx
  2. GeoIPHub analyzes:
    • IP is a data center IP (DigitalOcean, Singapore)
    • Risk score: 87/100 (high)
    • Reason: data center IP; your own baseline for this user shows only residential logins from one country
  3. App responds:
    • If risk 0-30: Allow
    • If risk 31-70: Require additional verification (email code, re-enter MFA)
    • If risk 71-100: Block + alert security team
  4. Result: Attack blocked before session is granted

The difference is context, not complexity.

Why Real-Time Matters

Static IP databases (downloaded weekly) can't catch:

  • New VPN nodes: VPN providers spin up new servers daily — static databases miss them
  • Tor exit node churn: Tor nodes change constantly — by the time you update, the attacker has moved
  • Compromised residential IPs: botnets turn infected home devices into proxies, and those addresses rarely appear in static blocklists

Real-time IP intelligence services (like GeoIPHub) maintain live databases and use machine learning to:

  • Classify unknown IPs in milliseconds
  • Update risk scores as new threat data arrives
  • Provide context (VPN type, proxy tier, carrier) for manual review

Implementation Guide

Step 1: Integrate an IP Intelligence API

// Example with GeoIPHub
async function checkIPRisk(ipAddress) {
  // ipAddress must be the client IP your own edge sets (e.g. X-Forwarded-For
  // only when it comes from a trusted proxy); a client-supplied header lets
  // the attacker pick whichever IP they want scored.
  const url = `https://api.geoiphub.com/v1/risk?ip=${encodeURIComponent(ipAddress)}`;
  const response = await fetch(url, {
    headers: { 'Authorization': `Bearer ${process.env.GEOIPHUB_KEY}` },
    signal: AbortSignal.timeout(2000) // don't let a slow lookup stall every login
  });
  if (!response.ok) {
    // Decide fail-open vs. fail-closed deliberately: surface the failure
    // rather than silently treating "no score" as low risk.
    throw new Error(`GeoIPHub lookup failed: HTTP ${response.status}`);
  }
  const data = await response.json();
  return data.risk_score; // 0-100
}

Step 2: Define Risk Thresholds

Your thresholds depend on your risk tolerance:

Low risk (0-30):     Allow automatically
Medium risk (31-70): Require additional verification
High risk (71-100):  Block + alert security team

Step 3: Track User Baselines

For each user, store:

  • Typical login locations (countries, cities)
  • Normal device fingerprint (browser, OS)
  • Typical IP range type (residential vs. corporate)
  • Login time patterns

New logins are compared against this baseline.

Step 4: Handle Edge Cases

  • Corporate users: often log in from shared corporate egress IPs. Allowlist known ranges, but keep baseline tracking and alerting on for them: an allowlisted range is exactly where an attacker with a foothold inside the corporate network would come from.
  • Remote workers: may travel frequently. Allow time-boxed exceptions (for example, a user-declared trip window) rather than permanent ones.
  • Legitimate VPN users: let users register their VPN as trusted, once they have passed step-up verification from it.

Step 5: Alert and Respond

When high-risk activity is detected:

  1. Notify user: "New login detected from unusual location". Send it to a verified email address, not only by SMS; if SIM swapping is on your threat list, the attacker may be reading the victim's texts.
  2. Temporarily lock account: require full re-authentication (password + MFA) before any session is granted
  3. Log for security team: IP, risk score, provider context, the user's baseline, and the decision taken
  4. Optionally: force a password reset and revoke all existing sessions and tokens, so a stolen token dies with the lock
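Steps 2 to 5 above are one decision pipeline, so here they are wired together: corporate allowlist (Step 4), baseline comparison (Step 3), thresholds (Step 2) and the resulting response actions (Step 5). This is an added example and not GeoIPHub's or the post's own code; the provider response fields (`risk_score`, `country`, `ip_type`), the baseline record shape, the `+25/+15/+15` baseline weights and the 203.0.113.0/24 corporate range are all assumptions made for illustration.

```javascript
// Added example (not from the original post, not GeoIPHub's code): the login
// decision from Steps 2-5. Provider fields, baseline shape, weights and the
// corporate range are assumptions; all sample data below is constructed.

const THRESHOLDS = { allow: 30, stepUp: 70 }; // 0-30 allow, 31-70 step up, 71-100 block

// Step 4: corporate egress ranges registered as trusted (IPv4 only here;
// 203.0.113.0/24 is a documentation range used as a constructed placeholder).
const TRUSTED_CIDRS = ['203.0.113.0/24'];

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new TypeError(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(base) & mask);
}

// Step 3: compare the login against the stored baseline. Each mismatch adds to
// the provider's score so that a "clean" but out-of-pattern IP still reaches
// step-up verification. The weights are assumptions to tune against your data.
function adjustForBaseline(score, login, baseline) {
  let adjusted = score;
  const reasons = [];
  if (!baseline.countries.includes(login.country)) { adjusted += 25; reasons.push('new country'); }
  if (login.ip_type !== baseline.ipType) { adjusted += 15; reasons.push(`ip type ${login.ip_type}`); }
  if (!baseline.devices.includes(login.deviceId)) { adjusted += 15; reasons.push('new device'); }
  return { score: Math.min(100, adjusted), reasons };
}

// Steps 2, 4 and 5: allowlist, thresholds, then the response actions.
function decideLogin(login, baseline) {
  if (TRUSTED_CIDRS.some((c) => inCidr(login.ip, c))) {
    return { action: 'allow', score: 0, reasons: ['trusted corporate range'], actions: [] };
  }
  const { score, reasons } = adjustForBaseline(login.risk_score, login, baseline);
  if (score <= THRESHOLDS.allow) return { action: 'allow', score, reasons, actions: [] };
  if (score <= THRESHOLDS.stepUp) {
    return { action: 'step_up', score, reasons, actions: ['require_email_code_or_mfa'] };
  }
  return {
    action: 'block', score, reasons,
    // Step 5: notify out of band (email, since SMS can be SIM-swapped), lock
    // until full re-authentication, log the context for the security team.
    actions: ['notify_user_email', 'lock_until_reauth', 'log_security_event'],
  };
}

// Constructed baseline and four constructed logins (provider fields assumed).
const baseline = { countries: ['US'], ipType: 'residential', devices: ['dev-home-laptop'] };
const usualLogin  = { ip: '198.51.100.7',   risk_score: 5,  country: 'US', ip_type: 'residential', deviceId: 'dev-home-laptop' };
const travelLogin = { ip: '198.51.100.200', risk_score: 10, country: 'FR', ip_type: 'residential', deviceId: 'dev-home-laptop' };
const officeLogin = { ip: '203.0.113.42',   risk_score: 60, country: 'US', ip_type: 'corporate',   deviceId: 'dev-office' };
const dcLogin     = { ip: '192.0.2.9',      risk_score: 50, country: 'SG', ip_type: 'datacenter',  deviceId: 'dev-unknown' };

for (const login of [usualLogin, travelLogin, officeLogin, dcLogin]) {
  console.log(login.ip, decideLogin(login, baseline));
}
```

Note what the data-center case shows: the provider's score of 50 alone would only have produced a step-up prompt; it is the combination with your own baseline (new country, new network type, new device) that pushes it into the block band. Conversely the office login is allowed purely on the allowlist, which is why the Step 4 advice to keep logging and alerting for allowlisted ranges matters.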

The ROI of IP Risk Scoring

What does this cost vs. what does it save?

Costs

  • API usage: ~$29-$99/month for most SaaS apps (GeoIPHub tiers)
  • Implementation: 2-4 hours of engineering time
  • False positives: Some legitimate users will get extra prompts

Savings

  • Reduced fraud: ATO attacks cost $120K-200K per incident on average
  • Better user trust: Users feel their data is protected
  • Lower support burden: Fewer "my account was hacked" tickets
  • Compliance: supports the access-control requirements in SOC 2, PCI DSS, and GDPR; it is one control that auditors can point to, not compliance on its own

If you prevent one major ATO incident per year, the ROI is 100x the cost.

Common Concerns

"Won't this hurt user experience?"

Only if you're aggressive with thresholds. With calibrated thresholds, a realistic target looks like:

  • 90%+ of legitimate users: Never see extra prompts
  • 5-8%: See one-time email verification
  • 2-3%: See MFA re-entry on rare logins
  • Attackers: Get blocked entirely

"What about mobile users on cellular networks?"

Cellular IPs (mobile carriers) typically score low-risk because:

  • They're consumer-facing, not data center
  • Users stick to their carrier (geographic consistency)
  • Mobile device fingerprints match expected patterns

One caveat: carriers use carrier-grade NAT, so thousands of subscribers share one public IP and a phone's address changes as it moves between cells. Per-IP counts ("50 IPs in 24 hours") are noisy for carrier ranges; lean on the device fingerprint and the user baseline there instead.

"Can't attackers just use residential proxies?"

They can, but:

  • Residential proxies cost far more than data center IPs, and reputation feeds flag known residential proxy ranges
  • A residential IP still has to fit the user's baseline: the attacker also needs the right country, a familiar device fingerprint and a plausible login time
  • Risk scoring detects the combined anomaly (new device + new IP + unusual time) even when the IP itself looks clean

It raises the cost of attack considerably, even if it does not make residential proxies impossible to use.

Beyond ATO: Other Use Cases

IP risk scoring isn't just for login security:

1. Payment Fraud Prevention

Block high-risk IPs from making purchases, especially high-value transactions.

2. API Abuse Prevention

Rate-limit or block IPs making abusive API calls (scraping, credential stuffing).

3. Content Licensing Compliance

Enforce geo-restrictions (e.g., "US-only content") with real-time IP validation.

4. Bot Traffic Detection

Identify and filter bot traffic from analytics, improving data quality.

The GeoIPHub Advantage

We built GeoIPHub because existing IP intelligence solutions had gaps:

  • Static databases: Outdated in days, useless for real-time threats
  • Limited scope: Only geolocation, no risk scoring
  • Expensive: Pricing scaled with traffic, not features
  • Complex: Required hours of integration and tuning

GeoIPHub provides:

  • Real-time risk scoring (0-100): Millisecond response times
  • VPN/Proxy detection: Commercial, data center, Tor, residential proxies
  • Geolocation: Country, city, timezone, ISP
  • Simple pricing: Flat monthly rates, no per-request billing
  • One API call: Get everything you need in a single request

Getting Started

  1. Sign up at geoiphub.com — free tier available
  2. Get your API key — delivered instantly
  3. Make your first request:
   curl "https://api.geoiphub.com/v1/risk?ip=8.8.8.8" \
     -H "Authorization: Bearer YOUR_API_KEY"
  4. Integrate into your login flow in < 1 hour

The Bottom Line

Account takeovers are expensive, damaging, and increasingly sophisticated. Traditional security (passwords + MFA) is necessary but not sufficient.

Real-time IP risk scoring adds the missing context layer — letting you see not just who is logging in, but where they're coming from, whether it's consistent, and whether you should trust them.

For a fraction of the cost of a single ATO incident, you can prevent thousands of them.

The question isn't whether you can afford IP risk scoring. The question is whether you can afford the consequences of not having it.


Protect your SaaS with real-time IP intelligence: GeoIPHub provides risk scoring, VPN detection, and geolocation in one API.

Tags: security, authentication, saas
